46681 | 2020-11-06 11:06
reservation.exe 59d5f66f4cd5889b1e825239097a5974
Tags: VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder malicious URLs Tofsee Ransomware Windows Tor ComputerName DNS Cryptographic key crashed
URLs (1):
  https://456345746g546646.gb.net//inc/040b73a6c5b6ac.php
Hosts (3):
  456345746g546646.gb.net()
  103.153.182.50
  117.18.232.200 - suspicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.6 | M | 53 | admin

46682 | 2020-11-06 11:03
http://ps.popcash.net/go/27536... a954a876386a7bb1541498370036cb31
Tags: Dridex VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (11):
  http://ps.popcash.net/go/275368/567202 - malicious
  http://ps.popcash.net/ad/ad?p=275368&w=567202&t=6e236c90efedc53e&r=&vw=0&vh=0 - malicious
  https://simplegrg.shop/favicon.ico
  https://simplegrg.shop/home/base64.min.js
  https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/aes.min.js
  https://simplegrg.shop/home/image.php
  https://shachibato-anime.shop/
  https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
  https://cdnjs.cloudflare.com/ajax/libs/zepto/1.2.0/zepto.min.js
  https://simplegrg.shop/home/?key=8BCE03840BE4E829
  https://simplegrg.shop/home?key=8BCE03840BE4E829
Hosts (9):
  ps.popcash.net(52.201.162.15) - malicious
  cdnjs.cloudflare.com(104.16.19.94) - malicious
  simplegrg.shop(185.178.208.137)
  shachibato-anime.shop(185.178.208.164)
  185.178.208.164 - suspicious
  104.16.18.94
  52.203.234.71
  185.178.208.137
  117.18.232.200 - suspicious
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
5.6 | M | | admin

46683 | 2020-11-06 10:52
document3.doc d5c72a79881e7245bcb3fe135d4143f5
Tags: LokiBot Malware download Vulnerability VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed
URLs (2):
  http://magicview.ga/webxpo/gate.php - malicious
  http://duracom.ga/SD3/win32.exe - malware
Hosts (3):
  magicview.ga(46.173.214.75) - malicious
  duracom.ga(46.173.214.75) - malware
  46.173.214.75 - suspicious
Alerts (13):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET POLICY PE EXE or DLL Windows file download HTTP
5.8 | M | 36 | admin

46684 | 2020-11-06 10:49
Recycle.exe 9307f47769c237710365aaa4ca511fe7
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed
Hosts (1):
  172.217.25.14 - suspicious
8.6 | M | 20 | admin

46685 | 2020-11-06 10:48
priority3-word.doc 01b461a688d740775311e53c60109509
Tags: Vulnerability unpack itself malicious URLs
2.6 | | | admin

46686 | 2020-11-06 10:45
n2.exe 31dd83fcd01a7696ea76f960b6a05592
Tags: VirusTotal Malware unpack itself Remote Code Execution
2.4 | M | 33 | admin

46687 | 2020-11-06 10:28
f4n.exe 1db6bd4d13cb9966e8875b3812aef71d
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName Software
URLs (1):
  http://api.ipify.org/?format=xml
Hosts (4):
  cussoricti.com()
  api.ipify.org(184.73.247.141)
  54.225.153.147
  185.18.52.47
Alerts (1):
  ET POLICY External IP Lookup (ipify .org)
9.4 | M | 51 | admin

46688 | 2020-11-06 10:28
document3.doc d5c72a79881e7245bcb3fe135d4143f5
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed
URLs (2):
  http://magicview.ga/webxpo/gate.php
  http://duracom.ga/SD3/win32.exe
Hosts (3):
  magicview.ga(46.173.214.75) - malicious
  duracom.ga(46.173.214.75) - malware
  46.173.214.75 - suspicious
Alerts (13):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET POLICY PE EXE or DLL Windows file download HTTP
5.2 | M | 36 | admin

