ID | Submitted | Sample | MD5 | Tags | URLs | Hosts | Signatures | Score | Flag | Count | Submitter
46696 | 2020-11-06 08:15 | http://movies3002.online/1.zip | d58abe50000351513990c86213e824bb | | | | | | | | admin
46697 | 2020-11-06 07:57 | http://216.170.114.73/chous.do... | 644c300e72c2a2eb7dea039dcf95af8a | Dridex VirusTotal Malware Code Injection Malicious Traffic exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | (1) http://216.170.114.73/chous.doc | (2) 216.170.114.73 - suspicious; 117.18.232.200 - suspicious | (5) ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex; ET INFO Dotted Quad Host DOC Request; ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers | 5.8 | | 27 | admin
46698 | 2020-11-06 07:44 | https://ultimatenutritiononlin... | c58dd175c569b8713620bcefa5635753 | Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed | | (3) ultimatenutritiononline.com(108.167.158.215) - malware; 108.167.158.215 - suspicious; 117.18.232.200 - suspicious | (3) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | 4.4 | | | admin
46699 | 2020-11-06 07:38 | https://ultimatenutritiononlin... | c58dd175c569b8713620bcefa5635753 | Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | | (3) ultimatenutritiononline.com(108.167.158.215); 108.167.158.215; 117.18.232.200 - suspicious | (3) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | 4.8 | | | guest
46700 | 2020-11-05 18:26 | main.file.rtf | 55e166bdfb914283278f0f7d9dcc9f65 | Malware Malicious Traffic buffers extracted exploit crash unpack itself malicious URLs Tofsee Exploit crashed | (1) https://cdn-sop.net/202/8f8rO7e7zsx35Mmi38pAVx5cmQLe5IkBed85bmMn/-1/13897/171a9d16 | (2) cdn-sop.net(172.93.188.161); 172.93.188.161 | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 4.2 | | | admin
46701 | 2020-11-05 18:25 | tt.exe | fc63e8813cca45e82fdde362a2836794 | VirusTotal Malware unpack itself | | | | 2.0 | M | 25 | admin
46702 | 2020-11-05 18:23 | document.doc | 01a61f8646cf09a907c9876b2a3f0227 | LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader | (2) http://kregmartlime.ga/main/ex/ap1/vbc.exe - malware; http://crestmart.ga/main/config/emma/temp.php | (3) crestmart.ga(91.203.193.242) - mailcious; kregmartlime.ga(91.203.193.242) - malware; 91.203.193.242 - suspicious | (11) ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET POLICY PE EXE or DLL Windows file download HTTP | 4.8 | M | 16 | admin
46703 | 2020-11-05 18:22 | info.exe | e2ec666e8f1c920dbdf54816e2350fac | VirusTotal Malware unpack itself Remote Code Execution | | | | 2.6 | M | 58 | admin
46704 | 2020-11-05 18:21 | 26848.exe | 8bac2dfe38653583440ca35fffb5180e | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion anti-virtualization VM Disk Size Check installed browsers check Browser Email ComputerName Remote Code Execution DNS Software crashed | (1) http://185.208.182.54/mmc/index.php | (1) | (1) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 | 16.8 | M | 37 | admin
46705 | 2020-11-05 18:13 | invoice_141144.doc | 4c084f9a7c1a961a35768108ca70e1f5 | LokiBot Malware download Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed Downloader | (2) http://unitedfrtsdykesokoriorimistreetsmtsfma.ydns.eu/chnsfrnd1/vbc.exe; http://magicview.ga/akin/gate.php | (4) magicview.ga(91.203.193.242) - mailcious; unitedfrtsdykesokoriorimistreetsmtsfma.ydns.eu(103.141.138.122); 91.203.193.242 - suspicious; 103.141.138.122 - suspicious | (12) ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response; ET POLICY PE EXE or DLL Windows file download HTTP | 4.2 | | | admin
46706 | 2020-11-05 18:11 | vbc.exe | b95a2c81ccdad3a6515190121cdf4e90 | VirusTotal Malware Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder DNS crashed | | (1) 172.217.25.14 - suspicious | | 3.6 | | 14 | admin
46707 | 2020-11-05 18:08 | f4n.exe | 1db6bd4d13cb9966e8875b3812aef71d | Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency MachineGuid Check memory Collect installed applications malicious URLs sandbox evasion anti-virtualization IP Check installed browsers check Ransomware Browser ComputerName Software | (1) http://api.ipify.org/?format=xml | (4) cussoricti.com(62.76.40.132); api.ipify.org(184.73.247.141); 50.19.252.36; 62.76.40.132 | (1) ET POLICY External IP Lookup (ipify .org) | 8.6 | | 32 | admin
46708 | 2020-11-05 18:08 | peace.exe | c74a4de1af2ca02c62ab19625eb98b8b | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed | | | | 9.8 | M | 24 | admin
46709 | 2020-11-05 13:53 | lvs7kabg6ouix3r.exe | d32acba23526d5c591027df645884b39 | Malware download Nanocore VirusTotal Malware c&c Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW human activity check Windows ComputerName DNS | | (2) 172.217.25.14 - suspicious; 84.38.134.114 - suspicious | (1) ET MALWARE Possible NanoCore C2 60B | 14.8 | M | 53 | admin
46710 | 2020-11-05 13:45 | peace.exe | c74a4de1af2ca02c62ab19625eb98b8b | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself malicious URLs Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed | | | | 9.8 | M | 24 | admin