9931 | 2020-10-28 10:17
https://valenciaexpresslaundry... 09ecf62b70523317e0631ad7d50b669b
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (3): valenciaexpresslaundry.com(181.214.142.131) - malware; 181.214.142.131 - suspicious; 117.18.232.200 - suspicious
Alerts (3): ET INFO TLS Handshake Failure; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.8 | | | admin
9932 | 2020-10-28 10:02
lilbaa.exe 51400134bdd5b0eae07a5685c3560771
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger buffers extracted WMI ICMP traffic unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed keylogger
URLs (1): http://checkip.dyndns.org/
Hosts (4): mail.sapgroup.com.pk(95.215.225.23); checkip.dyndns.org(216.146.43.71); 216.146.43.70 - suspicious; 95.215.225.23
Alerts (5): ET INFO DYNAMIC_DNS Query to *.dyndns. Domain; SURICATA Applayer Detect protocol only one direction; ET POLICY External IP Lookup - checkip.dyndns.org; ET POLICY DynDNS CheckIp External IP Address Server Response; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.2 | M | 25 | admin
9933 | 2020-10-28 09:34
Adobe.pdf.exe bbad437e472d66b7702a2c7671260b27
Tags: VirusTotal Malware Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Checks Bios Detects VirtualBox Check virtual network interfaces malicious URLs WriteConsoleW VMware anti-virtualization Tofsee Windows ComputerName Cryptographic key Software
URLs (2): https://hastebin.com/raw/isilotojuy; https://hastebin.com/raw/tekasejaki
Hosts (2): hastebin.com(172.67.143.180) - mailcious; 104.24.127.89
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
10.0 | | 44 | guest
9934 | 2020-10-28 09:03
Inv. 0655554.doc 240b691234655ab6f8d51f62d3ea7d71
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee DNS
URLs (3): http://91.121.200.35:8080/bU9Qy5dS/; https://agenciainfluenciar.com.br/indexing/X/; https://e-spaic.pt/hacks_list/LK/
Hosts (6): agenciainfluenciar.com.br(107.180.71.232); e-spaic.pt(161.97.75.68); 179.15.102.2; 107.180.71.232; 161.97.75.68; 91.121.200.35
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.8 | | 17 | guest
9935 | 2020-10-27 18:23
rep_0HHSEI8DAP5IFU0.doc f0ff84c95b97ee41cf9869d9bc25eb15
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (4): http://107.170.146.252:8080/jz4gNpp6m5qRXw9NLU/FbrMZTF/DHip8bMTk8WVuy4Sna/ - mailcious; https://www.theginlibrary.de/wp-includes/ma/; https://toorak.ie/wp-includes/aT/; https://homewatchamelia.com/wp-admin/MQxjrRU/
Hosts (10): www.theginlibrary.de(37.17.224.143); toorak.ie(104.31.82.230); pottershousedurban.co.za(102.130.121.16) - mailcious; homewatchamelia.com(172.67.148.194) - mailcious; 67.163.161.107 - suspicious; 104.31.82.230; 102.130.121.16 - suspicious; 37.17.224.143; 104.28.23.149 - suspicious; 107.170.146.252 - suspicious
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | M | 19 | guest
9936 | 2020-10-27 18:19
FILE-2020_10_27-YE455729.doc e6df4c6ce89b90689352e5f18778cd5d
Tags: Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself malicious URLs Tofsee Windows DNS
URLs (3): http://104.131.92.244:8080/RGc8Ihma897MD9Up/x4JW/F9mrfCWszepi3o/; http://kbppp.ilmci.com/wp-includes/z/; http://www.royalempresshair.com/wp-content/upgrade/Ete/
Hosts (6): www.royalempresshair.com(45.79.219.198) - mailcious; kbppp.ilmci.com(103.241.24.165) - mailcious; 45.79.219.198 - suspicious; 103.241.24.165 - suspicious; 45.16.226.117 - suspicious; 104.131.92.244
Alerts (5): ET CNC Feodo Tracker Reported CnC Server group 18; ET POLICY PE EXE or DLL Windows file download HTTP; ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download; ET INFO EXE - Served Attached HTTP; SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.0 | | 19 | guest
9937 | 2020-10-27 17:41
joj.exe 75c4f2a3e9f895a4d684e41edbc665b6
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed keylogger
URLs (2): http://crt.comodoca.com/COMODORSAAddTrustCA.crt; https://api.ipify.org/
Hosts (4): api.ipify.org(50.19.252.36); crt.comodoca.com(91.199.212.52); 91.199.212.52; 54.235.83.248
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.4 | M | 39 | admin
9938 | 2020-10-27 17:34
joj.exe 75c4f2a3e9f895a4d684e41edbc665b6
Tags: VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Tor ComputerName crashed
URLs (2): http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/; http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
Hosts (2): api.ipify.org(184.73.247.141); 54.225.169.28
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.0 | M | 39 | guest
9939 | 2020-10-27 17:33