46689 | 2020-11-06 10:25
document2.doc 7fbbd3038fcb18fba29a100ed36821ad
Tags: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (3):
  http://www.abcsolucion.com/vdi/?-Z=XmqBrgm/s7sJaqHdKZUQX45I0MCw0sdqQpbMI0R4giA4jEtnVtacsT7YFth3uMROrJSEaG0d&rZ=X48HMfqP
  http://www.westermann-shop.com/vdi/?rZ=X48HMfqP&-Z=w6PY0/hsT1sd2nqyQp0d8BtC9NhnAFKUrNmR4SZhU1/BEmJAGkOSsP6FVKbEb6p0EWKD4LTW
  http://qdrenfa.com/~zadmin/ban2/ban2.exe
Hosts (7):
  www.abcsolucion.com(162.241.61.243)
  www.westermann-shop.com(134.119.234.55)
  qdrenfa.com(46.173.214.75) - malicious
  134.119.234.55
  46.173.214.75 - suspicious
  162.241.61.243
  172.217.25.14 - suspicious
Alerts (2):
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
5.2 | M | 24 | admin

46690 | 2020-11-06 10:23
document.doc 79448c02d4b2b2e220122144474ee234
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader
URLs (2):
  http://kregmartlime.ga/main/ex/us8/vbc.exe
  http://crestmart.ga/main/config/US/temp.php
Hosts (3):
  crestmart.ga(46.173.214.75) - malicious
  kregmartlime.ga(46.173.214.75) - malware
  46.173.214.75 - suspicious
Alerts (11):
  ET INFO DNS Query for Suspicious .ga Domain
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET INFO HTTP POST Request to Suspicious *.ga Domain
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot Request for C2 Commands Detected M2
  ET MALWARE LokiBot Fake 404 Response
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
5.0 | M | 28 | admin

46691 | 2020-11-06 10:20
Clhwv8.exe bea248598c663d948e0acacc45520392
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed
Hosts (1):
  172.217.25.14 - suspicious
14.4 | M | 26 | admin

46692 | 2020-11-06 10:19
7123854.xlsb c55b3057e78df922252a6e2cec03cbd1
Tags: VirusTotal Malware Check memory Checks debugger Creates shortcut Creates executable files unpack itself malicious URLs WriteConsoleW ComputerName crashed
4.8 | | 4 | admin

46693 | 2020-11-06 10:06
http://175.208.134.150:8282/te... 5c8e2fed189e7b7f7f1d9e756fd072f8
Tags: Code Injection RWX flags setting unpack itself Windows utilities Windows DNS
URLs (2):
  http://175.208.134.150:8282/test/test.eml
  http://175.208.134.150:8282/favicon.ico
Hosts (2):
  172.217.25.14 - suspicious
  175.208.134.150
2.8 | | | admin

46694 | 2020-11-06 09:58
ajhtredfga.exe 5516ba90dc9a6978aaec99276ba4383c
Tags: Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Browser Email ComputerName
URLs (11):
  http://217.8.117.77/ohtredfga.exe
  http://morasergiov.ac.ug/ - malicious
  http://morasergiov.ac.ug/vcruntime140.dll
  http://morasergiov.ac.ug/nss3.dll
  http://morasergiov.ac.ug/sqlite3.dll
  http://jamesrlongacre.ug/index.php - malicious
  http://morasergiov.ac.ug/freebl3.dll
  http://morasergiov.ac.ug/mozglue.dll
  http://morasergiov.ac.ug/main.php - malicious
  http://morasergiov.ac.ug/msvcp140.dll
  http://morasergiov.ac.ug/softokn3.dll
Hosts (3):
  morasergiov.ac.ug(217.8.117.77) - malicious
  jamesrlongacre.ug(217.8.117.77) - malware
  217.8.117.77 - suspicious
Alerts (7):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 38
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
18.0 | M | 51 | guest

46695 | 2020-11-06 09:50
http://175.208.134.150:8282/te... 5c8e2fed189e7b7f7f1d9e756fd072f8
Tags: Code Injection RWX flags setting unpack itself Windows utilities Windows DNS
URLs (2):
  http://175.208.134.150:8282/test/test.eml
  http://175.208.134.150:8282/favicon.ico
Hosts (2):
  172.217.25.14 - suspicious
  175.208.134.150
2.8 | | | admin