| 46456 |
2020-09-18 13:26
|
Qvvn5zOrG.exe b251fc29e1b72d5a29bb2eba8f9412e2
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://38.88.126.202:8080/I4F6/THttNvff9NR/AKOJY1jR2lQoORoF/
|
5
155.186.0.121
38.88.126.202
51.38.124.206
82.196.15.205
71.72.196.159
|
|
|
8.4 |
|
37 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46457 |
2020-09-18 13:24
|
FILE_IMLJN8AV0.doc e1be29a8796394531172cd0ca910f6b2
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://carolinacanullo.com/js/hllPT/
http://71.72.196.159/atnhsPRxnJvD/0oPheFssnHmS/KX4GdOjf8jrOq/A5RyTcE7KR1Ga5fRP/S0t7gWW/
|
3
203.195.224.199
204.11.59.195
71.72.196.159
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.2 |
|
27 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46458 |
2020-09-18 13:23
|
INV_OHB_090120_HUP_091820.doc e1be29a8796394531172cd0ca910f6b2
Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows DNS |
2
http://71.72.196.159/rvOiOjkA5SZKeecSaWK/XBVWz/
http://carolinacanullo.com/js/hllPT/
|
3
203.195.224.199
204.11.59.195
71.72.196.159
|
6
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
|
27 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46459 |
2020-09-18 10:22
|
http://edunara.kr/ 9236c5c9937e3bd6703f7bbc3a50fb9c
Code Injection Creates executable files unpack itself Windows utilities malicious URLs Windows DNS |
9
http://edunara.kr/px.js?ch=2
http://ww1.trhzc.c/adclk?&gm=vaNn80x%2Fdo31FZjhNtfravm6Us2DZWpE%2BxcxZGQKC4uCH98mUI5hpzBdrDrUWLwGqBgvLltKRwbSAJmNjloVj8jXsONUXPw1fOxTHASrE3ITd3gemfIh1O6T2eU90D4wXSjleUdAp25HX016RCVcbjHZS7VlkDxUO%2FwwUeKH0mbC8kO2Z5OyPBDR58zvMzwStPX85Ag3g29YqEaTEi24P9FmXDg%2F17hmeaZAxqAA7iwABCYeu0HZm9enRFBJvkMKxU9nlEmuFWkPym6ovMyrpZiZibgQB5uS2aVYCOBOsWE%2Bp61PSigc0fDGhDWZ%2Fs%2F%2B1Ojnoar4FcJRoC9pCHQCjC30Uq9wbLxCYMyp666w18VTCp7bHGFohhML52vpaUDh8i2yWCpMqRdkd0Qpieauc2Pe1DEh9cpJqHl6XeQvroqKU0EzcTQiW2oz8rlw4NTxoccZ4IwKSSvjQMOYx%2F%2BYPsFbNq1vh%2BSskZIs2QB04zpwH%2FzDmQ0YyEeZR6G2sq7F0SwjSBoDHMGrxR3USvWt2TL0qcKgE6F5FNoHa94W%2BIR3Iqsu8UIhL61s6fKbpuWD7ezpuw5x4hnJYnIuH1zb2cW78jxpaj52zQS%2Bbh8SxLQihXCDwKzAKHk2UQz7h0V%2Fo6t1qEhXBH87bJM%2F7fSS88mnZ9O1zckVnERyRch6ybxJwukyUacx8bE80o8o%2BMOOdi2lfbaqeG5Po%2Bg8iU9wGhfM6PtqfzTjf899dPg0XnC2Th2hwrUOcdZ1ZbIDmIaL6rkq1Q1H9JfqDLlTKYDWoLCDgnPGgJdJbDN%2F3GVb4x8NvJXClwywd%2BtPbV2CL%2BJcadrfG505iB5%2F8vxt00W7lHEk4scl8Zw6rM1XR%2B0h4Zf8KvddQyJCtak%2FZlvIV8NLWoGildHhc7F2k8ypV1uzq%2F%2BKJEfXeyQXAi7VFDMZCgQ0o0vkqogrBn%2B4g2COmTKfVjXV%2Fl2TUtRyWJuCMzR6xldJkE3hD4nCFvwmvFKiF6GzNSPYNsiLn2TWbPbYPvgoGlQjSV6ECwRssTxkdqVKzTZoUDK71KZXy4MOIuVOGkY9IhT0%2FEYlqxTyve9Wwc9mWEyUbSX%2B3Xed%2Fj3ox4DUF67aGafIaDEMtDJVuQhfnpHOKAFpBX0B9gZ7AlDLpsUEFQAMaqMl1usqnPO