| 8836 |
2021-05-13 08:23
|
 kn.exe 167f0a829df709cc4107369ed23fbdfb
Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:554636579&cup2hreq=f1e8358d230c769ebdd30f8b65f8e5e943940b09e34e48f61ef8e622dae553a6
|
5
edgedl.me.gvt1.com(34.104.35.123)
wespeaktruthtoman.sytes.net(79.134.225.47) - mailcious
79.134.225.47 - mailcious
34.104.35.123
142.250.204.99
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
16.6 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8837 |
2021-05-12 17:58
|
generated order 257404.xlsm 77838fe56970ec040ea084f6c5b3def6
VBA_macro VirusTotal Malware unpack itself Tofsee |
8
https://bhuttangill.com/wp-includes/js/tinymce/themes/inlite/Agk5yxu6D3SEW.php
https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/SFMm6Qoe.php
https://traffickerdigital.guru/wp-content/plugins/stops-core-theme-and-plugin-updates/templates/notices/3RKTmgwCIosO1Q.php
https://wickerconsultingllc.com/wp-content/plugins/force-regenerate-thumbnails/jquery-ui/redmond/MGggfHzY0QH0Cp3.php
https://italmaps.com/nuovo/wp-includes/js/jquery/ui/vUYhCCeCNKQoEk.php
https://bitfore.co.uk/wp-content/plugins/elementor/includes/admin-templates/1WiStiiT.php
https://senalgrafsac.com/prueba/vendor/bootstrap/css/Z1Oeq1XQhEC.php
https://darkmattercompany.com/billing/templates/orderforms/comparison/images/OMqNCOuk.php
|
20
bhuttangill.com(95.216.246.100) - mailcious
multigranos.com.bo(64.37.56.40) - mailcious
traffickerdigital.guru(185.61.154.27) - mailcious
grupoakrabu.com(67.222.131.40) - mailcious
darkmattercompany.com(192.185.171.227) - mailcious
wickerconsultingllc.com(192.185.115.105) - mailcious
vipecotton.com(172.67.138.115) - mailcious
italmaps.com(185.116.60.7) - mailcious
bitfore.co.uk(162.241.85.241) - mailcious
senalgrafsac.com(162.241.190.216) - mailcious
64.37.56.40 - mailcious
192.185.171.227 - mailcious
185.61.154.27 - mailcious
162.241.190.216 - mailcious
104.21.56.243 - mailcious
162.241.85.241 - mailcious
95.216.246.100 - mailcious
192.185.115.105 - mailcious
185.116.60.7 - mailcious
67.222.131.40 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8838 |
2021-05-12 17:55
|
 r1oo.exe 85725f2ce8ff2e36e9a3849e512e8db5
BitCoin Antivirus AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.215.113.54:62132// - rule_id: 1354
https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172)
185.215.113.54 - malware
104.26.12.31
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
SURICATA HTTP unable to match response to request
|
1
http://185.215.113.54:62132/
|
16.8 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8839 |
2021-05-12 15:42
|
http://premcogroup.com/bin/sui... a7a26d57df53b79b97f904d5b5133f66
AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File PE File PE32 VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
premcogroup.com(162.214.101.129) - malware
162.214.101.129 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO TLS Handshake Failure
|
|
5.2 |
M |
25 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8840 |
2021-05-12 12:31
|
 2roxy.txt 2f4bcc44bf320f3cd7e8961802ffe3e5
BitCoin Antivirus AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
2
http://185.215.113.54:62132//
https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31)
185.215.113.54 - malware
104.26.12.31
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
16.8 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8841 |
2021-05-12 12:14
|
 Taxicab.txt df92371c2f2a4b170d14e2b22b352d26
AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic suspicious TLD Tofsee DNS |
1
https://u0s.runboot.ru/SystemServiceModelDispatcherXPathMessageFunctionCorrelationData62451
|
2
u0s.runboot.ru(217.107.34.191)
217.107.34.191
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
M |
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8842 |
2021-05-12 10:27
|
 racopp.txt a73349885f36cdef7315984ad948a1ab
