9061 | 2021-03-16 13:43
File: cdi.exe   MD5: 25be85a9de358519cde0817dfad40b23
Tags: Azorult, .NET framework, ftp Client info stealer, email stealer, browser, Google Chrome User Data, Win Trojan agentTesla, Browser Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, crashed
URLs (2): http://checkip.dyndns.org/ ; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app (104.21.19.200); checkip.dyndns.org (216.146.43.71); 172.67.188.154; 131.186.161.70
Suricata alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 12.0 | (empty) | 30 | ZeroCERT

9062 | 2021-03-15 16:26
File: login.vbs   MD5: 49f685bf27de38094374336be540b200
Tags: Antivirus, Malware, VBScript, powershell, Buffer PE, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, wscript.exe, payload download, Creates shortcut, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, malicious URLs, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key, DDNS, Dropper
URLs (3): https://paste.ee/d/lv0o9/0 ; https://paste.ee/d/FW6Jp/0 ; https://paste.ee/d/6Q39G/0
Hosts (5): paste.ee (104.21.45.223); testandonovameta.duckdns.org (191.190.115.177); 172.67.219.133; 104.21.45.223; 191.190.115.177
Suricata alerts (2): ET INFO DYNAMIC_DNS Query to *.duckdns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 10.0 | (empty) | (empty) | r0d

9063 | 2021-03-14 12:16
File: IMG_0103_Scanned_120_37.pdf   MD5: e5ac1ed6a1f096b7d16362595f913365
Tags: ftp Client info stealer, email stealer, Win Trojan agentTesla, browser, Antivirus, Google Chrome User Data, AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, Buffer PE, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2): http://checkip.dyndns.org/ ; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app (172.67.188.154); checkip.dyndns.org (216.146.43.70); 131.186.113.70; 104.21.19.200
Suricata alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 16.6 | M | 28 | ZeroCERT

9064 | 2021-03-12 19:08
File: PO_2173_Scanned_13.pdf   MD5: 0cb0ce99b82727b4701d9aeab2aa4451
Tags: ftp Client info stealer, email stealer, Win Trojan agentTesla, browser, Antivirus, Google Chrome User Data, AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, Buffer PE, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2): http://checkip.dyndns.org/ ; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app (172.67.188.154); checkip.dyndns.org (162.88.193.70); 172.67.188.154; 131.186.161.70
Suricata alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response
Other columns: 16.0 | M | 22 | ZeroCERT

9065 | 2021-03-12 19:05
File: 1090905469.exe   MD5: 3ab5db8a82b6ca11f37100b4fa751c72
Tags: Azorult, .NET framework, AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, unpack itself, Collect installed applications, Check virtual network interfaces, malicious URLs, installed browsers check, Tofsee, Ransomware, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (3): http://62.109.7.229/ ; https://www.bing.com/ ; https://api.ip.sb/geoip
Hosts (6): www.google.com (216.58.197.132); api.ip.sb (172.67.75.172); 216.58.199.100; 104.26.12.31; 13.107.21.200; 62.109.7.229
Suricata alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
Other columns: 16.6 | M | 10 | ZeroCERT

9066 | 2021-03-12 18:57
File: 856125340.exe   MD5: 0e9b44989a3627976703bbe1e259cf62
Tags: AsyncRAT backdoor, VirusTotal, Malware, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, Tofsee, Windows, DNS, Cryptographic key
URLs (1): https://50n0.tolganfor.ru/SystemNetHttpListenerExceptionU (rule_id: 394)
Hosts (2): 50n0.tolganfor.ru (81.177.139.41) [malware]; 81.177.139.41 [malware]
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Additional URLs (1): https://50n0.tolganfor.ru/SystemNetHttpListenerExceptionU
Other columns: 4.8 | M | 50 | ZeroCERT

9067 | 2021-03-12 18:47
File: solution.iops.exe   MD5: 1f0d7f3144ba0d50374f61c941f5a94e
Tags: Emotet, Trickbot, Gen, Dridex, TrickBot, VirusTotal, Malware, Report, suspicious privilege, Malicious Traffic, Checks debugger, buffers extracted, RWX flags setting, unpack itself, Check virtual network interfaces, malicious URLs, Kovter, ComputerName, Remote Code Execution, DNS, crashed
URLs (1): https://85.159.214.61/rob28/TEST22-PC_W617601.51FA6B3783F19317BB7F3DB0B3BF6733/5/kps/
Hosts (10): 117.212.193.62 [malicious]; 202.142.151.190; 103.91.244.102 [malicious]; 79.122.166.236; 187.190.116.59 [malicious]; 85.159.214.61; 36.94.202.131 [malicious]; 201.184.190.59; 80.78.77.116 [malicious]; 111.235.66.83
Suricata alerts (5): ET CNC Feodo Tracker Reported CnC Server group 3; ET CNC Feodo Tracker Reported CnC Server group 12; ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex; ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O); ET CNC Feodo Tracker Reported CnC Server group 1
Other columns: 9.2 | M | 23 | ZeroCERT

9068 | 2021-03-12 18:35
File: IMG_105-10_60_85.pdf   MD5: b47dd39109575e7b48e55f3e8d402a55
Tags: Azorult, .NET framework, ftp Client info stealer, email stealer, Win Trojan agentTesla, browser, Antivirus, Google Chrome User Data, AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, powershell, Buffer PE, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, powershell.exe wrote, Check virtual network interfaces, suspicious process, malicious URLs, IP Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software, crashed
URLs (2): http://checkip.dyndns.org/ ; https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app (172.67.188.154); checkip.dyndns.org (162.88.193.70); 162.88.193.70; 104.21.19.200
Suricata alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response
Other columns: 17.0 | M | 40 | ZeroCERT

9069 | 2021-03-12 18:23
File: eve.exe   MD5: dc7faccd6a090e655cfa865903b7a70b
Tags: Azorult, .NET framework, VirusTotal, Malware, Malicious Traffic, Check memory, Checks debugger, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (4): http://go.microsoft.com/fwlink?linkid=30219&locale=ko-KR&clientType=VISTA_GAMES&clientVersion=6.1.2 ; http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe ; https://update.googleapis.com/service/update2 ; https://update.googleapis.com/service/update2?cup2key=10:3707086078&cup2hreq=592b5a7ff2243112c27bdf312679deb8995ad1805b60657c9d1c3fddf67a8fb2
Hosts (5): movie.metaservices.microsoft.com (65.55.186.115); edgedl.gvt1.com (142.250.34.2); 65.55.186.115; 142.250.34.2; 104.74.217.16
Suricata alerts (4): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO EXE - Served Attached HTTP; ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Other columns: 5.8 | M | 36 | ZeroCERT

9070 | 2021-03-12 18:16
File: 1370132254.exe   MD5: 8ca675896f6c9ad9fe8deb1cc63bf8f5
Tags: Azorult, .NET framework, UltraVNC, AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, Buffer PE, PDB, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, WMI, Creates executable files, unpack itself, Collect installed applications, Check virtual network interfaces, AppData folder, malicious URLs, suspicious TLD, installed browsers check, Tofsee, Ransomware, Windows, Browser, ComputerName, DNS, Cryptographic key, Software, crashed
URLs (6): http://62.109.7.229/ ; https://sldov.ru/1090905469.exe ; https://5uxm.itdenther.ru/SystemNetConfigurationConnectionManagementSectionInternalF ; https://g.itdenther.ru/1986383539.exe ; https://www.bing.com/ ; https://api.ip.sb/geoip
Hosts (11): g.itdenther.ru (81.177.139.41); www.google.com (172.217.31.164); api.ip.sb (172.67.75.172); 5uxm.itdenther.ru (81.177.139.41); 0cl.sldov.ru (81.177.139.41) [malware]; sldov.ru (81.177.139.41) [malicious]; 62.109.7.229; 104.26.12.31; 81.177.139.41 [malware]; 13.107.21.200; 172.217.174.196
Suricata alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA HTTP unable to match response to request
Other columns: 20.0 | M | 48 | ZeroCERT

9071 | 2021-03-12 18:15
File: 2041131341.exe   MD5: 526489ddbfd0d84e845ccd132cae5555
Tags: UltraVNC, VirusTotal, Malware, PDB, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, suspicious TLD, Tofsee, Windows, DNS, Cryptographic key, crashed
URLs (1): https://5uxm.itdenther.ru/SystemNetConfigurationConnectionManagementSectionInternalF
Hosts (2): 5uxm.itdenther.ru (81.177.139.41); 81.177.139.41 [malware]
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 6.0 | M | 45 | ZeroCERT

9072 | 2021-03-12 14:25
File: 1873085694.exe   MD5: fea26a213a022eb79c3f7dee7f9d107a
Tags: UltraVNC, AsyncRAT backdoor, VirusTotal, Malware, Buffer PE, PDB, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Check virtual network interfaces, AppData folder, malicious URLs, suspicious TLD, Tofsee, Windows, Cryptographic key, crashed
URLs (3): https://xnw.itdenther.ru/855732125.exe ; https://pp.sldov.ru/856125340.exe ; https://50n0.tolganfor.ru/SystemNetHttpListenerExceptionU
Hosts (4): pp.sldov.ru (81.177.139.41) [malicious]; 50n0.tolganfor.ru (81.177.139.41) [malware]; xnw.itdenther.ru (81.177.139.41); 81.177.139.41 [malware]
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 7.6 | M | 49 | ZeroCERT

9073 | 2021-03-12 14:24
File: 1776646202.exe   MD5: c4007a10fead6776db900abff2ae55b2
Tags: AsyncRAT backdoor, VirusTotal, Malware, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, suspicious TLD, Tofsee, Windows, DNS, Cryptographic key
URLs (1): https://i.itdenther.ru/SystemNetUnsafeNclNativeMethodsRegistryHelpern
Hosts (2): i.itdenther.ru (81.177.139.41); 81.177.139.41 [malware]
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 5.0 | M | 32 | ZeroCERT

9074 | 2021-03-12 14:14
File: 1694582027.exe   MD5: e4e9be25d58ace415d3c1481986b99ff
Tags: AsyncRAT backdoor, VirusTotal, Malware, Malicious Traffic, Check memory, Checks debugger, unpack itself, Check virtual network interfaces, malicious URLs, suspicious TLD, Tofsee, Windows, Cryptographic key
URLs (1): https://1pri.oradza.ru/SystemNetHttpListenerDisconnectAsyncResultv
Hosts (2): 1pri.oradza.ru (81.177.139.41); 81.177.139.41 [malware]
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 4.6 | M | 53 | ZeroCERT

9075 | 2021-03-12 13:43
File: 872027265.exe   MD5: f9193808726bf166c76170b5020edb00
Tags: AsyncRAT backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Collect installed applications, Check virtual network interfaces, malicious URLs, suspicious TLD, installed browsers check, Tofsee, Ransomware, Windows, Browser, ComputerName, Cryptographic key, Software, crashed
URLs (3): http://tallipere.xyz/ ; https://uhuua.ru/NewtonsoftJsonUtilitiesReflectionUtilscDisplayClassP ; https://api.ip.sb/geoip
Hosts (10): WHOIS.APNIC.NET (172.104.79.63); uhuua.ru (81.177.139.41); whois.iana.org (192.0.32.59); tallipere.xyz (94.140.115.156); api.ip.sb (172.67.75.172); 172.104.77.201; 192.0.32.59; 104.26.12.31; 81.177.139.41 [malware]; 94.140.115.156
Suricata alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Other columns: 14.2 | M | 55 | ZeroCERT
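
Two things in this listing matter more than the per-sample tags. First, the host column links most of the AsyncRAT/UltraVNC droppers (9066, 9070 to 9075) to a single address, 81.177.139.41, behind a rotating set of .ru subdomains (itdenther.ru, sldov.ru, tolganfor.ru, oradza.ru, uhuua.ru), which is the pivot an analyst would block on. Second, the "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)" alert fires on every entry, including eve.exe (9069), which only reached Microsoft and Google update endpoints, so on this data that alert separates nothing. The script below is an added example written for this page; it is not code from the ZeroCERT sandbox or from the listing. RECORDS is a hand transcription of seven entries above in the sandbox's raw host syntax (the parser also accepts the "host (ip) [verdict]" layout); the NOISE_HOSTS allowlist and the pivot logic are the editor's assumptions about how to triage such an export, not anything the sandbox does.

```python
"""Pivot sandbox listing entries on the network infrastructure they share.

Added example for this page, not ZeroCERT code. RECORDS is transcribed by hand
from the entries above; NOISE_HOSTS and the triage logic are assumptions.
"""
import re
from collections import defaultdict

# Constructed subset of the listing above (sample id, file, host column, alerts).
RECORDS = [
    {"id": 9061, "file": "cdi.exe",
     "hosts": "freegeoip.app(104.21.19.200) - checkip.dyndns.org(216.146.43.71) - 172.67.188.154 - 131.186.161.70 -",
     "alerts": ["ET INFO DYNAMIC_DNS Query to *.dyndns. Domain",
                "ET POLICY External IP Lookup - checkip.dyndns.org",
                "ET POLICY DynDNS CheckIp External IP Address Server Response",
                "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
    {"id": 9062, "file": "login.vbs",
     "hosts": "paste.ee(104.21.45.223) - testandonovameta.duckdns.org(191.190.115.177) - 172.67.219.133 - 104.21.45.223 - 191.190.115.177 -",
     "alerts": ["ET INFO DYNAMIC_DNS Query to *.duckdns. Domain",
                "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
    {"id": 9066, "file": "856125340.exe",
     "hosts": "50n0.tolganfor.ru(81.177.139.41) - malware 81.177.139.41 - malware",
     "alerts": ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
    {"id": 9069, "file": "eve.exe",
     "hosts": "movie.metaservices.microsoft.com(65.55.186.115) edgedl.gvt1.com(142.250.34.2) 65.55.186.115 142.250.34.2 104.74.217.16",
     "alerts": ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
                "ET POLICY PE EXE or DLL Windows file download HTTP",
                "ET INFO EXE - Served Attached HTTP",
                "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"]},
    {"id": 9070, "file": "1370132254.exe",
     "hosts": "g.itdenther.ru(81.177.139.41) www.google.com(172.217.31.164) api.ip.sb(172.67.75.172) 5uxm.itdenther.ru(81.177.139.41) 0cl.sldov.ru(81.177.139.41) - malware sldov.ru(81.177.139.41) - malicious 62.109.7.229 104.26.12.31 81.177.139.41 - malware 13.107.21.200 172.217.174.196",
     "alerts": ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
                "SURICATA HTTP unable to match response to request"]},
    {"id": 9074, "file": "1694582027.exe",
     "hosts": "1pri.oradza.ru(81.177.139.41) 81.177.139.41 - malware",
     "alerts": ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
    {"id": 9075, "file": "872027265.exe",
     "hosts": "WHOIS.APNIC.NET(172.104.79.63) uhuua.ru(81.177.139.41) whois.iana.org(192.0.32.59) tallipere.xyz(94.140.115.156) api.ip.sb(172.67.75.172) 172.104.77.201 192.0.32.59 104.26.12.31 81.177.139.41 - malware 94.140.115.156",
     "alerts": ["SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)"]},
]

# Assumed allowlist: OS/update background traffic and IP-lookup services the
# samples above touch, which are not attacker infrastructure.
NOISE_HOSTS = (".microsoft.com", ".google.com", ".gvt1.com", ".bing.com",
               "api.ip.sb", "freegeoip.app", "checkip.dyndns.org",
               "whois.iana.org", "whois.apnic.net")

HOST_RE = re.compile(
    r"(?:(?P<host>[A-Za-z0-9.-]+)\s*\()?"                  # optional "hostname("
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"                  # IPv4 address
    r"(?:\s*(?:-\s*|\[)(?P<tag>malware|malicious)\]?)?"    # sandbox verdict, if any
)


def parse_hosts(field):
    """Turn a flattened host cell into (hostname or None, ip, verdict or None) tuples."""
    return [((m["host"] or "").lower() or None, m["ip"], m["tag"])
            for m in HOST_RE.finditer(field)]


def is_noise(host):
    """True for hosts on the allowlist; bare addresses (host is None) are never dropped."""
    return host is not None and host.endswith(NOISE_HOSTS)


def pivot_by_ip(records):
    """Map each non-noise IP to the sample ids that reached it and the names that resolved to it."""
    seen = defaultdict(lambda: {"samples": set(), "hosts": set()})
    for rec in records:
        for host, ip, _verdict in parse_hosts(rec["hosts"]):
            if is_noise(host):
                continue
            seen[ip]["samples"].add(rec["id"])
            if host:
                seen[ip]["hosts"].add(host)
    return seen


def shared_infrastructure(records, min_samples=2):
    """IPs reached by at least min_samples distinct samples, most-shared first.

    An IP that appears only as a bare address (empty hostname list) may be a CDN
    or API backend shared by unrelated samples; confirm it before blocking.
    """
    rows = [(ip, sorted(v["samples"]), sorted(v["hosts"]))
            for ip, v in pivot_by_ip(records).items() if len(v["samples"]) >= min_samples]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


def alerts_in_every_record(records):
    """Alert names that fire for every sample; such a rule discriminates nothing in this set."""
    common = None
    for rec in records:
        names = set(rec["alerts"])
        common = names if common is None else common & names
    return sorted(common or ())


if __name__ == "__main__":
    for ip, samples, hosts in shared_infrastructure(RECORDS):
        print(f"{ip:<16} samples={samples} hosts={hosts or '(bare address only)'}")
    print("alerts common to every sample:", alerts_in_every_record(RECORDS))
```

Run as-is it reports 81.177.139.41 with seven distinct hostnames across four samples, and 104.26.12.31 shared by 9070 and 9075 as a bare address only (both also called api.ip.sb, so treat it as a probable lookup-service backend, not C2). The only alert common to all seven entries is the Tofsee JA3 one.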