9916 | 2020-10-29 09:55 | B_OKT_100120_QMJ_102820.doc | MD5 3d52fc5a050f184b6b5831c070c18631
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (3):
  http://80.227.52.78/5LsR1nkgomX3l/ZjPBKZ4x4Zvvn/
  https://weparditestaa.fi/wp-admin/72uPk/ - malware
  https://gayatrienterprise.org/wp-admin/DPBsj/
Hosts (7):
  www.saintmarcel.com(51.38.224.182)
  weparditestaa.fi(192.130.146.156) - malware
  gayatrienterprise.org(104.27.153.75)
  192.130.146.156 - suspicious
  80.227.52.78
  104.27.152.75
  51.38.224.182
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 15 | admin

9917 | 2020-10-29 09:49 | file_41974312.doc | MD5 6b85477e763034dc0989adb4411c117e
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (4):
  http://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - mailcious
  http://80.227.52.78/WyEu/V0DLlmLJ6b6J/knDpht6D438w/
  http://nanettecook.org/wp-admin/x/ - mailcious
  https://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - malware
Hosts (5):
  scalarmonitoring.com(85.50.100.181) - malware
  nanettecook.org(74.80.58.254) - mailcious
  85.50.100.181 - suspicious
  80.227.52.78
  74.80.58.254 - suspicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | 30 | admin

9918 | 2020-10-29 09:37 | arc 20201029 1690.doc | MD5 cff8e0945303bb73e63281b98a613ef1
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2):
  http://192.198.91.138:443/EIYYGmOp/7iyOy1IxHB/HU7itbYSbLMe/ - mailcious
  https://demo.giaoduckidsup.com/wp-includes/P/ - malware
Hosts (11):
  cacomixtle.net(138.197.1.150) - malware
  ayur-herbal.com(160.153.137.210) - malware
  enyaxsi.com(45.84.191.215) - malware
  demo.giaoduckidsup.com(172.67.140.232) - malware
  filmfest.jewishfilm.org(208.113.172.122) - mailcious
  138.197.1.150 - suspicious
  192.198.91.138 - suspicious
  45.84.191.215 - suspicious
  160.153.137.210 - suspicious
  104.27.160.57
  208.113.172.122 - suspicious
IDS alerts (4):
  SURICATA TLS invalid record type
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record/traffic
  ET POLICY HTTP traffic on port 443 (POST)
4.0 | M | | admin

9919 | 2020-10-29 09:13 | Attachments-Y369.doc | MD5 710a61a57907e8f67cc0776ed93be98c
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2):
  http://192.198.91.138:443/NT3PzTRU/p1Ml6/zqk7dIQB8/ - mailcious
  https://demo.giaoduckidsup.com/wp-includes/P/ - malware
Hosts (11):
  cacomixtle.net(138.197.1.150) - malware
  ayur-herbal.com(160.153.137.210) - malware
  enyaxsi.com(45.84.191.215) - malware
  demo.giaoduckidsup.com(104.27.160.57) - malware
  filmfest.jewishfilm.org(208.113.172.122) - mailcious
  138.197.1.150 - suspicious
  192.198.91.138 - suspicious
  45.84.191.215 - suspicious
  104.27.161.57
  160.153.137.210 - suspicious
  208.113.172.122 - suspicious
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
  ET POLICY HTTP traffic on port 443 (POST)
4.6 | M | 16 | admin

9920 | 2020-10-29 07:57 | https://aabeds.com/wordpress/O... | MD5 da3bc612bb90dce6e68becd3ff56f5d8
Tags: AutoRuns Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Windows Exploit Advertising ComputerName DNS Cryptographic key crashed
URLs (2):
  http://192.198.91.138:443/dwRyq/B1dGEB3/
  https://aabeds.com/wordpress/O/
Hosts (4):
  aabeds.com(104.31.89.220)
  117.18.232.200 - suspicious
  192.198.91.138
  104.31.89.220
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY HTTP traffic on port 443 (POST)
10.4 | | | guest

9921 | 2020-10-29 07:52 | https://cacomixtle.net/wp-admi... | MD5 d31c81b34cabc36bd0089c0651769552
Tags: Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (3):
  cacomixtle.net(138.197.1.150)
  138.197.1.150
  117.18.232.200 - suspicious
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.2 | | | guest

9922 | 2020-10-28 21:51 | arc_EW7843494089FU.doc | MD5 5057e8eec54ab03814f7b5b9a6f73748
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (4):
  http://scalarmonitoring.com/wp-admin/js/widgets/S0A/
  http://88.153.35.32/CnOcVTFB/e59GKzZswK2VrTa8eG/xO9hy11mC4rMwAHm/LacaElVZGvaJ4KEH/SbruKCeALmA/ - mailcious
  http://nanettecook.org/wp-admin/x/
  https://scalarmonitoring.com/wp-admin/js/widgets/S0A/
Hosts (5):
  scalarmonitoring.com(85.50.100.181)
  nanettecook.org(74.80.58.254)
  85.50.100.181
  88.153.35.32 - suspicious
  74.80.58.254 - suspicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | M | | guest

9923 | 2020-10-28 19:10 | Untitled_VW2874948220CG.doc | MD5 7f8b12d54d354fcecea19637aa6739d5
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://florumgroups.net/mysite/C0NYBd/ - malware
  http://88.153.35.32/KoWkUXwbg/FGcU/b5bhu6m6A/yEqpojQPrcTWoLy/iKX84TipvygWtQQ/nc3W/ - mailcious
Hosts (5):
  florumgroups.net(63.250.42.152) - malware
  socialplaymedia.com(51.77.201.228)
  51.77.201.228
  63.250.42.152 - suspicious
  88.153.35.32 - suspicious
IDS alerts (4):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.0 | M | 18 | admin

