#8746  2021-06-04 11:37
File: Pb3Setp.exe
MD5: 192157321ae17032b5edee8de07e0e86
Tags: AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder Tofsee Ransomware Windows ComputerName DNS Cryptographic key crashed
URLs (8):
  https://iplogger.org/1jE3z7
  https://iplogger.org/1vjFz7
  https://topnewsdesign.xyz/?user=pb3_1
  https://topnewsdesign.xyz/?user=pb3_2
  https://topnewsdesign.xyz/?user=pb3_3
  https://topnewsdesign.xyz/?user=pb3_4
  https://topnewsdesign.xyz/?user=pb3_5
  https://topnewsdesign.xyz/?user=pb3_6
Hosts (7):
  topnewsdesign.xyz(104.21.69.75)
  iplogger.org(88.99.66.31) - malicious
  brershrowal.xyz(45.93.6.203)
  88.99.66.31 - malicious
  194.5.98.144
  45.93.6.203
  104.21.69.75
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 15.4 | M | 28 | ZeroCERT
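The listing renders each record's URL and host fields as one run-together string, with hosts written as domain(ip) or a bare address and a verdict attached with " - " (spelled "mailcious" throughout). The following Python is an added example, not code from this sandbox or its operators; it turns those fields into deduplicated, defanged indicators, checks the printed count against what was actually exported (records 8749 and 8751 declare one URL but show none), and down-weights the SSLBL Tofsee JA3 alert, which fires on every record on this page including the Google Update download in 8748 and the macro documents, so it carries no weight on its own. The sample strings are copied from record 8746; the field labels, Host type and LOW_WEIGHT_ALERTS set are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed input: the URL, host and alert fields of record 8746 exactly as the
# listing renders them (entries run together with spaces, verdicts attached with " - ").
URLS_8746 = (
    "https://iplogger.org/1jE3z7 https://iplogger.org/1vjFz7 "
    "https://topnewsdesign.xyz/?user=pb3_1 https://topnewsdesign.xyz/?user=pb3_2 "
    "https://topnewsdesign.xyz/?user=pb3_3 https://topnewsdesign.xyz/?user=pb3_4 "
    "https://topnewsdesign.xyz/?user=pb3_5 https://topnewsdesign.xyz/?user=pb3_6"
)
HOSTS_8746 = (
    "topnewsdesign.xyz(104.21.69.75) iplogger.org(88.99.66.31) - mailcious "
    "brershrowal.xyz(45.93.6.203) 88.99.66.31 - mailcious 194.5.98.144 "
    "45.93.6.203 104.21.69.75"
)
ALERTS_8746 = ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# A host entry is either "name(ip)" or a bare IPv4 address; entries never contain spaces.
ENTRY_RE = re.compile(rf"(?P<name>[^\s()]+)\((?P<ip>{IPV4})\)|(?P<bare>{IPV4})")
# The listing's verdict labels, with its recurring misspelling normalised.
LABEL_FIX = {"mailcious": "malicious"}
# Present on every record of this listing, benign downloads included, so it is
# treated as noise rather than as evidence about the sample (assumption of this example).
LOW_WEIGHT_ALERTS = {"SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"}


@dataclass
class Host:
    name: str            # domain, or the address itself for a bare-IP entry
    ip: str
    label: Optional[str] = None


def parse_hosts(text: str) -> List[Host]:
    """Split a host field (space- or newline-joined) into Host entries."""
    hosts: List[Host] = []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and hosts and i + 1 < len(tokens):
            # " - label" belongs to the entry just parsed
            hosts[-1].label = LABEL_FIX.get(tokens[i + 1], tokens[i + 1])
            i += 2
            continue
        m = ENTRY_RE.fullmatch(tok)
        if m is None:
            raise ValueError(f"unrecognised host entry: {tok!r}")
        if m.group("bare"):
            hosts.append(Host(m.group("bare"), m.group("bare")))
        else:
            hosts.append(Host(m.group("name").lower(), m.group("ip")))
        i += 1
    return hosts


def build_iocs(urls_text: str, hosts_text: str) -> Dict[str, List[str]]:
    """Collapse the URL and host fields into deduplicated URL / domain / IP sets."""
    urls = sorted(set(urls_text.split()))
    domains, ips, flagged = set(), set(), set()
    for u in urls:
        h = urlsplit(u).hostname
        if h:
            (ips if re.fullmatch(IPV4, h) else domains).add(h.lower())
    for host in parse_hosts(hosts_text):
        ips.add(host.ip)
        if host.name != host.ip:
            domains.add(host.name)
        if host.label:
            flagged.add(f"{host.name} ({host.label})")
    return {"urls": urls, "domains": sorted(domains), "ips": sorted(ips),
            "flagged": sorted(flagged)}


def counts_match(declared: int, items: List) -> bool:
    """The listing prints a count above each field; compare it to catch truncated exports."""
    return declared == len(items)


def strong_alerts(alerts: List[str]) -> List[str]:
    """Drop alerts that fire on everything and so cannot separate samples."""
    return [a for a in alerts if a not in LOW_WEIGHT_ALERTS]


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a ticket or chat."""
    return re.sub(r"^http", "hxxp", ioc).replace(".", "[.]")


if __name__ == "__main__":
    iocs = build_iocs(URLS_8746, HOSTS_8746)
    print("declared counts match:", counts_match(8, iocs["urls"]),
          counts_match(7, parse_hosts(HOSTS_8746)))
    for kind in ("domains", "ips"):
        for ioc in iocs[kind]:
            print(kind, defang(ioc))
    print("flagged by the sandbox:", iocs["flagged"])
    print("alerts worth weighting:", strong_alerts(ALERTS_8746))
```

parse_hosts accepts the one-entry-per-line layout as well as the space-joined one, so the same code covers the longer host lists of the macro-document records. Pivoting on the IP sets is where this pays off: 194.5.98.144 appears as a bare address in 8746 and as the resolution of four dynamic-DNS hostnames in 8747, which the raw listing does not make visible.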
#8747  2021-06-04 11:35
File: vbc.exe
MD5: a24fc1476d5da0d06ebcb6924a02bb18
Tags: AsyncRAT backdoor PWS .NET framework Ave Maria WARZONE RAT RemcosRAT Admin Tool (Sysinternals Devolutions inc) DNS Sniff Audio KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check GIF Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces AppData folder AntiVM_Disk VM Disk Size Check human activity check Tofsee Windows ComputerName DNS Cryptographic key DDNS keylogger
URLs (2):
  http://www.iptrackeronline.com/
  https://www.iptrackeronline.com/
Hosts (11):
  www.google.com(216.58.197.228)
  seencroundercontroller.webredirect.org(194.5.98.144)
  www.iptrackeronline.com(104.26.1.222)
  multipleentry90dayscontroller.homingbeacon.net(194.5.98.144)
  safeduringthecoronavirus.duckdns.org(194.5.98.144)
  bressonseencrounder.mangospot.net(194.5.98.144)
  104.26.0.222
  142.250.66.132
  13.107.21.200
  142.250.66.68
  194.5.98.144
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Score: 16.2 | M | 22 | ZeroCERT
#8748  2021-06-03 21:23
File: ETC2.exe
MD5: 340fc80338a3c3c557374768a228a1e6
Tags: PE File PE64 VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger unpack itself Tofsee Windows DNS
URLs (4):
  http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1622722580&mv=m&mvi=2&pl=18&rmhost=r6---sn-3u-bh2z7.gvt1.com&shardbypass=yes&smhost=r6---sn-3u-bh2sy.gvt1.com
  http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
  https://update.googleapis.com/service/update2
  https://update.googleapis.com/service/update2?cup2key=10:2447884964&cup2hreq=a27df1d7403d37620c0c0dbf011f52828841c05d16d94ef1dc6b40b7e9cf943f
Hosts (2):
  r2---sn-3u-bh2z7.gvt1.com(211.114.66.77)
  211.114.66.77
Alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 4.4 | M | 40 | ZeroCERT
#8749  2021-06-03 21:09
File: moimoi.exe
MD5: 46eadea2077db56d94566a6c8b7d45c2
Tags: AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed
URLs (1):
  (none listed)
Hosts (3):
  www.google.com(172.217.161.36)
  13.107.21.200
  216.58.200.68
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 11.4 | M | 20 | ZeroCERT
#8750  2021-06-03 21:04
File: maxfrnd.exe
MD5: 5d740968b96798cd1db3fdd4d9b18427
Tags: PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(172.67.188.154)
  checkip.dyndns.org(216.146.43.70)
  216.146.43.71
  172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 14.6 | M | 44 | ZeroCERT
#8751  2021-06-03 20:58
File: petoncode.exe
MD5: 7c47f30bcdb61dada53d87ff5c73115e
Tags: AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS crashed
URLs (1):
  (none listed)
Hosts (3):
  www.google.com(172.217.161.36)
  142.250.204.100
  13.107.21.200
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 11.6 | M | 38 | ZeroCERT
#8752  2021-06-03 20:55
File: Inv%2004256248.xls
MD5: 10a6370bb359ff9f3a595c3ad389222c
Tags: VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee
URLs (10):
  https://tineo.gal/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/Installers/lSNBjeKdHn.php
  https://srivinaysalian.com/wp-content/plugins/catch-instagram-feed-gallery-widget/public/css/jYfe4b9imB.php
  https://Abidshakir.co.uk/wp-content/plugins/elementor/includes/admin-templates/22VemIrdTrquwKE.php
  https://ootashop.com/catalog/language/ar/extension/captcha/Iz40CaCFx.php
  https://vitiligomatch.com/wpvitiligomatch/wp-includes/css/dist/block-directory/QaLUIUkxomX.php
  https://thelottery.io/wp-content/themes/twentytwentyone/template-parts/content/Dxpzq4NTGh.php
  https://kweraltd.com/wp-content/plugins/woocommerce-delivery-notes/includes/component/u63R84hM.php
  https://labrie-sabette.com/wp-includes/sodium_compat/namespaced/Core/ChaCha20/gp5yHrBp.php
  https://menuiserie-lemoine.bzh/wp-content/themes/twentynineteen/template-parts/content/x0XxEHWGdeyPBEj.php
  https://shantijoseph.com/wp-content/themes/twentyseventeen/template-parts/footer/RSMMlevr.php
Hosts (20):
  kweraltd.com(54.39.133.15) - malicious
  ootashop.com(199.188.205.57) - malicious
  labrie-sabette.com(173.230.252.50) - malicious
  thelottery.io(138.68.242.172) - malicious
  menuiserie-lemoine.bzh(188.165.53.185) - malicious
  shantijoseph.com(87.247.240.31) - malicious
  vitiligomatch.com(192.185.16.122) - malicious
  srivinaysalian.com(216.37.42.46) - malicious
  abidshakir.co.uk(62.171.164.209) - malicious
  tineo.gal(82.98.169.3) - malicious
  192.185.16.122 - malicious
  188.165.53.185 - malicious
  216.37.42.46 - malicious
  82.98.169.3 - malicious
  87.247.240.31 - malicious
  54.39.133.15 - malicious
  138.68.242.172 - malicious
  173.230.252.50 - malicious
  199.188.205.57 - malicious
  62.171.164.209 - malicious
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
Score: 3.2 | M | 21 | ZeroCERT
#8753  2021-06-03 09:19
File: PO 825468.xls
MD5: d24d609e6ac612f69030bfc3695e6aad
Tags: VBA_macro Malicious Packer MSOffice File VirusTotal Malware unpack itself Tofsee
URLs (4):
  https://sunshineserviceproviders.com/wp-content/plugins/w2dc/templates/categories/WS3E2S2dTX7hx.php
  https://bwcreativestudio.com/blog/wp-includes/js/jquery/ui/PrEe0VE6BJ0CD.php
  https://arboretsens72.fr/wp-content/themes/twentyseventeen/template-parts/footer/X8FJlzkyXi8ixjn.php
  https://zabalit.com/wp-content/plugins/wordpress-seo/css/dist/3IR10ztB.php
Hosts (8):
  bwcreativestudio.com(51.79.223.113)
  sunshineserviceproviders.com(192.185.145.128)
  zabalit.com(82.223.12.53)
  arboretsens72.fr(5.135.136.199)
  82.223.12.53
  51.79.223.113
  5.135.136.199
  192.185.145.128
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 5.0 | (empty) | 22 | ZeroCERT
#8754  2021-06-02 18:11
File: file16.exe
MD5: 71be6ce9458398183d7664cc8e4edc51
Tags: AsyncRAT backdoor PWS .NET framework BitCoin Admin Tool (Sysinternals Devolutions inc) Anti_VM AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed
URLs (2):
  http://elaselorol.xyz//
  https://api.ip.sb/geoip
Hosts (4):
  api.ip.sb(104.26.12.31)
  elaselorol.xyz(195.123.221.46)
  195.123.221.46
  172.67.75.172
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 11.8 | (empty) | 16 | ZeroCERT
#8755  2021-06-02 18:04
File: sg-3nlJH.exe
MD5: 41a5ea7052e4e49b5f159511f4f3a1ec
Tags: AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app(104.21.19.200)
  checkip.dyndns.org(216.146.43.71)
  216.146.43.70 - suspicious
  172.67.188.154
Alerts (4):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
Score: 13.2 | M | 28 | ZeroCERT
#8756  2021-06-02 18:00
File: file15.exe
MD5: f503a51d3f5c1b15602ca18e145ea7c6
Tags: AsyncRAT backdoor Gen1 Gen2 Malicious Packer Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS
URLs (4):
  http://34.105.230.174/
  http://34.105.230.174//l/f/GFLvy3kBuI_ccNKogOz6/02fba16e593aeafa8ca627e981f73bd22cefc7a3
  http://34.105.230.174//l/f/GFLvy3kBuI_ccNKogOz6/a280620c863d7ffc3144795ab2accf7dfb84515d
  https://tttttt.me/h_manchik_1
Hosts (3):
  tttttt.me(95.216.186.40) - malicious
  34.105.230.174
  95.216.186.40 - malicious
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Score: 15.0 | M | 24 | ZeroCERT
#8757  2021-06-02 17:59
File: file17.exe
MD5: f75e65cf6b796abc480ed75fcbef0552
Tags: PWS .NET framework Admin Tool (Sysinternals Devolutions inc) Http API Steal credential ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Tofsee Windows Cryptographic key
URLs (1):
  https://tttttt.me/h_manchik_1
Hosts (2):
  tttttt.me(95.216.186.40) - malicious
  95.216.186.40 - malicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 8.0 | M | 26 | ZeroCERT
#8758  2021-06-02 16:27
File: http://chek.zennolab.com/proxy...
MD5: b6dc5502b3a9e484f096210896f467f5
Tags: AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (2):
  http://chek.zennolab.com/proxy.php
  http://chek.zennolab.com/favicon.ico
Hosts (2):
  chek.zennolab.com(37.1.223.41)
  37.1.223.41
Alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Score: 4.2 | (empty) | (empty) | 조광섭
#8759  2021-06-02 14:23
File: Inv 272590.doc
MD5: 8566c9b1e8b18b0f23cf21ca5f2d5daf
Tags: VBA_macro MSOffice File Vulnerability VirusTotal Malware Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName crashed
URLs (9):
  https://resaltodigital.com/wp-content/uploads/jupiterx/compiler/jupiterx/qwrSrMZN.php
  https://tkswift.com/well-known/pki-validation/c/i/a/Iyv91q8QlxVQGfh.php
  https://rockconsultllc.com/Malik2/wp-content/plugins/bluehost-wordpress-plugin/build/KhPxqrfzEA.php
  https://stskleen.com.au/wp-content/plugins/woocommerce-services/dist/chunks/CaUGJzgC.php
  https://brandvoxtech.com/wp-content/plugins/premium-addons-for-elementor/widgets/dep/DPOySTqLqjmhG.php
  https://pillsdaddy.com/wp-includes/js/tinymce/themes/inlite/vyQ9P2Q9.php
  https://indiaudyogmart.com/public/lte/plugins/ckeditor/adapters/E9HENiTTi0Z.php
  https://reachmedical.in/changes/uploads/file_format/5vixBSDMmITU.php
  https://brasilvioleiro.com.br/wp-content/cache/object/e3c/9ab/rSpBh8UHQx8r.php
Hosts (18):
  brandvoxtech.com(162.241.123.29)
  brasilvioleiro.com.br(104.21.23.96)
  pillsdaddy.com(198.54.115.156)
  tkswift.com(108.170.13.242)
  rockconsultllc.com(162.241.244.67) - malicious
  resaltodigital.com(160.153.133.162)
  indiaudyogmart.com(167.86.75.162)
  stskleen.com.au(198.71.233.109)
  reachmedical.in(142.4.29.146)
  167.86.75.162
  160.153.133.162
  198.54.115.156 - malware
  108.170.13.242
  172.67.210.41
  162.241.244.67 - malicious
  162.241.123.29 - malicious
  198.71.233.109 - malware
  142.4.29.146
Alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 9.2 | (empty) | 23 | ZeroCERT
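The three macro documents on this page (8752, 8753 and 8759) all reach for the same kind of second stage: a PHP script with a random alphanumeric name planted deep inside the plugin, theme, cache or vendored-library directories of an unrelated WordPress or other CMS site. That shape is a usable hunting rule on proxy logs. The Python below is an added example, not code from this sandbox; it scores URLs on the script-name pattern and corroborates with path location and depth. Six sample URLs are copied from the records above, the two example.com URLs are constructed for contrast, and the ASSET_DIRS set, the 8 to 16 character length band and the case-transition thresholds are this example's own assumptions; they will flag some legitimately camel-cased library files, so treat a hit as a lead, not a verdict.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: six URLs copied from records 8752, 8753 and 8759 above, followed
# by two ordinary WordPress URLs that are NOT from the page and exist only to show what
# the rule must leave alone.
SAMPLE_URLS = [
    "https://tineo.gal/wp-content/plugins/wordpress-seo/vendor/composer/installers/tests/Composer/Installers/lSNBjeKdHn.php",
    "https://ootashop.com/catalog/language/ar/extension/captcha/Iz40CaCFx.php",
    "https://labrie-sabette.com/wp-includes/sodium_compat/namespaced/Core/ChaCha20/gp5yHrBp.php",
    "https://bwcreativestudio.com/blog/wp-includes/js/jquery/ui/PrEe0VE6BJ0CD.php",
    "https://tkswift.com/well-known/pki-validation/c/i/a/Iyv91q8QlxVQGfh.php",
    "https://brasilvioleiro.com.br/wp-content/cache/object/e3c/9ab/rSpBh8UHQx8r.php",
    "https://example.com/wp-login.php",              # constructed, benign
    "https://example.com/wp-admin/admin-ajax.php",  # constructed, benign
]

# Directories that normally hold static assets or vendored code; a fresh PHP file in
# one of them is where the scripts above were planted (list is an assumption).
ASSET_DIRS = {"css", "js", "images", "uploads", "cache", "dist", "build", "vendor",
              "tests", "template-parts", "templates", "language", "widgets", "chunks"}
STEM_RE = re.compile(r"^[A-Za-z0-9]{8,16}$")


def case_transitions(s: str) -> int:
    """Count upper/lower switches between adjacent letters; real file names have few."""
    return sum(1 for a, b in zip(s, s[1:])
               if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())


def stem_looks_random(stem: str) -> bool:
    """8-16 alphanumerics, no separators, with mixed case and/or digits: the naming
    pattern every dropper URL on this page shares."""
    if not STEM_RE.fullmatch(stem):
        return False
    has_digit = any(c.isdigit() for c in stem)
    return case_transitions(stem) >= 3 or (has_digit and case_transitions(stem) >= 1)


def assess_url(url: str) -> Dict[str, object]:
    """Return the reasons a URL matches the dropper shape; name shape is decisive,
    location and depth only corroborate."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    reasons: List[str] = []
    if not segments or not segments[-1].lower().endswith(".php"):
        return {"url": url, "suspicious": False, "reasons": reasons}
    stem = segments[-1][:-4]
    dirs = segments[:-1]
    if stem_looks_random(stem):
        reasons.append("random-looking script name")
    if any(d in ASSET_DIRS for d in dirs):
        reasons.append("php under an asset/vendor directory")
    if len(dirs) >= 5:
        reasons.append("unusually deep path")
    return {"url": url, "suspicious": "random-looking script name" in reasons,
            "reasons": reasons}


def hunt(urls: List[str]) -> List[str]:
    """Filter a list of proxy-log URLs down to the ones worth an analyst's time."""
    return [r["url"] for r in map(assess_url, urls) if r["suspicious"]]


if __name__ == "__main__":
    for r in map(assess_url, SAMPLE_URLS):
        print("SUSPECT" if r["suspicious"] else "ok     ",
              urlsplit(r["url"]).hostname, r["reasons"])
```

The alerts on these three records are only TLS handshake failures plus the ubiquitous JA3 hit, which is what a proxy will also see when the planted script has already been cleaned up: the URL shape in the request log is then the only durable artefact, which is why the rule keys on it rather than on the response.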
#8760  2021-06-02 09:23
File: MAERSK INVOICE, BL, & AWB.doc
MD5: 4f9bf95254ac818ee13e8c4915a23aa0
Tags: RTF File doc VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit DNS crashed
URLs (2):
  http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
  https://update.googleapis.com/service/update2?cup2key=10:3327672849&cup2hreq=052f4fe1376d892301ddcc9da78e0130a0d9987d20d1c21c33cdbfabd555c6fb
Hosts (4):
  edgedl.me.gvt1.com(34.104.35.123)
  bit.ly(67.199.248.10) - malicious
  34.104.35.123
  67.199.248.10 - phishing
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Score: 5.2 | M | 21 | ZeroCERT