| 8731 |
2021-06-08 09:02
|
 Inv%20799146.xls c72b5321c62c54829b3300ee5d9441e1
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee Windows crashed |
1
https://main.bgsr.site/wp-includes/sodium_compat/src/Core32/ChaCha20/d68Tou3ui1RoUA.php
|
2
main.bgsr.site(185.150.189.217)
185.150.189.217
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8732 |
2021-06-07 17:26
|
http://23.95.122.53/imo/ana.ex... ed74a72fc3b7510936e9768cbf5d6fca
AgentTesla Admin Tool (Sysinternals Devolutions inc) Anti_VM Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P Malware download VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader |
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.2 |
M |
48 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8733 |
2021-06-06 21:56
|
 d.exe 95fae5e8246bec2a2c04a331da6950b5
AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Kovter DNS crashed |
|
2
142.4.200.50
217.182.169.148 - mailcious
|
2
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
|
|
8.8 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8734 |
2021-06-06 21:47
|
 update.exe a3b54783fd619282ff712dc6e3c6b197
DNS Socket Create Service Escalate priviledges KeyLogger Code injection ScreenShot BitCoin AntiDebug AntiVM PE File PE64 VirusTotal Cryptocurrency Miner Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName Firmware DNS CoinMiner |
|
2
pastebin.com(104.23.98.190) - mailcious
104.23.98.190 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
|
|
14.6 |
|
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8735 |
2021-06-05 12:41
|
http://111.251.36.166
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
1
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8736 |
2021-06-05 10:51
|
 svchost.exe c1e7cb2700292ecd0bc4f4b1d718853d
DNS Socket Code injection ScreenShot AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Tofsee Windows ComputerName keylogger |
|
2
irc.service-exec.net(195.133.40.24) - malware
195.133.40.24 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.8 |
M |
50 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8737 |
2021-06-05 06:33
|
http://114.47.80.66:60/ 5d366dadccfd1a925723ce2afbcffbf6
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File JPEG Format Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
8
http://114.47.80.66:60/img/1_01.jpg
http://114.47.80.66:60/css/bootstrap.min.css
http://114.47.80.66:60/js/bootstrap.min.js
http://lib.sinaapp.com/js/jquery/1.8.3/jquery.min.js
http://114.47.80.66:60/
http://114.47.80.66:60/img/1_02.jpg
http://114.47.80.66:60/favicon.ico
http://114.47.80.66:60/css/style.css
|
3
lib.sinaapp.com(183.60.187.57)
183.60.187.58 - malware
114.47.80.66
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8738 |
2021-06-04 18:30
|
 zxcvb.exe e02ae8a88df1daa8a2cf8af319a386e3
PWS Loki[b] Loki[m] AgentTesla AsyncRAT backdoor Gen1 Gen2 browser info stealer Google Chrome User Data Malicious Packer Antivirus DNS Socket HTTP KeyLogger Http API Internet API ScreenShot DGA Create Service Sniff Audio Escalate priviledges FTP Code Malware download ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed Downloader |
17
http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/cc8a94f61ad1ac31ed9d2c0f0fef1ca23f6e10e5
http://veronika.ac.ug/index.php
http://veronikaa.ac.ug/softokn3.dll
http://veronikaa.ac.ug/sqlite3.dll
http://veronikaa.ac.ug/freebl3.dll
http://34.88.140.135/
http://185.215.113.77/axcxcvhgfc.exe
http://185.215.113.77/ac.exe
http://185.215.113.77/oxcxcvhgfc.exe
http://185.215.113.77/rc.exe
http://185.215.113.77/ds1.exe
http://185.215.113.77/ds2.exe
http://185.215.113.77/cc.exe
http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/60386bf3c5b2b54595947b12ff770ab9abe3aa9a
https://tttttt.me/brikitiki
https://cdn.discordapp.com/attachments/720918485122940978/850158871501602823/Cdfyxciknlozqdclvjieazyvhyfqdvt
https://cdn.discordapp.com/attachments/720918485122940978/850158270907678730/Xypgtvglqrlgdvgezyimsisukuqhicz
|
11
brudfascaqezd.ac.ug() - mailcious
tttttt.me(95.216.186.40) - mailcious
cdn.discordapp.com(162.159.129.233) - malware
nothinglike.ac.ug(79.134.225.25) - mailcious
veronikaa.ac.ug(185.215.113.77) - mailcious
veronika.ac.ug(185.215.113.77) - malware
34.88.140.135
95.216.186.40 - mailcious
162.159.130.233 - malware
79.134.225.25
185.215.113.77 - malware
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
24.6 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8739 |
2021-06-04 18:14
|
 cc.exe a366fb953227608061d99b578d6a31c1
