Sandbox submissions listing, newest first. Each record gives: the submission ID and time; the sample name, its MD5 and the sandbox's behaviour/family tags (reproduced as the one run-together string the listing shows); the URLs, hosts (with resolved IP and the sandbox's malicious/malware/suspicious label where it assigned one) and Suricata signatures observed at run time; URLs that matched a sandbox rule; the sandbox score; the two unlabeled trailing columns exactly as they appear in the listing (a single-letter flag and a count, '-' where the cell is empty); and the submitter. One caveat before pivoting on the tags: "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)" fires on every sample here, including 8836 and 8849 whose only recorded traffic is a Google Update download, because that JA3 is the fingerprint of the default Windows TLS client and a well-known source of false positives. Treat the "Tofsee" tag as a JA3 artefact rather than a family attribution and pivot on the labelled hosts and rule-matched URLs instead.

8836 | 2021-05-13 08:23 | submitted by ZeroCERT
Sample: kn.exe  MD5 167f0a829df709cc4107369ed23fbdfb
Tags: Malicious Library DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW human activity check Tofsee Windows ComputerName DNS DDNS
URLs (2):
  http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
  https://update.googleapis.com/service/update2?cup2key=10:554636579&cup2hreq=f1e8358d230c769ebdd30f8b65f8e5e943940b09e34e48f61ef8e622dae553a6
Hosts (5):
  edgedl.me.gvt1.com (34.104.35.123)
  wespeaktruthtoman.sytes.net (79.134.225.47) - malicious
  79.134.225.47 - malicious
  34.104.35.123
  142.250.204.99
Signatures (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 16.6 | trailing columns: -, 31
Note: the Google Update download is legitimate traffic and is what raises the EXE/IsDebuggerPresent signatures; the indicator in this record is the dynamic-DNS host wespeaktruthtoman.sytes.net (79.134.225.47), which the sample contacted without an HTTP URL being recorded.

8837 | 2021-05-12 17:58 | submitted by ZeroCERT
Sample: generated order 257404.xlsm  MD5 77838fe56970ec040ea084f6c5b3def6
Tags: VBA_macro VirusTotal Malware unpack itself Tofsee
URLs (8):
  https://bhuttangill.com/wp-includes/js/tinymce/themes/inlite/Agk5yxu6D3SEW.php
  https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/SFMm6Qoe.php
  https://traffickerdigital.guru/wp-content/plugins/stops-core-theme-and-plugin-updates/templates/notices/3RKTmgwCIosO1Q.php
  https://wickerconsultingllc.com/wp-content/plugins/force-regenerate-thumbnails/jquery-ui/redmond/MGggfHzY0QH0Cp3.php
  https://italmaps.com/nuovo/wp-includes/js/jquery/ui/vUYhCCeCNKQoEk.php
  https://bitfore.co.uk/wp-content/plugins/elementor/includes/admin-templates/1WiStiiT.php
  https://senalgrafsac.com/prueba/vendor/bootstrap/css/Z1Oeq1XQhEC.php
  https://darkmattercompany.com/billing/templates/orderforms/comparison/images/OMqNCOuk.php
Hosts (20):
  bhuttangill.com (95.216.246.100) - malicious
  multigranos.com.bo (64.37.56.40) - malicious
  traffickerdigital.guru (185.61.154.27) - malicious
  grupoakrabu.com (67.222.131.40) - malicious
  darkmattercompany.com (192.185.171.227) - malicious
  wickerconsultingllc.com (192.185.115.105) - malicious
  vipecotton.com (172.67.138.115) - malicious
  italmaps.com (185.116.60.7) - malicious
  bitfore.co.uk (162.241.85.241) - malicious
  senalgrafsac.com (162.241.190.216) - malicious
  64.37.56.40 - malicious
  192.185.171.227 - malicious
  185.61.154.27 - malicious
  162.241.190.216 - malicious
  104.21.56.243 - malicious
  162.241.85.241 - malicious
  95.216.246.100 - malicious
  192.185.115.105 - malicious
  185.116.60.7 - malicious
  67.222.131.40 - malicious
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
Score: 4.2 | trailing columns: M, 31
Note: the macro walks a list of eight PHP files dropped under WordPress plugin, theme and vendor directories on unrelated sites, the usual pattern of compromised web hosts used as second-stage servers; grupoakrabu.com and vipecotton.com were contacted but no URL to them was recorded.

8838 | 2021-05-12 17:55 | submitted by ZeroCERT
Sample: r1oo.exe  MD5 85725f2ce8ff2e36e9a3849e512e8db5
Tags: BitCoin Antivirus AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://185.215.113.54:62132// - rule_id: 1354
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb (172.67.75.172)
  185.215.113.54 - malware
  104.26.12.31
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
  SURICATA HTTP unable to match response to request
Rule-matched URLs (1): http://185.215.113.54:62132/
Score: 16.8 | trailing columns: M, 16
Note: same tag set, same C2 (185.215.113.54:62132, on a Spamhaus DROP-listed range) and same api.ip.sb geolocation lookup as 8840; the two submissions differ only in file name and hash.

8839 | 2021-05-12 15:42 | submitted by guest
Sample: http://premcogroup.com/bin/sui... (name as shown in the listing, truncated)  MD5 a7a26d57df53b79b97f904d5b5133f66
Tags: AgentTesla DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence AntiDebug AntiVM MSOffice File PE File PE32 VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
URLs: none recorded
Hosts (2):
  premcogroup.com (162.214.101.129) - malware
  162.214.101.129 - malware
Signatures (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
Score: 5.2 | trailing columns: M, 25

8840 | 2021-05-12 12:31 | submitted by ZeroCERT
Sample: 2roxy.txt  MD5 2f4bcc44bf320f3cd7e8961802ffe3e5
Tags: BitCoin Antivirus AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer ENERGETIC BEAR VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2):
  http://185.215.113.54:62132//
  https://api.ip.sb/geoip
Hosts (3):
  api.ip.sb (104.26.12.31)
  185.215.113.54 - malware
  104.26.12.31
Signatures (3):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 24
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA HTTP unable to match response to request
Rule-matched URLs: none
Score: 16.8 | trailing columns: M, 17
Note: a PE delivered with a .txt extension; same C2 and behaviour as 8838 (see that record).

8841 | 2021-05-12 12:14 | submitted by ZeroCERT
Sample: Taxicab.txt  MD5 df92371c2f2a4b170d14e2b22b352d26
Tags: AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware Malicious Traffic suspicious TLD Tofsee DNS
URLs (1):
  https://u0s.runboot.ru/SystemServiceModelDispatcherXPathMessageFunctionCorrelationData62451
Hosts (2):
  u0s.runboot.ru (217.107.34.191)
  217.107.34.191
Signatures (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 2.8 | trailing columns: M, 36

8842 | 2021-05-12 10:27 | submitted by ZeroCERT
Sample: racopp.txt  MD5 a73349885f36cdef7315984ad948a1ab
Tags: PWS .NET framework Gen1 Gen2 Http API Steal credential ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format VirusTotal Email Client Info Stealer Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files ICMP traffic unpack itself Collect installed applications AppData folder suspicious TLD installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key crashed
URLs (7):
  http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/2c0e4a92a0d91cd2b863333fd026a43c7b0e00d6
  http://34.89.59.109/
  http://34.89.59.109//l/f/jUEqXnkBuI_ccNKof1Lb/7896a8713169d4ef7152ec7f2f4c9ea6f1776723
  https://telete.in/hdmiprapor
  https://aven93r.ru/uploads/sync.exe
  https://aven93r.ru/uploads/procexp.exe
  https://aven93r.ru/uploads/bit.exe
Hosts (5):
  aven93r.ru (172.67.158.218)
  telete.in (195.201.225.248) - malicious
  172.67.158.218
  195.201.225.248 - malicious
  34.89.59.109
Signatures (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 14.6 | trailing columns: M, 46
Note: the bare-IP host 34.89.59.109 serves executables under //l/f/<token>/<sha1> paths with minimal HTTP headers (hence the Dotted Quad MZ and Minimal HTTP Headers hits); 8843 fetches from the same host and path layout and also reads a telete.in page, so the two samples share infrastructure.

8843 | 2021-05-12 10:02 | submitted by ZeroCERT
Sample: 4fcr.exe  MD5 d73fd4127cedd82ec566aecf62676d1e
Tags: AsyncRAT backdoor PWS .NET framework Gen1 Gen2 Antivirus Http API Steal credential ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser Email ComputerName DNS Cryptographic key
URLs (4):
  http://34.89.59.109//l/f/p0EVXnkBuI_ccNKoulHs/8227c57c53954b173dcab41c73a1eb8268622c7c
  http://34.89.59.109//l/f/p0EVXnkBuI_ccNKoulHs/266c9d9a82c06a89b7a9b8551db4cd766a228758
  http://34.89.59.109/
  https://telete.in/justprovistpro
Hosts (3):
  telete.in (195.201.225.248) - malicious
  195.201.225.248 - malicious
  34.89.59.109
Signatures (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 15.6 | trailing columns: M, 51
Note: same download host and path layout as 8842 (34.89.59.109, //l/f/<token>/<sha1>) and the same telete.in host with a different page name.

8844 | 2021-05-11 17:20 | submitted by Kim.GS
Sample: http://alshamaleh-ye.com/xplt/... (name as shown in the listing, truncated)  MD5 5f4725f701ced44640eaa5c979bc01a6
Tags: AgentTesla AsyncRAT backdoor PWS .NET framework Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate privileges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
URLs: none recorded
Hosts (2):
  alshamaleh-ye.com (79.124.8.115) - malware
  79.124.8.115 - malware
Signatures (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
Score: 5.2 | trailing columns: M, 11

8845 | 2021-05-11 09:19 | submitted by ZeroCERT
Sample: Giwdmzf.exe  MD5 49fc90c6abbe70021eaac6d8dd41c7dd
Tags: AsyncRAT backdoor AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (162.88.193.70)
  216.146.43.70 - suspicious
  172.67.188.154
Signatures (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 8.6 | trailing columns: M, 21
Note: all recorded traffic is the external-IP and geolocation lookup the stealer performs before exfiltration; 175.208.134.150 in the freegeoip URL is the querying machine's own public address (the same value appears in 8847), not an indicator. The SMTP tag suggests mail-based exfiltration, but no mail server appears among the hosts.

8846 | 2021-05-11 09:00 | submitted by ZeroCERT
Sample: 한국사_교과서(smdv).js (Korean: "Korean history textbook (smdv).js")  MD5 9ea397a03f2e5f3b0bfbd8f70f9f82cd
Tags: AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs: none recorded
Hosts: none recorded
Signatures (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
Rule-matched URLs: none
Score: 4.2 | trailing columns: -, 4

8847 | 2021-05-11 07:38 | submitted by ZeroCERT
Sample: Mcnzurtic.exe  MD5 6989acbd9d6104b59fdbf6cb0473cd35
Tags: AsyncRAT backdoor AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (4):
  freegeoip.app (104.21.19.200)
  checkip.dyndns.org (162.88.193.70)
  162.88.193.70
  104.21.19.200
Signatures (4):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 8.8 | trailing columns: M, 31

8848 | 2021-05-10 12:21 | submitted by ZeroCERT
Sample: BankStatement009810.xlsb  MD5 4bedb6631269e591cdfe5c981cd4d219
Tags: VBA_macro VirusTotal Malware unpack itself Tofsee
URLs (1):
  https://spainblogmandala.web.za/msoffice.exe
Hosts (2):
  spainblogmandala.web.za (169.239.183.80) - malware
  169.239.183.80 - malware
Signatures (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 3.2 | trailing columns: M, 27

8849 | 2021-05-07 12:25 | submitted by ZeroCERT
Sample: akon.exe  MD5 0690de55a2a4081dd2ebc1f658bba4da
Tags: PWS .NET framework Malicious Library AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows DNS Cryptographic key
URLs (2):
  http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
  https://update.googleapis.com/service/update2?cup2key=10:462738584&cup2hreq=cab54b4bc40bdca2d3fa8e3bf26b30011efe9eee128012b431cd9c7b556f34cc
Hosts (2):
  edgedl.me.gvt1.com (34.104.35.123)
  34.104.35.123
Signatures (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO EXE - Served Attached HTTP
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: none
Score: 10.0 | trailing columns: M, 32
Note: the only recorded traffic is the Google Update download; every signature here, including the IsDebuggerPresent hit, is raised by that legitimate installer, so this record yields no network indicator and the sandbox tags are the only evidence.

8850 | 2021-05-07 11:34 | submitted by ZeroCERT
Sample: cutscroll.png  MD5 5ceaa6deb3ee0395632e64da64077689
Tags: tor Gen1 Emotet PE File PE32 Dridex TrickBot Malware Report suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
URLs (1):
  https://117.54.250.246/lib95/TEST22-PC_W617601.17CBB1F79387D3BF80BB1A2B3BA9BB75/5/kps/ - rule_id: 1304
Hosts (4):
  103.66.72.217 - malicious
  115.73.211.230 - malicious
  181.176.161.143 - malicious
  117.54.250.246 - malicious
Signatures (4):
  ET CNC Feodo Tracker Reported CnC Server group 8
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET INFO TLS Handshake Failure
Rule-matched URLs (1): not shown in the listing
Score: 6.4 | trailing columns: M, -
Note: a PE32 delivered under a .png name. The check-in URL follows the TrickBot layout, group tag (lib95) followed by a client ID built from the victim hostname and Windows version (TEST22-PC_W617601.<hex>), and the C2 uses a self-signed certificate with the OpenSSL demo-CA subject; the Feodo Tracker signature confirms 117.54.250.246 was already listed as a C2 at the time.

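The records above are useful only once they are pulled apart into structured indicators, and the flat pipe-separated layout makes that error-prone (hosts and signatures are run together on one line, counts are declared separately, labels are spelled "mailcious"). The following Python is an added example, not code from the page or from the sandbox that produced the listing: it parses records in the page's layout, checks what it extracted against the counts the listing declares, and pivots on hosts shared between samples. The input is constructed from entries 8838 and 8840 above with the long tag list shortened; the field order (ID, time, sample, URLs, hosts, signatures, rule-matched URLs, score, flag, count, submitter) is inferred from the page, and the function names are the example's own.

```python
import re

# Constructed input: entries 8838 and 8840 of the listing above, laid out as the
# page shows them (pipe-separated fields), with the long tag list shortened.
RAW = """8838 |
2021-05-12 17:55
|
r1oo.exe 85725f2ce8ff2e36e9a3849e512e8db5 BitCoin AntiDebug .NET EXE Browser Info Stealer Tofsee |
2
http://185.215.113.54:62132// - rule_id: 1354 https://api.ip.sb/geoip
|
3
api.ip.sb(172.67.75.172) 185.215.113.54 - malware 104.26.12.31
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET DROP Spamhaus DROP Listed Traffic Inbound group 24 SURICATA HTTP unable to match response to request
|
1
http://185.215.113.54:62132/
|
16.8 |
M |
16 |
ZeroCERT
8840 |
2021-05-12 12:31
|
2roxy.txt 2f4bcc44bf320f3cd7e8961802ffe3e5 BitCoin AntiDebug .NET EXE Browser Info Stealer Tofsee |
2
http://185.215.113.54:62132// https://api.ip.sb/geoip
|
3
api.ip.sb(104.26.12.31) 185.215.113.54 - malware 104.26.12.31
|
3
ET DROP Spamhaus DROP Listed Traffic Inbound group 24 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
|
16.8 |
M |
17 |
ZeroCERT
"""

URL_RE = re.compile(r'https?://\S+')
RULE_RE = re.compile(r'(https?://\S+) - rule_id: (\d+)')
MD5_RE = re.compile(r'\b[0-9a-f]{32}\b')
# "name(ip) - label", "ip - label" or a bare name/ip; the listing spells the label "mailcious".
HOST_RE = re.compile(r'(?P<name>[A-Za-z0-9][A-Za-z0-9.\-]*)(?:\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\))?'
                     r'(?:\s+-\s+(?P<label>mailcious|malicious|malware|suspicious))?')
# Signatures are run together on one line; each one starts with a ruleset prefix.
SIG_SPLIT_RE = re.compile(r'\s+(?=(?:ET|SSLBL:|SURICATA)\s)')
# A record starts with "<id> |" directly followed by the submission timestamp.
RECORD_START_RE = re.compile(r'(?m)^(?=\d+\s*\|\s*\n\d{4}-\d{2}-\d{2})')

def _counted(fld):
    """A 'N\\n<body>' listing field -> (declared count, body joined on one line)."""
    lines = [ln.strip() for ln in fld.splitlines() if ln.strip()]
    return (int(lines[0]), ' '.join(lines[1:])) if lines else (0, '')

def parse_record(text):
    """One listing record -> dict of indicators; 'warnings' lists count mismatches."""
    f = text.split('|')  # the pipe never occurs inside a URL, host or signature name
    if len(f) < 11:
        raise ValueError(f'expected 11 pipe-separated fields, got {len(f)}')
    sample = f[2].strip()
    m = MD5_RE.search(sample)
    if not m:
        raise ValueError(f'no MD5 in sample field: {sample!r}')
    n_urls, url_body = _counted(f[3])
    n_hosts, host_body = _counted(f[4])
    n_sigs, sig_body = _counted(f[5])
    rec = {
        'id': f[0].strip(), 'submitted': f[1].strip(),
        'sample': sample[:m.start()].strip(), 'md5': m.group(0), 'tags': sample[m.end():].strip(),
        'urls': URL_RE.findall(url_body),
        'rule_ids': {u: int(r) for u, r in RULE_RE.findall(url_body)},
        # hosts: (name, resolved IP or None, label or None), with the page's typo normalised
        'hosts': [(h['name'], h['ip'], 'malicious' if h['label'] == 'mailcious' else h['label'])
                  for h in HOST_RE.finditer(host_body)],
        'signatures': SIG_SPLIT_RE.split(sig_body) if sig_body else [],
        'flagged': URL_RE.findall(_counted(f[6])[1]),
        'score': float(f[7].strip()), 'submitter': f[10].strip(), 'warnings': [],
    }
    # The listing declares a count per field; a mismatch means a token was dropped or split.
    for what, declared, got in (('urls', n_urls, len(rec['urls'])), ('hosts', n_hosts, len(rec['hosts'])),
                                ('signatures', n_sigs, len(rec['signatures']))):
        if declared != got:
            rec['warnings'].append(f'{what}: listing says {declared}, parsed {got}')
    return rec

def parse_listing(raw=RAW):
    return [parse_record(chunk) for chunk in RECORD_START_RE.split(raw) if chunk.strip()]

def shared_infrastructure(records):
    """Names and IPs contacted by more than one sample -> sorted record IDs (pivot candidates)."""
    seen = {}
    for rec in records:
        for name, ip, _label in rec['hosts']:
            for key in (name, ip):
                if key:
                    seen.setdefault(key, set()).add(rec['id'])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Calling parse_listing() and then shared_infrastructure() on the two records returns 185.215.113.54, api.ip.sb and 104.26.12.31 as shared between 8838 and 8840. Only the first is a pivot: api.ip.sb and its Cloudflare addresses are the public geolocation service, and would link every sample that checks its external IP. The count check matters because the signature splitter depends on knowing the ruleset prefixes; a new prefix would silently merge two signatures, and the mismatch against the declared count is what exposes it.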