10021 | 2020-10-06 14:01
Sample: FILE-982.doc | Hash: 967f1d69e065008f106804ee61098f1c
Tags: Vulnerability VirusTotal Malware Report Malicious Traffic unpack itself Tofsee Windows DNS
URLs (2): http://movewithketty.com/cgi-bin/LXr/ http://pixnbeats.com/chanakua.org/6/
IPs (4): 185.182.56.215 202.22.141.45 37.187.161.206 67.227.236.51
Signatures (6): ET CNC Feodo Tracker Reported CnC Server group 14 | ET CNC Feodo Tracker Reported CnC Server group 17 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET POLICY PE EXE or DLL Windows file download HTTP | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | ET INFO EXE - Served Attached HTTP
5.8 | M | 40 | guest

10022 | 2020-09-29 11:21
Sample: zxcv.EXE | Hash: 92821d6dd83105f5f2d08c43f28fa309
Tags: Browser Info Stealer Emotet Malware download FTP Client Info Stealer Vidar Azorult VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Collect installed applications powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Zeus OskiStealer Stealer Windows Browser Email ComputerName DNS Cryptographic key Software crashed Downloader
URLs (24):
  http://ferreira.ac.ug/index.php
  http://nadia.ac.ug/
  http://nadia.ac.ug/freebl3.dll
  http://cnmotoparts.online/gate/libs.zip
  http://nadia.ac.ug/mozglue.dll
  http://nadia.ac.ug/msvcp140.dll
  http://nadia.ac.ug/nss3.dll
  http://ferreira.ac.ug/ac.exe
  http://ferreiranadii.ac.ug/ds1.exe
  http://ferreira.ac.ug/rc.exe
  http://ferreira.ac.ug/ds1.exe
  http://ferreiranadii.ac.ug/ac.exe
  http://ferreiranadii.ac.ug/rc.exe
  http://nadia.ac.ug/sqlite3.dll
  http://cnmotoparts.online/file_handler4/file.php?hash=6cdfdf419af0bd0a62dd40155eca58436ab12ba0&js=6695ee24e4a8273aee2ea33a2bde08662448549b&callback=http://cnmotoparts.online/gate
  http://ferreira.ac.ug/ds2.exe
  http://nadia.ac.ug/vcruntime140.dll
  http://cnmotoparts.online/gate/sqlite3.dll
  http://nadia.ac.ug/softokn3.dll
  http://nadia.ac.ug/main.php
  http://cnmotoparts.online/gate/log.php
  http://ferreiranadii.ac.ug/ds2.exe
  https://telete.in/brikitiki
  https://cdn.discordapp.com/attachments/752128569169281083/760175342396112916/Acdk123
IPs (6): 161.117.254.2 162.159.134.233 162.159.138.232 194.5.98.95 195.201.225.248 217.8.117.77
Signatures (10): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET MALWARE AZORult v3.3 Server Response M2 | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | ET POLICY PE EXE or DLL Windows file download HTTP | ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile | ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 | ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
28.6 | M | 26 | admin

10023 | 2020-09-29 10:34
Sample: raw.exe | Hash: 2d46889b6d794ac1fcf58bf340c4666a
Tags: VirusTotal Malware Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee ComputerName DNS
URLs (1): https://paste.nrecom.net/view/raw/a4eca577
IPs (1):
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 |  | 29 | guest

10024 | 2020-09-26 09:46
Sample: https://www.urban-vpn.network/... | Hash: 01527bfc480e2a2d52be7fc1f3a792a8
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (2): 117.18.232.200 192.64.118.23
Signatures (3): ET INFO TLS Handshake Failure | ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 |  |  | guest

10025 | 2020-09-25 14:03
Sample: https://www.sanambakshi.com/wp... | Hash: 5c50a1af9fe8c9136fc5738a3154b3ec
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (2): 117.18.232.200 209.205.123.182
Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure | ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.4 |  |  | guest

10026 | 2020-09-25 07:46
Sample: http://198.12.66.108/jojo.exe | Hash: ad6564701054b692bcf47b5feb6324a2
Tags: Browser Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key crashed keylogger
URLs (7): http://198.12.66.108/jojo.exe http://crt.comodoca.com/COMODORSAAddTrustCA.crt http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://paste.nrecom.net/view/raw/19b8a0c3 https://paste.nrecom.net/view/raw/f4b7e260 https://paste.nrecom.net/view/raw/c8cdc044 https://api.ipify.org/
IPs (5): 117.18.232.200 198.12.66.108 37.120.174.218 54.204.14.42 91.199.212.52
Signatures (4): ET INFO Executable Download from dotted-quad Host | ET POLICY PE EXE or DLL Windows file download HTTP | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
16.8 | M |  | guest