0AD%2Fdg8WZ30YRnnvFOHx2mAJYglSOD4LBDPgmMWDa%2FHWTh68ZMFl3p0XU4X4YLfatLMFBh%2BECzNGF29JvxjuwS6WHfIcp2zRKGkqG8ELqceIDPgrFHcEQYzTZhFuGBJe2HPajap0ulPx3U4OenbCDanHGMjx5Jupt%2Fcw6LxdQl7m5fcW8JCVpoFQ6TBfpVTJfmFjjD5grqsWbzrmOSj974wDbBjIrn5Rymmgt56rxHC73vGdMNdYwV81bUsBgqBWwOP5M%2FGyS4UwynOWtUpQbsBcbE9O%2FEsPHV9JgUd%2F0pzXW2NBcCu4y2SlZAgsKVd0ynXtYCItBJmXCcNdGbvcdpWXy2wD3E4Nmfz9LPD2Q83%2FXxeNmumMC12WRnmQrLAd1ikddGfuyI7lgbxRqPW4l%2BFQmBaWJO2kKiuKe1kPehEn%2FDuje0aWBpRoHq%2FVSfNy9Ei4m7P0mpFuDcxDsOI3tu7PG6wk%3D&gc=11173479376031803831482&gi=3bMSGjhTdc9fKE%2FnmVnRAMkKL3e0lY6DmvABNOPoR5Za6gnOdjwTZ5cQlMmSerRhSCA%2B4w4DOLOcTrm6304YOdHoel9CQ1k007Sc0cJpq%2BW8Dy90Q9c%2F2s2FFIremh8v2qse4uYepSGh%2FUXbhBf9Dke81Fbh9oZQiY2KLwKt8u6IBGF0M6jPavWTi7RPIAbbaISnexyu4pUfyEEY96TSI3dSx%2Bh0vxavVEzoxrnlkKT79ya8lE1EVreMyiEbQIo2d8BUqbsCoaUVa2x48j4%2BA2mw4iwvpu6yz2aSv4wHMROqNDGg8lBJPUTdHz7F%2BcTm6syrrUT93EYGXYCzwCnddnYn6Fv87%2FMsl8EyjUAVscj7BPwZpqrfbgcnsNCtGKT8AwaQOhsFRZjiouaAU%2FvOB%2FV1Um82jkwwbj67T0523wqo0XN9Nhv3%2B1rDQ1ROaqrCuonhMsSZ60MdOMxQKaPNTarV0ZzsVLsmOnFvqS63%2FraBgr1fvpprM%2FfPIFHtbJnV%2F0IluMQSZk6sEDQT0CnB8v5lR%2BWvX9BKavUk7PiVTZqRkBA3JrA2gj4ewcWjRLXQyErquVIMO8pDABMP1DLhAg%3D%3D&kgp=0&jccheck=1&jccheck=1
http:///zcvisitor/14060bca-f94d-11ea-a63b-0acfd00d957b?campaignid=082dbb60-c1ce-11ea-88e6-0a06ea97c507
http://usa.llyr-iap.com/zcredirect?visitid=14060bca-f94d-11ea-a63b-0acfd00d957b&type=js&browserWidth=1020&browserHeight=613&iframeDetected=false
http:///aS/feedclick?s=Ilxxar-4JDjHYSZnQRV0rUoLXZk8gkPQVyQZ7AkEgAut3Q5wgRfquehZ1ZnUncqkY_iD5bFykKi_84eTTfdYjvJhYB0lhN02w7bvw4bnd-W8d-dbpRP5jdpPFz6d4P_3D254tbPpb_TRVdk4QngqGsShisdnfdTCiW2sb-v18WBg-SXEZSPlMJn6Jvp2Nfesx2TtDlUaXFKLvbHD1XYExmN03MC45aGs8oitFKR9GdWa20aLD4elENbdf_IOAZTpNzlhoSpswNmz-NEnlQU9hsUrAAWCWiKnxLb8Df9q_tEJJpwPSDe_NtFkWe1i_53OQaB_RB-OGToh6s0pPikYOx4dSrPRA6suNNn_LYBrRyl6EARZVFALDets3_98TNRM2OdfWpRdg1PJmtu8aic4042H609E5Mmi5zA4AmCsP81uVSjm6oMtlHvMhE4DHRNu5e_8hS45gi5-vuNcVk4zWFYswVREENmebaE5HD1-s1EQH8BBZh7rR04Uv82HbD9Oe7juwzwogxlv5hOlOunMKmjNLMMTZIlumF1VVH9EDxXdm6pB7cakD-4K2qfdnF8mP6jwiJj3aC8QfEtsqylpeR_XmSrVP1iYW8owlqR8oq7GIgzU-ndWzQeXD0GlNw7NQOcptr00RgDwgnsPwe0EA6XNk1nboqvvt08uQTTV3Vi4nHnHl7t2xWXS4vz3AC4dh_Tdr8JrvoOte1VWtwz0kcFiVhddv73nqyTUF5uPVoecwZisq2NEw3bqneWx7ruLRUWvGae3tpF41lxTkQPO59Z2fAdhoBtgwnAFupUdPfu8RdRni3Y9hrkEXH2fD04C307vLP3VrHtue9HG9BJ2DjsxELDaIN5e4gzBP2CeSjmJxO-iyWjf4x_PS3pWgypIWUbChny-Q2BgGLknnuiD1yqjnj07vDZpOzEQsNog3l5BMt4V4cbe0NpWefNPhNVxqDomzNDto1_zOE234TsqeuDeLy5FGor1bMEPb8DIZephrepC-c5siy2eHpxQVfMxGdxEzl6WRErz-SJtaiVGfT1WTVFjPu73LCUleHfIBE04G-vv3w44PGWCXHzsP1Zm-SNCwjFAvHiMrmojSri2qyU7ugF2M-yuDTF8nTyMvAgGdIs0ipqA2DpLAmwBmSDbNZWLazcZZv6uvWDm3ZjdvdUHwoc48Uya_MghINXZ2dP0NatE1cnb9Q5RUDuR6cw8GCxP4_jDbLeqTtGge7u4s3qlIZT6kkNyrqQt3trz2AX0ZXYWqs5-6SYNb-iWwdA0
