46 |
2020-07-20 16:36
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/favicon.ico http://www.nalara1220.o-r.kr/main.jpg http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/main.jsp http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200) ajax.googleapis.com(172.217.26.10) iecvlist.microsoft.com(117.18.232.200) www.nalara1220.o-r.kr(35.226.40.154) 1.1.1.1 117.18.232.200 172.217.175.42 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
47 |
2020-07-20 16:39
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/main.jpg http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/favicon.ico
|
8
ajax.googleapis.com(172.217.26.10) www.nalara1220.o-r.kr(35.226.40.154) ie9cvlist.ie.microsoft.com(117.18.232.200) iecvlist.microsoft.com(117.18.232.200) 1.1.1.1 117.18.232.200 172.217.175.42 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
48 |
2020-07-20 16:45
|
https://download.nullsoft.com/... 3017f921a6c42a267842cc8bae9384c1 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk sandbox evasion Firewall state off VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Windows Exploit Browser ComputerName DNS crashed |
8
http://client.winamp.com/update?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exe http://client.winamp.com/update/latest-version.php?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&lang=en-US http://client.winamp.com/update/client_session.php?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://client.winamp.com/update?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&lang=en-US http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe
|
9
www.google.com(172.217.161.36) client.winamp.com(31.12.71.55) download.nullsoft.com(5.39.58.66) ie9cvlist.ie.microsoft.com(117.18.232.200) 117.18.232.200 1.1.1.1 172.217.25.68 31.12.71.55 5.39.58.66
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
14.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
49 |
2020-07-20 16:59
|
https://download.nullsoft.com/... 3017f921a6c42a267842cc8bae9384c1 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files ICMP traffic exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk sandbox evasion Firewall state off VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Windows Exploit Browser ComputerName DNS crashed |
8
http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exe http://client.winamp.com/update?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&lang=en-US http://client.winamp.com/update?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://client.winamp.com/update/client_session.php?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://client.winamp.com/update/latest-version.php?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&lang=en-US https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe
|
9
download.nullsoft.com(5.39.58.66) www.google.com(172.217.161.36) client.winamp.com(31.12.71.55) ie9cvlist.ie.microsoft.com(117.18.232.200) 1.1.1.1 117.18.232.200 172.217.174.100 31.12.71.55 5.39.58.66
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
14.4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
50 |
2020-07-20 17:45
|
https://www.gomlab.com/downloa... 04a1b261477eff216d800437c6d613fd Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
30
http://www.gomlab.com/browser.gom http://www.gomlab.com/gomlab_v2/ui/img/common/ico_foot_blog.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/grm/ico_grm.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_browser1.png http://www.gomlab.com/gomlab_v2/ui/img/common/ico_s_iapp.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/gcm/ico_gcm.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_notiinfo.gif?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/common/logo_footer.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/gmx/ico_gmx_pro.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gen/ico_gen.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_foot_face.png?v=1912302 http://www.gomlab.com/ http://www.gomlab.com/gomlab_v2/ui/img/gmm/ico_gmm.png?v=2 http://www.gomlab.com/browser.gom http://www.gomlab.com/gomlab_v2/ui/img/common/ico_s_win.png?v=1912302 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.gomlab.com/gomlab_v2/ui/css/browser_info.css?version=2020071601 http://www.gomlab.com/gomlab_v2/ui/img/gmp/ico_gmp.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gsv/ico_gsv.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gmx/ico_gmx.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_s_gplay.png?v=1912302 http://www.gomlab.com/favicon.ico http://www.gomlab.com/gomlab_v2/ui/img/sub/bar_ddd.gif?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/common/logo_on2.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/grc/ico_grc.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gau/ico_gau.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_browser2.png http://www.gomlab.com/gomlab_v2/ui/img/gst/ico_gst.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/bu_dot1.gif?v=1912302 https://www.gomlab.com/download/ https://www.gomlab.com/index.gom
|
6
iecvlist.microsoft.com(117.18.232.200) ie9cvlist.ie.microsoft.com(117.18.232.200) www.gomlab.com(52.85.194.45) 1.1.1.1 117.18.232.200 54.192.71.137
