9181 | 2021-03-08 09:11
Sample: A4ge7vE97nKzwZk.exe (MD5 4bf1d28524782e3de6d241c2bb625b5e)
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://159.69.119.114:3214/ https://api.ip.sb/geoip
Hosts (3): api.ip.sb(104.26.12.31) 159.69.119.114 172.67.75.172
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | | 38 | ZeroCERT

9182 | 2021-03-08 09:03
Sample: A4ge7vE97nKzwZk.exe (MD5 4bf1d28524782e3de6d241c2bb625b5e)
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces malicious URLs installed browsers check Tofsee Ransomware Windows Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): http://159.69.119.114:3214/ https://api.ip.sb/geoip
Hosts (3): api.ip.sb(172.67.75.172) 104.26.12.31 159.69.119.114
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
14.2 | | 38 | ZeroCERT

9183 | 2021-03-06 19:03
Sample: updatewin.exe (MD5 9010fa92cc83afe00fab38703e6ffa77)
Tags: VirusTotal Malware suspicious privilege Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (1): https://reputinodaedo.pw/cfg/ - rule_id: 307
Hosts (2): reputinodaedo.pw(104.21.6.117) - mailcious 172.67.134.209
Alerts (2): ET DNS Query to a *.pw domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
1 https://reputinodaedo.pw/cfg/
4.0 | M | 58 | ZeroCERT

9184 | 2021-03-06 18:28
Sample: 5.exe (MD5 6a50d5e91b193be284aa02106ee35e97)
Tags: VirusTotal Malware malicious URLs Tofsee crashed
Hosts (2): api.faceit.com(104.17.62.50) 104.17.62.50
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
2.2 | M | 58 | ZeroCERT

9185 | 2021-03-06 09:21
Sample: http://goaqaba.com/ccwidd/4426... (MD5 d41d8cd98f00b204e9800998ecf8427e)
Tags: VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1): http://goaqaba.com/favicon.ico
Hosts (3): goaqaba.com(207.244.229.15) - malware www.goaqaba.com(207.244.229.15) 207.244.229.15 - malware
Alerts (2): ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.2 | M | | ZeroCERT

9186 | 2021-03-06 09:20
Sample: 8.iosssappp.exe (MD5 df60756a8e33b721b357bd7242f4881a)
Tags: Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName DNS crashed
URLs (1): https://177.47.88.62/rob20/TEST22-PC_W617601.378AC5D337BB31DB195D8B32D85BF05B/5/kps/
Hosts (4): 179.191.108.58 - mailcious 154.79.252.132 - mailcious 177.47.88.62 168.232.188.88
Alerts (3): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 7
6.6 | M | 18 | ZeroCERT

9187 | 2021-03-05 13:51
Sample: PO_2287_Scanned.pdf.exe (MD5 efa6aa4c9687bdefad45af4771bf5ad5)
Tags: VirusTotal Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Tofsee Windows DNS
URLs (1):
Hosts (3): www.google.com(172.217.175.100) 13.107.21.200 172.217.163.228
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.6 | M | 26 | ZeroCERT

9188 | 2021-03-05 13:50
Sample: PI_1037_Scanned_0547.pdf.exe (MD5 37997ca39c9a900255366c354ca2ebbb)
Tags: VirusTotal Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process malicious URLs Tofsee Windows
URLs (1):
Hosts (3): www.google.com(172.217.175.100) 216.58.200.4 - suspicious 172.217.163.228
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
8.4 | M | 21 | ZeroCERT

9189 | 2021-03-05 13:39
Sample: MARBLE-SAMPLE-PICTURES.exe (MD5 81d474f480901c0244d0d90e88da15f4)
Tags: Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself malicious URLs Tofsee Windows Remote Code Execution DNS
URLs (1): https://cdn.discordapp.com/attachments/816412948242890752/816783648769704017/Cluea
Hosts (4): www.diaamondgranitas.org(185.140.53.230) cdn.discordapp.com(162.159.129.233) - malware 185.140.53.230 162.159.133.233 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.8 | | 34 | ZeroCERT

9190 | 2021-03-04 11:16
Sample: march loki.exe (MD5 5a4946a36347f1caa46109245b2b95c5)
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs Tofsee Windows
URLs (1):
Hosts (2): www.google.com(216.58.197.164) 172.217.25.4 - suspicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.0 | M | 35 | ZeroCERT

