| 8746 |
2021-06-04 11:37
|
 Pb3Setp.exe 192157321ae17032b5edee8de07e0e86
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Ransomware Windows ComputerName DNS Cryptographic key crashed |
8
https://iplogger.org/1jE3z7
https://iplogger.org/1vjFz7
https://topnewsdesign.xyz/?user=pb3_1
https://topnewsdesign.xyz/?user=pb3_2
https://topnewsdesign.xyz/?user=pb3_3
https://topnewsdesign.xyz/?user=pb3_4
https://topnewsdesign.xyz/?user=pb3_5
https://topnewsdesign.xyz/?user=pb3_6
|
7
topnewsdesign.xyz(104.21.69.75)
iplogger.org(88.99.66.31) - mailcious
brershrowal.xyz(45.93.6.203)
88.99.66.31 - mailcious
194.5.98.144
45.93.6.203
104.21.69.75
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.4 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8747 |
2021-06-04 11:35
|
 vbc.exe a24fc1476d5da0d06ebcb6924a02bb18
AsyncRAT backdoor PWS .NET framework Ave Maria WARZONE RAT RemcosRAT Admin Tool (Sysinternals Devolutions inc) DNS Sniff Audio KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check GIF Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows ComputerName DNS Cryptographic key DDNS keylogger |
2
http://www.iptrackeronline.com/
https://www.iptrackeronline.com/
|
11
www.google.com(216.58.197.228)
seencroundercontroller.webredirect.org(194.5.98.144)
www.iptrackeronline.com(104.26.1.222)
multipleentry90dayscontroller.homingbeacon.net(194.5.98.144)
safeduringthecoronavirus.duckdns.org(194.5.98.144)
bressonseencrounder.mangospot.net(194.5.98.144)
104.26.0.222
142.250.66.132
13.107.21.200
142.250.66.68
194.5.98.144
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
|
|
16.2 |
M |
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8748 |
2021-06-03 21:23
|
 ETC2.exe 340fc80338a3c3c557374768a228a1e6
PE File PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS |
4
http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1622722580&mv=m&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:2447884964&cup2hreq=a27df1d7403d37620c0c0dbf011f52828841c05d16d94ef1dc6b40b7e9cf943f
|
2
r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
211.114.66.77
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
4.4 |
M |
40 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8749 |
2021-06-03 21:09
|
 moimoi.exe 46eadea2077db56d94566a6c8b7d45c2
AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed |
1
|
3
www.google.com(172.217.161.36)
13.107.21.200
216.58.200.68
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.4 |
M |
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8750 |
2021-06-03 21:04
|
 maxfrnd.exe 5d740968b96798cd1db3fdd4d9b18427
PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(216.146.43.70)
216.146.43.71
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
M |
44 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8751 |
2021-06-03 20:58
|
 petoncode.exe 7c47f30bcdb61dada53d87ff5c73115e
AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed |
1
|
3
www.google.com(172.217.161.36)
142.250.204.100
13.107.21.200
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.6 |
M |
38 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8752 |
2021-06-03 20:55
|
 Inv%2004256248.xls 10a6370bb359ff9f3a595c3ad389222c
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
10
https://tineo.gal/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/Installers/lSNBjeKdHn.php
https://srivinaysalian.com/wp-content/plugins/catch-instagram-feed-gallery-widget/public/css/jYfe4b9imB.php
https://Abidshakir.co.uk/wp-content/plugins/elementor/includes/admin-templates/22VemIrdTrquwKE.php
https://ootashop.com/catalog/language/ar/extension/captcha/Iz40CaCFx.php
https://vitiligomatch.com/wpvitiligomatch/wp-includes/css/dist/block-directory/QaLUIUkxomX.php
https://thelottery.io/wp-content/themes/twentytwentyone/template-parts/content/Dxpzq4NTGh.php
https://kweraltd.com/wp-content/plugins/woocommerce-delivery-notes/includes/component/u63R84hM.php
https://labrie-sabette.com/wp-includes/sodium_compat/namespaced/Core/ChaCha20/gp5yHrBp.php
https://menuiserie-lemoine.bzh/wp-content/themes/twentynineteen/template-parts/content/x0XxEHWGdeyPBEj.php
https://shantijoseph.com/wp-content/themes/twentyseventeen/template-parts/footer/RSMMlevr.php
|
20
kweraltd.com(54.39.133.15) - mailcious
ootashop.com(199.188.205.57) - mailcious
labrie-sabette.com(173.230.252.50) - mailcious
thelottery.io(138.68.242.172) - mailcious
menuiserie-lemoine.bzh(188.165.53.185) - mailcious
shantijoseph.com(87.247.240.31) - mailcious
vitiligomatch.com(192.185.16.122) - mailcious
srivinaysalian.com(216.37.42.46) - mailcious
abidshakir.co.uk(62.171.164.209) - mailcious
tineo.gal(82.98.169.3) - mailcious
192.185.16.122 - mailcious
188.165.53.185 - mailcious
216.37.42.46 - mailcious
82.98.169.3 - mailcious
87.247.240.31 - mailcious
54.39.133.15 - mailcious
138.68.242.172 - mailcious
