| 9901 |
2020-10-31 09:31
|
Inf_EDV_100120_URP_103120.doc 11b0ade6c38d27ba741294173f088621
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/r0Om/KGFKgY7MZosFT/3slxGj56vbMpFwujRh/gkj9Bgn0R27BQVoW/GJLHbjjXki/ - mailcious
|
6
pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
6.0 |
M |
17 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9902 |
2020-10-31 09:09
|
FILE_PO_10312020EX.doc b864ecba7b8fee96b95159cb9f4d30b2
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/BHsFILw0Hais/ - mailcious
|
6
pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
18 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9903 |
2020-10-30 22:39
|
win32.exe 7c0ec544d981d901c7819996d90dacc8
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
6
mail.salujaford.in(199.101.134.84)
freegeoip.app(104.28.5.151)
checkip.dyndns.org(216.146.43.71)
104.28.4.151
131.186.161.70
199.101.134.84 - suspicious
|
5
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
SURICATA Applayer Detect protocol only one direction
|
|
17.6 |
M |
22 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9904 |
2020-10-30 21:50
|
invoice_771275.doc 2fabe873166b42d734a12c918f792764
Malware download VirusTotal Malware Malicious Traffic exploit crash unpack itself malicious URLs IP Check Tofsee Windows Exploit DNS DDNS crashed |
3
http://wsdybsskillemmulatorsdevelovercommwsity.ydns.eu/bssdoc/win32.exe - malware
http://checkip.dyndns.org/
https://freegeoip.app/xml/175.208.134.150
|
8
mail.salujaford.in(199.101.134.84)
wsdybsskillemmulatorsdevelovercommwsity.ydns.eu(212.162.149.27) - malware
freegeoip.app(172.67.188.154)
checkip.dyndns.org(131.186.161.70)
162.88.193.70
104.28.5.151
212.162.149.27 - suspicious
199.101.134.84 - suspicious
|
8
ET POLICY External IP Lookup - checkip.dyndns.org
ET POLICY DynDNS CheckIp External IP Address Server Response
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET POLICY PE EXE or DLL Windows file download HTTP
SURICATA Applayer Detect protocol only one direction
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
|
|
5.4 |
M |
22 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9905 |
2020-10-30 21:21
|
FAS_100120_OBW_103020.doc 26e46a86e1386111f4c7790bab599869
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://annabphotography.co.uk/wp-includes/WdHO/ - malware
http://173.173.254.105/az1L5Cssv/lIkSns7VdaFih7TC/FZy7YuB4/5EWdgSxwTpnJFO/ - mailcious
|
6
pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9906 |
2020-10-30 18:24
|
Arc_SV7257602192KT.doc 410eee98c357147776c0e926c6336db2
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://annabphotography.co.uk/wp-includes/WdHO/
http://173.173.254.105/VUE9aVj4BJR/14tp40nWJQcBF/ - mailcious
|
6
pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
35.214.15.47 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
35.208.159.220 - suspicious
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
5.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9907 |
2020-10-30 18:22
|
http://shivakunwar.com.np/swif... 509bad3e7b3d5770ff5a7d173c65010e
VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
3
http://annabphotography.co.uk/wp-includes/WdHO/
http://shivakunwar.com.np/swift/ZenW4gwhknqJ1/
http://173.173.254.105/O6x6F5c8/ - mailcious
|
9
pipesplumbingltd.com(35.208.159.220) - mailcious
annabphotography.co.uk(35.214.15.47) - mailcious
shivakunwar.com.np(72.29.65.177) - mailcious
35.208.159.220 - suspicious
35.214.15.47 - suspicious
72.29.65.177 - suspicious
173.173.254.105 - suspicious
102.182.145.130 - suspicious
117.18.232.200 - suspicious
|
5
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
|
|
8.6 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9908 |
2020-10-30 18:19
|
https://manweikeji.com/wp-cont... 18933749e6ba858f74cfae5a1a480d14
Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
3
manweikeji.com(103.82.52.25)
103.82.52.25
117.18.232.200 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9909 |
2020-10-30 13:53
|
http://hankook-hi.co.kr/discor... add2a3411a95dd6e3189600db8b2599c
VirusTotal Malware MachineGuid Code Injection Malicious Traffic Check memory Checks debugger RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
6
http://hankook-hi.co.kr/discord-emoji/HG/ - mailcious
http://goodherbwebmart.com/
https://seramporemunicipality.org/replacement-vin/Ql4R/ - mailcious
https://mayxaycafe.net/wp-includes/UxdWFzYQj/ - mailcious
https://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/ - mailcious
https://homewatchamelia.com/wp-admin/qmK/ - mailcious
|
16
420extracts.ca() - mailcious
seramporemunicipality.org(104.28.18.90) - mailcious
goodherbwebmart.com(79.172.193.70)
imperfectdream.com(35.213.176.43) - mailcious
hankook-hi.co.kr(15.164.52.139) - mailcious
homewatchamelia.com(172.67.148.194) - mailcious
mayxaycafe.net(104.28.7.70) - mailcious
enjoymylifecheryl.com(104.18.63.171) - mailcious
79.172.193.70
35.213.176.43 - suspicious
104.28.6.70