9191 | 2021-03-04 10:56
Sample: 139my-6.5.exe (MD5 9804ed103792d5c7db767fa5e1876013)
Tags: VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Detects VMWare AppData folder malicious URLs WriteConsoleW VMware Tofsee Interception Windows Exploit DNS crashed
URLs (11): http://www.139my.com/images/bg_91my.jpg http://www.139my.com/favicon.ico http://www.139my.com/images/footer_91my.jpg http://www.139my.com/Index_img/1Index_c1_r5.jpg http://www.139my.com/ http://www.139my.com/images/bg2.jpg http://www.139my.com/images/banner_91my.jpg http://www.139my.com/Index_Top/New_Au.css http://hi.baidu.com/139my139my/blog/item/ed869ea73e60a2ee37d3ca18.html https://c.cnzz.com/core.php?web_id=1277040139&t=z https://s5.cnzz.com/z_stat.php?id=1277040139&web_id=1277040139
Hosts (15): c.cnzz.com(222.188.8.250) www.178stu.com(103.133.95.9) wg.400wg.com() s5.cnzz.com(222.188.8.250) hi.baidu.com(183.232.231.225) - mailcious www.139my.com(103.133.92.211) cnzz.mmstat.com(205.204.101.182) z9.cnzz.com(203.119.129.115) 183.232.231.225 218.94.207.228 103.133.95.9 106.11.251.20 222.188.8.250 103.133.92.211 106.11.84.7
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.2 | M | 37 | ZeroCERT

9192 | 2021-03-03 13:43
Sample: Zbfuzznn.exe (MD5 6de779f5005c94b57b3d8c72765d9f40)
Tags: VirusTotal Malware Buffer PE AutoRuns Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself malicious URLs Tofsee Windows Remote Code Execution
URLs (1): https://cdn.discordapp.com/attachments/814523649477574740/816294995577405440/Zbfuz
Hosts (2): cdn.discordapp.com(162.159.130.233) - malware 162.159.133.233 - malware
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.4 | M | 24 | ZeroCERT

9193 | 2021-03-03 13:35
Sample: SPE_010_317_041.pdf.exe (MD5 25e061381c6e2503e84950f3c76b3c3e)
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed
URLs (2): http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
Hosts (4): freegeoip.app(172.67.188.154) checkip.dyndns.org(216.146.43.71) 216.146.43.71 172.67.188.154
Alerts (4): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.0 | M | 28 | ZeroCERT

9194 | 2021-03-03 11:43
Sample: 8.buddy.exe (MD5 25396a0ab1c93e8505b3f7e56ba2f0e1)
Tags: Dridex TrickBot VirusTotal Malware Report suspicious privilege Malicious Traffic Checks debugger buffers extracted RWX flags setting unpack itself Check virtual network interfaces malicious URLs Kovter ComputerName DNS crashed
URLs (1): https://103.76.20.226/rob21/TEST22-PC_W617601.B27B775F5B31B63B7A1BFF26BFFB7CBB/5/kps/
Hosts (8): 179.191.108.58 154.79.252.132 117.212.193.62 103.76.20.226 103.91.244.102 187.190.116.59 - mailcious 45.234.248.66 108.170.20.72 - mailcious
Alerts (7): ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET CNC Feodo Tracker Reported CnC Server group 7 ET CNC Feodo Tracker Reported CnC Server group 3 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 17 ET CNC Feodo Tracker Reported CnC Server group 1
8.0 | M | 15 | ZeroCERT

9195 | 2021-03-03 10:23
Sample: setup_2-2.exe (MD5 0d93d4c4e466675bca3fb9705654e9c7)
Tags: VirusTotal Malware suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files unpack itself malicious URLs AntiVM_Disk suspicious TLD VM Disk Size Check installed browsers check Tofsee Ransomware Browser ComputerName DNS
URLs (1):
Hosts (4): giddosdownload.github.io(185.199.108.153) yip.su(88.99.66.31) - mailcious 88.99.66.31 - mailcious 185.199.111.153 - malware
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET DNS Query for .su TLD (Soviet Union) Often Malware Related
7.8 | M | 23 | ZeroCERT