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM PE File PE32 Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution |
1
https://cdn.discordapp.com/attachments/720918485122940978/850158871501602823/Cdfyxciknlozqdclvjieazyvhyfqdvt
|
2
cdn.discordapp.com(162.159.135.233) - malware
162.159.134.233 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8740 |
2021-06-04 13:23
|
 5.exe 26c1fa9d93b8875b52d84e0e1b268d3e
AsyncRAT backdoor BitCoin KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.215.113.116:62665/
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
185.215.113.116
172.67.75.172
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
SURICATA HTTP unable to match response to request
|
|
12.2 |
|
14 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8741 |
2021-06-04 12:12
|
 flashplayer.exe c25218fcf7bce8f3b6431d8125e2e898
AsyncRAT backdoor Emotet Generic Malware VMProtect AntiDebug AntiVM PE File .NET EXE PE32 DLL GIF Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW IP Check Tofsee Ransomware Windows Browser DNS Cryptographic key crashed |
8
http://ol.gamegame.info/report7.4.php - rule_id: 1518
http://iw.gamegame.info/report7.4.php - rule_id: 1517
http://ip-api.com/json/
http://uyg5wye.2ihsfa.com/api/?sid=225691&key=326f32f218d7def7aba855b5cc3b5918 - rule_id: 1396
http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
http://ip-api.com/json/?fields=8198
https://iplogger.org/18hh57
https://www.facebook.com/
|
15
www.facebook.com(157.240.215.35)
email.yg9.me(198.13.62.186) - suspicious
uyg5wye.2ihsfa.com(88.218.92.148) - mailcious
ol.gamegame.info(104.21.21.221) - mailcious
iplogger.org(88.99.66.31) - mailcious
ip-api.com(208.95.112.1)
iw.gamegame.info(104.21.21.221) - mailcious
news-systems.xyz() - mailcious
88.99.66.31 - mailcious
208.95.112.1
172.67.200.215
104.21.21.221 - mailcious
88.218.92.148 - malware
157.240.215.35
198.13.62.186 - suspicious
|
3
ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
ET POLICY External IP Lookup ip-api.com
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
4
http://ol.gamegame.info/report7.4.php
http://iw.gamegame.info/report7.4.php
http://uyg5wye.2ihsfa.com/api/
http://uyg5wye.2ihsfa.com/api/
|
17.6 |
M |
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8742 |
2021-06-04 12:10
|
 file31s.exe 6a763fac0951021be4b351dddf62bb1d
PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 MSOffice File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
5
http://176.31.56.216:58181/
https://iplogger.org/12nXi7
https://iplogger.org/favicon.ico
https://api.ip.sb/geoip
https://bitbucket.org/mminminminmin05/testtest/downloads/5.exe
|
7
api.ip.sb(104.26.13.31)
bitbucket.org(104.192.141.1) - malware
iplogger.org(88.99.66.31) - mailcious
176.31.56.216
172.67.75.172
88.99.66.31 - mailcious
104.192.141.1 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA HTTP unable to match response to request
|
|
12.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8743 |
2021-06-04 12:09
|
 0b1.exe e7287f303c0b70b8f23c67c962a84f81
AsyncRAT backdoor PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows DNS |
1
|
8
www.google.com(172.217.25.68)
88.99.66.31 - mailcious
208.95.112.1
172.217.24.68
88.218.92.148 - malware
157.240.215.35
198.13.62.186 - suspicious
172.217.26.132
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
43 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8744 |
2021-06-04 11:40
|
 file32.exe 5e3c86d15d42bb7d2b0987377d556880
AsyncRAT backdoor BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key |
1
https://p0.miraimibun.ru/SystemDataSqlClientSqlCachedBuffer70002
|
5
cengonic.xyz(83.136.233.220)
p0.miraimibun.ru(217.107.34.191)
194.5.97.61
83.136.233.220
217.107.34.191 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.0 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8745 |
2021-06-04 11:38
|
 svch.exe 38c02aa6d06437949ae91666ffe8cacd
AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) DNS Sniff Audio KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder human activity check Tofsee Windows ComputerName DNS Cryptographic key keylogger |
2
http://www.iptrackeronline.com/
https://www.iptrackeronline.com/
|
8
www.iptrackeronline.com(104.26.0.222)
immzonenorthbellmorexxx.mangospot.net(194.5.97.61)
www.google.com(216.58.197.228)
142.250.204.36
194.5.97.61
13.107.21.200
104.26.1.222
142.250.66.100
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.2 |
|
15 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|