50626 | 2020-11-16 23:37
vbc.exe ffdeea6205f5911f3e7d7b103308c3e2 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName Trojan DNS Software
1 | http://magicview.ga/akin/gate.php - rule_id: 96
2 | magicview.ga(8.208.99.216) - mailcious; 8.208.99.216
10 | ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET MALWARE LokiBot Fake 404 Response; ET INFO DNS Query for Suspicious .ga Domain
1 | http://magicview.ga/akin/gate.php
7.8 | M | 67 | ZeroCERT

50627 | 2020-11-16 23:28
invoice_141147.doc c11c7bd737d1dcf126e3cea347737ae6 | LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself malicious URLs Windows Exploit Trojan DNS crashed Downloader
1 | http://magicview.ga/akin/gate.php - rule_id: 96
5 | magicview.ga(8.208.99.216) - mailcious; unitedstdyfrkesokoriorimistreetsmstgpd.ydns.eu(103.141.138.122) - malware; 8.208.99.216; 103.141.138.122 - suspicious; 172.217.25.14 - suspicious
12 | ET MALWARE Trojan Generic - POST To gate.php with no referer; ET MALWARE LokiBot User-Agent (Charon/Inferno); ET MALWARE LokiBot Checkin; ET INFO HTTP POST Request to Suspicious *.ga Domain; ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1; ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2; ET INFO DNS Query for Suspicious .ga Domain; ET POLICY PE EXE or DLL Windows file download HTTP; ET MALWARE LokiBot Request for C2 Commands Detected M1; ET MALWARE LokiBot Request for C2 Commands Detected M2; ET MALWARE LokiBot Fake 404 Response
1 | http://magicview.ga/akin/gate.php
5.6 | M | 25 | ZeroCERT

50628 | 2020-11-16 23:28
BOQ8600.txt.exe 5f3d7585543a71950085cb925730494e | VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote AppData folder malicious URLs WriteConsoleW IP Check Windows ComputerName Cryptographic key
1 |
2 | api.ipify.org(23.21.42.25); 54.225.169.28
1 | ET POLICY External IP Lookup api.ipify.org
12.2 | M | 17 | ZeroCERT

50629 | 2020-11-16 23:19
10674100.jpg.exe a8d086952534df0b84fbd100e0b39f7d | Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check human activity check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
2 | http://checkip.dyndns.org/; https://freegeoip.app/xml/175.208.134.150
5 | freegeoip.app(172.67.188.154); checkip.dyndns.org(162.88.193.70); 104.28.5.151; 131.186.161.70; 167.88.170.103
5 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SURICATA Applayer Detect protocol only one direction
10.2 | M | 29 | ZeroCERT

50630 | 2020-11-16 18:30
sendhookfile.exe 7555e7e8511af8c51837674d79f6e391 | VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName
3.0 | M | 58 | guest

50631 | 2020-11-16 18:29
Netflix_Leecher_3.0.exe fd94d289b3711b1d7f6111ae8047d9f4 | VirusTotal Malware Check memory Checks debugger unpack itself malicious URLs ComputerName
3.0 | | 44 | guest

50632 | 2020-11-16 17:05
ARC_TH1940084283ZO.doc 55d79fbe07c3d17f618890bd72c4efc3 | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
2 | http://annabphotography.co.uk/wp-includes/WdHO/ - rule_id: 99; http://64.207.182.168:8080/ynEa1jfetxWq5u/ - rule_id: 98
7 | pipesplumbingltd.com(35.208.159.220) - mailcious; annabphotography.co.uk(35.214.15.47) - mailcious; 35.208.159.220 - suspicious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 64.207.182.168 - suspicious; 102.182.145.130 - suspicious
5 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Terse Named Filename EXE Download - Possibly Hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
2 | http://annabphotography.co.uk/wp-includes/WdHO/; http://64.207.182.168:8080/
7.0 | M | 46 | admin

