9901 | 2020-10-31 09:31 | Inf_EDV_100120_URP_103120.doc | 11b0ade6c38d27ba741294173f088621
Tags: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/ - malware
  http://173.173.254.105/r0Om/KGFKgY7MZosFT/3slxGj56vbMpFwujRh/gkj9Bgn0R27BQVoW/GJLHbjjXki/ - malicious
Hosts (6):
  pipesplumbingltd.com (35.208.159.220) - malicious
  annabphotography.co.uk (35.214.15.47) - malicious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
6.0 | M | 17 | admin

9902 | 2020-10-31 09:09 | FILE_PO_10312020EX.doc | b864ecba7b8fee96b95159cb9f4d30b2
Tags: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/ - malware
  http://173.173.254.105/BHsFILw0Hais/ - malicious
Hosts (6):
  pipesplumbingltd.com (35.208.159.220) - malicious
  annabphotography.co.uk (35.214.15.47) - malicious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | 18 | admin

9903 | 2020-10-30 22:39 | win32.exe | 7c0ec544d981d901c7819996d90dacc8
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, Check virtual network interfaces, suspicious process, AppData folder, malicious URLs, AntiVM_Disk, WriteConsoleW, IP Check, VM Disk Size Check, Tofsee, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, DDNS, Software crashed
URLs (2):
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (6):
  mail.salujaford.in (199.101.134.84)
  freegeoip.app (104.28.5.151)
  checkip.dyndns.org (216.146.43.71)
  104.28.4.151
  131.186.161.70
  199.101.134.84 - suspicious
Alerts (5):
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  SURICATA Applayer Detect protocol only one direction
17.6 | M | 22 | admin

9904 | 2020-10-30 21:50 | invoice_771275.doc | 2fabe873166b42d734a12c918f792764
Tags: Malware download, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, malicious URLs, IP Check, Tofsee, Windows, Exploit, DNS, DDNS, crashed
URLs (3):
  http://wsdybsskillemmulatorsdevelovercommwsity.ydns.eu/bssdoc/win32.exe - malware
  http://checkip.dyndns.org/
  https://freegeoip.app/xml/175.208.134.150
Hosts (8):
  mail.salujaford.in (199.101.134.84)
  wsdybsskillemmulatorsdevelovercommwsity.ydns.eu (212.162.149.27) - malware
  freegeoip.app (172.67.188.154)
  checkip.dyndns.org (131.186.161.70)
  162.88.193.70
  104.28.5.151
  212.162.149.27 - suspicious
  199.101.134.84 - suspicious
Alerts (8):
  ET POLICY External IP Lookup - checkip.dyndns.org
  ET POLICY DynDNS CheckIp External IP Address Server Response
  ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  ET POLICY PE EXE or DLL Windows file download HTTP
  SURICATA Applayer Detect protocol only one direction
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
5.4 | M | 22 | admin

9905 | 2020-10-30 21:21 | FAS_100120_OBW_103020.doc | 26e46a86e1386111f4c7790bab599869
Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/ - malware
  http://173.173.254.105/az1L5Cssv/lIkSns7VdaFih7TC/FZy7YuB4/5EWdgSxwTpnJFO/ - malicious
Hosts (6):
  pipesplumbingltd.com (35.208.159.220) - malicious
  annabphotography.co.uk (35.214.15.47) - malicious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | | admin

9906 | 2020-10-30 18:24 | Arc_SV7257602192KT.doc | 410eee98c357147776c0e926c6336db2
Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (2):
  http://annabphotography.co.uk/wp-includes/WdHO/
  http://173.173.254.105/VUE9aVj4BJR/14tp40nWJQcBF/ - malicious
Hosts (6):
  pipesplumbingltd.com (35.208.159.220) - malicious
  annabphotography.co.uk (35.214.15.47) - malicious
  35.214.15.47 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  35.208.159.220 - suspicious
Alerts (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
5.4 | M | | admin

9907 | 2020-10-30 18:22 | http://shivakunwar.com.np/swif... | 509bad3e7b3d5770ff5a7d173c65010e
Tags: VirusTotal, Malware, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
URLs (3):
  http://annabphotography.co.uk/wp-includes/WdHO/
  http://shivakunwar.com.np/swift/ZenW4gwhknqJ1/
  http://173.173.254.105/O6x6F5c8/ - malicious
Hosts (9):
  pipesplumbingltd.com (35.208.159.220) - malicious
  annabphotography.co.uk (35.214.15.47) - malicious
  shivakunwar.com.np (72.29.65.177) - malicious
  35.208.159.220 - suspicious
  35.214.15.47 - suspicious
  72.29.65.177 - suspicious
  173.173.254.105 - suspicious
  102.182.145.130 - suspicious
  117.18.232.200 - suspicious
Alerts (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
8.6 | M | | admin

9908 | 2020-10-30 18:19 | https://manweikeji.com/wp-cont... | 18933749e6ba858f74cfae5a1a480d14
Tags: Dridex, VirusTotal, Malware, Code Injection, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
URLs: none
Hosts (3):
  manweikeji.com (103.82.52.25)
  103.82.52.25
  117.18.232.200 - suspicious
Alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.6 | | | admin

9909 | 2020-10-30 13:53 | http://hankook-hi.co.kr/discor... | add2a3411a95dd6e3189600db8b2599c
Tags: VirusTotal, Malware, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, RWX flags setting, exploit crash, unpack itself, Windows utilities, malicious URLs, Tofsee, Windows, Exploit, DNS, crashed
URLs (6):
  http://hankook-hi.co.kr/discord-emoji/HG/ - malicious
  http://goodherbwebmart.com/
  https://seramporemunicipality.org/replacement-vin/Ql4R/ - malicious
  https://mayxaycafe.net/wp-includes/UxdWFzYQj/ - malicious
  https://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/ - malicious
  https://homewatchamelia.com/wp-admin/qmK/ - malicious
Hosts (16):
  420extracts.ca () - malicious
  seramporemunicipality.org (104.28.18.90) - malicious
  goodherbwebmart.com (79.172.193.70)
  imperfectdream.com (35.213.176.43) - malicious
  hankook-hi.co.kr (15.164.52.139) - malicious
  homewatchamelia.com (172.67.148.194) - malicious
  mayxaycafe.net (104.28.7.70) - malicious
  enjoymylifecheryl.com (104.18.63.171) - malicious
  79.172.193.70
  35.213.176.43 - suspicious
  104.28.6.70
  15.164.52.139 - suspicious
  104.28.19.90 - suspicious
  172.67.180.161
  172.67.148.194
  117.18.232.200 - suspicious
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
7.4 | M | | admin

9910 | 2020-10-30 10:22 | doc-W853091.doc | 4c41263708080a14efb194eac91e47c0
Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (5):
  http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
  http://70.39.251.94:8080/C5oBI1X6pEdWIvL06AS/kU9NVa22gTpJ1OzFj/ - malicious
  http://www.royalempresshair.com/wp-content/upgrade/Fj/ - malicious
  http://supportessays.com/wp-admin/iuz/ - malicious
  http://acredales.com/thank_you/d/ - malicious
Hosts (11):
  mail.bursaevdenevenakliyat.link (159.89.19.237) - malicious
  www.royalempresshair.com (45.79.219.198) - malicious
  supportessays.com (104.31.64.87) - malicious
  acredales.com (104.24.113.218) - malicious
  70.39.251.94 - suspicious
  190.202.229.74 - suspicious
  159.89.19.237 - suspicious
  118.69.11.81
  104.24.112.218 - suspicious
  104.31.65.87 - suspicious
  45.79.219.198 - suspicious
Alerts (5):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | | admin

9911 | 2020-10-30 10:05 | File 2020_10_30 796239.doc | 8bfbba9fbb71e58f31ac8fa7c1558e50
Tags: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (5):
  http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
  http://acredales.com/thank_you/d/ - malicious
  http://70.39.251.94:8080/gH08ep1G32djD/OGpQC/znHaBdCroG6WKt4/dwQ1dtkGmEp/petDAyBCcXDl1G/akDqkvRDvLTBYay2wA/ - malicious
  http://supportessays.com/wp-admin/iuz/ - malicious
  http://www.royalempresshair.com/wp-content/upgrade/Fj/ - malicious
Hosts (11):
  mail.bursaevdenevenakliyat.link (159.89.19.237) - malicious
  www.royalempresshair.com (45.79.219.198) - malicious
  supportessays.com (104.31.64.87) - malicious
  acredales.com (104.24.112.218) - malicious
  70.39.251.94 - suspicious
  190.202.229.74 - suspicious
  159.89.19.237 - suspicious
  118.69.11.81
  104.24.112.218 - suspicious
  104.31.65.87 - suspicious
  45.79.219.198 - suspicious
Alerts (5):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 | M | 18 | admin

9912 | 2020-10-30 09:30 | inf 2020_10_30 E0604.doc | d4595a5f1f04dfd12460d298347780e5
Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (5):
  http://70.39.251.94:8080/FDnR/9ABEJRvc1oHHm/5UwDOB/mJSOpac1L7AZEx/Su6F0zTtJtUy1iYE/ - malicious
  http://mail.bursaevdenevenakliyat.link/jelab/YSS/ - malware
  http://acredales.com/thank_you/d/ - malicious
  http://supportessays.com/wp-admin/iuz/ - malicious
  http://www.royalempresshair.com/wp-content/upgrade/Fj/
Hosts (11):
  mail.bursaevdenevenakliyat.link (159.89.19.237) - malicious
  www.royalempresshair.com (45.79.219.198) - malicious
  supportessays.com (104.31.65.87) - malicious
  acredales.com (104.24.113.218) - malicious
  70.39.251.94 - suspicious
  190.202.229.74
  159.89.19.237 - suspicious
  118.69.11.81
  104.24.113.218
  104.31.65.87 - suspicious
  45.79.219.198 - suspicious
Alerts (5):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING Possible EXE Download From Suspicious TLD
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | | guest

9913 | 2020-10-30 09:08 | EB00575 invoicing.doc | add2a3411a95dd6e3189600db8b2599c
Tags: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee
URLs (5):
  http://goodherbwebmart.com/
  https://seramporemunicipality.org/replacement-vin/Ql4R/
  https://mayxaycafe.net/wp-includes/UxdWFzYQj/
  https://enjoymylifecheryl.com/wp-includes/FPNxoUiCz3/
  https://homewatchamelia.com/wp-admin/qmK/
Hosts (15):
  420extracts.ca ()
  seramporemunicipality.org (104.28.19.90) - malicious
  goodherbwebmart.com (79.172.193.70)
  imperfectdream.com (35.213.176.43) - malicious
  casinopalacett.com (148.72.93.189)
  homewatchamelia.com (104.28.23.149) - malicious
  mayxaycafe.net (104.28.6.70) - malicious
  enjoymylifecheryl.com (172.67.180.161)
  148.72.93.189 - suspicious
  172.67.133.164
  79.172.193.70
  35.213.176.43 - suspicious
  104.28.23.149 - suspicious
  172.67.132.92 - suspicious
  104.18.63.171
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 | | 22 | guest

9914 | 2020-10-29 18:18 | rep_OUX_100120_UDR_102920.doc | 9cacd26495c3a84a37794522678a5b0f
Tags: Vulnerability, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, DNS
URLs (2):
  http://80.227.52.78/sUH0AfORZCFYqsQlJks/lICeEiUYWsK7Q3Y/ - malicious
  https://jtech.com.vn/wp-includes/IhSNuI/
Hosts (11):
  eclatcollection.com (160.153.138.219) - malicious
  www.corsiwebonline.it (5.39.64.201)
  jtech.com.vn (178.128.116.205)
  ismlm.xyz (103.129.97.81)
  conclassdigital.com (69.46.26.202)
  80.227.52.78 - suspicious
  5.39.64.201
  178.128.116.205
  160.153.138.219 - suspicious
  103.129.97.81 - suspicious
  69.46.26.202
Alerts (3):
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | | guest

9915 | 2020-10-29 14:13 | Invoice 003344656.doc | 2dd0c550b545686341a97e367f184105
Tags: Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, malicious URLs, Tofsee, Windows, DNS
URLs (2):
  http://152.32.75.74:443/yxMyBCvRPV0/RVcKAsBr2t0Yo/ - malicious
  http://xinhecun.cn/wp-content/VCNbWWDK/ - malware
Hosts (5):
  xinhecun.cn (8.210.173.81) - malware
  getpranaveda.xyz (103.129.97.141) - malware
  152.32.75.74 - suspicious
  103.129.97.141 - suspicious
  8.210.173.81 - suspicious
Alerts (7):
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  ET POLICY HTTP traffic on port 443 (POST)
4.8 | M | 27 | guest
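The records above are exported as flat strings (URL, host and alert columns run together on one line, with the sandbox's own "mailcious" spelling as a label), which is awkward to feed into a blocklist or a SIEM lookup. The following is an added example, not tooling from the sandbox or from this page: a small Python extractor that pulls the MD5, labelled URLs, host/IP pairs, bare IPs and Suricata/ET alert names out of a record with regular expressions and then correlates indicators across records. Run over the page's data it surfaces, for instance, that records 9909 and 9913 carry the same hash (add2a3411a95dd6e3189600db8b2599c) under different submission names, and which URLs and hosts recur between samples. The `RECORDS` dictionary is constructed input: three of the page's records (9901, 9909, 9913), trimmed to a few entries each; the field names `sample`, `urls`, `hosts` and `alerts` are this example's own.

```python
"""IOC extraction and cross-sample correlation for flat sandbox records.

Added example. The record layout below mirrors the page: "<name> <md5> <tags>",
then the URL, host and alert columns as single space-joined strings. Labels
follow an indicator as " - malware" / " - mailcious" / " - suspicious"; the
sandbox's "mailcious" spelling is normalised to "malicious".
"""
import re
from collections import defaultdict

# Constructed sample input, copied from records 9901, 9909 and 9913 and trimmed.
RECORDS = {
    "9901": {
        "sample": "Inf_EDV_100120_URP_103120.doc 11b0ade6c38d27ba741294173f088621 Vulnerability VirusTotal Malware",
        "urls": "http://annabphotography.co.uk/wp-includes/WdHO/ - malware "
                "http://173.173.254.105/r0Om/KGFKgY7MZosFT/3slxGj56vbMpFwujRh/gkj9Bgn0R27BQVoW/GJLHbjjXki/ - mailcious",
        "hosts": "pipesplumbingltd.com(35.208.159.220) - mailcious annabphotography.co.uk(35.214.15.47) - mailcious "
                 "35.214.15.47 - suspicious 173.173.254.105 - suspicious",
        "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) "
                  "ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP",
    },
    "9909": {
        "sample": "http://hankook-hi.co.kr/discor... add2a3411a95dd6e3189600db8b2599c VirusTotal Malware",
        "urls": "http://hankook-hi.co.kr/discord-emoji/HG/ - mailcious http://goodherbwebmart.com/ "
                "https://homewatchamelia.com/wp-admin/qmK/ - mailcious",
        "hosts": "420extracts.ca() - mailcious hankook-hi.co.kr(15.164.52.139) - mailcious 117.18.232.200 - suspicious",
        "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    },
    "9913": {
        "sample": "EB00575 invoicing.doc add2a3411a95dd6e3189600db8b2599c Vulnerability VirusTotal Malware",
        "urls": "http://goodherbwebmart.com/ https://homewatchamelia.com/wp-admin/qmK/",
        "hosts": "420extracts.ca() casinopalacett.com(148.72.93.189) 148.72.93.189 - suspicious",
        "alerts": "SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)",
    },
}

# Optional " - <label>" suffix that the sandbox appends to an indicator.
LABEL = r"(?:\s*-\s*(malware|mailcious|malicious|suspicious))?"
URL_RE = re.compile(r"(https?://\S+)" + LABEL)
# hostname followed by "(ip)" or "()" when the name did not resolve.
HOST_RE = re.compile(r"([A-Za-z0-9.-]+\.[A-Za-z]{2,})\((\d{1,3}(?:\.\d{1,3}){3})?\)" + LABEL)
# bare IPv4 addresses only: lookarounds skip the "(ip)" that belongs to a hostname.
IP_RE = re.compile(r"(?<![\d.(])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.)])" + LABEL)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
# An alert name starts with an ET category, the SSLBL prefix or a Suricata engine event.
ALERT_START = re.compile(r"\b(?:ET [A-Z0-9_]+ |SSLBL: |SURICATA )")


def norm(label):
    """Map the sandbox's 'mailcious' spelling to 'malicious'; None when unlabelled."""
    return "malicious" if label == "mailcious" else (label or None)


def split_alerts(text):
    """Cut a run of concatenated alert names at each alert-start token."""
    starts = [m.start() for m in ALERT_START.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]


def parse_record(rid, rec):
    m = MD5_RE.search(rec["sample"])
    return {
        "id": rid,
        "name": rec["sample"][:m.start()].strip(),   # submission name (may be a truncated URL)
        "tags": rec["sample"][m.end():].strip(),
        "md5": m.group(0),
        "urls": [(u, norm(l)) for u, l in URL_RE.findall(rec["urls"])],
        "hosts": [(h, ip or None, norm(l)) for h, ip, l in HOST_RE.findall(rec["hosts"])],
        "ips": [(ip, norm(l)) for ip, l in IP_RE.findall(rec["hosts"])],
        "alerts": split_alerts(rec["alerts"]),
    }


def correlate(parsed):
    """Index every indicator to the set of record IDs it appears in."""
    idx = {k: defaultdict(set) for k in ("md5", "url", "host", "ip")}
    for p in parsed:
        idx["md5"][p["md5"]].add(p["id"])
        for url, _ in p["urls"]:
            idx["url"][url].add(p["id"])
        for host, ip, _ in p["hosts"]:
            idx["host"][host].add(p["id"])
            if ip:
                idx["ip"][ip].add(p["id"])
        for ip, _ in p["ips"]:
            idx["ip"][ip].add(p["id"])
    return idx


def shared(index):
    """Indicators seen in more than one record: the pivots worth a second look."""
    return {k: v for k, v in index.items() if len(v) > 1}


def run(records=RECORDS):
    parsed = [parse_record(rid, rec) for rid, rec in records.items()]
    return parsed, correlate(parsed)


if __name__ == "__main__":
    parsed, idx = run()
    for kind in ("md5", "url", "host", "ip"):
        for ioc, ids in sorted(shared(idx[kind]).items()):
            print(f"{kind:4} {ioc}  <- records {sorted(ids)}")
```

The bare-IP list deliberately keeps entries that duplicate a hostname's resolved address (the page lists both), so a consumer that wants unique network indicators should take the union of `idx["host"]` and `idx["ip"]` rather than the per-record lists.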