8941 | 2021-04-17 10:22
File: catalog-350434392.xlsm 94e7b5a0f5cecb24336de03de0771631
Tags: unpack itself Tofsee DNS
URLs (1):
http://jerry-dibbert16ih.ru.com/rocket.html
Hosts (9): alexandrea-friesen16ka.ru.com(34.95.253.189) - mailcious; useragent20.barloggio.net(116.0.21.14) - mailcious; jerry-dibbert16ih.ru.com(34.95.253.189); ri.posgradocolumbia.edu.py(50.87.146.86) - mailcious; casadopai.net.br(192.185.214.152) - mailcious; 192.185.214.152 - mailcious; 50.87.146.86 - mailcious; 116.0.21.14 - mailcious; 34.95.253.189 - mailcious
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.4 | M | | ZeroCERT

8942 | 2021-04-17 10:20
File: catalog-359462809.xlsm f00e8a3cb014f7732fe0b5b685304ff2
Tags: unpack itself Tofsee DNS
URLs (2):
http://alexandrea-friesen16ka.ru.com/rocket.html
http://jerry-dibbert16ih.ru.com/rocket.html
Hosts (9): alexandrea-friesen16ka.ru.com(34.95.253.189); useragent20.barloggio.net(116.0.21.14); jerry-dibbert16ih.ru.com(34.95.253.189); ri.posgradocolumbia.edu.py(50.87.146.86); casadopai.net.br(192.185.214.152); 192.185.214.152; 50.87.146.86 - mailcious; 116.0.21.14; 34.95.253.189 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.4 | | | ZeroCERT

8943 | 2021-04-17 10:18
File: Ttcmb.exe d239a7aeffee188f2aa966e9f252e4bb
Tags: AsyncRAT backdoor Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154); checkip.dyndns.org(162.88.193.70); 216.146.43.71; 104.21.19.200
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.2 | | | ZeroCERT

8944 | 2021-04-17 10:11
File: aguerox.exe be64ba16260fa8f15fe08e3fbcc32a0a
Tags: AsyncRAT backdoor VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows ComputerName DNS Cryptographic key
URLs (6):
http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D306B0B42F37AE8814979F5718988BB.html - rule_id: 969
http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A2DC6DDDB051F23AE27593EE6177D2CE.html - rule_id: 969
http://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F974651699F7A075AAAF2F0C9FB48273.html - rule_id: 969
https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A2DC6DDDB051F23AE27593EE6177D2CE.html - rule_id: 970
https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8D306B0B42F37AE8814979F5718988BB.html - rule_id: 970
https://bornforthis.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-F974651699F7A075AAAF2F0C9FB48273.html - rule_id: 970
Hosts (2): bornforthis.ml(172.67.222.176) - mailcious; 172.67.222.176 - mailcious
Alerts (3): ET INFO DNS Query for Suspicious .ml Domain; ET INFO Suspicious Domain (*.ml) in TLS SNI; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URLs, second column (6):
http://bornforthis.ml/liverpool-fc-news/
http://bornforthis.ml/liverpool-fc-news/
http://bornforthis.ml/liverpool-fc-news/
https://bornforthis.ml/liverpool-fc-news/
https://bornforthis.ml/liverpool-fc-news/
https://bornforthis.ml/liverpool-fc-news/
3.6 | M | 45 | ZeroCERT

8945 | 2021-04-16 18:04
File: winsdk.exe 35ab7b989418f63d814895500fe6617b
Tags: Process Kill FindFirstVolume CryptGenKey VirusTotal Cryptocurrency Miner Malware Cryptocurrency suspicious privilege Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder suspicious TLD WriteConsoleW Tofsee Windows Tor ComputerName DNS
URLs (1):
Hosts (9): pool.hashvault.pro(131.153.159.26) - mailcious; ezstat.ru(88.99.66.31) - mailcious; 51.75.169.249; 145.239.66.236; 176.10.104.240 - mailcious; 88.99.66.31 - mailcious; 163.172.157.213 - mailcious; 54.36.227.247; 131.153.76.130 - mailcious
Alerts (8): ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 633; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 647; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 199; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174; ET TOR Known Tor Exit Node Traffic group 20; ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 20; ET POLICY Cryptocurrency Miner Checkin; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 | M | 30 | ZeroCERT