15.164.52.139 - suspicious
104.28.19.90 - suspicious
172.67.180.161
172.67.148.194
117.18.232.200 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
7.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9910 |
2020-10-30 10:22
|
doc-W853091.doc 4c41263708080a14efb194eac91e47c0
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
5
http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
http://70.39.251.94:8080/C5oBI1X6pEdWIvL06AS/kU9NVa22gTpJ1OzFj/ - mailcious
http://www.royalempresshair.com/wp-content/upgrade/Fj/ - mailcious
http://supportessays.com/wp-admin/iuz/ - mailcious
http://acredales.com/thank_you/d/ - mailcious
|
11
mail.bursaevdenevenakliyat.link(159.89.19.237) - mailcious
www.royalempresshair.com(45.79.219.198) - mailcious
supportessays.com(104.31.64.87) - mailcious
acredales.com(104.24.113.218) - mailcious
70.39.251.94 - suspicious
190.202.229.74 - suspicious
159.89.19.237 - suspicious
118.69.11.81
104.24.112.218 - suspicious
104.31.65.87 - suspicious
45.79.219.198 - suspicious
|
5
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9911 |
2020-10-30 10:05
|
File 2020_10_30 796239.doc 8bfbba9fbb71e58f31ac8fa7c1558e50
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
5
http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
http://acredales.com/thank_you/d/ - mailcious
http://70.39.251.94:8080/gH08ep1G32djD/OGpQC/znHaBdCroG6WKt4/dwQ1dtkGmEp/petDAyBCcXDl1G/akDqkvRDvLTBYay2wA/ - mailcious
http://supportessays.com/wp-admin/iuz/ - mailcious
http://www.royalempresshair.com/wp-content/upgrade/Fj/ - mailcious
|
11
mail.bursaevdenevenakliyat.link(159.89.19.237) - mailcious
www.royalempresshair.com(45.79.219.198) - mailcious
supportessays.com(104.31.64.87) - mailcious
acredales.com(104.24.112.218) - mailcious
70.39.251.94 - suspicious
190.202.229.74 - suspicious
159.89.19.237 - suspicious
118.69.11.81
104.24.112.218 - suspicious
104.31.65.87 - suspicious
45.79.219.198 - suspicious
|
5
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.6 |
M |
18 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9912 |
2020-10-30 09:30
|
inf 2020_10_30 E0604.doc d4595a5f1f04dfd12460d298347780e5
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
5
http://70.39.251.94:8080/FDnR/9ABEJRvc1oHHm/5UwDOB/mJSOpac1L7AZEx/Su6F0zTtJtUy1iYE/ - mailcious
http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
http://acredales.com/thank_you/d/ - mailcious
http://supportessays.com/wp-admin/iuz/ - mailcious
http://www.royalempresshair.com/wp-content/upgrade/Fj/
|
11
mail.bursaevdenevenakliyat.link(159.89.19.237) - mailcious
www.royalempresshair.com(45.79.219.198) - mailcious
supportessays.com(104.31.65.87) - mailcious
acredales.com(104.24.113.218) - mailcious
70.39.251.94 - suspicious
190.202.229.74
159.89.19.237 - suspicious
118.69.11.81
104.24.113.218
104.31.65.87 - suspicious
45.79.219.198 - suspicious
|
5
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9913 |
2020-10-30 09:08
|
EB00575 invoicing.doc add2a3411a95dd6e3189600db8b2599c
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee |
5
http://goodherbwebmart.com/
https://seramporemunicipality.org/replacement-vin/Ql4R/
https://mayxaycafe.net/wp-includes/UxdWFzYQj/
https://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/
https://homewatchamelia.com/wp-admin/qmK/
|
15
420extracts.ca()
seramporemunicipality.org(104.28.19.90) - mailcious
goodherbwebmart.com(79.172.193.70)
imperfectdream.com(35.213.176.43) - mailcious
casinopalacett.com(148.72.93.189)
homewatchamelia.com(104.28.23.149) - mailcious
mayxaycafe.net(104.28.6.70) - mailcious
enjoymylifecheryl.com(172.67.180.161)
148.72.93.189 - suspicious
172.67.133.164
79.172.193.70
35.213.176.43 - suspicious
104.28.23.149 - suspicious
172.67.132.92 - suspicious
104.18.63.171
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9914 |
2020-10-29 18:18
|
rep_OUX_100120_UDR_102920.doc 9cacd26495c3a84a37794522678a5b0f
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://80.227.52.78/sUH0AfORZCFYqsQlJks/lICeEiUYWsK7Q3Y/ - mailcious
https://jtech.com.vn/wp-includes/IhSNuI/
|
11
eclatcollection.com(160.153.138.219) - mailcious
www.corsiwebonline.it(5.39.64.201)
jtech.com.vn(178.128.116.205)
ismlm.xyz(103.129.97.81)
conclassdigital.com(69.46.26.202)
80.227.52.78 - suspicious
5.39.64.201
178.128.116.205
160.153.138.219 - suspicious
103.129.97.81 - suspicious
69.46.26.202
|
3
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9915 |
2020-10-29 14:13
|
Invoice 003344656.doc 2dd0c550b545686341a97e367f184105
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://152.32.75.74:443/yxMyBCvRPV0/RVcKAsBr2t0Yo/ - mailcious
http://xinhecun.cn/wp-content/VCNbWWDK/ - malware
|
5
xinhecun.cn(8.210.173.81) - malware
getpranaveda.xyz(103.129.97.141) - malware
152.32.75.74 - suspicious
103.129.97.141 - suspicious
8.210.173.81 - suspicious
|
7
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.8 |
M |
27 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|