| 9916 |
2020-10-29 09:55
|
B_OKT_100120_QMJ_102820.doc 3d52fc5a050f184b6b5831c070c18631
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
3
http://80.227.52.78/5LsR1nkgomX3l/ZjPBKZ4x4Zvvn/
https://weparditestaa.fi/wp-admin/72uPk/ - malware
https://gayatrienterprise.org/wp-admin/DPBsj/
|
7
www.saintmarcel.com(51.38.224.182)
weparditestaa.fi(192.130.146.156) - malware
gayatrienterprise.org(104.27.153.75)
192.130.146.156 - suspicious
80.227.52.78
104.27.152.75
51.38.224.182
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
15 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9917 |
2020-10-29 09:49
|
file_41974312.doc 6b85477e763034dc0989adb4411c117e
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
4
http://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - mailcious
http://80.227.52.78/WyEu/V0DLlmLJ6b6J/knDpht6D438w/
http://nanettecook.org/wp-admin/x/ - mailcious
https://scalarmonitoring.com/wp-admin/js/widgets/S0A/ - malware
|
5
scalarmonitoring.com(85.50.100.181) - malware
nanettecook.org(74.80.58.254) - mailcious
85.50.100.181 - suspicious
80.227.52.78
74.80.58.254 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
30 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9918 |
2020-10-29 09:37
|
arc 20201029 1690.doc cff8e0945303bb73e63281b98a613ef1
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://192.198.91.138:443/EIYYGmOp/7iyOy1IxHB/HU7itbYSbLMe/ - mailcious
https://demo.giaoduckidsup.com/wp-includes/P/ - malware
|
11
cacomixtle.net(138.197.1.150) - malware
ayur-herbal.com(160.153.137.210) - malware
enyaxsi.com(45.84.191.215) - malware
demo.giaoduckidsup.com(172.67.140.232) - malware
filmfest.jewishfilm.org(208.113.172.122) - mailcious
138.197.1.150 - suspicious
192.198.91.138 - suspicious
45.84.191.215 - suspicious
160.153.137.210 - suspicious
104.27.160.57
208.113.172.122 - suspicious
|
4
SURICATA TLS invalid record type
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record/traffic
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.0 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9919 |
2020-10-29 09:13
|
Attachments-Y369.doc 710a61a57907e8f67cc0776ed93be98c
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
2
http://192.198.91.138:443/NT3PzTRU/p1Ml6/zqk7dIQB8/ - mailcious
https://demo.giaoduckidsup.com/wp-includes/P/ - malware
|
11
cacomixtle.net(138.197.1.150) - malware
ayur-herbal.com(160.153.137.210) - malware
enyaxsi.com(45.84.191.215) - malware
demo.giaoduckidsup.com(104.27.160.57) - malware
filmfest.jewishfilm.org(208.113.172.122) - mailcious
138.197.1.150 - suspicious
192.198.91.138 - suspicious
45.84.191.215 - suspicious
104.27.161.57
160.153.137.210 - suspicious
208.113.172.122 - suspicious
|
4
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET POLICY HTTP traffic on port 443 (POST)
|
|
4.6 |
M |
16 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9920 |
2020-10-29 07:57
|
https://aabeds.com/wordpress/O... da3bc612bb90dce6e68becd3ff56f5d8
AutoRuns Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Auto service malicious URLs AntiVM_Disk sandbox evasion VM Disk Size Check human activity check Tofsee Windows Exploit Advertising ComputerName DNS Cryptographic key crashed |
2
http://192.198.91.138:443/dwRyq/B1dGEB3/
https://aabeds.com/wordpress/O/
|
4
aabeds.com(104.31.89.220)
117.18.232.200 - suspicious
192.198.91.138
104.31.89.220
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY HTTP traffic on port 443 (POST)
|
|
10.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9921 |
2020-10-29 07:52
|
https://cacomixtle.net/wp-admi... d31c81b34cabc36bd0089c0651769552
Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
3
cacomixtle.net(138.197.1.150)
138.197.1.150
117.18.232.200 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9922 |
2020-10-28 21:51
|
arc_EW7843494089FU.doc 5057e8eec54ab03814f7b5b9a6f73748
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
4
http://scalarmonitoring.com/wp-admin/js/widgets/S0A/
http://88.153.35.32/CnOcVTFB/e59GKzZswK2VrTa8eG/xO9hy11mC4rMwAHm/LacaElVZGvaJ4KEH/SbruKCeALmA/ - mailcious
http://nanettecook.org/wp-admin/x/
https://scalarmonitoring.com/wp-admin/js/widgets/S0A/
|
5
scalarmonitoring.com(85.50.100.181)
nanettecook.org(74.80.58.254)
85.50.100.181
88.153.35.32 - suspicious
74.80.58.254 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9923 |
2020-10-28 19:10
|
Untitled_VW2874948220CG.doc 7f8b12d54d354fcecea19637aa6739d5
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://florumgroups.net/mysite/C0NYBd/ - malware
http://88.153.35.32/KoWkUXwbg/FGcU/b5bhu6m6A/yEqpojQPrcTWoLy/iKX84TipvygWtQQ/nc3W/ - mailcious
|
5
florumgroups.net(63.250.42.152) - malware
socialplaymedia.com(51.77.201.228)
51.77.201.228
63.250.42.152 - suspicious
88.153.35.32 - suspicious
|
4
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.0 |
