8806 |
2021-05-21 10:14
|
Document%209863223.xls a3770e810232a6e15b4fd36a444ef8d4 VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
2
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php - rule_id: 1445
https://euro-office.net/AwI3uwiwuU6.php - rule_id: 1468
|
20
samyberry.co.za(66.85.46.71)
euro-office.net(198.38.82.90) - mailcious
moayadcenter.com(192.99.147.163) - mailcious
app.lead-concept.com(163.172.106.186) - mailcious
welcometotheafterdeath.com(192.254.234.250) - mailcious
specs2go.shawalzahid.com(158.69.144.71) - mailcious
fotounirii.ro(89.35.173.76) - mailcious
weeflow.com(5.135.142.22) - mailcious
langgal.coop.np(192.185.110.229)
lojamusic.com.br(162.241.2.234) - mailcious
192.185.110.229
5.135.142.22 - mailcious
192.99.147.163 - mailcious
198.38.82.90 - phishing
192.254.234.250 - mailcious
163.172.106.186 - mailcious
89.35.173.76 - mailcious
66.85.46.71 - mailcious
162.241.2.234 - mailcious
158.69.144.71 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
2
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php
https://euro-office.net/AwI3uwiwuU6.php
|
3.2 |
M |
21 |
ZeroCERT
|
8807 |
2021-05-21 10:09
|
Doc1.docm 53e6579c2aad2ae7d6a3ce99045a114b VBA_macro VirusTotal Malware unpack itself Tofsee DNS |
1
https://occurrent-fatigues.000webhostapp.com/12_CNB_Programas_de_Becas-70212-em.txt
|
2
occurrent-fatigues.000webhostapp.com(145.14.145.120) - malware
145.14.145.67 - malware
|
3
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
|
|
4.2 |
M |
32 |
ZeroCERT
|
8808 |
2021-05-20 16:39
|
invoice_996451.doc bee4631c31d5682a91174ee18d7c9335 RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit DNS crashed |
1
https://rotf.lol/jbx7apct
|
2
rotf.lol(104.21.63.195)
104.21.63.195
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
M |
27 |
ZeroCERT
|
8809 |
2021-05-20 16:36
|
Inv%2006687243.xls 5186a21d30bbf28909683c4767597481 VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
12
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
https://armaenerji.com/UserFiles/site/enerji-kablolari/HES/tbqsCGNY.php
https://plascom.ind.br/_img/parceiros/Ii2g4cYzKfaMLz7.php
https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
https://mahinur.nucleustechbd.com/3IPk4Tm2As.php
https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
https://gamberinigianluca.com/wp-content/themes/constructor/themes/black-urban/1FaXnq8F.php
https://fuherpronn.org/u52Xze2Vn28f.php
https://abdul.yousufbaloch.com/C1q5m9Q5DWZJ24d.php
https://lamiragereception.com.au/ABs8dJ2ZJ3jgv0n.php
https://fotounirii.ro/wp-content/plugins/under-construction-page/themes/000webhost/EYZWDFGxTaDjbR.php
|
20
mahinur.nucleustechbd.com(67.222.155.191)
lamiragereception.com.au(67.23.226.231)
armaenerji.com(217.195.198.212) - mailcious
plascom.ind.br(191.252.142.218)
fuherpronn.org(162.241.194.204) - mailcious
specs2go.shawalzahid.com(158.69.144.71)
fotounirii.ro(89.35.173.76)
abdul.yousufbaloch.com(192.185.36.81) - mailcious
gamberinigianluca.com(64.37.52.95)
lojamusic.com.br(162.241.2.234)
89.35.173.76
217.195.198.212 - mailcious
192.185.36.81 - mailcious
64.37.52.95 - mailcious
191.252.142.218
67.23.226.231 - mailcious
67.222.155.191 - mailcious
162.241.194.204 - mailcious
162.241.2.234
158.69.144.71
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.8 |
M |
24 |
ZeroCERT
|
8810 |
2021-05-20 16:36
|
PO%2068601112.xls c389608ec63d30c2d36486bd7db8668f VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
12
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
https://iminnovator.com/index_files/yVoSMJ3GBq7lzW5.php
https://lrt.com.pk/9mmQzL8P7.php
