8731 | 2021-06-08 09:02 | score 5.8 | 20 | by ZeroCERT
Sample: Inv%20799146.xls  MD5 c72b5321c62c54829b3300ee5d9441e1
Tags: VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee Windows crashed
URLs (1):
  https://main.bgsr.site/wp-includes/sodium_compat/src/Core32/ChaCha20/d68Tou3ui1RoUA.php
Hosts (2):
  main.bgsr.site(185.150.189.217)
  185.150.189.217
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8732 | 2021-06-07 17:26 | score 6.2 | M | 48 | by guest
Sample: http://23.95.122.53/imo/ana.ex...  MD5 ed74a72fc3b7510936e9768cbf5d6fca
Tags: AgentTesla Admin Tool (Sysinternals Devolutions inc) Anti_VM Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P Malware download VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed Downloader
URLs: none
Hosts (1): none listed
IDS alerts (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8733 | 2021-06-06 21:56 | score 8.8 | M | 32 | by ZeroCERT
Sample: d.exe  MD5 95fae5e8246bec2a2c04a331da6950b5
Tags: AntiDebug AntiVM PE File .NET EXE PE32 Malware download AsyncRAT Dridex NetWireRC TrickBot VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Kovter DNS crashed
URLs: none
Hosts (2):
  142.4.200.50
  217.182.169.148 - malicious
IDS alerts (2):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

8734 | 2021-06-06 21:47 | score 14.6 | 44 | by ZeroCERT
Sample: update.exe  MD5 a3b54783fd619282ff712dc6e3c6b197
Tags: DNS Socket Create Service Escalate privileges KeyLogger Code injection ScreenShot BitCoin AntiDebug AntiVM PE File PE64 VirusTotal Cryptocurrency Miner Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Windows ComputerName Firmware DNS CoinMiner
URLs: none
Hosts (2):
  pastebin.com(104.23.98.190) - malicious
  104.23.98.190 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)

8735 | 2021-06-05 12:41 | score 5.8 | by guest
Sample: http://111.251.36.166
Tags: AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs: none
Hosts (1): none listed
IDS alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8736 | 2021-06-05 10:51 | score 10.8 | M | 50 | by ZeroCERT
Sample: svchost.exe  MD5 c1e7cb2700292ecd0bc4f4b1d718853d
Tags: DNS Socket Code injection ScreenShot AntiDebug AntiVM PE File PE32 VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Tofsee Windows ComputerName keylogger
URLs: none
Hosts (2):
  irc.service-exec.net(195.133.40.24) - malware
  195.133.40.24 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8737 | 2021-06-05 06:33 | score 5.2 | by guest
Sample: http://114.47.80.66:60/  MD5 5d366dadccfd1a925723ce2afbcffbf6
Tags: AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File JPEG Format Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (8):
  http://114.47.80.66:60/img/1_01.jpg
  http://114.47.80.66:60/css/bootstrap.min.css
  http://114.47.80.66:60/js/bootstrap.min.js
  http://lib.sinaapp.com/js/jquery/1.8.3/jquery.min.js
  http://114.47.80.66:60/
  http://114.47.80.66:60/img/1_02.jpg
  http://114.47.80.66:60/favicon.ico
  http://114.47.80.66:60/css/style.css
Hosts (3):
  lib.sinaapp.com(183.60.187.57)
  183.60.187.58 - malware
  114.47.80.66
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure

8738 | 2021-06-04 18:30 | score 24.6 | M | 22 | by ZeroCERT
Sample: zxcvb.exe  MD5 e02ae8a88df1daa8a2cf8af319a386e3
Tags: PWS Loki[b] Loki[m] AgentTesla AsyncRAT backdoor Gen1 Gen2 browser info stealer Google Chrome User Data Malicious Packer Antivirus DNS Socket HTTP KeyLogger Http API Internet API ScreenShot DGA Create Service Sniff Audio Escalate privileges FTP Code Malware download ENERGETIC BEAR VirusTotal Email Client Info Stealer Malware powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed Downloader
URLs (17):
  http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/cc8a94f61ad1ac31ed9d2c0f0fef1ca23f6e10e5
  http://veronika.ac.ug/index.php
  http://veronikaa.ac.ug/softokn3.dll
  http://veronikaa.ac.ug/sqlite3.dll
  http://veronikaa.ac.ug/freebl3.dll
  http://34.88.140.135/
  http://185.215.113.77/axcxcvhgfc.exe
  http://185.215.113.77/ac.exe
  http://185.215.113.77/oxcxcvhgfc.exe
  http://185.215.113.77/rc.exe
  http://185.215.113.77/ds1.exe
  http://185.215.113.77/ds2.exe
  http://185.215.113.77/cc.exe
  http://34.88.140.135//l/f/L1VU1nkBuI_ccNKoeTXp/60386bf3c5b2b54595947b12ff770ab9abe3aa9a
  https://tttttt.me/brikitiki
  https://cdn.discordapp.com/attachments/720918485122940978/850158871501602823/Cdfyxciknlozqdclvjieazyvhyfqdvt
  https://cdn.discordapp.com/attachments/720918485122940978/850158270907678730/Xypgtvglqrlgdvgezyimsisukuqhicz
Hosts (11):
  brudfascaqezd.ac.ug() - malicious
  tttttt.me(95.216.186.40) - malicious
  cdn.discordapp.com(162.159.129.233) - malware
  nothinglike.ac.ug(79.134.225.25) - malicious
  veronikaa.ac.ug(185.215.113.77) - malicious
  veronika.ac.ug(185.215.113.77) - malware
  34.88.140.135
  95.216.186.40 - malicious
  162.159.130.233 - malware
  79.134.225.25
  185.215.113.77 - malware
IDS alerts (7):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

8739 | 2021-06-04 18:14 | score 9.2 | M | by ZeroCERT
Sample: cc.exe  MD5 a366fb953227608061d99b578d6a31c1
Tags: AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM PE File PE32 Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName Remote Code Execution
URLs (1):
  https://cdn.discordapp.com/attachments/720918485122940978/850158871501602823/Cdfyxciknlozqdclvjieazyvhyfqdvt
Hosts (2):
  cdn.discordapp.com(162.159.135.233) - malware
  162.159.134.233 - malware
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8740 | 2021-06-04 13:23 | score 12.2 | 14 | by ZeroCERT
Sample: 5.exe  MD5 26c1fa9d93b8875b52d84e0e1b268d3e
Tags: AsyncRAT backdoor BitCoin KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://185.215.113.116:62665/
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb(172.67.75.172)
  185.215.113.116
  172.67.75.172
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
  SURICATA HTTP unable to match response to request

8741 | 2021-06-04 12:12 | score 17.6 | M | 34 | by ZeroCERT
Sample: flashplayer.exe  MD5 c25218fcf7bce8f3b6431d8125e2e898
Tags: AsyncRAT backdoor Emotet Generic Malware VMProtect AntiDebug AntiVM PE File .NET EXE PE32 DLL GIF Format Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW IP Check Tofsee Ransomware Windows Browser DNS Cryptographic key crashed
URLs (8):
  http://ol.gamegame.info/report7.4.php - rule_id: 1518
  http://iw.gamegame.info/report7.4.php - rule_id: 1517
  http://ip-api.com/json/
  http://uyg5wye.2ihsfa.com/api/?sid=225691&key=326f32f218d7def7aba855b5cc3b5918 - rule_id: 1396
  http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396
  http://ip-api.com/json/?fields=8198
  https://iplogger.org/18hh57
  https://www.facebook.com/
Hosts (15):
  www.facebook.com(157.240.215.35)
  email.yg9.me(198.13.62.186) - suspicious
  uyg5wye.2ihsfa.com(88.218.92.148) - malicious
  ol.gamegame.info(104.21.21.221) - malicious
  iplogger.org(88.99.66.31) - malicious
  ip-api.com(208.95.112.1)
  iw.gamegame.info(104.21.21.221) - malicious
  news-systems.xyz() - malicious
  88.99.66.31 - malicious
  208.95.112.1
  172.67.200.215
  104.21.21.221 - malicious
  88.218.92.148 - malware
  157.240.215.35
  198.13.62.186 - suspicious
IDS alerts (3):
  ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
  ET POLICY External IP Lookup ip-api.com
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rules (4):
  http://ol.gamegame.info/report7.4.php
  http://iw.gamegame.info/report7.4.php
  http://uyg5wye.2ihsfa.com/api/
  http://uyg5wye.2ihsfa.com/api/

8742 | 2021-06-04 12:10 | score 12.8 | M | 27 | by ZeroCERT
Sample: file31s.exe  MD5 6a763fac0951021be4b351dddf62bb1d
Tags: PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 MSOffice File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted RWX flags setting unpack itself Windows utilities Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (5):
  http://176.31.56.216:58181/
  https://iplogger.org/12nXi7
  https://iplogger.org/favicon.ico
  https://api.ip.sb/geoip
  https://bitbucket.org/mminminminmin05/testtest/downloads/5.exe
Hosts (7):
  api.ip.sb(104.26.13.31)
  bitbucket.org(104.192.141.1) - malware
  iplogger.org(88.99.66.31) - malicious
  176.31.56.216
  172.67.75.172
  88.99.66.31 - malicious
  104.192.141.1 - malicious
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA HTTP unable to match response to request

8743 | 2021-06-04 12:09 | score 10.0 | M | 43 | by ZeroCERT
Sample: 0b1.exe  MD5 e7287f303c0b70b8f23c67c962a84f81
Tags: AsyncRAT backdoor PWS .NET framework PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows DNS
URLs (1): none listed
Hosts (8):
  www.google.com(172.217.25.68)
  88.99.66.31 - malicious
  208.95.112.1
  172.217.24.68
  88.218.92.148 - malware
  157.240.215.35
  198.13.62.186 - suspicious
  172.217.26.132
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8744 | 2021-06-04 11:40 | score 11.0 | M | 36 | by ZeroCERT
Sample: file32.exe  MD5 5e3c86d15d42bb7d2b0987377d556880
Tags: AsyncRAT backdoor BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows DNS Cryptographic key
URLs (1):
  https://p0.miraimibun.ru/SystemDataSqlClientSqlCachedBuffer70002
Hosts (5):
  cengonic.xyz(83.136.233.220)
  p0.miraimibun.ru(217.107.34.191)
  194.5.97.61
  83.136.233.220
  217.107.34.191 - malicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

8745 | 2021-06-04 11:38 | score 15.2 | 15 | by ZeroCERT
Sample: svch.exe  MD5 38c02aa6d06437949ae91666ffe8cacd
Tags: AsyncRAT backdoor PWS .NET framework Admin Tool (Sysinternals Devolutions inc) DNS Sniff Audio KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder human activity check Tofsee Windows ComputerName DNS Cryptographic key keylogger
URLs (2):
  http://www.iptrackeronline.com/
  https://www.iptrackeronline.com/
Hosts (8):
  www.iptrackeronline.com(104.26.0.222)
  immzonenorthbellmorexxx.mangospot.net(194.5.97.61)
  www.google.com(216.58.197.228)
  142.250.204.36
  194.5.97.61
  13.107.21.200
  104.26.1.222
  142.250.66.100
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

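The host, alert and sample cells in the records above follow a small, regular grammar: hosts appear as "domain(ip)" or a bare IPv4, each optionally followed by " - malware", " - malicious" (spelled "mailcious" by the site) or " - suspicious"; IDS alerts are concatenated, each starting with an ET category, "SSLBL:" or "SURICATA"; the sample cell carries the MD5 between the file name and the tags. The parser below is an added example, not the sandbox's own code. Its input strings are copied from records 8742 and 8738 as constructed samples. The decision to represent a flagged IP by the hostname the listing resolved to it, rather than by the bare IP, is this example's own: several flagged IPs here (Discord CDN, Bitbucket, Cloudflare fronting api.ip.sb and iplogger.org) are shared infrastructure, and blocking them as IPs would hit unrelated traffic.

```python
"""Turn this listing's host, alert and sample cells into structured IOCs (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed input, copied verbatim from records 8742 (sample + hosts) and 8738 (alerts).
SAMPLE_8742 = "file31s.exe 6a763fac0951021be4b351dddf62bb1d PWS .NET framework BitCoin"
HOSTS_8742 = (
    "api.ip.sb(104.26.13.31) bitbucket.org(104.192.141.1) - malware "
    "iplogger.org(88.99.66.31) - mailcious 176.31.56.216 172.67.75.172 "
    "88.99.66.31 - mailcious 104.192.141.1 - mailcious"
)
ALERTS_8738 = (
    "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
    "ET DROP Spamhaus DROP Listed Traffic Inbound group 24 "
    "ET INFO Executable Download from dotted-quad Host "
    "ET POLICY PE EXE or DLL Windows file download HTTP "
    "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download "
    "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response "
    "ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile"
)

# Verdict words the listing appends after " - "; "mailcious" is the site's own spelling.
_LABELS = {"malware": "malware", "malicious": "malicious",
           "mailcious": "malicious", "suspicious": "suspicious"}
# One host entry: "domain(ip)" (ip may be empty) or a bare IPv4, then an optional verdict.
_HOST = re.compile(
    r"(?:(?P<domain>[A-Za-z0-9.-]+)\((?P<paren_ip>[\d.]*)\)"
    r"|(?P<ip>\b\d{1,3}(?:\.\d{1,3}){3}\b))"
    r"(?:\s+-\s+(?P<label>" + "|".join(_LABELS) + r"))?"
)
# Alerts are run together; each new one starts with "ET <CATEGORY> ", "SSLBL: " or "SURICATA ".
_ALERT_BOUNDARY = re.compile(r"\s+(?=ET [A-Z0-9]+ |SSLBL: |SURICATA )")
_MD5 = re.compile(r"\b[0-9a-f]{32}\b")


@dataclass(frozen=True)
class Host:
    domain: Optional[str]
    ip: Optional[str]
    label: Optional[str]  # normalized verdict; None when the listing gave none


def parse_hosts(cell: str) -> List[Host]:
    """Split a host cell into Host entries, normalizing the verdict spelling."""
    out = []
    for m in _HOST.finditer(cell):
        label = _LABELS.get(m.group("label")) if m.group("label") else None
        if m.group("domain") is not None:
            out.append(Host(m.group("domain"), m.group("paren_ip") or None, label))
        else:
            out.append(Host(None, m.group("ip"), label))
    return out


def split_alerts(cell: str) -> List[str]:
    """Split the concatenated IDS-alert cell into individual signature names."""
    return [a for a in _ALERT_BOUNDARY.split(cell.strip()) if a]


def extract_md5(sample_cell: str) -> Optional[str]:
    """Pull the MD5 out of a sample cell of the form "name md5 tags..."."""
    m = _MD5.search(sample_cell)
    return m.group(0) if m else None


def defang(ioc: str) -> str:
    """Make a URL, domain or IP safe to paste into a ticket: hxxps[://]host[.]tld/path."""
    scheme, sep, rest = ioc.partition("://")
    if not sep:
        return ioc.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "[://]" + host.replace(".", "[.]") + slash + path


def blocklist(host_cells: Iterable[str]) -> List[str]:
    """Indicators flagged malware/malicious across records.

    An IP the listing shows a hostname resolving to is emitted as that hostname only
    (this example's choice: shared CDN/hosting IPs should not be blocked wholesale).
    """
    hosts = [h for cell in host_cells for h in parse_hosts(cell)]
    resolved = {h.ip for h in hosts if h.domain and h.ip}
    out = set()
    for h in hosts:
        if h.label not in ("malware", "malicious"):
            continue
        if h.domain:
            out.add(h.domain)
        elif h.ip not in resolved:
            out.add(h.ip)
    return sorted(out)


if __name__ == "__main__":
    print("MD5:", extract_md5(SAMPLE_8742))
    for h in parse_hosts(HOSTS_8742):
        print(h)
    for a in split_alerts(ALERTS_8738):
        print("-", a)
    print("blocklist:", [defang(x) for x in blocklist([HOSTS_8742])])
```

Running it on record 8742 yields a blocklist of bitbucket.org and iplogger.org only: 104.192.141.1 and 88.99.66.31 are flagged too, but both appear in a domain(ip) entry, so the hostname stands in for them. Treat "suspicious" (kept in the parsed verdict but excluded from the blocklist) as a watchlist tier, and block the full download URLs from the URLs column where the host is a file-sharing service.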