| 8941 |
2021-04-17 10:22
|
 catalog-350434392.xlsm 94e7b5a0f5cecb24336de03de0771631
unpack itself Tofsee DNS |
1
http://jerry-dibbert16ih.ru.com/rocket.html
|
9
alexandrea-friesen16ka.ru.com(34.95.253.189) - mailcious
useragent20.barloggio.net(116.0.21.14) - mailcious
jerry-dibbert16ih.ru.com(34.95.253.189)
ri.posgradocolumbia.edu.py(50.87.146.86) - mailcious
casadopai.net.br(192.185.214.152) - mailcious
192.185.214.152 - mailcious
50.87.146.86 - mailcious
116.0.21.14 - mailcious
34.95.253.189 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8942 |
2021-04-17 10:20
|
 catalog-359462809.xlsm f00e8a3cb014f7732fe0b5b685304ff2
unpack itself Tofsee DNS |
2
http://alexandrea-friesen16ka.ru.com/rocket.html
http://jerry-dibbert16ih.ru.com/rocket.html
|
9
alexandrea-friesen16ka.ru.com(34.95.253.189)
useragent20.barloggio.net(116.0.21.14)
jerry-dibbert16ih.ru.com(34.95.253.189)
ri.posgradocolumbia.edu.py(50.87.146.86)
casadopai.net.br(192.185.214.152)
192.185.214.152
50.87.146.86 - mailcious
116.0.21.14
34.95.253.189 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8943 |
2021-04-17 10:18
|
 Ttcmb.exe d239a7aeffee188f2aa966e9f252e4bb
AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154)
checkip.dyndns.org(162.88.193.70)
216.146.43.71
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8944 |
2021-04-17 10:11
|
aguerox.exe be64ba16260fa8f15fe08e3fbcc32a0a
AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key |
6
http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D306B0B42F37AE8814979F5718988BB.html - rule_id: 969
http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A2DC6DDDB051F23AE27593EE6177D2CE.html - rule_id: 969
http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F974651699F7A075AAAF2F0C9FB48273.html - rule_id: 969
https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A2DC6DDDB051F23AE27593EE6177D2CE.html - rule_id: 970
https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D306B0B42F37AE8814979F5718988BB.html - rule_id: 970
https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F974651699F7A075AAAF2F0C9FB48273.html - rule_id: 970
|
2
bornforthis.ml(172.67.222.176) - mailcious
172.67.222.176 - mailcious
|
3
ET INFO DNS Query for Suspicious .ml Domain
ET INFO Suspicious Domain (*.ml) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
6
http://bornforthis.ml/liverpool-fc-news/
http://bornforthis.ml/liverpool-fc-news/
http://bornforthis.ml/liverpool-fc-news/
https://bornforthis.ml/liverpool-fc-news/
https://bornforthis.ml/liverpool-fc-news/
https://bornforthis.ml/liverpool-fc-news/
|
3.6 |
M |
45 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8945 |
2021-04-16 18:04
|
 winsdk.exe 35ab7b989418f63d814895500fe6617b
Process Kill FindFirstVolume CryptGenKey VirusTotal Cryptocurrency Miner Malware Cryptocurrency suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows Tor ComputerName DNS |
1
|
9
pool.hashvault.pro(131.153.159.26) - mailcious
ezstat.ru(88.99.66.31) - mailcious
51.75.169.249
145.239.66.236
176.10.104.240 - mailcious
88.99.66.31 - mailcious
163.172.157.213 - mailcious
54.36.227.247
131.153.76.130 - mailcious
|
8
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 647
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 199
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174
ET TOR Known Tor Exit Node Traffic group 20
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 20
ET POLICY Cryptocurrency Miner Checkin
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.6 |
M |
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8946 |
2021-04-16 09:56
|
 catalog-651041236.xlsm eedd85d33f91ca72acae1df084d2d373Check memory unpack itself Tofsee crashed |
7
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
http://rosenbaum-milan15y.ru.com/body.html
http://boehm-kavon15lc.ru.com/body.html
|
3.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8947 |
2021-04-16 09:56
|
 catalog-64874377.xlsm 608719001a3fbf939763a416e80f1410VirusTotal Malware ICMP traffic unpack itself Tofsee DNS |
7
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
2
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
|
4.8 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8948 |
2021-04-16 09:55
|
 catalog-651450025.xlsm 57aba2732b2168b1914c8b5a49369de4VirusTotal Malware Check memory unpack itself Tofsee crashed |
4
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
|
3.8 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8949 |
2021-04-16 09:37
|
 catalog-64852490.xlsm 7d5bcecf80df4dd2ba51da0ec80037feCheck memory ICMP traffic unpack itself Tofsee crashed |
4
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
2
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
|
4.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8950 |
2021-04-16 09:35
|
 catalog-649166437.xlsm bd71cc9af8cdeececc41a6484cf5dbf4VirusTotal Malware Check memory unpack itself Tofsee DNS crashed |
4
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
2
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
|
4.4 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8951 |
2021-04-16 09:34
|
 catalog-649822080.xlsm 23fda0e556cfedba000e4510e40b090cCheck memory unpack itself Tofsee crashed |
4
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
2
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
|
3.2 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8952 |
2021-04-16 09:18
|
 catalog-617228643.xlsm 3c2ffd4eb20488152e4882dffabd6b0dVirusTotal Malware Check memory unpack itself Tofsee DNS crashed |
4
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
https://glsiba.org/drms/body.html
https://jahthroneafricancrafts.com/drms/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.4 |
|
11 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8953 |
2021-04-16 09:15
|
 catalog-606434184.xlsm 9c843d4ef72be7252faa977664af9763VirusTotal Malware Check memory ICMP traffic unpack itself Tofsee crashed |
4
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
https://glsiba.org/drms/body.html
https://jahthroneafricancrafts.com/drms/body.html
|
7
glsiba.org(204.11.58.33)
jahthroneafricancrafts.com(75.119.136.137)
rosenbaum-milan15y.ru.com(34.95.253.189)
boehm-kavon15lc.ru.com(34.95.253.189)
34.95.253.189
204.11.58.33 - malware
75.119.136.137
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
4.6 |
|
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8954 |
2021-04-16 07:58
|
"https://ia601505.us.archive.o... Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
3
https://archive.org/includes/fonts/Iconochive-Regular.eot?
https://ia601505.us.archive.org/8/items/encodingdoc-2021/Encodingdoc2021.txt
https://archive.org/includes/build/css/archive.min.css?v=66127
|
4
ia601505.us.archive.org(207.241.227.115) - mailcious
archive.org(207.241.224.2) - mailcious
207.241.227.115 - mailcious
207.241.224.2 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
3.8 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8955 |
2021-04-15 07:45
|
 Wydvkms.exe 6477b1f3539248de6531ecc34c07c7c3
Azorult .NET framework Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200)
checkip.dyndns.org(216.146.43.71)
131.186.113.70
104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
|
|
14.4 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|