PWS .NET framework Gen1 Gen2 Http API Steal credential ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Collect installed applications AppData folder suspicious TLD installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed |
7
http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/2c0e4a92a0d91cd2b863333fd026a43c7b0e00d6
http://34.89.59.109/
http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/7896a8713169d4ef7152ec7f2f4c9ea6f1776723
https://telete.in/hdmiprapor
https://aven93r.ru/uploads/sync.exe
https://aven93r.ru/uploads/procexp.exe
https://aven93r.ru/uploads/bit.exe
|
5
aven93r.ru(172.67.158.218)
telete.in(195.201.225.248) - mailcious
172.67.158.218
195.201.225.248 - mailcious
34.89.59.109
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
14.6 |
M |
46 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8843 |
2021-05-12 10:02
|
 4fcr.exe d73fd4127cedd82ec566aecf62676d1e
AsyncRAT backdoor PWS .NET framework Gen1 Gen2 Antivirus Http API Steal credential ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key |
4
http://34.89.59.109//l/f/p0EVXnkBuI_ccNKoulHs/8227c57c53954b173dcab41c73a1eb8268622c7c
http://34.89.59.109//l/f/p0EVXnkBuI_ccNKoulHs/266c9d9a82c06a89b7a9b8551db4cd766a228758
http://34.89.59.109/
https://telete.in/justprovistpro
|
3
telete.in(195.201.225.248) - mailcious
195.201.225.248 - mailcious
34.89.59.109
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
15.6 |
M |
51 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8844 |
2021-05-11 17:20
|
http://alshamaleh-ye.com/xplt/... 5f4725f701ced44640eaa5c979bc01a6
AgentTesla AsyncRAT backdoor PWS .NET framework Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
alshamaleh-ye.com(79.124.8.115) - malware
79.124.8.115 - malware
|
3
ET POLICY PE EXE or DLL Windows file download HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
5.2 |
M |
11 |
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8845 |
2021-05-11 09:19
|
 Giwdmzf.exe 49fc90c6abbe70021eaac6d8dd41c7dd
AsyncRAT backdoor AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
216.146.43.70 - suspicious
172.67.188.154
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.6 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8846 |
2021-05-11 09:00
|
한국사_교과서(smdv).js 9ea397a03f2e5f3b0bfbd8f70f9f82cd
AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8847 |
2021-05-11 07:38
|
 Mcnzurtic.exe 6989acbd9d6104b59fdbf6cb0473cd35
AsyncRAT backdoor AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(162.88.193.70)
162.88.193.70
104.21.19.200
|
4
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8848 |
2021-05-10 12:21
|
 BankStatement009810.xlsb 4bedb6631269e591cdfe5c981cd4d219
VBA_macro VirusTotal Malware unpack itself Tofsee |
1
https://spainblogmandala.web.za/msoffice.exe
|
2
spainblogmandala.web.za(169.239.183.80) - malware
169.239.183.80 - malware
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8849 |
2021-05-07 12:25
|
 akon.exe 0690de55a2a4081dd2ebc1f658bba4da
PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows DNS Cryptographic key |
2
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2?cup2key=10:462738584&cup2hreq=cab54b4bc40bdca2d3fa8e3bf26b30011efe9eee128012b431cd9c7b556f34cc
|
2
edgedl.me.gvt1.com(34.104.35.123)
34.104.35.123
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.0 |
M |
32 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8850 |
2021-05-07 11:34
|
 cutscroll.png 5ceaa6deb3ee0395632e64da64077689
tor Gen1 Emotet PE File PE32 Dridex TrickBot Malware Report suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://117.54.250.246/lib95/TEST22-PC_W617601.17CBB1F79387D3BF80BB1A2B3BA9BB75/5/kps/ - rule_id: 1304
|
4
103.66.72.217 - mailcious
115.73.211.230 - mailcious
181.176.161.143 - mailcious
117.54.250.246 - mailcious
|
4
ET CNC Feodo Tracker Reported CnC Server group 8
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET INFO TLS Handshake Failure
|
1
|
6.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|