http://edunara.kr/
http://edunara.kr/px.js?ch=1
http://b.rmgserving.com/rmgjsc/zcFilters.js?1
http://edunara.kr/?ga=VDcN2s1hQH8MI5O7mMQ3FjhtgAz5exmV80lk81lmq%2FcTYH3lfRtOh0RZCWexV9Lvcz%2FlDFNc8WCOpv3XATdfHjnsoCW0CgPnIoo8w6iGWQcnk1wvKlVq5QnXIp4xSZIG2lGGc0Yi8HsG3XkpaKuzAQXg0KiMR%2Bzv2N9PqtN4DHA%3D&gerf=keOgbftnJcS5WR4gs86NWwR3WHbSXL6SPDTMFJhMJI4%3D&guro=Cp8OT0moDM6RefezILqbI%2FdaFE%2F5jBx6sW83UgiFlKBi3Xc1LOCUrag%2BclnThL%2Fv&
|
5
121.254.136.24
141.8.224.25
173.192.101.24
208.73.211.165
54.225.132.253
|
|
|
3.6 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46460 |
2020-09-18 10:21
|
8xDprwp7V3FKb0v.exe 5cc6c157fc05d45204a6664d97b1e8ed
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://38.88.126.202:8080/QZEAMl2WT2T/nvSjAODEm3XuU/
|
3
38.88.126.202
51.38.124.206
91.105.94.200
|
|
|
7.4 |
|
8 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46461 |
2020-09-18 10:00
|
22xVW0v.exe 36bc7cd40eb0d9563621bc3afc834dd8
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://5.189.168.53:8080/UoBc0sXE7hvMKlY/XKnKe2SRr9ndMN/Sm9aKk/hmeghhelJOk1mRUqY/8qwsE5c7eF/UqxUkyfaKVrBRTp/
|
2
190.192.39.136
5.189.168.53
|
|
|
7.2 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46462 |
2020-09-18 09:43
|
testest.exe a16782a5ea9ab3ad0e71e61db261f550
Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key crashed keylogger |
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
48 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46463 |
2020-09-18 09:43
|
tel.exe 0b52424adb115b1336d084cf0cfbb73e
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Windows utilities Check virtual network interfaces malicious URLs AntiVM_Disk VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed |
2
http://checkip.dyndns.org/
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
https://freegeoip.app/xml/175.208.134.150
https://freegeoip.app/xml/175.208.134.150
|
4
104.28.4.151
131.186.113.70
149.154.167.220
216.146.43.71
|
5
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET INFO TLS Handshake Failure
|
|
10.2 |
M |
51 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46464 |
2020-09-18 09:26
|
Et9TKtRVeJOssH1zKCDX.exe 789178461b2d4a00b3cc78cab36c6669
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://38.88.126.202:8080/bxWb/J7hS3/J284OPI00GuAjv3e/2l4MNRECeng/iJ0zHnIdXWWSlB0/
|
3
38.88.126.202
51.38.124.206
91.105.94.200
|
|
|
7.0 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46465 |
2020-09-18 09:15
|
DOC_QSU_090120_CCC_091820.doc f8473dc3fcda21407659420512f2f347
Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows DNS |
2
http://carolinacanullo.com/js/hllPT/
http://71.72.196.159/G2bGreKGpkKf4R9vnbE/OXHPKAKL/VdGApd88fdIt/cxdYCgs/gAgKLoXGWvE5CyK7xo/kHRUq/
|
3
203.195.224.199
204.11.59.195
71.72.196.159
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
4.4 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46466 |
2020-09-18 09:14
|
19796066164507054740687.doc f8473dc3fcda21407659420512f2f347
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://71.72.196.159/g8HwGzlJGmUJv2vA/ymTfP5sL/lrgXuwwDqDDVfVg0/uIwL5/oT0WeoB6dh7nR4EcS/
http://carolinacanullo.com/js/hllPT/
|
3
203.195.224.199
204.11.59.195
71.72.196.159
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.2 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46467 |
2020-09-18 08:02
|
http://blog.penmman.com/wp-con... 6f34b1d69e321a9e7732d2c6f89cb9f5
VirusTotal Malware AutoRuns Code Injection Malicious Traffic Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Windows Exploit Advertising ComputerName DNS Cryptographic key crashed |
3
http://134.209.36.254:8080/nQVwnK5kipQq3M/
http://blog.penmman.com/wp-content/uploads/1ECbn9K/
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
4
117.18.232.200
13.235.119.142
134.209.36.254
71.72.196.159
|
4
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
12.6 |
|
9 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46468 |
2020-09-17 18:42
|
vnCCABpwYPRX4baP.exe ce34c7cdcab98f7079871c93c60f5c52
VirusTotal Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://74.219.172.26/63AF/J0jZ8vawc7jMRA/wSFU6dnZEeAgbeD0/
|
1
|
|
|
6.6 |
|
22 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46469 |
2020-09-17 18:38
|
invoice_233131.doc a91fa70c30ad0a8f44690103b7eae994
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://babaseoa.com/cartel/five/fre.php
http://babaseoa.com/cartel/five/fre.php
http://tsdyshgshgnationalobjindustrialat21mpq.duckdns.org/shengdoc/vbc.exe
|
2
103.141.138.130
185.209.1.124
|
12
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET MALWARE LokiBot Fake 404 Response
|
|
4.8 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46470 |
2020-09-17 18:38
|
Attachments-3370623.doc 80ed1babd3eb82afe06707e642356179
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://38.88.126.202:8080/MticMlegzsdrKOIyKAc/XxGbS/MGxeY2p6BFneM0U3/V6Rf7nWA5zS/jVyW6zlg/tcoNq0jCI/
http://localesfavoritos.com/wp-admin/c/
|
5
174.113.69.136
217.61.130.34
38.88.126.202
51.38.124.206
82.196.15.205
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.8 |
|
20 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|