8761 | 2021-06-01 17:20
info_10621.xlsb 4567910e5ab113f08eb7edd48152074b Gen1 Gen2 PE File DLL OS Processor Check PE32 VirusTotal Malware MachineGuid Check memory Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName crashed |
2
http://authd.feronok.com/Y_2Bxq_2FCq_2/F7MtFfN9/OaOiUxVKaMBar_2Bwadu9JI/5f2JIT1R6z/wqyp5OYH26_2FCxoz/4cOT1gafxSEk/1G5XsW988_2/BjdSRlF7L4UAwI/jcsnuDJ33Fm5LZiPOHvvA/PAjjFqU39DDThmrZ/eR22M_2Fe0ePvSa/5l4TtOyHif5dcS9VgY/EtNp35w6x/i4xoaI04WasHjLAOvTF6/tc4VmpY6u_2F8heA9cW/KMPn27BMSv_2B3g7Hp4Ztp/SRUmhDBdfjn5m/rRGd_2Bb/Kx_2FAWnV71TDHDIMbMeb_2/BNfwSQhYk9/_2Fu_2BOoxOVDOIkf/D2gC2K1i https://megoseri.com/app.dll
4
authd.feronok.com(35.199.86.111) megoseri.com(146.0.72.81) 146.0.72.81 35.199.86.111
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.8 | 12 | ZeroCERT
8762 | 2021-06-01 17:04
consoleapp5a.exe 0ffde20bbcf9388a2b446c90222ac410 AsyncRAT backdoor AntiDebug AntiVM PE File .NET EXE PE32 Dridex TrickBot VirusTotal Malware Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Kovter Windows DNS crashed |
1
https://cdn.discordapp.com/attachments/844641656991907850/846437254331367444/ClassLibrary1.dll - rule_id: 1685
3
cdn.discordapp.com(162.159.134.233) - malware 185.157.161.205 162.159.130.233 - malware
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
1
https://cdn.discordapp.com/attachments/844641656991907850/846437254331367444/ClassLibrary1.dll
12.4 | M | 44 | ZeroCERT
8763 | 2021-06-01 09:37
fsoleApp1.exe b9e9adf06ee8e96deae78c73127ffff6 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 131.186.161.70 104.21.19.200
4
ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.6 | M | 32 | ZeroCERT
8764 | 2021-06-01 09:28
QUAConsoleApp5.exe 51ee29d68a7aefead4a82af353bab78c PWS Loki[b] Loki[m] AsyncRAT backdoor DNS KeyLogger ScreenShot AntiDebug AntiVM PE File .NET EXE PE32 VirusTotal Malware Malicious Traffic IP Check Tofsee |
2
http://ip-api.com/json/ https://cdn.discordapp.com/attachments/844641656991907850/846437254331367444/ClassLibrary1.dll
6
ip-api.com(208.95.112.1) cdn.discordapp.com(162.159.134.233) - malware yz.videomarket.eu(185.157.161.205) - mailcious 208.95.112.1 162.159.129.233 - malware 185.157.161.205
2
ET POLICY External IP Lookup ip-api.com SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.0 | M | 34 | ZeroCERT
8765 | 2021-06-01 09:25
Yx3PBY9RC15I0sLk.jpg.ps1 18fd76d1d31e0833d26a36729842c5f7 Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
2
https://cdn.discordapp.com/attachments/808540577594736675/848370661323702282/firefox.lnk https://cdn.discordapp.com/attachments/808540577594736675/848370352207691826/gO9BxdwXEaBmHAS2.jpg
2
cdn.discordapp.com(162.159.134.233) - malware 162.159.133.233 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | M | 2 | ZeroCERT
8766 | 2021-05-31 18:05
asd80.exe b7c53f778e82c1594d8a1a27ebb65af0 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 162.88.193.70 172.67.188.154
4
ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.4 | 23 | ZeroCERT
8767 | 2021-05-31 11:25
qv55b3lqjXhJQckX.jpg.ps1 6ee03a2d6b4558fa09cdf1e33dcaa897 Antivirus GIF Format VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key |
4
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat - rule_id: 1678 https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk - rule_id: 1677 https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
4
lavishcuisine.com(192.169.204.60) - mailcious cdn.discordapp.com(162.159.134.233) - malware 192.169.204.60 - mailcious 162.159.135.233 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2
https://cdn.discordapp.com/attachments/834258459628535898/846168516519657512/firefox.bat https://cdn.discordapp.com/attachments/834258459628535898/844363329371897866/firefox.lnk
9.4 | 1 | ZeroCERT
8768 | 2021-05-31 09:37
