49801 | 2020-12-17 17:57 | http://mute-saga-0240.lovesick... | 7aa5769c35ee7fc6bf69d344890a95f1 | Dridex Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed | 4.6 | | 12 | r0d
  URLs (1):
    http://mute-saga-0240.lovesick.jp/WAH.exe
  Hosts (2):
    mute-saga-0240.lovesick.jp(163.44.185.199) - malware
    163.44.185.199 - malware
  Alerts (4):
    ET POLICY PE EXE or DLL Windows file download HTTP
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
49802 | 2020-12-17 17:42 | 631ec884e194a04ac89ae7db34ee2c... | 631ec884e194a04ac89ae7db34ee2cdc | Vulnerability VirusTotal Malware wscript.exe payload download unpack itself malicious URLs | 6.8 | M | 20 | r0d
  Hosts (2):
    www.hahae.co.kr(211.233.50.229) - mailcious
    211.233.50.229 - malware
49803 | 2020-12-17 17:12 | regasm.exe | 8ffafa832e6e9a941c2b87a7c75d6d27 | VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS crashed | 14.0 | M | 55 | ZeroCERT
  URLs (1):
    http://paratuseventos.cl/doc/nov16/index.php - rule_id: 152
  Hosts (3):
    paratuseventos.cl(162.214.123.251) - mailcious
    162.214.123.251
    20.43.94.199
  Other (1):
    http://paratuseventos.cl/doc/nov16/index.php
49804 | 2020-12-17 16:19 | vbn.exe | 74e570ba5f6106f6e93121660da4f462 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName Cryptographic key | 13.2 | M | 43 | ZeroCERT
  URLs (1):
    http://www.excellentsunshop.com/cgc/?v2=SU0xek3BHwTUkYY7nlKXQ7zeI8h4mxTMtb12zbJJxjrhGHWatOaRJA5AnYPvMNX+zCUTF0rO&oX=TxohN6vpNVWDF
  Hosts (2):
    www.excellentsunshop.com(161.117.47.123)
    161.117.47.123
49805 | 2020-12-17 15:17 | vbc.exe | ae8d9001b6fc7686c84fb7cd58d95894 | VirusTotal Malware Buffer PE Check memory Checks debugger buffers extracted unpack itself DNS | 3.4 | M | 18 | ZeroCERT
49806 | 2020-12-17 15:15 | suf.hta | 3bc3c371d30b1a8633a3dbb3069e86ad | VirusTotal Malware suspicious privilege Check memory WMI unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName | 5.0 | M | 4 | guest
  Hosts (2):
    www.hahae.co.kr(211.233.50.229) - mailcious
    211.233.50.229 - malware
49807 | 2020-12-17 15:08 | suf.hta | 3bc3c371d30b1a8633a3dbb3069e86ad | VirusTotal Malware crashed | 1.0 | | 4 | guest
49808 | 2020-12-17 10:05 | document.doc | 01c8f989db53ea3a342cc16ede71e06f | VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit DNS crashed Downloader | 5.2 | M | 27 | ZeroCERT
  Hosts (1):
    54.169.136.76 - mailcious
  Alerts (6):
    ET INFO Executable Download from dotted-quad Host
    ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
    ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
49809 | 2020-12-17 10:04 | http://www.hahae.co.kr/new3/IS... | 06cfdaf0990fcd6ace527e1ae005e36f | Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed | 4.6 | | | ZeroCERT
  URLs (2):
    http://www.hahae.co.kr/new3/ISAF/Libs/php/cross.php?op=1&dt=1214&uid=01
    http://www.hahae.co.kr/favicon.ico
  Hosts (2):
    www.hahae.co.kr(211.233.50.229) - mailcious
    211.233.50.229 - malware
  Alerts (3):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO TLS Handshake Failure
    ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
49810 | 2020-12-17 09:50 | winlog.exe | 926682b2da9a8406bcb427da6a9e00ac | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName Trojan DNS Software | 14.4 | M | 46 | ZeroCERT
  URLs (1):
    http://webtex.ga/akin/gate.php
  Hosts (2):
    webtex.ga(176.118.165.175) - mailcious
    176.118.165.175
  Alerts (8):
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Fake 404 Response
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
49811 | 2020-12-17 09:49 | diego.png.exe | d8a449d9a8aa11d58db91e3dc2387595 | VirusTotal Malware unpack itself DNS | 2.4 | M | 17 | ZeroCERT
49812 | 2020-12-17 09:37 | svchost.exe | d543a59ba12985acaf4134c3ff427b86 | NetWireRC VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Checks Bios Detects VirtualBox suspicious process malicious URLs VMware anti-virtualization Windows ComputerName DNS Cryptographic key DDNS Software | 16.8 | M | 43 | ZeroCERT
  Hosts (2):
    rnnfibi.hopto.org(194.5.98.33) - mailcious
    194.5.98.33
  Alerts (1):
    ET POLICY DNS Query to DynDNS Domain *.hopto .org
49813 | 2020-12-17 09:36 | prosperx.scr | 9c13e16c165b2a914fd342729e7e919c | VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key | 9.0 | M | 23 | ZeroCERT
  Hosts (1):
49814 | 2020-12-17 09:18 | prosperx.scr | 9c13e16c165b2a914fd342729e7e919c | VirusTotal Malware Buffer PE Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows DNS Cryptographic key | 9.0 | M | 23 | ZeroCERT
  Hosts (1):
49815 | 2020-12-17 09:16 | OSW.exe | f0e54257937a0cce319faf635a3e1f98 | VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName | 2.4 | M | 15 | ZeroCERT