udi.exe 6c928c0bb16fbe2a4b655cbbdd08c226
Tags: Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Ransomware Windows Browser Tor Email ComputerName Cryptographic key Software crashed keylogger
URLs (2): http://crt.comodoca.com/COMODORSAAddTrustCA.crt; https://api.ipify.org/
Hosts (4): api.ipify.org(184.73.247.141); crt.comodoca.com(91.199.212.52); 91.199.212.52; 54.235.83.248
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | M | 22 | guest
9940 | 2020-10-27 14:23
October Invoice.doc 6417e13118cf88c3a42ed070cae0e8ce
Tags: Vulnerability Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2): http://61.118.67.173/crbyOZ4qgH8lU9f9/WP5Um4j/sZ9b6WRDmnWJJFgvb/DDSkxjWLp9abnuf/hzkTOA/; https://cardandev.com/balancedteens/N2aAqwmfux/
Hosts (3): cardandev.com(67.43.4.115); 61.118.67.173; 67.43.4.115
Alerts (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.4 | | | admin
9941 | 2020-10-27 09:22
BDK_100120_VLM_102720.doc 34cf2c044e2803cb74c2439f759d3dcc
Tags: Vulnerability VirusTotal Malware Malicious Traffic ICMP traffic unpack itself malicious URLs Tofsee
URLs (5): http://goodherbwebmart.com/; https://arpe-samois.fr/wp-content/eQCw/ - mailcious; https://braceyourself.us/wp-admin/J/ - mailcious; https://fitthemes.com/wordpress-5.3.2/O/ - mailcious; https://nhatcuong.xyz/wp-content/Szx94QD/ - mailcious
Hosts (18): braceyourself.us(139.59.104.96) - mailcious; carl99a.com(184.154.69.125) - malware; nhatcuong.xyz(104.31.92.104) - mailcious; fitthemes.com(172.67.177.180) - mailcious; goodherbwebmart.com(141.98.10.47); nakanoyoi5.com(150.95.54.162) - malware; 360digest.beyondb-school.com(44.228.91.252) - mailcious; arpe-samois.fr(155.133.142.4) - mailcious; seitaiken.net(150.95.54.237) - malware; 44.228.91.252 - suspicious; 184.154.69.125 - suspicious; 172.67.177.180 - suspicious; 150.95.54.237 - suspicious; 139.59.104.96 - suspicious; 155.133.142.4 - suspicious; 141.98.10.47; 150.95.54.162 - suspicious; 104.31.93.104
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic
5.0 | M | 21 | guest
9942 | 2020-10-27 08:52
INV_XI2FZ0I0ME.doc 933023dcade70fbac0a87f509997a9b1
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee
URLs (5): http://goodherbwebmart.com/; https://arpe-samois.fr/wp-content/eQCw/; https://braceyourself.us/wp-admin/J/; https://fitthemes.com/wordpress-5.3.2/O/; https://nhatcuong.xyz/wp-content/Szx94QD/
Hosts (18): braceyourself.us(139.59.104.96); carl99a.com(184.154.69.125); nhatcuong.xyz(172.67.200.82); fitthemes.com(172.67.177.180); goodherbwebmart.com(141.98.10.47); nakanoyoi5.com(150.95.54.162); 360digest.beyondb-school.com(44.228.91.252); arpe-samois.fr(155.133.142.4); seitaiken.net(150.95.54.237); 44.228.91.252; 184.154.69.125; 172.67.177.180; 104.31.92.104; 150.95.54.237; 139.59.104.96; 155.133.142.4; 141.98.10.47; 150.95.54.162 - suspicious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); SURICATA TLS invalid record type; SURICATA TLS invalid record/traffic
4.2 | | 21 | guest
9943 | 2020-10-27 07:30
https://redesuperpops.com.br/k... 74558ab0b6c9a3d2202b149413178595
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
Hosts (3): redesuperpops.com.br(192.185.216.181) - mailcious; 192.185.216.181 - suspicious; 117.18.232.200 - suspicious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.2 | | | guest
9944 | 2020-10-26 23:09
YTWHQ07D.doc c2d9ba63fdb20492d829a91e82d61153
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (3): http://154.91.33.137:443/bId5SaSuvjcN7/PXUkZe6ozG822h4dgO/q19079zQLoBRwb4H3Z/OeRykP5xjz3IcVDO/; https://computerjungle.it/wp-content/N/; https://www.si-batangaspremier.org/wp-admin/Q/
Hosts (17): polaroidamsterdam.nl(64.225.66.100); www.si-batangaspremier.org(35.185.239.65); computerjungle.it(104.18.51.138); www.lixko.com(49.235.244.65); needhelp.gr(185.70.76.234); bopetsupplies.com(181.215.182.169); vitrinapyme.com(200.54.18.149); maturisampietro.ch(164.138.68.247); 164.138.68.247; 104.18.50.138; 201.238.235.2; 64.225.66.100; 35.185.239.65; 185.70.76.234; 49.235.244.65; 181.215.182.169; 154.91.33.137
Alerts (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET POLICY HTTP traffic on port 443 (POST)
4.6 | | 19 | admin
9945 | 2020-10-26 22:32
https://fullelectronica.com.ar... a9cbc59987ec442437ffea45aade05ba
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
Hosts (3): fullelectronica.com.ar(209.133.222.158); 209.133.222.158 - suspicious; 117.18.232.200 - suspicious
Alerts (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure; ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.8 | | | admin