48481 |
2020-07-20 23:34
|
https://aliyousefpoor.com/wp-a... 51fe38a980f41111074aabdde5ee5124 Dridex VirusTotal Malware Malicious Traffic Tofsee DNS |
2
https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3931948972&cup2hreq=5e123fa38a5f0fca8a382a6654ad73525f2788155898562efb0ab9ca0c7b4925
|
4
180.96.62.240 172.217.161.46 216.58.220.99 5.61.27.215
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
2.4 |
M |
48482 |
2020-07-20 23:31
|
http://124.160.126.238/11.exe 5d2e9716be941d7c77c05947390de736 Malware download VirusTotal Cryptocurrency Miner Malware Cryptocurrency AutoRuns Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Tofsee Windows Exploit DNS crashed |
4
http://www.362com.com/Update.txt http://www.362com.com/32.exe http://124.160.126.238/11.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
|
4
118.45.42.72 124.160.126.238 172.217.161.46 180.96.62.240
|
7
ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE JS/Nemucod.M.gen downloading EXE payload ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Cryptocurrency Miner Checkin
|
|
10.8 |
M |
57 |
48483 |
2020-07-20 22:18
|
http://124.160.126.238/tq.exe 9450249ae964853a51d6b55cd55c373e Malware download VirusTotal Cryptocurrency Miner Malware Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs WriteConsoleW Windows Exploit DNS crashed Downloader |
4
http://www.362com.com/Update.txt http://124.160.126.238/tq.exe http://124.160.126.238/11.exe http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
12
www.362com.com(118.45.42.72) ssh.362com.com(59.46.53.214) pool.usa-138.com(180.96.62.240) ie9cvlist.ie.microsoft.com(117.18.232.200) down.362com.com(124.160.126.237) 1.1.1.1 114.114.114.114 117.18.232.200 118.45.42.72 124.160.126.238 180.96.62.240 59.46.53.214
|
7
ET INFO Executable Download from dotted-quad Host ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Cryptocurrency Miner Checkin ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 ET MALWARE JS/Nemucod.M.gen downloading EXE payload
|
|
9.4 |
M |
48484 |
2020-07-20 22:10
|
http://salesforce-ibmcloud.koz... 4a3b3aa0b72d467be7321ceac9d3db92 VirusTotal Malware AutoRuns Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed |
3
http://salesforce-ibmcloud.kozow.com/dinb/iqbtcvforWiTEi.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:3879736586&cup2hreq=38573e2bd8d307473452a19c05fd112561639335a4451f1528f0199d3aadc08c
|
5
172.217.161.46 172.217.175.35 185.241.194.126 216.58.197.238 59.18.30.143
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
12.4 |
|
15 |
48485 |
2020-07-20 22:10
|
http://pycssltsdywinnersintern... 5ce5eb588e9e7e0a52c1666fbb1f96ed VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder Windows Exploit DNS crashed Downloader |
1
http://pycssltsdywinnersinternationalevangelix.duckdns.org/pycdoc/vbc.exe
|
1
|
3
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile ET INFO DYNAMIC_DNS Query to *.duckdns. Domain ET POLICY PE EXE or DLL Windows file download HTTP
|
|
6.4 |
M |
29 |
48486 |
2020-07-20 22:08
|
http://salesforce-ibmcloud.koz... a4195bdf6d0f782598f69bc40c4d7e50 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Tofsee Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed keylogger |
6
http://r4---sn-3u-bh2lk.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe?cms_redirect=yes&mh=1m&mip=175.208.134.150&mm=28&mn=sn-3u-bh2lk&ms=nvh&mt=1595250319&mv=m&mvi=4&pl=18&shardbypass=yes http://redirector.gvt1.com/edgedl/release2/chrome/AIVpFp8WHZ7NkXF3-7GiVZ8_84.0.4147.89/84.0.4147.89_83.0.4103.116_chrome_updater.exe http://salesforce-ibmcloud.kozow.com/dinb/n5ZfororigTi07nAdmv.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201 https://update.googleapis.com/service/update2?cup2key=10:2226628205&cup2hreq=9fa6a99178756f39930792169a297a539150964df3b68b60e055338d9146cedc https://update.googleapis.com/service/update2
|
5
172.217.161.46 185.241.194.126 216.58.197.238 216.58.220.99 59.18.30.143
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP
|
|
17.0 |
M |
22 |
48487 |
2020-07-20 22:08
|
http://salesforce-ibmcloud.koz... 3e444097a710ba080d921004e26ae08a VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Windows Exploit DNS crashed |
1
http://salesforce-ibmcloud.kozow.com/dinb/79slKbtScvtwoCirw.exe
|
1
|
1
ET POLICY PE EXE or DLL Windows file download HTTP
|
|
11.6 |
48488 |
2020-07-20 18:31
|
https://robotica.cl/w3ZunC4T3N... 6186934d6ebcbd2761413698113233cf Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
6
iecvlist.microsoft.com(117.18.232.200) ie9cvlist.ie.microsoft.com(117.18.232.200) robotica.cl(162.241.89.50) 1.1.1.1 117.18.232.200 162.241.89.50
|
3
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
48489 |
2020-07-20 17:46
|
https://robotica.cl/w3ZunC4T3N... 6186934d6ebcbd2761413698113233cf Dridex VirusTotal Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
6
iecvlist.microsoft.com(117.18.232.200) ie9cvlist.ie.microsoft.com(117.18.232.200) robotica.cl(162.241.89.50) 117.18.232.200 1.1.1.1 162.241.89.50
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
48490 |
2020-07-20 17:45
|
https://www.gomlab.com/downloa... 04a1b261477eff216d800437c6d613fd Dridex Malware Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
30