https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php
https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
https://abdul.yousufbaloch.com/C1q5m9Q5DWZJ24d.php
https://staging.gaiafacturacion.com/produccion/v4/include/lib/phpqrcode/cache/rzkNuqp6m1hoY.php
https://towingnow.ca/LvR2HWHdQ.php
https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
https://standup.canicinteractive.com/vendor/swiftmailer/swiftmailer/lib/classes/SO2vS3SCmo1jil.php
https://euro-office.net/AwI3uwiwuU6.php
|
20
euro-office.net(198.38.82.90)
iminnovator.com(192.185.139.153)
specs2go.shawalzahid.com(158.69.144.71)
standup.canicinteractive.com(162.249.2.44) - mailcious
lrt.com.pk(104.21.92.175) - mailcious
welcometotheafterdeath.com(192.254.234.250)
abdul.yousufbaloch.com(192.185.36.81) - mailcious
staging.gaiafacturacion.com(179.27.152.153) - mailcious
towingnow.ca(74.220.194.185)
lojamusic.com.br(162.241.2.234)
192.185.139.153
74.220.194.185
179.27.152.153 - mailcious
198.38.82.90 - phishing
192.254.234.250 - mailcious
192.185.36.81 - mailcious
162.241.2.234
172.67.196.213 - mailcious
162.249.2.44 - mailcious
158.69.144.71
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.2 |
M |
27 |
ZeroCERT
|
8811 |
2021-05-20 16:34
|
Delivery%20Order%208323673.xls 4100f7280e2ec85db09ee5e67b15b9dd VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee DNS |
6
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
https://weeflow.com/wp-content/themes/twentyfourteen/genericons/font/B8Yj2bd8nrfXk5.php
https://app.lead-concept.com/ws/wSu6ZEPLdlxH7W8.php
https://gamberinigianluca.com/wp-content/themes/constructor/themes/black-urban/1FaXnq8F.php
|
4
app.lead-concept.com(163.172.106.186) - mailcious
weeflow.com(5.135.142.22)
5.135.142.22
163.172.106.186 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.0 |
M |
30 |
ZeroCERT
|
8812 |
2021-05-20 10:09
|
H2AymTOp.txt 6281865f1e7a60eca71ecce24d777c59 AsyncRAT backdoor PWS .NET framework DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS |
1
|
5
wealthybillionaire.ddns.net(41.217.58.202)
www.google.com(172.217.175.100)
41.217.58.202
142.250.204.36
79.134.225.52 - mailcious
|
2
ET POLICY DNS Query to DynDNS Domain *.ddns .net
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.8 |
M |
21 |
ZeroCERT
|
8813 |
2021-05-20 10:01
|
Delivery%20Order%2035933112.xl... 5c1384a9073d57a8dcd0321d3f6a712c VBA_macro MSOffice File VirusTotal Malware Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS crashed |
3
https://tres-erres.com.ar/h/gnu/PHPExcel/locale/cs/0GHHoPxx.php
https://app.lead-concept.com/ws/wSu6ZEPLdlxH7W8.php
https://transportesrmb.com/crm/ywUFFQLQayam.php
|
4
tres-erres.com.ar(192.190.80.21)
app.lead-concept.com(163.172.106.186)
192.190.80.21
163.172.106.186
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
8.0 |
M |
23 |
ZeroCERT
|
8814 |
2021-05-20 09:38
|
5.exe 9e0637d40ac3dfd9fed6e63763394d96 Gen1 Gen2 PE File OS Processor Check PE32 DLL JPEG Format VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS |
4
http://45.142.212.182/
http://45.142.212.182//l/f/EEYxh3kBuI_ccNKoAt7T/e84c55e599563d5b8d81f48d87d75c3e3898e9ac
http://45.142.212.182//l/f/EEYxh3kBuI_ccNKoAt7T/0044474b34b9fc5b40e04100690c9837413267be
https://tttttt.me/kokajakprozak
|
3
tttttt.me(95.216.186.40) - mailcious
45.142.212.182
95.216.186.40 - mailcious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
9.2 |
|
46 |
ZeroCERT
|
8815 |
2021-05-20 09:34
|
Delivery%20Order%2026947238.xl... c245d6f79bca2e8e87381a68b842c4d2 VBA_macro MSOffice File VirusTotal Malware unpack itself Tofsee |
10
