| 91 |
2020-07-22 12:33
|
http://systemidentifytheprotoc... 16dc050b380c8161b7973a01b8c7b879
Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs Tofsee Windows Exploit Browser Email ComputerName Trojan DNS Cryptographic key Software crashed |
3
http://systemidentifytheprotocolwindowsserverse.duckdns.org/bdds/svchost.exe
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
https://update.googleapis.com/service/update2?cup2key=10:2361864108&cup2hreq=4aa23fae9d2c72400de0f4942172c054fd7571e90dd7d91e71f8713bd25138b7
|
3
149.202.29.75
172.217.161.46
172.217.175.35
|
4
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
15.6 |
|
8 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 92 |
2020-07-22 12:37
|
Inv ET5808_565971217.doc e83403331092ea4ebf89495eb3823deb
Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
https://update.googleapis.com/service/update2?cup2key=10:3600143997&cup2hreq=d6ba3fa9c72673912a7188b0e5b14c328b9ff53bc9f86ff5eedf251cdf1cc49b
|
2
172.217.161.46
172.217.27.67
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 93 |
2020-07-22 12:41
|
Inv-XBGH1130_23212865.doc c2e592fbfb05a17f76becd999e52a01b
Vulnerability VirusTotal Malware unpack itself Tofsee DNS |
1
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.4 |
|
19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 94 |
2020-07-22 13:19
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
|
3
117.18.232.200
172.217.31.138
35.226.40.154
|
3
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 95 |
2020-07-22 13:32
|
http://afboxmarket.com/antonio... b5396c9184694dbf1ee6e27ab075258c
VirusTotal Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed |
2
http://afboxmarket.com/antoniostart/3880o9dudttc.exe
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
2
172.217.161.46
64.34.67.250
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
5.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 96 |
2020-07-22 13:37
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 97 |
2020-07-22 13:39
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 98 |
2020-07-22 13:52
|
견적서20200702,pdf.exe 3b9887f9f9ff50f1c1862b654dea0b80
VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Tofsee DNS |
1
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
1
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
8.8 |
|
31 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 99 |
2020-07-22 13:53
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 100 |
2020-07-22 13:54
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 101 |
2020-07-22 13:55
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 102 |
2020-07-22 13:56
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 103 |
2020-07-22 13:57
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 104 |
2020-07-22 13:59
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 105 |
2020-07-22 13:59
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122
Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
7
http://www.nalara1220.o-r.kr/CSS/js/lightslider.js
http://www.nalara1220.o-r.kr/CSS/css/lightslider.css
http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
http://www.nalara1220.o-r.kr/CSS/mainC.css
http://www.nalara1220.o-r.kr/
http://www.nalara1220.o-r.kr/main.jsp
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200)
ajax.googleapis.com(216.58.220.138)
iecvlist.microsoft.com(117.18.232.200)
www.nalara1220.o-r.kr(35.226.40.154)
1.1.1.1
117.18.232.200
172.217.31.170
35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|