10027 | 2020-09-24 22:29
Sample: jojo.exe | Hash: ad6564701054b692bcf47b5feb6324a2
Tags: Browser Info Stealer Email Client Info Stealer Malware AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs WriteConsoleW Tofsee Ransomware Windows Browser Tor Email ComputerName DNS Cryptographic key crashed keylogger
URLs (5): http://crt.comodoca.com/COMODORSAAddTrustCA.crt https://paste.nrecom.net/view/raw/19b8a0c3 https://paste.nrecom.net/view/raw/f4b7e260 https://paste.nrecom.net/view/raw/c8cdc044 https://api.ipify.org/
IPs (3): 37.120.174.218 54.235.83.248 91.199.212.52
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.0 |  |  | admin

10028 | 2020-09-24 08:11
Sample: http://srksmaisw.org/manufactu... | Hash: e09eef5b5566f81b46ac3ac201d6b794
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (4): http://srksmaisw.org/cdn-cgi/images/icon-exclamation.png?1376755637 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://srksmaisw.org/manufacturer/h/ http://srksmaisw.org/cdn-cgi/styles/cf.errors.css
IPs (2): 104.24.114.68 117.18.232.200
Signatures (3): ET INFO TLS Handshake Failure | ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.2 |  |  | guest

10029 | 2020-09-23 10:10
Sample: http://gooddns.ir/bobbyx/XefEz...
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (2): 117.18.232.200 194.180.224.87
Signatures (3): ET INFO TLS Handshake Failure | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
5.4 | M |  | admin

10030 | 2020-09-23 09:53
Sample: http://gooddns.ir/ashleyx/solu...
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (2): 117.18.232.200 194.180.224.87
Signatures (3): ET INFO TLS Handshake Failure | ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 |  |  | admin

10031 | 2020-09-23 07:53
Sample: https://www.victoryuae.co/soon... | Hash: b33e40c5c4ded6d3c5cd00bbe0c9c9bf
Tags: Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (2): 117.18.232.200 144.217.43.12
Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure | ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
4.2 | M |  | guest

10032 | 2020-09-22 15:50
Sample: REP_IA1J49KDNZR9PQE.doc | Hash: 5f3a967f8c5bb8925e8754a04f22f9d8
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Tofsee DNS
URLs (2): http://24.43.32.186/KVmlL5Ce/pHqqTR/VVfHj7zpc0/ https://www.tiendajuanvaldez.com/wp-admin/igkf/
IPs (3): 104.18.49.138 24.43.32.186 34.93.116.168
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.4 |  | 30 | admin

10033 | 2020-09-22 13:36
Sample: https://k.top4top.io/p_1671u02... | Hash: 63c74e45cb4ba38e8ba6089425a6abd8
Tags: Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
URLs (1): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (2): 117.18.232.200 51.159.59.232
Signatures (3): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET INFO TLS Handshake Failure | ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
5.2 | M | 46 | admin

10034 | 2020-09-22 11:25
Sample: rc.exe | Hash: a205712a031be2c61db9cd98c1c29a14
Tags: Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities AppData folder malicious URLs Tofsee Interception Windows DNS
URLs (1): https://cdn.discordapp.com/attachments/750959070755815488/751062419425460264/Dexj123
IPs (3): 162.159.129.233 194.5.98.95 23.212.13.232
Signatures (1): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
12.0 | M | 47 | admin

10035 | 2020-09-22 10:10
Sample: MAIN.exe | Hash: 7c357e54f775f0042c2d8e36d0c38fa9
Tags: Dridex TrickBot VirusTotal Malware PDB Malicious Traffic unpack itself Check virtual network interfaces malicious URLs Tofsee Kovter ComputerName DNS
URLs (3): http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt https://172.98.192.214/cSVlo1FeFAInvJDJkZ9P99GLwSTqIGUF https://www.amazon.com/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
IPs (3): 172.98.192.214 23.228.232.82 91.199.212.52
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
5.8 | M | 48 | admin