10081 |
2020-07-22 12:41
|
Inv-XBGH1130_23212865.doc c2e592fbfb05a17f76becd999e52a01b Vulnerability VirusTotal Malware unpack itself Tofsee DNS |
1
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10082 |
2020-07-22 12:37
|
Inv ET5808_565971217.doc e83403331092ea4ebf89495eb3823deb Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3600143997&cup2hreq=d6ba3fa9c72673912a7188b0e5b14c328b9ff53bc9f86ff5eedf251cdf1cc49b
|
2
172.217.161.46 172.217.27.67
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10083 |
2020-07-22 12:33
|
http://systemidentifytheprotoc... 16dc050b380c8161b7973a01b8c7b879 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs Tofsee Windows Exploit Browser Email ComputerName Trojan DNS Cryptographic key Software crashed |
3
http://systemidentifytheprotocolwindowsserverse.duckdns.org/bdds/svchost.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:2361864108&cup2hreq=4aa23fae9d2c72400de0f4942172c054fd7571e90dd7d91e71f8713bd25138b7
|
3
149.202.29.75 172.217.161.46 172.217.175.35
|
4
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download ET POLICY PE EXE or DLL Windows file download HTTP
|
|
15.6 |
|
8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10084 |
2020-07-22 11:16
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
3
117.18.232.200 172.217.175.10 35.226.40.154
|
3
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10085 |
2020-07-22 11:09
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
|
3
117.18.232.200 172.217.175.42 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10086 |
2020-07-21 18:27
|
https://class.britishonline.co... 02032a73a8b1788cdcc567b749812444 Dridex VirusTotal Malware Code Injection Malicious Traffic unpack itself Windows utilities malicious URLs Tofsee Windows DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3707306346&cup2hreq=c6650cc85daddb70cb5a15cc5b595ca756623b68fd207a5b82b48c27753b4697
|
3
162.214.20.225 172.217.161.46 172.217.31.163
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.4 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10087 |
2020-07-21 18:18
|
F_UUW_070120_VNF_072120.doc 0cd06145a71c3f2bab7722fd5788579d Emotet Malware download Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee Windows DNS |
4
http://124.45.106.173:443/v697hn969KD/SdW4m7CyGF7fO/ http://fijipiscinas.com/wp-admin/ympm/ http://124.45.106.173:443/v697hn969KD/SdW4m7CyGF7fO/ https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3085698260&cup2hreq=36dd01ca863135a0fcc19a814c372b19579f151cdf003292659415797bbe952c
|
5
123.254.105.242 124.45.106.173 172.217.161.46 216.58.220.99 68.183.113.209
|
6
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE - Served Attached HTTP ET POLICY HTTP traffic on port 443 (POST) ET MALWARE Win32/Emotet CnC Activity (POST) M8
|
|
5.4 |
|
20 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10088 |
2020-07-21 18:18
|
https://bloomcareltd.co.uk/wp-... 85321df51c43c38d4bc6927ee7cea7a9 Dridex VirusTotal Malware Code Injection unpack itself Windows utilities malicious URLs Tofsee Windows DNS |
|
1
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
3.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10089 |
2020-07-21 18:17
|
FILE-2020_07_21-195317.doc 589ee490769a1737f7365d7c5655008e Vulnerability Malware Malicious Traffic unpack itself Tofsee Windows DNS |
4
http://r8---sn-3u-bh2sd.gvt1.com/edgedl/release2/chrome/AIHcSO5F2NZdUg_Cy-Cbgy8_84.0.4147.89/84.0.4147.89_chrome_installer.exe?cms_redirect=yes&mh=eA&mip=175.208.134.150&mm=28&mn=sn-3u-bh2sd&ms=nvh&mt=1595322864&mv=m&mvi=8&pl=18&shardbypass=yes http://r8---sn-3u-bh2sd.gvt1.com/edgedl/release2/chrome/AIHcSO5F2NZdUg_Cy-Cbgy8_84.0.4147.89/84.0.4147.89_chrome_installer.exe?cms_redirect=yes&mh=eA&mip=175.208.134.150&mm=28&mn=sn-3u-bh2sd&ms=nvh&mt=1595322864&mv=m&mvi=8&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/chrome/AIHcSO5F2NZdUg_Cy-Cbgy8_84.0.4147.89/84.0.4147.89_chrome_installer.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:4039676881&cup2hreq=00ab76e6bd8dbeb018fa1aa7d74b24303a0f5bcc3abe6436c03ac71ae149bf77
|
4
172.217.175.35 172.217.175.46 172.217.25.238 211.114.65.19
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
|
|
3.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10090 |
2020-07-21 14:28
|
doc-5382.docm ae18ed686e82ba41cebc162245c7fc42 VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:655737552&cup2hreq=002ee30e1176121f00b9eb338c474169f91320cfd3f0e9a4d5fee500a87a838a
|
2
172.217.161.46 172.217.175.35
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
20 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10091 |
2020-07-21 14:23
|
doc-5382.docm ae18ed686e82ba41cebc162245c7fc42 VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:2387805627&cup2hreq=5454ed19c95f66fa17bec024b06636f6045cc341c7a2dd617f379c96e2f6a971
|
2
172.217.161.46 172.217.25.227
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.0 |
|
20 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10092 |
2020-07-21 14:19
|
qes48.exe 9c6cfc58709751f6e90b4c9be2d7aef2 Emotet Malware download VirusTotal Malware Malicious Traffic unpack itself malicious URLs sandbox evasion Tofsee Windows Advertising ComputerName DNS Cryptographic key |
3
http://74.207.230.187:8080/aC2ofMcBWgbLj6/ecV8/teBZyacEeGNOPK7/jv6Vrenj/2egZ/ https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:4273442666&cup2hreq=5d322bd6b1dc761e2a73a0527f95aed928ce885b06ee206898c16e86a29303ff
|
4
172.217.161.46 172.217.31.131 201.212.78.182 74.207.230.187
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/Emotet CnC Activity (POST) M8
|
|
8.0 |
M |
26 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10093 |
2020-07-21 13:38
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/CSS/mainC.css http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
|
3
117.18.232.200 172.217.31.138 35.226.40.154
|
3
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10094 |
2020-07-21 13:09
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/ http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/main.jsp
|
3
117.18.232.200 172.217.26.10 35.226.40.154
|
3
ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10095 |
2020-07-21 12:53
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
3
117.18.232.200 172.217.31.138 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|