8911 |
2021-04-21 09:36
|
catalog-2133469391.xlsm c08158e8674bb5ef097c64236f0b42aa Check memory unpack itself Tofsee DNS crashed |
2
http://halle-auer20h.ru.com/lenta.html https://steilppm.ac.id/drms/lenta.html
|
8
steilppm.ac.id(173.254.61.152) acienciaparaficarrico.com.br(198.50.218.68) halle-auer20h.ru.com(34.86.137.163) deccanrestaurant.co.uk(5.100.155.169) 198.50.218.68 - malware 5.100.155.169 - malware 173.254.61.152 34.86.137.163
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
ZeroCERT
|
8912 |
2021-04-21 09:36
|
catalog-349912341.xlsm df2938a470a7d5a3194207f5bd91fba8 Check memory unpack itself Tofsee crashed |
2
http://halle-auer20h.ru.com/lenta.html https://steilppm.ac.id/drms/lenta.html
|
8
steilppm.ac.id(173.254.61.152) acienciaparaficarrico.com.br(198.50.218.68) halle-auer20h.ru.com(34.86.137.163) deccanrestaurant.co.uk(5.100.155.169) 34.86.137.163 173.254.61.152 5.100.155.169 - malware 198.50.218.68 - malware
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.2 |
|
|
ZeroCERT
|
8913 |
2021-04-21 09:25
|
ashleyx.exe 8bb6b2cd59a316a1b2509a53d9b7bed5 AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software |
3
http://edgedl.gvt1.com/edgedl/release2/chrome/AL5rs2UJAhI5hqZoF2YHW-w_89.0.4389.128/89.0.4389.128_chrome_installer.exe http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C74A40101EF9210BFD08B410CB832AFC.html https://update.googleapis.com/service/update2?cup2key=10:3910824222&cup2hreq=dc950c06ee23db63ccbc6463d0953d7c049cb27465657b9d252c3381314707af
|
6
edgedl.gvt1.com(142.250.34.2) mmwrlridbhmibnr.ml(104.21.86.143) 142.250.204.35 172.67.220.147 142.250.34.2 51.195.53.221 - mailcious
|
4
ET INFO DNS Query for Suspicious .ml Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
|
|
15.6 |
M |
19 |
ZeroCERT
|
8914 |
2021-04-21 09:22
|
km.dot 94c2c8723c5275bbc57c76fca34e94f0 Vulnerability VirusTotal Malware exploit crash unpack itself Tofsee Exploit DNS crashed |
|
2
lidamtour.com(181.119.48.4) - malware 181.119.48.4 - malware
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.8 |
M |
27 |
ZeroCERT
|
8915 |
2021-04-20 16:13
|
a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9 VBA_macro Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
5
http://rsimadinah.com/wp-content/16qT/ - rule_id: 1014 http://insvat.com/wp-admin/Dw/ - rule_id: 1010 http://blogs.g2gtechnologies.com/blogs/v/ - rule_id: 1011 http://pattayastore.com/visio-network-1hmpp/j5/ - rule_id: 1013 https://tenmoney.business/wp-content/nhW/ - rule_id: 1015
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware sureoptimize.com(142.93.247.242) - malware tenmoney.business(172.67.156.186) - mailcious pattayastore.com(202.183.165.89) - malware rsimadinah.com(66.96.230.225) - malware insvat.com(185.42.104.77) - malware littleindiadirectory.com(18.141.196.101) - malware 185.42.104.77 - malware 208.91.199.15 - malware 202.183.165.89 142.93.247.242 66.96.230.225 - malware 172.67.156.186 - mailcious 18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
5
http://rsimadinah.com/wp-content/16qT/ http://insvat.com/wp-admin/Dw/ http://blogs.g2gtechnologies.com/blogs/v/ http://pattayastore.com/visio-network-1hmpp/j5/ https://tenmoney.business/wp-content/nhW/
|
4.8 |
M |
50 |
guest
|
8916 |
2021-04-20 15:50
|
setupapp.exe 73eb70ca5994df6e2766bb5b799f04ec VirusTotal Malware suspicious privilege WMI unpack itself Tofsee ComputerName DNS |
5
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=7AbuFcy6rVsv90SWbhZYjX%2F1l2smGDcgr940AwiIF4k%3D&spr=https&se=2021-04-21T07%3A12%3A02Z&rscl=x-e2eid-d85b51fb-5af2448b-86391750-db8470b1-session-1ebff91c-856e4d36-a4b4e0af-5a74b6de https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=9UUozfiE%2FOpxeeckU6eKE51prLyA7vjOQSQhv8%2F4Goc%3D&spr=https&se=2021-04-21T07%3A35%3A45Z&rscl=x-e2eid-1750f897-21ec47fd-858b9192-280e65c5-session-4d66908c-74d44857-ac54d7ee-2d4cedfc https://msdl.microsoft.com/download/symbols/index2.txt https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb
|
16
sndvoices.com(172.67.216.130) cd525338-6a0f-400b-a98a-ae23e317d921.sndvoices.com() vsblobprodscussu5shard10.blob.core.windows.net(20.150.39.196) fotamene.com(172.67.128.242) - malware spolaect.info(172.67.161.225) msdl.microsoft.com(204.79.197.219) lalemada.info(172.67.207.106) vsblobprodscussu5shard58.blob.core.windows.net(13.84.56.16) server10.sndvoices.com(172.67.216.130) 204.79.197.219 172.67.207.106 13.84.56.16 104.21.16.228 172.67.161.225 104.21.1.88 20.150.39.196
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.0 |
M |
54 |
ZeroCERT
|
8917 |
2021-04-20 09:48
|
Zzsvkpq.pdf 542f3ea693d61187bd10db0376a6b3e7 Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
