| 8806 |
2021-05-21 10:14
|
 Document%209863223.xls a3770e810232a6e15b4fd36a444ef8d4
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
2
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php - rule_id: 1445
https://euro-office.net/AwI3uwiwuU6.php - rule_id: 1468
|
20
samyberry.co.za(66.85.46.71)
euro-office.net(198.38.82.90) - mailcious
moayadcenter.com(192.99.147.163) - mailcious
app.lead-concept.com(163.172.106.186) - mailcious
welcometotheafterdeath.com(192.254.234.250) - mailcious
specs2go.shawalzahid.com(158.69.144.71) - mailcious
fotounirii.ro(89.35.173.76) - mailcious
weeflow.com(5.135.142.22) - mailcious
langgal.coop.np(192.185.110.229)
lojamusic.com.br(162.241.2.234) - mailcious
192.185.110.229
5.135.142.22 - mailcious
192.99.147.163 - mailcious
198.38.82.90 - phishing
192.254.234.250 - mailcious
163.172.106.186 - mailcious
89.35.173.76 - mailcious
66.85.46.71 - mailcious
162.241.2.234 - mailcious
158.69.144.71 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
2
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php
https://euro-office.net/AwI3uwiwuU6.php
|
3.2 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8807 |
2021-05-21 10:09
|
 Doc1.docm 53e6579c2aad2ae7d6a3ce99045a114b
VBA_macro VirusTotal Malware unpack itself Tofsee DNS |
1
https://occurrent-fatigues.000webhostapp.com/12_CNB_Programas_de_Becas-70212-em.txt
|
2
occurrent-fatigues.000webhostapp.com(145.14.145.120) - malware
145.14.145.67 - malware
|
3
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
|
|
4.2 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8808 |
2021-05-20 16:39
|
 invoice_996451.doc bee4631c31d5682a91174ee18d7c9335
RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit DNS crashed |
1
https://rotf.lol/jbx7apct
|
2
rotf.lol(104.21.63.195)
104.21.63.195
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8809 |
2021-05-20 16:36
|
 Inv%2006687243.xls 5186a21d30bbf28909683c4767597481
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
12
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
https://armaenerji.com/UserFiles/site/enerji-kablolari/HES/tbqsCGNY.php
https://plascom.ind.br/_img/parceiros/Ii2g4cYzKfaMLz7.php
https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
https://mahinur.nucleustechbd.com/3IPk4Tm2As.php
https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
https://gamberinigianluca.com/wp-content/themes/constructor/themes/black-urban/1FaXnq8F.php
https://fuherpronn.org/u52Xze2Vn28f.php
https://abdul.yousufbaloch.com/C1q5m9Q5DWZJ24d.php
https://lamiragereception.com.au/ABs8dJ2ZJ3jgv0n.php
https://fotounirii.ro/wp-content/plugins/under-construction-page/themes/000webhost/EYZWDFGxTaDjbR.php
|
20
mahinur.nucleustechbd.com(67.222.155.191)
lamiragereception.com.au(67.23.226.231)
armaenerji.com(217.195.198.212) - mailcious
plascom.ind.br(191.252.142.218)
fuherpronn.org(162.241.194.204) - mailcious
specs2go.shawalzahid.com(158.69.144.71)
fotounirii.ro(89.35.173.76)
abdul.yousufbaloch.com(192.185.36.81) - mailcious
gamberinigianluca.com(64.37.52.95)
lojamusic.com.br(162.241.2.234)
89.35.173.76
217.195.198.212 - mailcious
192.185.36.81 - mailcious
64.37.52.95 - mailcious
191.252.142.218
67.23.226.231 - mailcious
67.222.155.191 - mailcious
162.241.194.204 - mailcious
162.241.2.234
158.69.144.71
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8810 |
2021-05-20 16:36
|
 PO%2068601112.xls c389608ec63d30c2d36486bd7db8668f
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
12
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
