| 8881 |
2021-04-24 18:20
|
 documents-634555987.xlsm 14a592b56e28f22cb1405846193b308b
VirusTotal Malware Check memory unpack itself Tofsee crashed |
|
4
kurtos.eu(192.185.166.227)
giftsonlinejo.com(67.205.36.230)
67.205.36.230
192.185.166.227
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.2 |
|
5 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8882 |
2021-04-24 18:20
|
 documents-631320621.xlsm 6f72c84993020114d1ff0002d3717498
VirusTotal Malware unpack itself Tofsee DNS |
|
4
giftsonlinejo.com(67.205.36.230)
kurtos.eu(192.185.166.227)
192.185.166.227
67.205.36.230
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
|
4 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8883 |
2021-04-23 18:46
|
xUiuQ.txt b47160d5d81de4c8094c324ea1b524f9
PWS .NET framework AsyncRAT backdoor VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS crashed |
1
|
4
www.google.com(216.58.197.228)
142.250.204.100
13.107.21.200
142.250.66.36
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.0 |
M |
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8884 |
2021-04-23 18:39
|
invoice_533767.doc 551fc4e6c0a593d0b04b055531d1fc4e
RTF File doc VirusTotal Malware ICMP traffic exploit crash unpack itself Tofsee Exploit crashed |
5
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
https://pxlme.me/25hNv_MR
http://perezluzwsdycafewstu.dns.army/perdoc/regasm.exe
|
2
pxlme.me(51.15.139.10) - mailcious
51.15.139.10 - mailcious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8885 |
2021-04-23 18:38
|
 sskiper.exe 8062355a111a77ec5e83711bb635b60b
Process Kill FindFirstVolume PWS .NET framework CryptGenKey AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed |
11
http://download3.info//
http://download2.info/users/content/id4843920512/sskiperus_part2.txt
http://download2.info/function/v2tmp/momomoomomom.php
http://188.119.112.16:29931//
http://download2.info/users/content/id03084901/mmow.txt
http://download2.info/function/v2tmp/sskiperus2.php
https://kis-easy.ru/SystemDataOleDbOleDbServicesWrapperc
https://api.ip.sb/geoip
https://iplogger.com/1jwpj7
https://h.fastihost.ru/SystemCollectionsGenericSystemQueueDebugViewL
https://iplogger.com/1jepj7
|
12
h.fastihost.ru(81.177.140.201)
kis-easy.ru(81.177.140.201)
api.ip.sb(104.26.12.31)
download2.info(109.248.175.195)
iplogger.com(88.99.66.31)
download3.info(185.26.121.195)
88.99.66.31 - mailcious
188.119.112.16
109.248.175.195 - malware
104.26.13.31
81.177.140.201 - phishing
185.230.141.234
|
6
ET USER_AGENTS Suspicious User-Agent (Installed OK)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO Packed Executable Download
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA HTTP unable to match response to request
|
|
16.0 |
M |
16 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8886 |
2021-04-23 18:37
|
 update.exe 7806508028c78ff39211cdfe01a070ef
Library Malware Gen2 Malware download Amadey ENERGETIC BEAR Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder Tofsee Windows ComputerName DNS |
2
http://176.121.14.159/build.exe
http://185.215.113.67/4dcYcWsw3/index.php
|
4
api.faceit.com(104.17.63.50)
176.121.14.159 - malware
104.17.62.50
185.215.113.67
|
9
ET DROP Spamhaus DROP Listed Traffic Inbound group 24
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Amadey CnC Check-In
ET DROP Spamhaus DROP Listed Traffic Inbound group 22
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8887 |
2021-04-23 18:36
|
http://armyscheme.sytes.net/wi... fdd0b9ab0a8d70288ddef6337b62d151Malware Code Injection unpack itself Windows utilities Tofsee Windows DNS DDNS |
1
http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
|
4
edgedl.gvt1.com(142.250.34.2)
armyscheme.sytes.net(3.35.236.132) - malware
3.35.236.132 - malware
142.250.34.2
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain
ET INFO Possible RTF File With Obfuscated Version Header
ET INFO TLS Handshake Failure
