46471 | 2020-09-17 14:39 | WindowsHostService.exe | d5ebc9c528e0b12e46f6f86b35f20d2f | PDB Check memory Checks debugger unpack itself | 1.0 | | 39 | admin

46472 | 2020-09-17 14:38 | MicrosoftAgentService.exe | 15922e839af98488c51f2bf6d42f8535 | PDB | 0.2 | | 24 | admin

46473 | 2020-09-17 14:37 | Windows Desktop Service.exe | 8493fad5457907ede406c7a4c3a062ca | VirusTotal Malware | 1.8 | | 46 | admin

46474 | 2020-09-17 14:30 | MicrosoftAgentService.exe | 15922e839af98488c51f2bf6d42f8535 | VirusTotal Malware PDB Check memory Checks debugger unpack itself | 1.8 | | 24 | admin

46475 | 2020-09-17 14:29 | k.exe | 03ee1b3842ed89d04387ab0bca377f93 | VirusTotal Malware PDB | 1.4 | | 43 | admin

46476 | 2020-09-17 13:18 | invoice_241237.doc | 55f33ea5bc39bf4b3d1b8b84bf490d0f | LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed | 5.6 | | 25 | admin
  URLs (2): http://joovy.ga/choolee/gate.php; http://tsdychinese2onlyywalkaloneinlifev28lad.duckdns.org/chnsfrnd2/winlog.exe
  IPs (2): 103.140.251.164; 85.143.172.110
  Alerts (15): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET POLICY PE EXE or DLL Windows file download HTTP; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2; ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response

46477 | 2020-09-17 13:16 | Z8o7iM2ao.exe | 74e1e27ff30505c68a6d398dcdcbd333 | Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key | 5.8 | | | admin
  URLs (1): http://74.219.172.26/8YcMwTkC1JapSNpuPs/6jAvvMtg2PkLRJY/oJ17/
  IPs (1):

46478 | 2020-09-17 13:15 | 61011293.doc | c728f2e8fc4b4d5f405501f9d03f6d10 | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS | 5.0 | | 18 | admin
  URLs (2): http://dtyl.shop/wp-content/W68Nx/; http://74.219.172.26/crWjb/sSaMtwv9oK1Wrq1fZ/
  IPs (2): 39.106.125.174; 74.219.172.26
  Alerts (3): ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP

46479 | 2020-09-17 11:27 | MES_2020_09_17_F39291.doc | bfe71f93f7bac4c0e36d71db123fc89d | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS | 6.0 | | 18 | admin
  URLs (3): http://51.38.124.206/ZBVWK4JdQTu/OjeYWDBQyjr7a3PNB9/mF0quBjQmBvxgvRH4/G8bvIGHX5GRya/5FTgKvD6wixRenfu/c5yY2vg72PoEPr/; http://theccwork.com/mail.theccwork.com/IJp/; https://writingfromling.live/wp-admin/GL/
  IPs (5): 104.31.73.193; 128.199.130.232; 174.113.69.136; 51.38.124.206; 66.70.159.18
  Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

46480 | 2020-09-17 11:01 | document_41001.doc | 3d5abc66469a2c34ced4af18757fee74 | VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed | 5.2 | M | 21 | admin
  URLs (2): http://www.wz889955.com/kbc/?ARr=4t1a4J0InJBMP+vZ4h5WUk8s9OECu9JrdUteDpLQ2MT0XKcRH3nGqAaLB8SXPlidlsHzm/re&nflpdZ=u4itAxTPyb7D; http://www.cilofreight.com/myfile/black.exe
  IPs (2): 129.232.186.102; 34.102.136.180
  Alerts (2): ET POLICY PE EXE or DLL Windows file download HTTP; ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2

46481 | 2020-09-17 10:54 | black.exe | 5e42c4b571d41ee78cde75a614316611 | VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs Windows Cryptographic key | 9.8 | M | 29 | admin

46482 | 2020-09-17 09:46 | jaU9lLOuS7iGN3AU.exe | 0805f65bf7f482e8dec2c0df8f16a21d | Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key | 5.8 | | | admin
  URLs (1): http://118.243.83.70/230s7Phv2S1pZv1aUA/u9paL6xZb/eoJehil/
  IPs (1):

46483 | 2020-09-17 09:45 | BAL_P0CKUYH.doc | 23830f7559bb6f2aeea9518d22466bee | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS | 6.4 | | 31 | admin
  URLs (2): http://74.219.172.26/NhD2FDuCZgUvuvY6Qt0/UXm3CnBOei/HuRfNIfwSDf9U54CfY0/UsLD/lWUe6ljiWB28EXhDcm/mzIZ0X55vVetY/; http://luzzeri.com/wp-includes/T1mrkC/
  IPs (5): 103.8.25.12; 39.100.61.34; 45.32.115.34; 74.219.172.26; 94.242.61.186
  Alerts (6): SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP

46484 | 2020-09-17 09:30 | qq.exe | 594719c16f8cb2849bf7d54e9e7a5e5f | VirusTotal Malware unpack itself sandbox evasion crashed | 3.2 | M | 32 | admin

46485 | 2020-09-17 09:02 | 3kknRIqyLadKQddiLJu0.exe | 8428926592a23a849523726cbb9e351b | Malware Malicious Traffic RWX flags setting unpack itself malicious URLs sandbox evasion Windows Advertising ComputerName Remote Code Execution DNS Cryptographic key | 5.8 | | | admin
  URLs (1): http://118.243.83.70/gXcK5FWt2E2SaLTNEN/1XJQCaNZ0WcD5PV3/NUBfuZ6fagnSxux/
  IPs (1):