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
51 |
2020-07-20 17:46
|
https://robotica.cl/w3ZunC4T3N... 6186934d6ebcbd2761413698113233cf Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
6
iecvlist.microsoft.com(117.18.232.200) ie9cvlist.ie.microsoft.com(117.18.232.200) robotica.cl(162.241.89.50) 117.18.232.200 1.1.1.1 162.241.89.50
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
52 |
2020-07-20 18:31
|
https://robotica.cl/w3ZunC4T3N... 6186934d6ebcbd2761413698113233cf Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
6
iecvlist.microsoft.com(117.18.232.200) ie9cvlist.ie.microsoft.com(117.18.232.200) robotica.cl(162.241.89.50) 1.1.1.1 117.18.232.200 162.241.89.50
|
3
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
53 |
2020-07-20 22:08
|
http://salesforce-ibmcloud.koz... a4195bdf6d0f782598f69bc40c4d7e50 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
6
http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://salesforce-ibmcloud.kozow.com/dinb/n5ZfororigTi07nAdmv.exe http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:2226628205&cup2hreq=9fa6a99178756f39930792169a297a539150964df3b68b60e055338d9146cedc https://update.googleapis.com/service/update2
|
5
172.217.161.46 185.241.194.126 216.58.197.238 216.58.220.99 59.18.30.143
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
|
|
17.0 |
M |
22 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
54 |
2020-07-20 22:10
|
http://salesforce-ibmcloud.koz... 4a3b3aa0b72d467be7321ceac9d3db92 VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed |
3
http://salesforce-ibmcloud.kozow.com/dinb/iqbtcvforWiTEi.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3879736586&cup2hreq=38573e2bd8d307473452a19c05fd112561639335a4451f1528f0199d3aadc08c
|
5
172.217.161.46 172.217.175.35 185.241.194.126 216.58.197.238 59.18.30.143
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
12.4 |
|
15 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
55 |
2020-07-20 23:31
|
http://124.160.126.238/11.exe 5d2e9716be941d7c77c05947390de736 Malware download VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Tofsee Windows Exploit DNS crashed |
4
http://www.362com.com/Update.txt http://www.362com.com/32.exe http://124.160.126.238/11.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
4
118.45.42.72 124.160.126.238 172.217.161.46 180.96.62.240
|
7
ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE JS/Nemucod.M.gen downloading EXE payload ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Cryptocurrency Miner Checkin
|
|
10.8 |
M |
57 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
56 |
2020-07-20 23:34
|
https://aliyousefpoor.com/wp-a... 51fe38a980f41111074aabdde5ee5124 Dridex VirusTotal Malware Malicious Traffic Tofsee DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3931948972&cup2hreq=5e123fa38a5f0fca8a382a6654ad73525f2788155898562efb0ab9ca0c7b4925
|
4
180.96.62.240 172.217.161.46 216.58.220.99 5.61.27.215
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
2.4 |
M |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
57 |
2020-07-20 23:40
|
https://aliyousefpoor.com/wp-a... 51fe38a980f41111074aabdde5ee5124 VirusTotal Malware Tofsee Windows DNS |
2
http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595255778&mv=m&mvi=4&pl=18&shardbypass=yes
|
4
172.217.161.46 172.217.175.35 172.217.25.238 59.18.30.143
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
|
|
1.6 |
M |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
58 |
2020-07-21 09:14
|
index.doc c703b02e832e614300d89d6ca20ec066 Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS |
1
http://dnamsolutions.com/wp-content/uploads/2020/06/1lysfmz246/
|
5
dnamsolutions.com(3.128.58.81) adealbox.com(45.33.51.129) 1.1.1.1 3.128.58.81 45.33.51.129
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.8 |
|
17 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
59 |
2020-07-21 09:15
|
popopo.png 70a2ed9f2ca011da8aca485e966ec973 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
http://api.ipify.org/ http://ip-api.com/json/ https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:763652607&cup2hreq=f27afa7e7872d311f3a36ceda504c930a64812564d93fe56791a21437a6172ca
|
6
172.217.161.46 172.217.31.163 185.100.86.174 198.54.126.78 208.95.112.1 23.21.213.140
|
5
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com ET POLICY External IP Lookup api.ipify.org SURICATA Applayer Detect protocol only one direction
|
|
15.2 |
M |
28 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
60 |
2020-07-21 09:17
|
index3.doc a738c10344822c4368d7bc1f088a0221 Vulnerability Malware Malicious Traffic unpack itself Tofsee Windows DNS |
4
http://chundubio.com/wkdn/cwwb/ http://124.45.106.173:443/8pajLRHY/ https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3411936393&cup2hreq=43bebfe92b2be2b06049145b360b1fa9b830d808693b08a2e8660eec6cfc2363
|
5
123.254.105.242 124.45.106.173 172.217.161.46 172.217.175.35 23.21.213.140
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY HTTP traffic on port 443 (POST) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP
|
|
3.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|