173.230.252.50 - mailcious
199.188.205.57 - mailcious
62.171.164.209 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
|
|
3.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8753 |
2021-06-03 09:19
|
PO 825468.xls d24d609e6ac612f69030bfc3695e6aad
VBA_macro Malicious Packer MSOffice File VirusTotal Malware unpack itself Tofsee |
4
https://sunshineserviceproviders.com/wp-content/plugins/w2dc/templates/categories/WS3E2S2dTX7hx.php
https://bwcreativestudio.com/blog/wp-includes/js/jquery/ui/PrEe0VE6BJ0CD.php
https://arboretsens72.fr/wp-content/themes/twentyseventeen/template-parts/footer/X8FJlzkyXi8ixjn.php
https://zabalit.com/wp-content/plugins/wordpress-seo/css/dist/3IR10ztB.php
|
8
bwcreativestudio.com(51.79.223.113)
sunshineserviceproviders.com(192.185.145.128)
zabalit.com(82.223.12.53)
arboretsens72.fr(5.135.136.199)
82.223.12.53
51.79.223.113
5.135.136.199
192.185.145.128
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8754 |
2021-06-02 18:11
|
 file16.exe 71be6ce9458398183d7664cc8e4edc51
AsyncRAT backdoor PWS .NET framework BitCoin Admin Tool (Sysinternals Devolutions inc) Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
2
http://elaselorol.xyz//
https://api.ip.sb/geoip
|
4
api.ip.sb(104.26.12.31)
elaselorol.xyz(195.123.221.46)
195.123.221.46
172.67.75.172
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
|
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8755 |
2021-06-02 18:04
|
 sg-3nlJH.exe 41a5ea7052e4e49b5f159511f4f3a1ec
AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.71)
216.146.43.70 - suspicious
172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
13.2 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8756 |
2021-06-02 18:00
|
 file15.exe f503a51d3f5c1b15602ca18e145ea7c6
AsyncRAT backdoor Gen1 Gen2 Malicious Packer Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS |
4
http://34.105.230.174/
http://34.105.230.174//l/f/GFLvy3kBuI_ccNKogOz6/02fba16e593aeafa8ca627e981f73bd22cefc7a3
http://34.105.230.174//l/f/GFLvy3kBuI_ccNKogOz6/a280620c863d7ffc3144795ab2accf7dfb84515d
https://tttttt.me/h_manchik_1
|
3
tttttt.me(95.216.186.40) - mailcious
34.105.230.174
95.216.186.40 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
15.0 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8757 |
2021-06-02 17:59
|
 file17.exe f75e65cf6b796abc480ed75fcbef0552
PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows Cryptographic key |
1
https://tttttt.me/h_manchik_1
|
2
tttttt.me(95.216.186.40) - mailcious
95.216.186.40 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8758 |
2021-06-02 16:27
|
http://chek.zennolab.com/proxy... b6dc5502b3a9e484f096210896f467f5
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
2
http://chek.zennolab.com/proxy.php
http://chek.zennolab.com/favicon.ico
|
2
chek.zennolab.com(37.1.223.41)
37.1.223.41
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8759 |
2021-06-02 14:23
|
Inv 272590.doc 8566c9b1e8b18b0f23cf21ca5f2d5daf
VBA_macro MSOffice File Vulnerability VirusTotal Malware Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName crashed |
9
https://resaltodigital.com/wp-content/uploads/jupiterx/compiler/jupiterx/qwrSrMZN.php
https://tkswift.com/well-known/pki-validation/c/i/a/Iyv91q8QlxVQGfh.php
https://rockconsultllc.com/Malik2/wp-content/plugins/bluehost-wordpress-plugin/build/KhPxqrfzEA.php
https://stskleen.com.au/wp-content/plugins/woocommerce-services/dist/chunks/CaUGJzgC.php
https://brandvoxtech.com/wp-content/plugins/premium-addons-for-elementor/widgets/dep/DPOySTqLqjmhG.php
https://pillsdaddy.com/wp-includes/js/tinymce/themes/inlite/vyQ9P2Q9.php
https://indiaudyogmart.com/public/lte/plugins/ckeditor/adapters/E9HENiTTi0Z.php
https://reachmedical.in/changes/uploads/file_format/5vixBSDMmITU.php
https://brasilvioleiro.com.br/wp-content/cache/object/e3c/9ab/rSpBh8UHQx8r.php
|
18
brandvoxtech.com(162.241.123.29)
brasilvioleiro.com.br(104.21.23.96)
pillsdaddy.com(198.54.115.156)
tkswift.com(108.170.13.242)
rockconsultllc.com(162.241.244.67) - mailcious
resaltodigital.com(160.153.133.162)
indiaudyogmart.com(167.86.75.162)
stskleen.com.au(198.71.233.109)
reachmedical.in(142.4.29.146)
167.86.75.162
160.153.133.162
198.54.115.156 - malware
108.170.13.242
172.67.210.41
162.241.244.67 - mailcious
162.241.123.29 - mailcious
198.71.233.109 - malware
142.4.29.146
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.2 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8760 |
2021-06-02 09:23
|
 MAERSK INVOICE, BL, & AWB.doc 4f9bf95254ac818ee13e8c4915a23aa0
RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:3327672849&cup2hreq=052f4fe1376d892301ddcc9da78e0130a0d9987d20d1c21c33cdbfabd555c6fb
|
4
edgedl.me.gvt1.com(34.104.35.123)
bit.ly(67.199.248.10) - mailcious
34.104.35.123
67.199.248.10 - phishing
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|