| 46471 |
2020-09-17 14:39
|
WindowsHostService.exe d5ebc9c528e0b12e46f6f86b35f20d2f
PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.0 |
|
39 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46472 |
2020-09-17 14:38
|
MicrosoftAgentService.exe 15922e839af98488c51f2bf6d42f8535
PDB |
|
|
|
|
0.2 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46473 |
2020-09-17 14:37
|
Windows Desktop Service.exe 8493fad5457907ede406c7a4c3a062ca
VirusTotal Malware |
|
|
|
|
1.8 |
|
46 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46474 |
2020-09-17 14:30
|
MicrosoftAgentService.exe 15922e839af98488c51f2bf6d42f8535
VirusTotal Malware PDB Check memory Checks debugger unpack itself |
|
|
|
|
1.8 |
|
24 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46475 |
2020-09-17 14:29
|
k.exe 03ee1b3842ed89d04387ab0bca377f93
VirusTotal Malware PDB |
|
|
|
|
1.4 |
|
43 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46476 |
2020-09-17 13:18
|
invoice_241237.doc 55f33ea5bc39bf4b3d1b8b84bf490d0f
LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed |
2
http://joovy.ga/choolee/gate.php
http://joovy.ga/choolee/gate.php
http://tsdychinese2onlyywalkaloneinlifev28lad.duckdns.org/chnsfrnd2/winlog.exe
|
2
103.140.251.164
85.143.172.110
|
15
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
|
5.6 |
|
25 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46477 |
2020-09-17 13:16
|
Z8o7iM2ao.exe 74e1e27ff30505c68a6d398dcdcbd333
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://74.219.172.26/8YcMwTkC1JapSNpuPs/6jAvvMtg2PkLRJY/oJ17/
|
1
|
|
|
5.8 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46478 |
2020-09-17 13:15
|
61011293.doc c728f2e8fc4b4d5f405501f9d03f6d10
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS |
2
http://dtyl.shop/wp-content/W68Nx/
http://74.219.172.26/crWjb/sSaMtwv9oK1Wrq1fZ/
|
2
39.106.125.174
74.219.172.26
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
5.0 |
|
18 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46479 |
2020-09-17 11:27
|
MES_2020_09_17_F39291.doc bfe71f93f7bac4c0e36d71db123fc89d
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
3
http://51.38.124.206/ZBVWK4JdQTu/OjeYWDBQyjr7a3PNB9/mF0quBjQmBvxgvRH4/G8bvIGHX5GRya/5FTgKvD6wixRenfu/c5yY2vg72PoEPr/
http://theccwork.com/mail.theccwork.com/IJp/
https://writingfromling.live/wp-admin/GL/
|
5
104.31.73.193
128.199.130.232
174.113.69.136
51.38.124.206
66.70.159.18
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
|
18 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46480 |
2020-09-17 11:01
|
document_41001.doc 3d5abc66469a2c34ced4af18757fee74
VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed |
2
http://www.wz889955.com/kbc/?ARr=4t1a4J0InJBMP+vZ4h5WUk8s9OECu9JrdUteDpLQ2MT0XKcRH3nGqAaLB8SXPlidlsHzm/re&nflpdZ=u4itAxTPyb7D
http://www.cilofreight.com/myfile/black.exe
|
2
129.232.186.102
34.102.136.180
|
2
ET POLICY PE EXE or DLL Windows file download HTTP
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
|
|
5.2 |
M |
21 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46481 |
2020-09-17 10:54
|
black.exe 5e42c4b571d41ee78cde75a614316611
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key |
|
|
|
|
9.8 |
M |
29 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46482 |
2020-09-17 09:46
|
jaU9lLOuS7iGN3AU.exe 0805f65bf7f482e8dec2c0df8f16a21d
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://118.243.83.70/230s7Phv2S1pZv1aUA/u9paL6xZb/eoJehil/
|
1
|
|
|
5.8 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46483 |
2020-09-17 09:45
|
BAL_P0CKUYH.doc 23830f7559bb6f2aeea9518d22466bee
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://74.219.172.26/NhD2FDuCZgUvuvY6Qt0/UXm3CnBOei/HuRfNIfwSDf9U54CfY0/UsLD/lWUe6ljiWB28EXhDcm/mzIZ0X55vVetY/
http://luzzeri.com/wp-includes/T1mrkC/
|
5
103.8.25.12
39.100.61.34
45.32.115.34
74.219.172.26
94.242.61.186
|
6
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.4 |
|
31 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46484 |
2020-09-17 09:30
|
qq.exe 594719c16f8cb2849bf7d54e9e7a5e5f
VirusTotal Malware unpack itself sandbox evasion crashed |
|
|
|
|
3.2 |
M |
32 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 46485 |
2020-09-17 09:02
|
3kknRIqyLadKQddiLJu0.exe 8428926592a23a849523726cbb9e351b
Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key |
1
http://118.243.83.70/gXcK5FWt2E2SaLTNEN/1XJQCaNZ0WcD5PV3/NUBfuZ6fagnSxux/
|
1
|
|
|
5.8 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|