50386 | 2020-11-17 09:27
nass.exe | d9e4ff69934ce995feaa9e54e0d5ad07
Tags: suspicious privilege Check memory Checks debugger unpack itself malicious URLs
2.4 | M | - | ZeroCERT

50387 | 2020-11-17 09:19
document.doc | a19eabf7fb153b7d9481cbd5a2957e5d
Tags: VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs Exploit DNS crashed Downloader
URLs (1): http://198.23.212.152/mom.exe
Hosts (1): 198.23.212.152 - suspicious
IDS alerts (2): ET INFO Executable Download from dotted-quad Host; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
5.2 | M | 27 | ZeroCERT

50388 | 2020-11-17 09:19
e3txkz.pdf.exe | a19e9a48a5adb409f2eed82694231a7a
Tags: VirusTotal Malware PDB unpack itself DNS crashed
2.4 | M | 12 | ZeroCERT

50389 | 2020-11-17 09:09
document-1559797301.xlsb | b716cc176fe7a6c664ee428bcda1704e
Tags: unpack itself malicious URLs
2.0 | - | - | ZeroCERT

50390 | 2020-11-17 09:08
161120.gif.exe | 62796a07ec927fa798d39dbcaa16a967
Tags: unpack itself RCE
1.4 | M | - | ZeroCERT

50391 | 2020-11-17 09:03
document-1559797301.xlsb | b716cc176fe7a6c664ee428bcda1704e
Tags: unpack itself malicious URLs
1.6 | - | - | ZeroCERT

50392 | 2020-11-17 07:30
http://stoplyingme.com/pdf/nas... | d9e4ff69934ce995feaa9e54e0d5ad07
Tags: VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities malicious URLs Windows Exploit DNS crashed
URLs (1): http://stoplyingme.com/pdf/nass.exe
Hosts (3): stoplyingme.com(37.72.175.148); 172.217.25.14 - suspicious; 37.72.175.148
IDS alerts (1): ET POLICY PE EXE or DLL Windows file download HTTP
5.6 | - | - | ZeroCERT

50393 | 2020-11-17 07:21
http://download.logins.online/... | 9f566a164a5c6ae046c24d0e911dc577
Tags: Dridex VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1): http://download.logins.online/exe/LinK13112020.msi
Hosts (3): download.logins.online(172.67.136.62); 172.67.136.62; 117.18.232.200 - suspicious
IDS alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.6 | - | 6 | guest

50394 | 2020-11-16 23:53
arch64.exe | 62993bb7deb866e9d52ac4221d266468
Tags: VirusTotal Malware RWX flags setting unpack itself Windows utilities suspicious process malicious URLs Windows ComputerName DNS
URLs (2): http://45.134.21.8:61/SDuQ; http://45.134.21.8:61/fwlink
Hosts (2): 45.134.21.8; 172.217.25.14 - suspicious
5.8 | - | 38 | ZeroCERT

50395 | 2020-11-16 23:51
svchost.exe | 9044b597dc455f00b922491411426ef6
Tags: VirusTotal Malware PDB Malicious Traffic RWX flags setting unpack itself malicious URLs ComputerName DNS
URLs (2): http://45.63.58.134/WGTcpDEjfJlnd9IASbPhArlczzzhLNQC; http://45.63.58.134/g.pixel
Hosts (1): 45.63.58.134 - suspicious
6.2 | M | 43 | ZeroCERT

50396 | 2020-11-16 23:47
Setup.exe | 142a8356420248e2ccbfa977b576279c
Tags: VirusTotal Malware Check memory Checks debugger WMI unpack itself ComputerName
2.8 | - | 16 | ZeroCERT

50397 | 2020-11-16 23:43
web ori2.exe | 3b7b6e39851547b367a5f4e398cea7bd
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key Software crashed keylogger
Hosts (5): aarque.co(45.155.36.57) - mailcious; pastebin.com(104.23.98.190) - mailcious; 45.155.36.57 - suspicious; 104.23.99.190 - suspicious; 172.217.25.14 - suspicious
IDS alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
19.0 | M | 12 | ZeroCERT

50398 | 2020-11-16 23:41
BOQ8600.txt.exe | 5f3d7585543a71950085cb925730494e
Tags: VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName Cryptographic key
URLs (1): -
Hosts (2): api.ipify.org(50.19.252.36); 54.235.83.248
IDS alerts (1): ET POLICY External IP Lookup api.ipify.org
12.2 | M | 17 | ZeroCERT

50399 | 2020-11-16 23:37
vbc.exe | ffdeea6205f5911f3e7d7b103308c3e2
Tags: Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software
URLs (1): http://magicview.ga/akin/gate.php - rule_id: 96
Hosts (2): magicview.ga(8.208.99.216) - mailcious; 8.208.99.216
IDS alerts (10): ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response; ET INFO DNS Query for Suspicious .ga Domain
Other URLs (1): http://magicview.ga/akin/gate.php
7.8 | M | 67 | ZeroCERT

50400 | 2020-11-16 23:28
invoice_141147.doc | c11c7bd737d1dcf126e3cea347737ae6
Tags: LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed Downloader
URLs (1): http://magicview.ga/akin/gate.php - rule_id: 96
Hosts (5): magicview.ga(8.208.99.216) - mailcious; unitedstdyfrkesokoriorimistreetsmstgpd.ydns.eu(103.141.138.122) - malware; 8.208.99.216; 103.141.138.122 - suspicious; 172.217.25.14 - suspicious
IDS alerts (12): ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET INFO DNS Query for Suspicious .ga Domain; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
Other URLs (1): http://magicview.ga/akin/gate.php
5.6 | M | 25 | ZeroCERT