9924 | 2020-10-28 18:06 | link.exe | MD5 a9cbc59987ec442437ffea45aade05ba
Tags: Dridex VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows ComputerName Cryptographic key
URLs (1):
  http://bprbalidananiaga.co.id:443/linkbaba/PL341/index.php
Hosts (2):
  bprbalidananiaga.co.id(103.253.212.238)
  103.253.212.238
IDS alerts (4):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  ET POLICY HTTP traffic on port 443 (POST)
9.4 | M | 40 | admin

9925 | 2020-10-28 12:26 | Electronic form.doc | MD5 eb6a6943bf8db6a0c7003c1c869b3323
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (3):
  http://91.121.200.35:8080/oQduEUzyuXYOG1/iosXbeze6L0YK93Z/r3qIMIMkoLSL/NEUB/oa9411o42Xd/ - mailcious
  https://agenciainfluenciar.com.br/indexing/X/ - malware
  https://e-spaic.pt/hacks_list/LK/ - mailcious
Hosts (6):
  agenciainfluenciar.com.br(107.180.71.232) - malware
  e-spaic.pt(161.97.75.68) - mailcious
  179.15.102.2 - suspicious
  107.180.71.232 - suspicious
  161.97.75.68 - suspicious
  91.121.200.35 - suspicious
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | 14 | admin

9926 | 2020-10-28 11:38 | aPfjegjaF.exe | MD5 6d8eb085d7dfcfdd55f26262e51fbfdc
Tags: Browser Info Stealer Emotet Malware download FTP Client Info Stealer Vidar Azorult Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Interception Zeus OskiStealer Stealer Windows Browser Email ComputerName Cryptographic key Software crashed Downloader
URLs (16):
  http://morasergiov.ac.ug/
  http://217.8.117.77/oJHstwpndf.exe - malware
  http://morasergiov.ac.ug/vcruntime140.dll
  http://jamesrlongacre.ug/rc.exe
  http://morasergiov.ac.ug/nss3.dll
  http://morasergiov.ac.ug/sqlite3.dll
  http://jamesrlongacre.ug/ds2.exe
  http://jamesrlongacre.ug/index.php
  http://morasergiov.ac.ug/freebl3.dll
  http://morasergiov.ac.ug/mozglue.dll
  http://jamesrlongacre.ug/ac.exe
  http://jamesrlongacre.ug/ds1.exe
  http://morasergiov.ac.ug/main.php
  http://morasergiov.ac.ug/msvcp140.dll
  http://morasergiov.ac.ug/softokn3.dll
  https://cdn.discordapp.com/attachments/752128569169281083/770252881495326780/Uvop123
Hosts (9):
  morasergiov.ac.ug(217.8.117.77)
  discord.com(162.159.136.232)
  taenaia.ac.ug(79.134.225.121)
  jamesrlongacre.ug(217.8.117.77)
  cdn.discordapp.com(162.159.130.233) - malware
  79.134.225.121 - suspicious
  162.159.136.232
  162.159.129.233 - suspicious
  217.8.117.77 - suspicious
IDS alerts (11):
  ET DROP Spamhaus DROP Listed Traffic Inbound group 38
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET MALWARE AZORult v3.3 Server Response M3
  ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
  ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
  ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
27.4 | M | | admin

9927 | 2020-10-28 10:35 | https://achremittanceservices.... | MD5 d32109224e04cbdb24ca32fb320f89a1
Tags: Dridex Malware Code Injection unpack itself Windows utilities malicious URLs Tofsee Windows Tor DNS
Hosts (3):
  achremittanceservices.com(68.65.123.61)
  68.65.123.61
  178.254.45.64
IDS alerts (4):
  ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
2.8 | | | admin

9928 | 2020-10-28 10:34 | DOC_96439691.doc | MD5 56a98d4ac1377142220a9cfc737a13b3
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (2):
  http://tangshizhi.com/wp-admin/pcFD/
  http://107.170.146.252:8080/x1M3/oedgL4bl1Sxsa/vi44ggjQKWaE/ohU9Y8R8JN/QP7G8wd6RNEPGKnq2/ - mailcious
Hosts (6):
  tangshizhi.com(202.95.11.52)
  cuutrolulut.info(208.113.172.110)
  107.170.146.252 - suspicious
  88.153.35.32 - suspicious
  208.113.172.110
  202.95.11.52 - suspicious
IDS alerts (5):
  ET POLICY Terse Named Filename EXE Download - Possibly Hostile
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 | M | | admin

9929 | 2020-10-28 10:30 | https://valenciaexpresslaundry... | MD5 09ecf62b70523317e0631ad7d50b669b
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (3):
  valenciaexpresslaundry.com(181.214.142.131) - malware
  181.214.142.131 - suspicious
  117.18.232.200 - suspicious
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.4 | | | admin

9930 | 2020-10-28 10:21 | tyuew.exe | MD5 4fc3c6a6fc4711ad9907fdf45810829c
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows DNS Cryptographic key crashed
URLs (4):
  https://ahgwqrq.xyz/getrandombase64.php?get=330F8E490A8A44EFA30583C338272735
  https://ahgwqrq.xyz/getrandombase64.php?get=2546F095A204453AA8FD8516FFDCA892
  https://ahgwqrq.xyz/getrandombase64.php?get=97D7C843E8234D4687C41F0958409F28
  https://ahgwqrq.xyz/getrandombase64.php?get=99DA4645D7AD484294E084764E693136
Hosts (5):
  www.google.it(172.217.174.99)
  ahgwqrq.xyz(104.27.180.69)
  104.27.180.69
  216.58.200.3
  185.165.153.249
IDS alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.4 | | 17 | admin