M |
18 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9924 |
2020-10-28 18:06
|
link.exe a9cbc59987ec442437ffea45aade05ba
Dridex VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Tofsee Windows ComputerName Cryptographic key |
1
http://bprbalidananiaga.co.id:443/linkbaba/PL341/index.php
|
2
bprbalidananiaga.co.id(103.253.212.238)
103.253.212.238
|
4
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
ET POLICY HTTP traffic on port 443 (POST)
|
|
9.4 |
M |
40 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9925 |
2020-10-28 12:26
|
Electronic form.doc eb6a6943bf8db6a0c7003c1c869b3323
Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS |
3
http://91.121.200.35:8080/oQduEUzyuXYOG1/iosXbeze6L0YK93Z/r3qIMIMkoLSL/NEUB/oa9411o42Xd/ - mailcious
https://agenciainfluenciar.com.br/indexing/X/ - malware
https://e-spaic.pt/hacks_list/LK/ - mailcious
|
6
agenciainfluenciar.com.br(107.180.71.232) - malware
e-spaic.pt(161.97.75.68) - mailcious
179.15.102.2 - suspicious
107.180.71.232 - suspicious
161.97.75.68 - suspicious
91.121.200.35 - suspicious
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
6.0 |
M |
14 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9926 |
2020-10-28 11:38
|
aPfjegjaF.exe 6d8eb085d7dfcfdd55f26262e51fbfdc
Browser Info Stealer Emotet Malware download FTP Client Info Stealer Vidar Azorult Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Ransomware Interception Zeus OskiStealer Stealer Windows Browser Email ComputerName Cryptographic key Software crashed Downloader |
16
http://morasergiov.ac.ug/
http://217.8.117.77/oJHstwpndf.exe - malware
http://morasergiov.ac.ug/vcruntime140.dll
http://jamesrlongacre.ug/rc.exe
http://morasergiov.ac.ug/nss3.dll
http://morasergiov.ac.ug/sqlite3.dll
http://jamesrlongacre.ug/ds2.exe
http://jamesrlongacre.ug/index.php
http://morasergiov.ac.ug/freebl3.dll
http://morasergiov.ac.ug/mozglue.dll
http://jamesrlongacre.ug/ac.exe
http://jamesrlongacre.ug/ds1.exe
http://morasergiov.ac.ug/main.php
http://morasergiov.ac.ug/msvcp140.dll
http://morasergiov.ac.ug/softokn3.dll
https://cdn.discordapp.com/attachments/752128569169281083/770252881495326780/Uvop123
|
9
morasergiov.ac.ug(217.8.117.77)
discord.com(162.159.136.232)
taenaia.ac.ug(79.134.225.121)
jamesrlongacre.ug(217.8.117.77)
cdn.discordapp.com(162.159.130.233) - malware
79.134.225.121 - suspicious
162.159.136.232
162.159.129.233 - suspicious
217.8.117.77 - suspicious
|
11
ET DROP Spamhaus DROP Listed Traffic Inbound group 38
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE AZORult v3.3 Server Response M3
ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
|
|
27.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9927 |
2020-10-28 10:35
|
https://achremittanceservices.... d32109224e04cbdb24ca32fb320f89a1
Dridex Malware Code Injection unpack itself Windows utilities malicious URLs Tofsee Windows Tor DNS |
|
3
achremittanceservices.com(68.65.123.61)
68.65.123.61
178.254.45.64
|
4
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
2.8 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9928 |
2020-10-28 10:34
|
DOC_96439691.doc 56a98d4ac1377142220a9cfc737a13b3
Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS |
2
http://tangshizhi.com/wp-admin/pcFD/
http://107.170.146.252:8080/x1M3/oedgL4bl1Sxsa/vi44ggjQKWaE/ohU9Y8R8JN/QP7G8wd6RNEPGKnq2/ - mailcious
|
6
tangshizhi.com(202.95.11.52)
cuutrolulut.info(208.113.172.110)
107.170.146.252 - suspicious
88.153.35.32 - suspicious
208.113.172.110
202.95.11.52 - suspicious
|
5
ET POLICY Terse Named Filename EXE Download - Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE - Served Attached HTTP
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
5.4 |
M |
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9929 |
2020-10-28 10:30
|
https://valenciaexpresslaundry... 09ecf62b70523317e0631ad7d50b669b
Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed |
|
3
valenciaexpresslaundry.com(181.214.142.131) - malware
181.214.142.131 - suspicious
117.18.232.200 - suspicious
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.4 |
|
|
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9930 |
2020-10-28 10:21
|
tyuew.exe 4fc3c6a6fc4711ad9907fdf45810829c
VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows DNS Cryptographic key crashed |
4
https://ahgwqrq.xyz/getrandombase64.php?get=330F8E490A8A44EFA30583C338272735
https://ahgwqrq.xyz/getrandombase64.php?get=2546F095A204453AA8FD8516FFDCA892
https://ahgwqrq.xyz/getrandombase64.php?get=97D7C843E8234D4687C41F0958409F28
https://ahgwqrq.xyz/getrandombase64.php?get=99DA4645D7AD484294E084764E693136
|
5
www.google.it(172.217.174.99)
ahgwqrq.xyz(104.27.180.69)
104.27.180.69
216.58.200.3
185.165.153.249
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
12.4 |
|
17 |
admin
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|