April 26, 2021

Help Understanding Domain Activity

Could someone help me understand what type of malware would cause this type of domain request activity? The investigation started with an Umbrella alert showing a single host reaching out to 5 malicious domain names. Upon further review, I found thousands of queries to thousands of sketchy domains, all within just 3 minutes and all from the same individual hosts. Then the queries stopped and DNS activity resumed to normal business stuff. I questioned the user about their actions and system behavior during this time; they had no odd system behaviors and said they were reviewing emails but didn't click on any suspicious links or attachments. My thought was something tried to load in the background of Outlook when reviewing emails, but I want to learn more about what type of malware would cause this. I've used Umbrella logs to prove smaller malicious web requests, but the enormity of the requests in a short period of time piqued my interest.

I posted a sample of the domain activity on pastebin.


Thanks for your input.
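The pattern described in the post (one host querying thousands of distinct domains inside a 3-minute window, then going quiet) can be hunted for in DNS logs directly, without waiting for a reputation hit. Below is an added example of that detection logic, not code from the original post or from Umbrella; it assumes a simplified CSV layout (timestamp, internal host, queried domain) and uses constructed sample records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): host-a issues a burst of
# queries to many distinct domains inside one minute and then returns to
# normal lookups; host-b repeatedly resolves only four domains.
SAMPLE_LOG = "\n".join(
    [f"2021-04-26 09:00:{i % 60:02d},host-a,bad{i}.example" for i in range(300)]
    + ["2021-04-26 09:10:00,host-a,mail.example",
       "2021-04-26 09:10:30,host-a,calendar.example"]
    + [f"2021-04-26 09:0{i % 5}:00,host-b,site{i % 4}.example" for i in range(40)]
)

def parse_log(text):
    """Parse 'timestamp,host,domain' lines into (datetime, host, domain) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, host, domain = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, domain))
    return records

def max_distinct_in_window(events, window):
    """Sliding window over time-sorted (ts, domain) events.
    Returns the largest number of distinct domains seen within any span
    of length `window`, plus the start time of that span."""
    counts = defaultdict(int)
    best, best_start, left = 0, None, 0
    for ts, domain in events:
        counts[domain] += 1
        while ts - events[left][0] > window:      # drop events that fell out of the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        if len(counts) > best:
            best, best_start = len(counts), events[left][0]
    return best, best_start

def find_query_bursts(records, window=timedelta(minutes=3), threshold=100):
    """Flag hosts whose distinct-domain count in any `window` meets `threshold`."""
    per_host = defaultdict(list)
    for ts, host, domain in records:
        per_host[host].append((ts, domain))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        distinct, start = max_distinct_in_window(events, window)
        if distinct >= threshold:
            flagged[host] = {"distinct_domains": distinct, "window_start": start}
    return flagged

if __name__ == "__main__":
    print(find_query_bursts(parse_log(SAMPLE_LOG)))
```

The threshold of 100 distinct domains per 3 minutes is an assumed starting point; tune it against a baseline of normal hosts before alerting on it.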