10
http://osiq.club/main.php http://osiq.club/3.jpg http://osiq.club/1.jpg http://osiq.club/2.jpg http://osiq.club/6.jpg http://osiq.club/4.jpg http://osiq.club/ http://osiq.club/7.jpg http://osiq.club/5.jpg https://yoursite.com/
|
5
www.yoursite.com(104.21.14.15) osiq.club(45.133.1.27) yoursite.com(172.67.133.191) 172.67.133.191 45.133.1.27
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.0 |
|
22 |
ZeroCERT
|
8918 |
2021-04-20 09:46
|
Zeqenylvg.pdf d20d0d39b52c812da0ae519d68aa889b Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
10
http://45.144.225.201/5.jpg http://45.144.225.201/7.jpg http://45.144.225.201/main.php http://45.144.225.201/1.jpg http://45.144.225.201/ http://45.144.225.201/3.jpg http://45.144.225.201/2.jpg http://45.144.225.201/4.jpg http://45.144.225.201/6.jpg https://yoursite.com/
|
5
www.yoursite.com(172.67.133.191) yoursite.com(104.21.14.15) 104.21.14.15 172.67.133.191 45.144.225.201 - mailcious
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
|
18.2 |
|
16 |
ZeroCERT
|
8919 |
2021-04-20 09:42
|
Iyjomdb_Signed_.xls bebcbeef93c5ee64473336c98c6a13c4 VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted RWX flags setting unpack itself Tofsee Interception Windows ComputerName DNS Cryptographic key crashed |
1
https://cdn.discordapp.com/attachments/775608373949235243/781771882017456178/Iyjobgr
|
5
discord.com(162.159.137.232) - mailcious cdn.discordapp.com(162.159.133.233) - malware 162.159.136.232 162.159.135.233 - malware 104.21.19.200
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
11.8 |
|
52 |
ZeroCERT
|
8920 |
2021-04-20 09:40
|
Wvlvhrl.pdf 149b0568e10ba3994c5c88440221fb2e Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName crashed Password |
12
http://vtqt.xyz/5.jpg http://vtqt.xyz/7.jpg http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ http://vtqt.xyz/1.jpg http://vtqt.xyz/ http://vtqt.xyz/3.jpg http://vtqt.xyz/2.jpg http://vtqt.xyz/4.jpg http://vtqt.xyz/6.jpg http://vtqt.xyz/main.php http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f https://yoursite.com/
|
6
www.yoursite.com(172.67.133.191) vtqt.xyz(45.133.1.27) yoursite.com(104.21.14.15) 104.21.14.15 172.67.133.191 45.133.1.27
|
7
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
|
|
17.6 |
|
18 |
ZeroCERT
|
8921 |
2021-04-20 09:37
|
Dmdckvjtg.pdf 46ddcd557521e886e2548e72097e01d6 Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs WriteConsoleW anti-virtualization installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName DNS crashed Password |
10
http://orisinlog.com/main.php http://orisinlog.com/5.jpg http://orisinlog.com/7.jpg http://orisinlog.com/1.jpg http://orisinlog.com/3.jpg http://orisinlog.com/2.jpg http://orisinlog.com/ - rule_id: 108 http://orisinlog.com/4.jpg http://orisinlog.com/6.jpg https://yoursite.com/
|
6
orisinlog.com(45.144.225.201) - mailcious www.yoursite.com(172.67.133.191) yoursite.com(104.21.14.15) 104.21.14.15 172.67.188.154 45.144.225.201 - mailcious
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
1
|
18.0 |
M |
21 |
ZeroCERT
|
8922 |
2021-04-20 09:35
|
Uekonhzz.pdf d4d8ef44275700e1b44a4c82fa18a7e7 AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://yoursite.com/
|
8
www.yoursite.com(172.67.133.191) freegeoip.app(172.67.188.154) yoursite.com(104.21.14.15) checkip.dyndns.org(131.186.161.70) 172.67.133.191 216.146.43.70 - suspicious 104.21.14.15 104.21.19.200
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
14.0 |
|
30 |
ZeroCERT
|
8923 |
2021-04-20 09:34
|
Dtiqyjksq.pdf f800c3f06fc079a0b96c979a887c4000 AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://yoursite.com/
|
7
www.yoursite.com(104.21.14.15) freegeoip.app(104.21.19.200) yoursite.com(172.67.133.191) checkip.dyndns.org(216.146.43.70) 131.186.113.70 172.67.188.154 172.67.133.191
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
13.2 |
|
20 |
ZeroCERT
|
8924 |
2021-04-20 09:31
|
Hyjgyn.pdf 1ceae4d45ed09a9ed4d5c392a7654fa9 AsyncRAT backdoor VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee Windows ComputerName crashed |
1
|
3
www.yoursite.com(104.21.14.15) yoursite.com(172.67.133.191) 172.67.133.191
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
10.6 |
|
20 |
ZeroCERT
|
8925 |
2021-04-20 09:29
|
Famtf.pdf a4326b69873c799207e4c9d30c2ed3ac AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://yoursite.com/
|
7
www.yoursite.com(104.21.14.15) freegeoip.app(172.67.188.154) yoursite.com(172.67.133.191) checkip.dyndns.org(216.146.43.71) 104.21.14.15 172.67.188.154 131.186.161.70
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
14.0 |
|
19 |
ZeroCERT
|