8946 | 2021-04-16 09:56
File: catalog-651041236.xlsm eedd85d33f91ca72acae1df084d2d373
Tags: Check memory unpack itself Tofsee crashed
URLs (7):
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URLs, second column (2):
http://rosenbaum-milan15y.ru.com/body.html
http://boehm-kavon15lc.ru.com/body.html
3.2 | | | ZeroCERT

8947 | 2021-04-16 09:56
File: catalog-64874377.xlsm 608719001a3fbf939763a416e80f1410
Tags: VirusTotal Malware ICMP traffic unpack itself Tofsee DNS
URLs (7):
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
URLs, second column (2):
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
4.8 | | 13 | ZeroCERT

8948 | 2021-04-16 09:55
File: catalog-651450025.xlsm 57aba2732b2168b1914c8b5a49369de4
Tags: VirusTotal Malware Check memory unpack itself Tofsee crashed
URLs (4):
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URLs, second column (2):
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
3.8 | | 11 | ZeroCERT

8949 | 2021-04-16 09:37
File: catalog-64852490.xlsm 7d5bcecf80df4dd2ba51da0ec80037fe
Tags: Check memory ICMP traffic unpack itself Tofsee crashed
URLs (4):
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URLs, second column (2):
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
4.0 | | | ZeroCERT

8950 | 2021-04-16 09:35
File: catalog-649166437.xlsm bd71cc9af8cdeececc41a6484cf5dbf4
Tags: VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
URLs (4):
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
URLs, second column (2):
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
4.4 | | 11 | ZeroCERT

8951 | 2021-04-16 09:34
File: catalog-649822080.xlsm 23fda0e556cfedba000e4510e40b090c
Tags: Check memory unpack itself Tofsee crashed
URLs (4):
http://boehm-kavon15lc.ru.com/body.html - rule_id: 987
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html - rule_id: 988
http://rosenbaum-milan15y.ru.com/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
URLs, second column (2):
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
3.2 | | | ZeroCERT

8952 | 2021-04-16 09:18
File: catalog-617228643.xlsm 3c2ffd4eb20488152e4882dffabd6b0d
Tags: VirusTotal Malware Check memory unpack itself Tofsee DNS crashed
URLs (4):
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
https://glsiba.org/drms/body.html
https://jahthroneafricancrafts.com/drms/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
4.4 | | 11 | ZeroCERT

8953 | 2021-04-16 09:15
File: catalog-606434184.xlsm 9c843d4ef72be7252faa977664af9763
Tags: VirusTotal Malware Check memory ICMP traffic unpack itself Tofsee crashed
URLs (4):
http://boehm-kavon15lc.ru.com/body.html
http://rosenbaum-milan15y.ru.com/body.html
https://glsiba.org/drms/body.html
https://jahthroneafricancrafts.com/drms/body.html
Hosts (7): glsiba.org(204.11.58.33); jahthroneafricancrafts.com(75.119.136.137); rosenbaum-milan15y.ru.com(34.95.253.189); boehm-kavon15lc.ru.com(34.95.253.189); 34.95.253.189; 204.11.58.33 - malware; 75.119.136.137
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
4.6 | | 13 | ZeroCERT

8954 | 2021-04-16 07:58
File: "https://ia601505.us.archive.o...
Tags: Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (3):
https://archive.org/includes/fonts/Iconochive-Regular.eot?
https://ia601505.us.archive.org/8/items/encodingdoc-2021/Encodingdoc2021.txt
https://archive.org/includes/build/css/archive.min.css?v=66127
Hosts (4): ia601505.us.archive.org(207.241.227.115) - mailcious; archive.org(207.241.224.2) - mailcious; 207.241.227.115 - mailcious; 207.241.224.2 - mailcious
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure
3.8 | | | guest

8955 | 2021-04-15 07:45
File: Wydvkms.exe 6477b1f3539248de6531ecc34c07c7c3
Tags: Azorult .NET framework Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2):
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(104.21.19.200); checkip.dyndns.org(216.146.43.71); 131.186.113.70; 104.21.19.200
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response
14.4 | M | 27 | ZeroCERT