https://iminnovator.com/index_files/yVoSMJ3GBq7lzW5.php
https://lrt.com.pk/9mmQzL8P7.php
https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php
https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
https://abdul.yousufbaloch.com/C1q5m9Q5DWZJ24d.php
https://staging.gaiafacturacion.com/produccion/v4/include/lib/phpqrcode/cache/rzkNuqp6m1hoY.php
https://towingnow.ca/LvR2HWHdQ.php
https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
https://standup.canicinteractive.com/vendor/swiftmailer/swiftmailer/lib/classes/SO2vS3SCmo1jil.php
https://euro-office.net/AwI3uwiwuU6.php
|
20
euro-office.net(198.38.82.90)
iminnovator.com(192.185.139.153)
specs2go.shawalzahid.com(158.69.144.71)
standup.canicinteractive.com(162.249.2.44) - mailcious
lrt.com.pk(104.21.92.175) - mailcious
welcometotheafterdeath.com(192.254.234.250)
abdul.yousufbaloch.com(192.185.36.81) - mailcious
staging.gaiafacturacion.com(179.27.152.153) - mailcious
towingnow.ca(74.220.194.185)
lojamusic.com.br(162.241.2.234)
192.185.139.153
74.220.194.185
179.27.152.153 - mailcious
198.38.82.90 - phishing
192.254.234.250 - mailcious
192.185.36.81 - mailcious
162.241.2.234
172.67.196.213 - mailcious
162.249.2.44 - mailcious
158.69.144.71
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8811 |
2021-05-20 16:34
|
 Delivery%20Order%208323673.xls 4100f7280e2ec85db09ee5e67b15b9dd
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
6
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php
https://app.lead-concept.com/ws/wSu6ZEPLdlxH7W8.php
https://gamberinigianluca.com/wp-content/themes/constructor/themes/black-urban/1FaXnq8F.php
|
4
app.lead-concept.com(163.172.106.186) - mailcious
weeflow.com(5.135.142.22)
5.135.142.22
163.172.106.186 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.0 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8812 |
2021-05-20 10:09
|
 H2AymTOp.txt 6281865f1e7a60eca71ecce24d777c59
AsyncRAT backdoor PWS .NET framework DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS |
1
|
5
wealthybillionaire.ddns.net(41.217.58.202)
www.google.com(172.217.175.100)
41.217.58.202
142.250.204.36
79.134.225.52 - mailcious
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.8 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8813 |
2021-05-20 10:01
|
 Delivery%20Order%2035933112.xl... 5c1384a9073d57a8dcd0321d3f6a712c
VBA_macro MSOffice File VirusTotal Malware Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS crashed |
3
https://tres-erres.com.ar/h/gnu/PHPExcel/locale/cs/0GHHoPxx.php
https://app.lead-concept.com/ws/wSu6ZEPLdlxH7W8.php
https://transportesrmb.com/crm/ywUFFQLQayam.php
|
4
tres-erres.com.ar(192.190.80.21)
app.lead-concept.com(163.172.106.186)
192.190.80.21
163.172.106.186
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
8.0 |
M |
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8814 |
2021-05-20 09:38
|
 5.exe 9e0637d40ac3dfd9fed6e63763394d96
Gen1 Gen2 PE File OS Processor Check PE32 DLL JPEG Format VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS |
4
http://45.142.212.182/
http://45.142.212.182//l/f/EEYxh3kBuI_ccNKoAt7T/e84c55e599563d5b8d81f48d87d75c3e3898e9ac
http://45.142.212.182//l/f/EEYxh3kBuI_ccNKoAt7T/0044474b34b9fc5b40e04100690c9837413267be
https://tttttt.me/kokajakprozak
|
3
tttttt.me(95.216.186.40) - mailcious
45.142.212.182
95.216.186.40 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
9.2 |
|
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8815 |
2021-05-20 09:34
|
 Delivery%20Order%2026947238.xl... c245d6f79bca2e8e87381a68b842c4d2
VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
10
https://www.ktateeb.vision-building.com/public/graph/uploads/200x300/content_images/CByVubhIO51.php
https://clodoaldofernandes.com.br/_privado/sistema/modulos/link/categoria/tqP8TJ220u.php
https://ciatran.com.co/wp-content/plugins/shortcodes-ultimate/inc/core/K2kGXKi6v5rC.php
https://mail-call.us/76a7Sg6AAZRX.php
https://proterra.med.br/wp-includes/js/tinymce/themes/advanced/Zg1TbiK17uVn.php
https://agentsv2.ivm.mv/user_guide/_static/css/rjWMenNTq.php
https://canteraspalomino.com/firmas/img/UignuN7NTZsS.php
https://notificacao.acessoeduk.com.br/FAIBRA/boleto/Ojjgl6TANm7k.php
https://fate.sa/2EWZ1gzKbk.php
https://aims1.ezicodes.com/wp-includes/js/tinymce/skins/lightgray/A2jVIUfifA7zwR.php
|
20
canteraspalomino.com(192.185.123.100)
proterra.med.br(192.185.217.211)
fate.sa(192.196.158.90)
mail-call.us(74.220.219.123)
clodoaldofernandes.com.br(177.72.160.55)
ciatran.com.co(107.190.140.178)
notificacao.acessoeduk.com.br(186.233.148.33)
agentsv2.ivm.mv(192.185.36.231)
aims1.ezicodes.com(188.225.225.70)
www.ktateeb.vision-building.com(95.217.60.220)
192.185.217.211
107.190.140.178
186.233.148.33
192.185.36.231
95.217.60.220
177.72.160.55
192.196.158.90
188.225.225.70
192.185.123.100
74.220.219.123 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
19 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8816 |
2021-05-19 17:34
|
 testvba.dotm de000aa60d73ab904fe119294741e5c4
VBA_macro VirusTotal Malware Creates executable files unpack itself Tofsee |
|
2
github.com(15.164.81.167) - mailcious
15.164.81.167 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8817 |
2021-05-19 13:45
|
 1.exe 296546fc0093734f42dfa96729643b86
Anti_VM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
http://3.22.172.216:64155//
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
104.26.12.31
3.22.172.216
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
10.0 |
M |
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8818 |
2021-05-18 17:58
|
 diagram-1596364538.xls a3b0860623b4c70ff15d97fa2df88662
MSOffice File Check memory unpack itself Tofsee DNS crashed |
|
2
hermescomm.net(162.241.27.24) - mailcious
162.241.27.24 - suspicious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8819 |
2021-05-18 09:57
|
 CBCbrowser.exe 5cdf8ce1bcc26bf8473f09447cfa0c47
AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 MSOffice File Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed |
5
http://87.251.71.193//
https://iplogger.org/1uP9s7
https://42nn.hellomir.ru/SystemServiceModelChannelsHttpInput54082
https://iplogger.org/favicon.ico
https://api.ip.sb/geoip
|
8
api.ip.sb(172.67.75.172)
42nn.hellomir.ru(217.107.34.191)
iplogger.org(88.99.66.31) - mailcious
87.251.71.193
88.99.66.31 - mailcious
104.26.13.31
37.187.95.110
217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
12.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8820 |
2021-05-18 09:56
|
 diagram-58392516.xls 3e58b8987074c6d6b6725e2cbdb0494d
MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed |
5
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.339.927.0/x86/mpas-fe.exe
https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
|
8
www.microsoft.com(23.201.37.168)
definitionupdates.microsoft.com(23.40.44.112)
incoming.telemetry.mozilla.org(44.240.8.189)
hermescomm.net(162.241.27.24) - mailcious
52.33.45.66
23.40.44.112
162.241.27.24 - suspicious
23.201.37.168
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
15 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|