8881 | 2021-04-24 18:20 | documents-634555987.xlsm 14a592b56e28f22cb1405846193b308b VirusTotal Malware Check memory unpack itself Tofsee crashed
4 | kurtos.eu(192.185.166.227) giftsonlinejo.com(67.205.36.230) 67.205.36.230 192.185.166.227
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.2 | | 5 | ZeroCERT
8882 | 2021-04-24 18:20 | documents-631320621.xlsm 6f72c84993020114d1ff0002d3717498 VirusTotal Malware unpack itself Tofsee DNS
4 | giftsonlinejo.com(67.205.36.230) kurtos.eu(192.185.166.227) 192.185.166.227 67.205.36.230
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.4 | | 4 | ZeroCERT
8883 | 2021-04-23 18:46 | xUiuQ.txt b47160d5d81de4c8094c324ea1b524f9 PWS .NET framework AsyncRAT backdoor VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows ComputerName DNS crashed
1 |
4 | www.google.com(216.58.197.228) 142.250.204.100 13.107.21.200 142.250.66.36
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.0 | M | 21 | ZeroCERT
8884 | 2021-04-23 18:39 | invoice_533767.doc 551fc4e6c0a593d0b04b055531d1fc4e RTF File doc VirusTotal Malware ICMP traffic exploit crash unpack itself Tofsee Exploit crashed
5 |
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
https://pxlme.me/25hNv_MR
http://perezluzwsdycafewstu.dns.army/perdoc/regasm.exe
2 | pxlme.me(51.15.139.10) - mailcious 51.15.139.10 - mailcious
1 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | 30 | ZeroCERT
8885 | 2021-04-23 18:38 | sskiper.exe 8062355a111a77ec5e83711bb635b60b Process Kill FindFirstVolume PWS .NET framework CryptGenKey AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key Software crashed
11 | http://download3.info// http://download2.info/users/content/id4843920512/sskiperus_part2.txt http://download2.info/function/v2tmp/momomoomomom.php http://188.119.112.16:29931// http://download2.info/users/content/id03084901/mmow.txt http://download2.info/function/v2tmp/sskiperus2.php https://kis-easy.ru/SystemDataOleDbOleDbServicesWrapperc https://api.ip.sb/geoip https://iplogger.com/1jwpj7 https://h.fastihost.ru/SystemCollectionsGenericSystemQueueDebugViewL https://iplogger.com/1jepj7
12 | h.fastihost.ru(81.177.140.201) kis-easy.ru(81.177.140.201) api.ip.sb(104.26.12.31) download2.info(109.248.175.195) iplogger.com(88.99.66.31) download3.info(185.26.121.195) 88.99.66.31 - mailcious 188.119.112.16 109.248.175.195 - malware 104.26.13.31 81.177.140.201 - phishing 185.230.141.234
6 | ET USER_AGENTS Suspicious User-Agent (Installed OK) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO Packed Executable Download SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
16.0 | M | 16 | ZeroCERT
8886 | 2021-04-23 18:37 | update.exe 7806508028c78ff39211cdfe01a070ef Library Malware Gen2 Malware download Amadey ENERGETIC BEAR Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder Tofsee Windows ComputerName DNS
2 | http://176.121.14.159/build.exe http://185.215.113.67/4dcYcWsw3/index.php
4 | api.faceit.com(104.17.63.50) 176.121.14.159 - malware 104.17.62.50 185.215.113.67
9 | ET DROP Spamhaus DROP Listed Traffic Inbound group 24 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Amadey CnC Check-In ET DROP Spamhaus DROP Listed Traffic Inbound group 22 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | | ZeroCERT
8887 | 2021-04-23 18:36 | http://armyscheme.sytes.net/wi... fdd0b9ab0a8d70288ddef6337b62d151 Malware Code Injection unpack itself Windows utilities Tofsee Windows DNS DDNS
1 | http://edgedl.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
4 | edgedl.gvt1.com(142.250.34.2) armyscheme.sytes.net(3.35.236.132) - malware 3.35.236.132 - malware 142.250.34.2
7 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain ET INFO Possible RTF File With Obfuscated Version Header ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3.6 | M | | ZeroCERT
8888 | 2021-04-23 18:18 | FSL_456021054.pdf c0555665c606123b68c3c746f238743c AgentTesla KeyBase Keylogger AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
