8926 |
2021-04-20 09:28
|
invoice_115521.doc 10ea6889fd7ca096c9b307b276a03b99 LokiBot Malware download VirusTotal Malware c&c Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit Trojan DNS crashed |
2
http://bncoporations.tk/Bn2/fre.php https://pxlme.me/r4K_NukV
|
7
bncoporations.tk(172.67.185.63) stdytheviejupcazfekr.dns.army(103.133.108.6) - mailcious pxlme.me(51.15.139.10) 59.18.44.14 104.21.19.52 103.133.108.6 - mailcious 51.15.139.10
|
12
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download ET DNS Query to a .tk domain - Likely Hostile ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET POLICY HTTP Request to a *.tk domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
4.8 |
M |
29 |
ZeroCERT
8927 |
2021-04-20 09:26
|
zuPrmTisZ3pMewf.exe 93675693e8fcb6b339a5529f49fadf6f VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS crashed |
4
http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1618877781&mv=m&mvi=3&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=10:2761306227&cup2hreq=639d202355e668bd9c14c78151e1a3454c42a124f2d3580ede034472a7c3977a
|
5
r3---sn-3u-bh26.gvt1.com(59.18.44.14) 142.250.204.35 142.250.66.110 59.18.44.14 142.250.66.99
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
14.6 |
M |
32 |
ZeroCERT
8928 |
2021-04-20 09:23
|
g1mrfi.rar 340994098deb6bf6fa91f73350af7c15 Gen2 Gen1 VirusTotal Malware PDB Malicious Traffic unpack itself Tofsee Windows DNS crashed |
3
http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe https://update.googleapis.com/service/update2 https://update.googleapis.com/service/update2?cup2key=10:4227462757&cup2hreq=368373e8187af8080730cb1ca102e99c23fa418c238c3586be44d3f46bbd62cd
|
2
edgedl.gvt1.com(142.250.34.2) 142.250.34.2
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
3.2 |
|
8 |
ZeroCERT
8929 |
2021-04-20 09:05
|
catalog-1301901571.xlsm b7a0b0ca21ea1ec602751681d5c60b11 Check memory unpack itself Tofsee DNS crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120) heavensabode.in(103.50.162.157) scientia-ti.com.br(108.179.192.222) 108.179.192.222 - malware 92.53.96.120 - mailcious 103.50.162.157 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
|
ZeroCERT
8930 |
2021-04-20 09:04
|
catalog-1321576138.xlsm 0b6cef78cf09fe70881452faab47918f Check memory unpack itself Tofsee crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120) heavensabode.in(103.50.162.157) scientia-ti.com.br(108.179.192.222) 108.179.192.222 - malware 103.50.162.157 - mailcious 92.53.96.120 - mailcious
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
|
ZeroCERT
8931 |
2021-04-20 09:03
|
catalog-1356110994.xlsm 8b7f402856f3d80cb0d041a26f35ec99 Check memory unpack itself Tofsee DNS crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120) heavensabode.in(103.50.162.157) scientia-ti.com.br(108.179.192.222) 108.179.192.222 - malware 92.53.96.120 - mailcious 103.50.162.157 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.4 |
|
|
ZeroCERT
8932 |
2021-04-20 09:02
|
catalog-134300255.xlsm c1bbead8915e662c20f05437a1966028 Check memory unpack itself suspicious TLD Tofsee crashed |
|
6
truboprovodnaya-armatura.ru(92.53.96.120) heavensabode.in(103.50.162.157) scientia-ti.com.br(108.179.192.222) 108.179.192.222 - malware 103.50.162.157 - mailcious 92.53.96.120 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.2 |
|
|
ZeroCERT
8933 |
2021-04-20 07:49
|
Pvcjjru.exe 6581f25476a8e4009877ba7498489ef6 Gen1 AsyncRAT backdoor Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName crashed Password |
9
http://novget.com/3.jpg http://novget.com/ - rule_id: 986 http://novget.com/main.php http://novget.com/7.jpg http://novget.com/5.jpg http://novget.com/6.jpg http://novget.com/4.jpg http://novget.com/2.jpg https://yoursite.com/
|
5
www.yoursite.com(104.21.14.15) novget.com(45.144.225.201) - mailcious yoursite.com(104.21.14.15) 45.144.225.201 172.67.133.191
