31 |
2020-07-20 13:33
|
23d3382.hta d8c6560478cca57bb84a2c37228c44bf Malware Code Injection Malicious Traffic unpack itself Windows utilities malicious URLs Tofsee Windows DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3853635478&cup2hreq=92a7148437394b58f7ec4abd157fc4e0117c52535a660c1e0d7b4db923123f53
|
2
172.217.175.35 172.217.26.46
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
32 |
2020-07-20 13:39
|
index.doc b60e35e93dbbbc16b3e578ec6645c562 Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS |
5
http://www.szhealthshield.com/websiteguide/k82i/ https://digitalcon7.net/wp-snapshots/0Wn/ https://exam.ylsbmeirong.com/data/tjEyH973/ https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:616390958&cup2hreq=a32c267c8d5d3ad228c9b82cbf2e70cb8d8956df84658eec24e35e7161705363
|
8
104.18.37.221 104.247.221.104 122.114.105.25 172.217.161.46 172.217.161.67 177.144.135.2 207.246.99.156 5.61.27.215
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
37 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
33 |
2020-07-20 14:01
|
http://agoty.org/wp-content/up... b60e35e93dbbbc16b3e578ec6645c562 VirusTotal Malware Code Injection exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
2
http://agoty.org/wp-content/uploads/1569700949_aQmJGB6jChk2g_6711054_esaD78/e0n1mn2x_6ygf_41wR_vLbhodeZ/05uoy_108vytsx7/ https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
2
109.74.200.201 216.58.220.110
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.0 |
M |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
34 |
2020-07-20 14:06
|
23d3382.hta d8c6560478cca57bb84a2c37228c44bf Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs human activity check Tofsee Interception ComputerName DNS |
5
http://www.hajjinfo-org.tar-gz.net/plugins/15984/11992/true/true/ http://swupmf.adobe.com/manifest/60/win/reader9rdr-en_US.upd http://swupmf.adobe.com/manifest/60/win/AdobeUpdater.upd http://www.hajjinfo-org.tar-gz.net/cgi/8ee4d36866/15984/11992/28673f34/file.hta https://cdn-m1l.net/202/n0gbg3QzgawhZHfdd8e5v2uXl2Q6dymqpyraEjMN/15984/11992/1b31ea0f
|
3
169.239.128.142 185.225.19.64 23.212.12.57
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible HTA Application Download
|
|
6.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
35 |
2020-07-20 14:15
|
23d3382.hta d8c6560478cca57bb84a2c37228c44bf Browser Info Stealer Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting exploit crash unpack itself Check virtual network interfaces malicious URLs installed browsers check Tofsee Exploit Browser ComputerName DNS crashed |
3
http://www.hajjinfo-org.tar-gz.net/plugins/15984/11992/true/true/ http://www.hajjinfo-org.tar-gz.net/cgi/8ee4d36866/15984/11992/28673f34/file.hta https://cdn-m1l.net/202/MyjsSbjuQKXH7pHOBq3AqA7vsyuri6ule5dKoSOP/15984/11992/872a2125
|
2
169.239.128.142 185.225.19.64
|
2
ET POLICY Possible HTA Application Download SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
36 |
2020-07-20 14:27
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/favicon.ico http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/ http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/main.jpg http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg
|
3
117.18.232.200 216.58.197.170 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
37 |
2020-07-20 14:33
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/favicon.ico http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/main.jpg http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
|
3
117.18.232.200 172.217.25.234 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
38 |
2020-07-20 15:11
|
https://download.nullsoft.com/... 3017f921a6c42a267842cc8bae9384c1 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk sandbox evasion Firewall state off VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Windows Exploit Browser ComputerName DNS crashed |
8
http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exe http://client.winamp.com/update?v=5.8&ID=BE3FEB0E973D1245B7E64DE6F6CD049C&lang=en-US http://client.winamp.com/update/client_session.php?v=5.8&ID=BE3FEB0E973D1245B7E64DE6F6CD049C&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://client.winamp.com/update?v=5.8&ID=BE3FEB0E973D1245B7E64DE6F6CD049C&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://client.winamp.com/update/latest-version.php?v=5.8&ID=BE3FEB0E973D1245B7E64DE6F6CD049C&lang=en-US http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe
|
4
117.18.232.200 172.217.161.36 31.12.71.55 5.39.58.66
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
15.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
39 |
2020-07-20 15:22
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/favicon.ico http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/main.jpg http://www.nalara1220.o-r.kr/CSS/mainC.css
|
3
117.18.232.200 172.217.31.138 35.226.40.154
|
3
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
40 |
2020-07-20 15:36
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/main.jpg http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://www.nalara1220.o-r.kr/favicon.ico
|
4
117.18.232.200 172.217.161.74 35.226.40.154 52.184.220.162
|
3
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
5.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
41 |
2020-07-20 15:53
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/CSS/mainC.css http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/favicon.ico http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/ http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/main.jpg http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg
|
3
117.18.232.200 172.217.175.106 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
42 |
2020-07-20 16:10
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/main.jpg http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/favicon.ico http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
|
3
117.18.232.200 172.217.25.74 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
43 |
2020-07-20 16:17
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/main.jpg http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://www.nalara1220.o-r.kr/favicon.ico http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/main.jsp http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/CSS/mainC.css
|
8
ajax.googleapis.com(172.217.175.42) ie9cvlist.ie.microsoft.com(117.18.232.200) iecvlist.microsoft.com(117.18.232.200) www.nalara1220.o-r.kr(35.226.40.154) 117.18.232.200 216.58.197.234 35.226.40.154 8.8.4.4
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
44 |
2020-07-20 16:24
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://www.nalara1220.o-r.kr/CSS/mainC.css http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jpg http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/favicon.ico http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
3
117.18.232.200 216.58.197.138 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45 |
2020-07-20 16:29
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/main.jpg http://www.nalara1220.o-r.kr/CSS/mainC.css http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/favicon.ico
|
3
117.18.232.200 216.58.197.234 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|