https://www.ktateeb.vision-building.com/public/graph/uploads/200x300/content_images/CByVubhIO51.php
https://clodoaldofernandes.com.br/_privado/sistema/modulos/link/categoria/tqP8TJ220u.php
https://ciatran.com.co/wp-content/plugins/shortcodes-ultimate/inc/core/K2kGXKi6v5rC.php
https://mail-call.us/76a7Sg6AAZRX.php
https://proterra.med.br/wp-includes/js/tinymce/themes/advanced/Zg1TbiK17uVn.php
https://agentsv2.ivm.mv/user_guide/_static/css/rjWMenNTq.php
https://canteraspalomino.com/firmas/img/UignuN7NTZsS.php
https://notificacao.acessoeduk.com.br/FAIBRA/boleto/Ojjgl6TANm7k.php
https://fate.sa/2EWZ1gzKbk.php
https://aims1.ezicodes.com/wp-includes/js/tinymce/skins/lightgray/A2jVIUfifA7zwR.php
|
20
canteraspalomino.com(192.185.123.100)
proterra.med.br(192.185.217.211)
fate.sa(192.196.158.90)
mail-call.us(74.220.219.123)
clodoaldofernandes.com.br(177.72.160.55)
ciatran.com.co(107.190.140.178)
notificacao.acessoeduk.com.br(186.233.148.33)
agentsv2.ivm.mv(192.185.36.231)
aims1.ezicodes.com(188.225.225.70)
www.ktateeb.vision-building.com(95.217.60.220)
192.185.217.211
107.190.140.178
186.233.148.33
192.185.36.231
95.217.60.220
177.72.160.55
192.196.158.90
188.225.225.70
192.185.123.100
74.220.219.123 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
M |
19 |
ZeroCERT
|
8816 |
2021-05-19 17:34
|
testvba.dotm de000aa60d73ab904fe119294741e5c4 VBA_macro VirusTotal Malware Creates executable files unpack itself Tofsee |
|
2
github.com(15.164.81.167) - mailcious
15.164.81.167 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
M |
25 |
ZeroCERT
|
8817 |
2021-05-19 13:45
|
1.exe 296546fc0093734f42dfa96729643b86 Anti_VM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces VMware anti-virtualization installed browsers check Tofsee Windows Browser ComputerName Firmware DNS Cryptographic key Software crashed |
2
http://3.22.172.216:64155//
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
104.26.12.31
3.22.172.216
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
10.0 |
M |
28 |
ZeroCERT
|
8818 |
2021-05-18 17:58
|
diagram-1596364538.xls a3b0860623b4c70ff15d97fa2df88662 MSOffice File Check memory unpack itself Tofsee DNS crashed |
|
2
hermescomm.net(162.241.27.24) - mailcious
162.241.27.24 - suspicious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.6 |
|
|
guest
|
8819 |
2021-05-18 09:57
|
CBCbrowser.exe 5cdf8ce1bcc26bf8473f09447cfa0c47 AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 MSOffice File Browser Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key crashed |
5
http://87.251.71.193//
https://iplogger.org/1uP9s7
https://42nn.hellomir.ru/SystemServiceModelChannelsHttpInput54082
https://iplogger.org/favicon.ico
https://api.ip.sb/geoip
|
8
api.ip.sb(172.67.75.172)
42nn.hellomir.ru(217.107.34.191)
iplogger.org(88.99.66.31) - mailcious
87.251.71.193
88.99.66.31 - mailcious
104.26.13.31
37.187.95.110
217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
12.8 |
M |
|
ZeroCERT
|
8820 |
2021-05-18 09:56
|
diagram-58392516.xls 3e58b8987074c6d6b6725e2cbdb0494d MSOffice File VirusTotal Malware Check memory unpack itself Tofsee crashed |
5
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.339.927.0/x86/mpas-fe.exe
https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?arch=x86&eng=0.0.0.0&asdelta=0.0.0.0&prod=925A3ACA-C353-458A-AC8D-A7E5EB378092
|
8
www.microsoft.com(23.201.37.168)
definitionupdates.microsoft.com(23.40.44.112)
incoming.telemetry.mozilla.org(44.240.8.189)
hermescomm.net(162.241.27.24) - mailcious
52.33.45.66
23.40.44.112
162.241.27.24 - suspicious
23.201.37.168
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
15 |
guest
|