8776 |
2021-05-27 10:27
|
AwSetp.exe 77a3dd75a7400c15f9a95929f2f76df6 AsyncRAT backdoor Gen1 .NET EXE PE File PE32 DLL OS Processor Check Browser Info Stealer FTP Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Ransomware Windows Browser ComputerName Software crashed |
11
https://iplogger.org/1v9Fz7 https://iphonemail.xyz/ https://iplogger.org/1e9Ut7 https://news-systems.xyz/?user=aws2 - rule_id: 1515 https://news-systems.xyz/?user=aws3 - rule_id: 1515 https://news-systems.xyz/?user=aws1 - rule_id: 1515 https://news-systems.xyz/?user=aws6 - rule_id: 1515 https://news-systems.xyz/?user=aws4 - rule_id: 1515 https://news-systems.xyz/?user=aws5 - rule_id: 1515 https://iphonemail.xyz/api.php?getusers https://iphonemail.xyz/api.php
|
6
news-systems.xyz(104.21.33.129) - mailcious iphonemail.xyz(104.21.40.195) iplogger.org(88.99.66.31) - mailcious 172.67.188.69 88.99.66.31 - mailcious 104.21.33.129 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
6
https://news-systems.xyz/ https://news-systems.xyz/ https://news-systems.xyz/ https://news-systems.xyz/ https://news-systems.xyz/ https://news-systems.xyz/
|
10.6 |
M |
8777 |
2021-05-27 10:26
|
BBQbrowser.exe 81189d695443fc7f2a0adab7a6957d89 AsyncRAT backdoor BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
3
http://87.251.71.193// - rule_id: 1393 https://wlf.gofast24.ru/SystemServiceModelSecureConversationFebStrings25251 https://api.ip.sb/geoip
|
5
wlf.gofast24.ru(217.107.34.191) api.ip.sb(104.26.12.31) 104.26.12.31 87.251.71.193 - mailcious 217.107.34.191 - mailcious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection SURICATA HTTP unable to match response to request
|
1
|
10.8 |
M |
|
ZeroCERT
8778 |
2021-05-27 10:26
|
WLP_Setup.exe 6bd3098fc75bd4616d1d069b41a366cd AsyncRAT backdoor PWS .NET framework .NET EXE PE File OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://45.144.225.163:57433// https://api.ip.sb/geoip
|
7
masterself.world(172.67.134.204) - malware api.ip.sb(172.67.75.172) iplogger.org(88.99.66.31) - mailcious 104.21.25.222 88.99.66.31 - mailcious 104.26.12.31 45.144.225.163
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed DNS Query to .world TLD SURICATA HTTP unable to match response to request
|
|
6.2 |
M |
|
ZeroCERT
8779 |
2021-05-27 10:26
|
file18.exe 495214dc4882127b4cf5480510ce440c AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious TLD Tofsee Windows Cryptographic key crashed |
2
http://bargwelahar.xyz// https://jv.inokkr.ru/SystemServiceModelChannelsPeerFlooderSimple47662
|
4
jv.inokkr.ru(195.161.41.50) bargwelahar.xyz(5.44.45.140) 5.44.45.140 195.161.41.50
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
M |
37 |
ZeroCERT
8780 |
2021-05-27 10:00
|
Document 70259454.xls fa58cb567a2ffeee77053fadf440a56f VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
10
|
26
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
|
|
3.2 |
M |
20 |
ZeroCERT
8781 |
2021-05-27 09:56
|
file5.exe c6409dcd1888eed5d528f85c21b89162 Malicious Library PE File PE32 OS Processor Check VirusTotal Malware Checks debugger Creates executable files unpack itself suspicious process AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee DNS |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://157.90.238.247:43252// http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
4
CXGVubAglGFDxYMBdULdcW.CXGVubAglGFDxYMBdULdcW() api.ip.sb(104.26.12.31) 157.90.238.247 104.26.13.31
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
4.2 |
M |
10 |
ZeroCERT
8782 |
2021-05-27 09:56
|
file20.exe e79511486f15a4f50b215af8440f25f9 AsyncRAT backdoor NPKI PWS .NET framework .NET EXE PE File OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Cryptographic key Software crashed |
2
http://mitedaziko.xyz// https://api.ip.sb/geoip
|
4
mitedaziko.xyz(94.140.115.158) api.ip.sb(172.67.75.172) 94.140.115.158 172.67.75.172
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.6 |
M |
18 |
ZeroCERT
8783 |
2021-05-27 09:56
|
file4.exe 10e4779075440455a3a16bfb66aceb52 AsyncRAT backdoor PWS .NET framework .NET EXE PE File OS Processor Check PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Windows Browser ComputerName Remote Code Execution Cryptographic key Software crashed |
2
http://gemmase.xyz// https://api.ip.sb/geoip
|
4
gemmase.xyz(45.130.147.55) api.ip.sb(104.26.12.31) 45.130.147.55 172.67.75.172
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
7.4 |
M |
35 |
ZeroCERT
8784 |
2021-05-27 09:54
|
file19.exe 131296e016a70ea67760fa6eec3dca8f Anti_VM PE File PE32 VirusTotal Malware unpack itself Checks Bios Detects VirtualBox Detects VMWare VMware anti-virtualization Tofsee Windows Firmware DNS crashed |
2
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
|
2
api.faceit.com(104.17.62.50) 104.17.62.50
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.8 |
M |
38 |
ZeroCERT
8785 |
2021-05-27 09:18
|
Document%20777622.xls a7b63000938bbeb31722acac4a96b004 VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
10
|
19
|
4
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
|
|
2.8 |
|
20 |
ZeroCERT
8786 |
2021-05-27 09:03
|
PO 7080027.xls f1fcca46fd7af3f90aa67654250e7a05 VBA_macro MSOffice File VirusTotal Malware ICMP traffic unpack itself Tofsee |
10
|
20
|
4
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
|
|
4.0 |
M |
20 |
ZeroCERT
8787 |
2021-05-26 17:40
|
PO 474050.xls 8cd09ba1a0a1c52115e5419c92342708 VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
10
|
20
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
|
|
3.4 |
M |
34 |
ZeroCERT
8788 |
2021-05-26 09:52
|
t.exe ddda0d5616775408eb31992c1d602a8d AsyncRAT backdoor .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows DNS |
2
http://46.101.81.223/origin.exe - rule_id: 1596 http://46.101.81.223/origin.exe
|
3
ieaspk.com(67.220.184.98) 67.220.184.98 - malware 46.101.81.223
|
8
ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO Executable Download from dotted-quad Host SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://46.101.81.223/origin.exe
|
3.6 |
|
18 |
ZeroCERT
8789 |
2021-05-26 09:40
|
jexi_cry.exe 6245b34a94512b3f2a8b753e7b8dd24f AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows DNS |
1
|
5
www.google.com(172.217.175.68) 142.250.66.68 13.107.21.200 172.217.163.228 104.21.19.200
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.6 |
|
14 |
ZeroCERT
8790 |
2021-05-26 09:36
|
%E5%88%9B%E8%BE%89%E4%BC%81%E4... b002b1aef58889242163dba60b7d6a47 Gen2 Emotet PE File OS Processor Check PE32 VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Tofsee Windows Remote Code Execution crashed |
2
http://hi.baidu.com/8youyu8888/item/eb4fbac9be30f77389ad9e99 https://infoflow.baidu.com/
|
4
hi.baidu.com(183.232.231.225) - mailcious infoflow.baidu.com(124.237.176.132) 220.181.107.148 124.237.176.132
|
2
ET POLICY Unsupported/Fake Windows NT Version 5.0 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
62 |
ZeroCERT