5326 | 2021-02-20 19:50 | ebook.exe | 07f79b595254bd60ccec7561e858de35 | Check memory, Checks debugger, unpack itself, AppData folder, malicious URLs, AntiVM_Disk, VM Disk Size Check | URLs (2): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f | | | 3.0 | | | guest
5327 | 2021-02-20 19:50 | local.exe | 21d160d4752d40baaaf7cb5e2d2ed52b | VirusTotal, Malware, unpack itself, Remote Code Execution | URLs (3): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f | | | 2.2 | | 21 | guest
5328 | 2021-02-20 19:50 | threex.exe | cb543811126f9fbe90dacf4025042797 | VirusTotal, Malware, Check memory, Checks debugger, unpack itself, malicious URLs | URLs (1): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ | | | 2.6 | | 31 | guest
5329 | 2021-02-20 19:50 | fourx.exe | d14be22fbe0e28268fef84adf657d76c | VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, DNS | URLs (3): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f | Hosts (1): 192.236.147.189 - malware | | 4.4 | | 22 | guest
5330 | 2021-02-20 19:50 | onex.exe | eefefb81434a3b57d1fd4cb5d42114c8 | VirusTotal, Malware, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, DNS | URLs (2): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ | Hosts (1): 192.236.147.189 - malware | | 4.4 | | 20 | guest
5331 | 2021-02-20 19:53 | INVRS.exe | ebb811d0396c06a70fe74d9b23679446 | VirusTotal, Malware, unpack itself, DNS | URLs (2): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ | | | 2.4 | | 10 | guest
5332 | 2021-02-20 19:53 | 1p5a53wm.b51.exe | 0fb903f0809892bf7d7f21eae6ad28dc | VirusTotal, Malware, PDB, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, RWX flags setting, unpack itself, Windows utilities, AppData folder, malicious URLs, WriteConsoleW, human activity check, Windows | URLs (9):
| | | 6.8 | | 2 | guest
5333 | 2021-02-20 19:55 | SCR.exe | 2ffb956f7e7a21c54dd411e6c6b7d005 | VirusTotal, Malware, malicious URLs, DNS | URLs (2): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f | | | 2.4 | | 11 | guest
5334 | 2021-02-20 19:56 | Proxo 2 of 4_86134.exe | 238b94895b10d3113dad0fffca1f4968 | VirusTotal, Malware, Malicious Traffic, Check memory, Creates executable files, RWX flags setting, unpack itself, malicious URLs, Tofsee | URLs (10): http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://dlsft.com/callback/geo/geo.php http://dlsft.com/callback/?channel=ProgramasGratis&id=86134&action=started http://dlsft.com/callback/offers.php http://dlsft.com/callback/info.php?id=86134 http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f https://img.programasgratis.es/fichas_210x140/5110_1.jpg https://cdn.cleanfile.xyz/setup https://www.dlsft.com/download.php?file=setup | Hosts (7): www.dlsft.com(35.190.60.70); cdn.cleanfile.xyz(172.67.158.112); img.programasgratis.es(62.210.69.73); dlsft.com(35.190.60.70) - mailcious; 62.210.69.73; 104.21.65.53; 35.190.60.70 | Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | 5.2 | | 43 | guest
5335 | 2021-02-20 19:56 | 3w5vyhsm.chs.exe | ff21bfb6689578309bba793ef75c6332 | VirusTotal, Malware, PDB, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, Windows, Exploit, DNS, crashed | URLs (36):
| Hosts (8): login.live.com(20.190.165.7); a4.bing.com(119.207.66.35); login.microsoftonline.com(40.126.38.18); www2.bing.com(13.107.21.200); 40.126.38.16; 61.111.58.27; 13.107.21.200; 40.126.38.18 | Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request | 7.0 | | 1 | guest
5336 | 2021-02-20 19:58 | RussianDollTest.exe | 8bbd5e482cb618e54ed597111d520f0f | VirusTotal, Malware, PDB, Code Injection, Check memory, Checks debugger, buffers extracted, Creates executable files, RWX flags setting, exploit crash, unpack itself, Windows utilities, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, VM Disk Size Check, Tofsee, Windows, Exploit, DNS, crashed | URLs (36):
| Hosts (7): login.live.com(40.126.37.0); a4.bing.com(119.207.66.35); login.microsoftonline.com(40.126.38.23); www2.bing.com(13.107.21.200); 20.190.165.4; 20.190.165.20; 23.59.72.65 | Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request | 8.2 | | 2 | guest
5337 | 2021-02-21 09:28 | 11.exe | 2055c8af98ca708f9556baab52de02e8 | VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, malicious URLs, DNS | | | | 8.2 | M | 27 | ZeroCERT
5338 | 2021-02-21 09:29 | 8.jjkes.exe | 25056df6d3546de971eafe5da5f9ae44 | Dridex, TrickBot, VirusTotal, Malware, Report, PDB, suspicious privilege, Malicious Traffic, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, Kovter, ComputerName, DNS, crashed | | Hosts (6): 134.119.186.202 - mailcious; 200.52.147.93 - mailcious; 193.8.194.96 - mailcious; 194.5.249.156 - phishing; 45.155.173.242 - mailcious; 185.163.45.138 - mailcious | Alerts (6): ET CNC Feodo Tracker Reported CnC Server group 8; ET CNC Feodo Tracker Reported CnC Server group 16; ET CNC Feodo Tracker Reported CnC Server group 11; ET CNC Feodo Tracker Reported CnC Server group 12; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) | 8.0 | M | 39 | ZeroCERT
5339 | 2021-02-21 09:47 | cmdzx.exe | 173389c1303ed2a3f047a40b5c8e34ad | VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName | | | | 9.4 | M | 23 | ZeroCERT
5340 | 2021-02-21 09:47 | cmdss.exe | 173389c1303ed2a3f047a40b5c8e34ad | VirusTotal, Malware, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows, ComputerName, DNS | | | | 9.4 | M | 23 | ZeroCERT