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
3.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8888 |
2021-04-23 18:18
|
 FSL_456021054.pdf c0555665c606123b68c3c746f238743c
AgentTesla KeyBase Keylogger AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.161.70)
131.186.161.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.4 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8889 |
2021-04-23 14:23
|
 catalog-1605179562.xlsm 082645e6b13d4cdd417b3d82c15a8c83unpack itself Tofsee DNS |
|
4
ozmontelectrical.com(162.144.12.242) - mailcious
eletrocoghi.com.br(192.185.216.95) - mailcious
192.185.216.95 - malware
162.144.12.242 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8890 |
2021-04-23 13:56
|
 index.html f80e9553e5387cb4fcb09a9094416f4dCode Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
4
http://d3js.org/d3.v4.js
https://d3js.org/d3.v4.js
https://d3js.org/d3-scale-chromatic.v1.min.js
https://d3js.org/d3-geo-projection.v2.min.js
|
2
d3js.org(172.67.73.126)
172.67.73.126
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8891 |
2021-04-23 13:42
|
 index.html f80e9553e5387cb4fcb09a9094416f4dCode Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
4
http://d3js.org/d3.v4.js
https://d3js.org/d3.v4.js
https://d3js.org/d3-scale-chromatic.v1.min.js
https://d3js.org/d3-geo-projection.v2.min.js
|
2
d3js.org(104.26.6.30)
104.26.6.30
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8892 |
2021-04-23 13:10
|
 index.html f80e9553e5387cb4fcb09a9094416f4dCode Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
4
http://d3js.org/d3.v4.js
https://d3js.org/d3.v4.js
https://d3js.org/d3-scale-chromatic.v1.min.js
https://d3js.org/d3-geo-projection.v2.min.js
|
2
d3js.org(104.26.7.30)
104.26.6.30
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8893 |
2021-04-23 10:10
|
 askinstall36.exe 9f2a48592d3ce0632f1ecca2c34567b9
Trojan_PWS_Stealer Credential User Data Emotet Gen2 Antivirus AsyncRAT backdoor SQLite Cookie Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution DNS crashed |
4
http://www.cncode.pw/ - rule_id: 481
http://www.fddnice.pw/ - rule_id: 482
http://www.kenuot.com/Home/Index/lkdinl
https://iplogger.org/1s4qp7
|
8
www.kenuot.com(188.225.87.175)
iplogger.org(88.99.66.31) - mailcious
www.fddnice.pw(103.155.92.58) - mailcious
www.cncode.pw(144.202.76.47) - mailcious
88.99.66.31 - mailcious
144.202.76.47
188.225.87.175 - mailcious
103.155.92.58 - mailcious
|
3
ET DNS Query to a *.pw domain - Likely Hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO HTTP Request to a *.pw domain
|
2
http://www.cncode.pw/
http://www.fddnice.pw/
|
12.4 |
M |
39 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8894 |
2021-04-23 10:10
|
soft.exe 7c41e064f77799275788d55d09d1ff3eBrowser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser Email ComputerName DNS Software Downloader |
6
http://hirezz.com/test/includes/image.php?id=00009CF9F2321904909678
http://hirezz.com/test/includes/image.php
https://up.ufile.io/v1/upload/finalise
https://iplogger.org/1ib2a7
https://up.ufile.io/v1/upload/create_session
https://up.ufile.io/v1/upload/chunk
|
6
up.ufile.io(104.27.194.88)
hirezz.com(162.144.12.143)
iplogger.org(88.99.66.31) - mailcious
104.27.194.88
88.99.66.31 - mailcious
162.144.12.143
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/Unk Downloader CnC Activity
|
|
11.0 |
|
42 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8895 |
2021-04-23 10:09
|
check.dll 19cf698a9ec21bb5a1b12c9c462e2d3dDridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed |
1
https://103.54.41.193/che1/TEST22-PC_W617601.B3E19DB41C770B4F9DA6BB1D235F02FF/5/kps/
|
6
103.54.41.193
115.73.211.230
117.252.68.211
181.176.161.143
103.66.72.217
102.176.221.78
|
3
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET INFO TLS Handshake Failure
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
5.8 |
|
22 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|