Ls_Droid_v1.1.9.0.exe a1459b6cd648d10da05707b69166d2f6 Anti_VM .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Checks Bios Detects VMWare Check virtual network interfaces VMware anti-virtualization Tofsee Windows Firmware crashed |
1
https://tinywebdb.ls-droid.com/testme.php
3
tinywebdb.ls-droid.com(109.106.250.191) www.ls-droid.com(109.106.250.191) 109.106.250.191 - malware
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | M | 31 | ZeroCERT
8769 | 2021-05-28 08:28
covid.exe 5bcb9ac769b8c069e202b42b16773af7 Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2?cup2key=10:2210899602&cup2hreq=4af8a317c8f3b4f0e5cc0232ccdfe81ee58927156e4e3612666c5b15dbc1ee68
6
edgedl.me.gvt1.com(34.104.35.123) wekeepworking.sytes.net(185.140.53.40) - mailcious 34.104.35.123 142.250.66.99 211.114.66.77 185.140.53.40 - mailcious
4
ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
16.6 | 21 | ZeroCERT
8770 | 2021-05-28 08:26
seleja.exe 38976248b5751e588795a5c9c4ca0327 PE File OS Processor Check PE32 VirusTotal Malware PDB Malicious Traffic unpack itself Tofsee Windows DNS crashed |
3
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe http://r2---sn-3u-bh2z7.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=175.208.134.150&mm=28&mn=sn-3u-bh2z7&ms=nvh&mt=1622157617&mv=m&mvi=2&pl=18&shardbypass=yes https://update.googleapis.com/service/update2?cup2key=10:1895035685&cup2hreq=72915f2a185bd04d4a4507b96e78435e1e4d450e3fccbcf7802dca34e4dee720
2
r2---sn-3u-bh2z7.gvt1.com(211.114.66.77) 211.114.66.77
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | 18 | ZeroCERT
8771 | 2021-05-28 08:22
Delivery Order 92281186.xls 7967d491dfb9148f1bb51cdb3acedbab VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
10
20
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
1
https://surustore.com/image/cache/catalog/demo/banners/h0dD8T2aNRz.php
3.8 | M | 20 | ZeroCERT
8772 | 2021-05-28 08:22
test.exe 0e24059570f9655711ba4454c21c9e2e AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows |
1
http://vunachiimpex.xyz/buta/vuga.exe
4
vunachiimpex.xyz() - malware
ieaspk.com(67.220.184.98) - mailcious 185.239.243.112 - malware
67.220.184.98 - malware
8
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET HUNTING Request to .XYZ Domain with Minimal Headers ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3.2 | M | 25 | ZeroCERT
8773 | 2021-05-28 08:21
file3.exe 4fbb9246662af8c36caf102eccf4bff0 AsyncRAT backdoor BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.244.181.187:57969// https://api.ip.sb/geoip
3
api.ip.sb(104.26.13.31) 185.244.181.187 104.26.13.31
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
12.4 | 8 | ZeroCERT
8774 | 2021-05-28 08:09
ConsoleApp10.exe d2470e33e04e12bdc2acf475f40da080 AsyncRAT backdoor PWS .NET framework SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4
freegeoip.app(104.21.19.200) checkip.dyndns.org(162.88.193.70) 131.186.113.70 104.21.19.200
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY DynDNS CheckIp External IP Address Server Response
9.6 | 33 | ZeroCERT
8775 | 2021-05-27 17:42
relese.exe 67c0f9f7a63db607929cfbae83442911 AsyncRAT backdoor NPKI Gen2 AntiDebug AntiVM PE File OS Processor Check PE32 DLL .NET DLL PNG Format JPEG Format MSOffice File .NET EXE PE64 VirusTotal Malware PDB Code Injection buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit Remote Code Execution DNS crashed |
3
http://cacerts.digicert.com/DigiCertGlobalRootG2.crt http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.6.1&processName=Svc_host.exe&platform=0009&osver=5&isServer=0 https://go.microsoft.com/fwlink/?linkid=850289&tfm=.NETFramework,Version=v4.6.1&processName=Svc_host.exe&platform=0009&osver=5&isServer=0
5
cacerts.digicert.com(104.18.10.39) dotnet.microsoft.com(13.107.213.49) 104.18.11.39 13.107.246.49 104.18.10.39
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.6 | 48 | ZeroCERT