2 | http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
4 | freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.161.70) 131.186.161.70 104.21.19.200
4 | ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.4 | | 13 | ZeroCERT
8889 | 2021-04-23 14:23 | catalog-1605179562.xlsm 082645e6b13d4cdd417b3d82c15a8c83 unpack itself Tofsee DNS
4 | ozmontelectrical.com(162.144.12.242) - mailcious eletrocoghi.com.br(192.185.216.95) - mailcious 192.185.216.95 - malware 162.144.12.242 - mailcious
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
3.0 | | | ZeroCERT
8890 | 2021-04-23 13:56 | index.html f80e9553e5387cb4fcb09a9094416f4d Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
4 | http://d3js.org/d3.v4.js https://d3js.org/d3.v4.js https://d3js.org/d3-scale-chromatic.v1.min.js https://d3js.org/d3-geo-projection.v2.min.js
2 | d3js.org(172.67.73.126) 172.67.73.126
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
4.2 | | | guest
8891 | 2021-04-23 13:42 | index.html f80e9553e5387cb4fcb09a9094416f4d Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
4 | http://d3js.org/d3.v4.js https://d3js.org/d3.v4.js https://d3js.org/d3-scale-chromatic.v1.min.js https://d3js.org/d3-geo-projection.v2.min.js
2 | d3js.org(104.26.6.30) 104.26.6.30
2 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | | guest
8892 | 2021-04-23 13:10 | index.html f80e9553e5387cb4fcb09a9094416f4d Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
4 | http://d3js.org/d3.v4.js https://d3js.org/d3.v4.js https://d3js.org/d3-scale-chromatic.v1.min.js https://d3js.org/d3-geo-projection.v2.min.js
2 | d3js.org(104.26.7.30) 104.26.6.30
2 | ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | | guest
8893 | 2021-04-23 10:10 | askinstall36.exe 9f2a48592d3ce0632f1ecca2c34567b9 Trojan_PWS_Stealer Credential User Data Emotet Gen2 Antivirus AsyncRAT backdoor SQLite Cookie Browser Info Stealer VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW installed browsers check Tofsee Ransomware Windows Exploit Browser ComputerName Remote Code Execution DNS crashed
4 | http://www.cncode.pw/ - rule_id: 481 http://www.fddnice.pw/ - rule_id: 482 http://www.kenuot.com/Home/Index/lkdinl https://iplogger.org/1s4qp7
8 | www.kenuot.com(188.225.87.175) iplogger.org(88.99.66.31) - mailcious www.fddnice.pw(103.155.92.58) - mailcious www.cncode.pw(144.202.76.47) - mailcious 88.99.66.31 - mailcious 144.202.76.47 188.225.87.175 - mailcious 103.155.92.58 - mailcious
3 | ET DNS Query to a *.pw domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO HTTP Request to a *.pw domain
2 | http://www.cncode.pw/ http://www.fddnice.pw/
12.4 | M | 39 | ZeroCERT
8894 | 2021-04-23 10:10 | soft.exe 7c41e064f77799275788d55d09d1ff3e Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware MachineGuid Malicious Traffic Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser Email ComputerName DNS Software Downloader
6 | http://hirezz.com/test/includes/image.php?id=00009CF9F2321904909678 http://hirezz.com/test/includes/image.php https://up.ufile.io/v1/upload/finalise https://iplogger.org/1ib2a7 https://up.ufile.io/v1/upload/create_session https://up.ufile.io/v1/upload/chunk
6 | up.ufile.io(104.27.194.88) hirezz.com(162.144.12.143) iplogger.org(88.99.66.31) - mailcious 104.27.194.88 88.99.66.31 - mailcious 162.144.12.143
2 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/Unk Downloader CnC Activity
11.0 | | 42 | ZeroCERT
8895 | 2021-04-23 10:09 | check.dll 19cf698a9ec21bb5a1b12c9c462e2d3d Dridex TrickBot VirusTotal Malware suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces Kovter ComputerName DNS crashed
1 | https://103.54.41.193/che1/TEST22-PC_W617601.B3E19DB41C770B4F9DA6BB1D235F02FF/5/kps/
6 | 103.54.41.193 115.73.211.230 117.252.68.211 181.176.161.143 103.66.72.217 102.176.221.78
3 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
5.8 | | 22 | ZeroCERT