| ID | Submitted | Sample (name, MD5) | Tags | URLs | Hosts | Signatures | Related URLs | Score | Flag | Count | Submitter |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 49786 | 2020-12-22 12:24 | HM68DCU.doc 4f0f77186bc4b10b8f897f0313c6cda5 | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS | (1) http://50.116.111.59:8080/27chhoguocutamup/5imql7bgzmxb27gdx5w/u9fj1w7wwkbo8bxsv/ - rule_id: 193 | (9) enableinfosolutions.com(166.62.45.30) - malware; amartaka.net(104.18.55.1) - mailcious; nguyenphuchn.com(45.32.124.178) - malware; 197.87.160.216 - mailcious; 166.62.45.30 - malware; 78.188.225.105 - mailcious; 104.18.55.1; 45.32.124.178 - malware; 50.116.111.59 - mailcious | (4) ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | (1) http://50.116.111.59:8080/ | 6.6 | M | 28 | ZeroCERT |
| 49787 | 2020-12-22 12:22 | DE4GKQWD8CA.doc a6e82e49f8fac750dea41d36e926f4d9 | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS | (2) http://50.116.111.59:8080/bz7nnk/ - rule_id: 193; https://update.googleapis.com/service/update2?cup2key=10:308671038&cup2hreq=3e3441fd0f40a06388e518ef6b977f6a1da78bd764227383e475bc0c5cb30b88 | (7) palladium.tdmcdev.co.za(197.242.155.144) - malware; musickidsprogram.com(107.180.20.91) - malware; 107.180.20.91 - malware; 197.87.160.216 - mailcious; 78.188.225.105 - mailcious; 50.116.111.59 - mailcious; 197.242.155.144 - malware | (5) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | (1) http://50.116.111.59:8080/ | 6.6 | M | 26 | ZeroCERT |
| 49788 | 2020-12-22 12:20 | file.exe 6d048030d31349665bb357ad55cd79b1 | VirusTotal Malware unpack itself RCE | | | | | 2.6 | M | 26 | ZeroCERT |
| 49789 | 2020-12-22 11:40 | ANC1QRIZ0X.doc 989c3a50ecfe2a54f97e739eee3154bf | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS | (1) http://50.116.111.59:8080/l5a5l1op6fchimox/ - rule_id: 193 | (7) palladium.tdmcdev.co.za(197.242.155.144) - malware; musickidsprogram.com(107.180.20.91) - malware; 107.180.20.91 - malware; 197.87.160.216 - mailcious; 78.188.225.105 - mailcious; 50.116.111.59 - mailcious; 197.242.155.144 - malware | (5) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | (1) http://50.116.111.59:8080/ | 6.6 | M | 28 | ZeroCERT |
| 49790 | 2020-12-22 11:39 | config2.json.exe 062f86194f7d3281a7eac6238c635237 | VirusTotal Malware unpack itself malicious URLs DNS crashed | | | | | 3.6 | M | 39 | ZeroCERT |
| 49791 | 2020-12-22 11:21 | 78983-4.xlsm e8fecc39968a9add2d38560e88d3c07a | Malware download Dridex TrickBot VirusTotal Malware suspicious privilege Checks debugger buffers extracted Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces malicious URLs Kovter Windows ComputerName DNS crashed Downloader | (1) http://www.orthogen.com.tr/properties.png | (7) www.orthogen.com.tr(5.180.184.204); 5.180.184.204; 196.45.140.146; 103.87.25.220; 103.126.185.7; 41.243.29.182; 103.65.196.44 | (7) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; SURICATA Applayer Mismatch protocol both directions; ET POLICY PE EXE or DLL Windows file download HTTP; ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2; ET MALWARE JS/WSF Downloader Dec 08 2016 M4; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging); ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | | 10.0 | | 2 | guest |
| 49792 | 2020-12-22 11:12 | 1WMZPO6LD84.doc c4a740227ca940d4bd157716f2c9f0e0 | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS | (1) http://50.116.111.59:8080/up2bvtk2k3m5i88p/8xb0u79bai58/1robzvbdpq7sbc2/ | (5) swallow.tdmcdev.co.za(197.242.155.144) - malware; 197.87.160.216; 78.188.225.105; 50.116.111.59; 197.242.155.144 - malware | (4) ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | | 6.6 | M | 28 | ZeroCERT |
| 49793 | 2020-12-22 11:12 | Ableton Activator v.3.4.exe c59985a2a4b0a33ce346df4c605f61c4 | Browser Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces suspicious process AppData folder malicious URLs VMware anti-virtualization installed browsers check Tofsee Ransomware Windows Browser ComputerName Firmware DNS Cryptographic key crashed | (2) http://54.38.15.249:35200/IRemotePanel; https://api.ip.sb/geoip | (7) WHOIS.APNIC.NET(172.104.77.201); whois.iana.org(192.0.32.59); api.ip.sb(172.67.75.172); 104.26.12.31; 172.104.79.63; 192.0.32.59; 54.38.15.249 | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 13.4 | | 26 | ZeroCERT |
| 49794 | 2020-12-22 11:02 | winlog.exe 6afe65a67db47fb50ae3506d8e6e0e4d | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software | (1) http://webtex.ga/akin/gate.php - rule_id: 186 | (2) webtex.ga(185.193.143.118) - mailcious; 185.193.143.118 | (8) ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Fake 404 Response | (1) http://webtex.ga/akin/gate.php | 13.2 | M | 35 | ZeroCERT |
| 49795 | 2020-12-22 11:01 | 1.exe 09874cbb134851ff3b971960916ce5bb | VirusTotal Malware unpack itself RCE | | | | | 2.6 | M | 61 | ZeroCERT |
| 49796 | 2020-12-22 10:42 | uninsxsd1218.exe a0e151a2b74b2816155c47f209761415 | VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory WMI Creates executable files Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName | | (2) upgrade.i-xinnuo.com(60.10.7.133); 60.10.7.133 | | | 11.0 | M | 41 | ZeroCERT |
| 49797 | 2020-12-22 10:42 | vbc.exe fcd369792aaf258ffbd27408e3d32f1f | VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName DNS crashed | | | | | 10.8 | M | 23 | ZeroCERT |
| 49798 | 2020-12-22 09:32 | svchost.exe 3ee960d7d595c82b47ce28164afed056 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software | (1) http://begadi.ga/chud/gate.php - rule_id: 161 | (2) begadi.ga(185.193.143.118) - mailcious; 185.193.143.118 | (10) ET INFO DNS Query for Suspicious .ga Domain; ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response | (1) http://begadi.ga/chud/gate.php | 14.8 | M | 47 | ZeroCERT |
| 49799 | 2020-12-22 09:31 | uninsxsd1218.exe a0e151a2b74b2816155c47f209761415 | VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory WMI Creates executable files Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS | | | | | 10.6 | M | 41 | ZeroCERT |
| 49800 | 2020-12-22 09:25 | ox.exe 346e98b8a995d5f3150c502c055de9ef | Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key crashed keylogger | (2) http://crt.comodoca.com/COMODORSAAddTrustCA.crt; https://api.ipify.org/ | (4) api.ipify.org(23.21.126.66); crt.comodoca.com(91.199.212.52); 91.199.212.52; 54.235.83.248 | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 11.0 | M | 54 | ZeroCERT |