50633 | 2020-11-16 16:51
FILE 69108.doc 80380e507ae539fad4894d36491f513c | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee
13 | zhidong.store() - mailcious; www.meshzs.com(188.166.149.118) - malware; inbichngoc.com(104.18.62.160) - malware; dartzeel.com(35.214.163.147) - malware; www.angiathinh.com(118.71.180.39) - mailcious; nurmarkaz.org(160.153.138.219) - malware; australaqua.com(104.18.48.247) - mailcious; 188.166.149.118 - suspicious; 35.214.163.147 - suspicious; 160.153.138.219 - suspicious; 104.18.48.247; 104.18.63.160; 118.71.180.39
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | M | 45 | admin

50634 | 2020-11-16 16:36
KasperWare_BETA.exe 07c60c57ceecf8527213ea4c65739abf | VirusTotal Malware PDB MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces malicious URLs Tofsee
3 | https://cdn.discordapp.com/attachments/743750440327446570/748942494561075301/Token_Stealer.bat; https://raw.githubusercontent.com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/tokenstealer.vbs; https://raw.githubusercontent.com/Itroublve/Token-Browser-Password-Stealer-Creator/master/AVOID%20ME/tokenstealer2.vbs
6 | github.com(15.164.81.167) - mailcious; raw.githubusercontent.com(151.101.192.133) - malware; cdn.discordapp.com(162.159.135.233) - malware; 52.78.231.108 - suspicious; 151.101.76.133 - suspicious; 162.159.130.233 - suspicious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | | 54 | admin

50635 | 2020-11-16 16:34
42674ac72c128ad00644c264f303ed... 42674ac72c128ad00644c264f303edb0 | Email Client Info Stealer suspicious privilege Checks debugger Creates shortcut unpack itself malicious URLs AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName
4.2 | | | guest

50636 | 2020-11-16 16:24
6c9a21fbf0fb419a00d145b62a470c... 6c9a21fbf0fb419a00d145b62a470cf3 | VirusTotal Email Client Info Stealer Malware Checks debugger unpack itself malicious URLs Ransomware Email DNS
1 | 172.217.25.14 - suspicious
3.6 | | 5 | guest

50637 | 2020-11-16 16:15
6079ddee4a0bcf4778e2dc9d4c269a... 6079ddee4a0bcf4778e2dc9d4c269a4d | VirusTotal Email Client Info Stealer Malware Checks debugger unpack itself malicious URLs Ransomware Email DNS
1 | 172.217.25.14 - suspicious
4.0 | | 28 | guest

50638 | 2020-11-16 16:08
IZ965Q89_15_01.doc e2a74e7d83a27eb49e4074a301d695d4 | Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
8 | www.hgklighting.com(104.31.72.216) - malware; pilkom.ulm.ac.id(103.195.91.180) - malware; thegioilap.vn(112.213.89.7) - malware; jelajahpulautidung.com() - malware; 165.227.220.53 - suspicious; 103.195.91.180 - suspicious; 112.213.89.7 - suspicious; 104.31.73.216
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 42 | guest

50639 | 2020-11-16 16:07
03e927e6cb9a1e99f7b0cf1fffaf04... 03e927e6cb9a1e99f7b0cf1fffaf04ab | VirusTotal Email Client Info Stealer Malware Checks debugger unpack itself malicious URLs Ransomware Email
3.0 | | 8 | guest

50640 | 2020-11-16 15:47
Arc_SV7257602192KT.doc 410eee98c357147776c0e926c6336db2 | Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
8 | pipesplumbingltd.com(35.208.159.220) - mailcious; annabphotography.co.uk(35.214.15.47) - mailcious; 35.208.159.220 - suspicious; 35.214.15.47 - suspicious; 173.173.254.105 - suspicious; 64.207.182.168 - suspicious; 102.182.145.130 - suspicious; 51.89.199.141 - suspicious
5 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY Terse Named Filename EXE Download - Possibly Hostile; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP
7.0 | M | 44 | guest