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
|
1
|
19.4 |
M |
23 |
ZeroCERT
8934 |
2021-04-20 07:41
|
Ddsfrkgc.pdf 764abd8daf6dddba262e3bbae25fdbf5 AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
3
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150 https://yoursite.com/
|
8
www.yoursite.com(104.21.14.15) freegeoip.app(172.67.188.154) yoursite.com(172.67.133.191) checkip.dyndns.org(131.186.161.70) 172.67.133.191 131.186.161.70 104.21.14.15 104.21.19.200
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
14.2 |
|
22 |
ZeroCERT
8935 |
2021-04-20 07:39
|
Nnojr.exe 0223c7c933d538790ea29c9975490088 PWS .NET framework Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200) checkip.dyndns.org(216.146.43.70) 131.186.113.70 172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
13.2 |
|
21 |
ZeroCERT
8936 |
2021-04-19 13:53
|
a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9 VBA_macro Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware sureoptimize.com(142.93.247.242) - malware tenmoney.business(172.67.156.186) - mailcious pattayastore.com(202.183.165.89) - malware rsimadinah.com(66.96.230.225) - malware insvat.com(185.42.104.77) - malware littleindiadirectory.com(18.141.196.101) - malware 185.42.104.77 - malware 208.91.199.15 - malware 202.183.165.89 142.93.247.242 104.21.8.30 66.96.230.225 - malware 18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
50 |
guest
8937 |
2021-04-19 10:22
|
a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9 VBA_macro Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware sureoptimize.com(142.93.247.242) - malware tenmoney.business(104.21.8.30) - mailcious pattayastore.com(202.183.165.89) - malware rsimadinah.com(66.96.230.225) - malware insvat.com(185.42.104.77) - malware littleindiadirectory.com(18.141.196.101) - malware 185.42.104.77 - malware 208.91.199.15 - malware 202.183.165.89 142.93.247.242 104.21.8.30 66.96.230.225 - malware 18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
50 |
r0d
8938 |
2021-04-18 10:36
|
a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9 Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware sureoptimize.com(142.93.247.242) - malware tenmoney.business(104.21.8.30) - mailcious pattayastore.com(202.183.165.89) - malware rsimadinah.com(66.96.230.225) - malware insvat.com(185.42.104.77) - malware littleindiadirectory.com(18.141.196.101) - malware 185.42.104.77 - malware 208.91.199.15 - malware 202.183.165.89 142.93.247.242 66.96.230.225 - malware 172.67.156.186 - mailcious 18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
50 |
guest
8939 |
2021-04-17 10:24
|
catalog-342909133.xlsm 2f6bd277a917a4bca6216444ecbc1d62 ICMP traffic unpack itself Tofsee DNS |
1
http://jerry-dibbert16ih.ru.com/rocket.html
|
10
alexandrea-friesen16ka.ru.com(34.95.253.189) - mailcious useragent20.barloggio.net(116.0.21.14) - mailcious jerry-dibbert16ih.ru.com(34.95.253.189) ri.posgradocolumbia.edu.py(50.87.146.86) - mailcious casadopai.net.br(192.185.214.152) - mailcious 192.185.214.152 - mailcious 50.87.146.86 - mailcious 116.0.21.14 - mailcious 34.95.253.189 - mailcious 104.21.19.200
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
M |
|
ZeroCERT
8940 |
2021-04-17 10:22
|
catalog-323305862.xlsm fcb2af95d2b6abd32e4886d302b207aa Check memory unpack itself Tofsee crashed |
1
http://jerry-dibbert16ih.ru.com/rocket.html
|
9
alexandrea-friesen16ka.ru.com(34.95.253.189) - mailcious useragent20.barloggio.net(116.0.21.14) - mailcious jerry-dibbert16ih.ru.com(34.95.253.189) ri.posgradocolumbia.edu.py(50.87.146.86) - mailcious casadopai.net.br(192.185.214.152) - mailcious 192.185.214.152 - mailcious 50.87.146.86 - mailcious 34.95.253.189 - mailcious 116.0.21.14 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
3.2 |
M |
|
ZeroCERT