http://www.gomlab.com/browser.gom http://www.gomlab.com/gomlab_v2/ui/img/common/ico_foot_blog.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/grm/ico_grm.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_browser1.png http://www.gomlab.com/gomlab_v2/ui/img/common/ico_s_iapp.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/gcm/ico_gcm.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_notiinfo.gif?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/common/logo_footer.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/gmx/ico_gmx_pro.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gen/ico_gen.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_foot_face.png?v=1912302 http://www.gomlab.com/ http://www.gomlab.com/gomlab_v2/ui/img/gmm/ico_gmm.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_s_win.png?v=1912302 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.gomlab.com/gomlab_v2/ui/css/browser_info.css?version=2020071601 http://www.gomlab.com/gomlab_v2/ui/img/gmp/ico_gmp.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gsv/ico_gsv.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gmx/ico_gmx.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_s_gplay.png?v=1912302 http://www.gomlab.com/favicon.ico http://www.gomlab.com/gomlab_v2/ui/img/sub/bar_ddd.gif?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/common/logo_on2.png?v=1912302 http://www.gomlab.com/gomlab_v2/ui/img/grc/ico_grc.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/gau/ico_gau.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/ico_browser2.png http://www.gomlab.com/gomlab_v2/ui/img/gst/ico_gst.png?v=2 http://www.gomlab.com/gomlab_v2/ui/img/common/bu_dot1.gif?v=1912302 https://www.gomlab.com/download/ https://www.gomlab.com/index.gom
|
6
iecvlist.microsoft.com(117.18.232.200) ie9cvlist.ie.microsoft.com(117.18.232.200) www.gomlab.com(52.85.194.45) 1.1.1.1 117.18.232.200 54.192.71.137
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.2 |
48491 |
2020-07-20 16:59
|
https://download.nullsoft.com/... 3017f921a6c42a267842cc8bae9384c1 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files ICMP traffic exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk sandbox evasion Firewall state off VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Windows Exploit Browser ComputerName DNS crashed |
8
http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exe http://client.winamp.com/update?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&lang=en-US http://client.winamp.com/update?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://client.winamp.com/update/client_session.php?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://client.winamp.com/update/latest-version.php?v=5.8&ID=C98AD6B966C4434590BFF7F79F6A16E5&lang=en-US https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe
|
9
download.nullsoft.com(5.39.58.66) www.google.com(172.217.161.36) client.winamp.com(31.12.71.55) ie9cvlist.ie.microsoft.com(117.18.232.200) 1.1.1.1 117.18.232.200 172.217.174.100 31.12.71.55 5.39.58.66
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
14.4 |
48492 |
2020-07-20 16:53
|
https://download.nullsoft.com/... 3017f921a6c42a267842cc8bae9384c1 VirusTotal Malware Code Injection RWX flags setting unpack itself Windows utilities Windows |
|
2
download.nullsoft.com(5.39.58.66) ie9cvlist.ie.microsoft.com(117.18.232.200)
|
|
|
2.6 |
48493 |
2020-07-20 16:45
|
https://download.nullsoft.com/... 3017f921a6c42a267842cc8bae9384c1 VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk sandbox evasion Firewall state off VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Windows Exploit Browser ComputerName DNS crashed |
8
http://client.winamp.com/update?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exe http://client.winamp.com/update/latest-version.php?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&lang=en-US http://client.winamp.com/update/client_session.php?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://client.winamp.com/update?v=5.8&ID=FFC44FFBDE2CE643AC778879FCC71C83&lang=en-US http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe
|
9
www.google.com(172.217.161.36) client.winamp.com(31.12.71.55) download.nullsoft.com(5.39.58.66) ie9cvlist.ie.microsoft.com(117.18.232.200) 117.18.232.200 1.1.1.1 172.217.25.68 31.12.71.55 5.39.58.66
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP
|
|
14.2 |
48494 |
2020-07-20 16:39
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/main.jsp http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/main.jpg http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/favicon.ico
|
8
ajax.googleapis.com(172.217.26.10) www.nalara1220.o-r.kr(35.226.40.154) ie9cvlist.ie.microsoft.com(117.18.232.200) iecvlist.microsoft.com(117.18.232.200) 1.1.1.1 117.18.232.200 172.217.175.42 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |
48495 |
2020-07-20 16:36
|
http://www.nalara1220.o-r.kr/ c032bb944d6fba21799bd5a4df5b6122 Dridex Malware Code Injection Creates executable files RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
11
http://www.nalara1220.o-r.kr/favicon.ico http://www.nalara1220.o-r.kr/main.jpg http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js http://www.nalara1220.o-r.kr/CSS/mainC.css http://www.nalara1220.o-r.kr/intro/bizintro_soca2.jpg http://www.nalara1220.o-r.kr/intro/bizintro_soca1.jpg http://www.nalara1220.o-r.kr/CSS/js/lightslider.js http://www.nalara1220.o-r.kr/ http://www.nalara1220.o-r.kr/CSS/css/lightslider.css http://www.nalara1220.o-r.kr/main.jsp http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
|
8
ie9cvlist.ie.microsoft.com(117.18.232.200) ajax.googleapis.com(172.217.26.10) iecvlist.microsoft.com(117.18.232.200) www.nalara1220.o-r.kr(35.226.40.154) 1.1.1.1 117.18.232.200 172.217.175.42 35.226.40.154
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
|
|
4.6 |