48961 | 2020-07-17 11:44
http://111.90.148.23/100720.do... | MD5 7677a0501aa639d98781a5eb58a91324 | VirusTotal Malware Code Injection Malicious Traffic unpack itself Windows utilities Tofsee Windows DNS
URLs (3): http://111.90.148.23/100720.doc http://111.90.148.23/ http://111.90.148.23/ http://111.90.148.23/100720.doc http://111.90.148.23/ https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
IPs (2): 111.90.148.23 172.217.175.78
IDS alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host DOC Request
  ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers
  ET INFO Dotted Quad Host DOC Request
4.2 | M | 16
48962 | 2020-07-17 11:37
https://download.nullsoft.com/... | MD5 3017f921a6c42a267842cc8bae9384c1 | VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed
URLs (4): http://cert.int-x3.letsencrypt.org/ https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
IPs (3): 104.74.211.103 172.217.175.78 5.39.58.66
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 |
48963 | 2020-07-17 11:33
https://download.nullsoft.com/... | MD5 3017f921a6c42a267842cc8bae9384c1 | VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed
URLs (4): http://cert.int-x3.letsencrypt.org/ https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
IPs (3): 104.74.211.103 172.217.175.78 5.39.58.66
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 |
48964 | 2020-07-17 11:24
http://certify.filejo.com/mmsv... | MD5 3244451cde59efe1cc5ba86245dddea4 | VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW installed browsers check Windows Exploit Browser ComputerName DNS crashed
URLs (2): http://certify.filejo.com/mmsv/FileJo_setup.exe http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
IPs (4): 117.18.232.200 173.194.219.127 211.239.158.11 43.255.255.96
IDS alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)
  SURICATA HTTP unable to match response to request
13.0 |
48965 | 2020-07-17 10:54
https://download.nullsoft.com/... | MD5 3017f921a6c42a267842cc8bae9384c1 | VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates shortcut Creates executable files ICMP traffic exploit crash unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk sandbox evasion Firewall state off VM Disk Size Check human activity check installed browsers check Tofsee Ransomware Interception Windows Exploit Browser ComputerName DNS crashed keylogger
URLs (8): http://client.winamp.com/update?v=5.8&ID=485CF371832800439FE72BAD7E2C2E04&lang=en-US http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exe http://client.winamp.com/update?v=5.8&ID=485CF371832800439FE72BAD7E2C2E04&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://client.winamp.com/update/client_session.php?v=5.8&ID=485CF371832800439FE72BAD7E2C2E04&st1=0&st2=0&st3=0&st4=0&st5=0&st6=0&st7=0&st8=0&st9=0&st10=0&st11=0&st12=-1&st13=0&st14=0&st15=0&st16=0&st17=0&st18=0&st19=0&st20=0&st21=0&st22=0&st23=0&st24=0&st25=0&st26=0&lang=en-US http://client.winamp.com/update/latest-version.php?v=5.8&ID=485CF371832800439FE72BAD7E2C2E04&lang=en-US https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe
IPs (4): 117.18.232.200 172.217.175.4 31.12.71.55 5.39.58.66
IDS alerts (3):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY PE EXE or DLL Windows file download HTTP
15.0 |
48966 | 2020-07-17 10:44
https://download.nullsoft.com/... | MD5 3017f921a6c42a267842cc8bae9384c1 | VirusTotal Malware Code Injection Check memory Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed
URLs (3): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://download.nullsoft.com/winamp/client/winamp58_3660_beta_full_en-us.exe https://download.nullsoft.com/winamp/misc/winamp58_3660_beta_full_en-us.exe
IPs (2):
IDS alerts (2):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
6.6 |
48967 | 2020-07-17 09:59
http://filehon.com/app/Filehon... | MD5 b7ea646522c23ec09c73ad415107faa1 | Dridex VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Firewall state off installed browsers check Tofsee Windows Exploit Browser ComputerName DNS crashed
URLs (2): http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://filehon.com/app/Filehon_setup.exe
IPs (3): 117.18.232.200 211.239.158.11 211.61.156.146
IDS alerts (5):
  ET POLICY PE EXE or DLL Windows file download HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
12.0 |
48968 | 2020-07-16 19:30
http://abass.ir/ugobuild/chuck... | MD5 c469fab03c1ec27ab64b8b4fa35e3182 | Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory buffers extracted Creates executable files exploit crash unpack itself Windows utilities malicious URLs sandbox evasion installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Software crashed
URLs (3): http://abass.ir/ugobuild/chucksloki.exe http://195.69.140.147/.op/cr.php/GusoLuXSTqSR4 http://195.69.140.147/.op/cr.php/GusoLuXSTqSR4 https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
IPs (3): 172.217.175.110 194.180.224.87 195.69.140.147
IDS alerts (11):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Request for C2 Commands Detected M1
  ET MALWARE LokiBot User-Agent (Charon/Inferno)
  ET MALWARE LokiBot Checkin
  ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
13.0 | M | 31
48969 | 2020-07-16 19:12
http://www.haeunkim.com/5626.e... | MD5 f9329056c318c4b1be6931135dc76f9e | Emotet Dridex VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security AppData folder malicious URLs Tofsee Windows Exploit ComputerName DNS Cryptographic key crashed
URLs (9): http://www.haeunkim.com/5626.exe http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml https://support.apple.com/ https://support.apple.com/etc/designs/support/publish/JS/pattern/head.js https://ldrmars.casa/ https://ldrmars.casa/background.png https://support.microsoft.com/ https://support.microsoft.com/socbundles/jsll https://australiansdefence.best/image/?id=017EE2D6508B61F01F0000000000FF40000006
IPs (9): 104.244.42.131 104.74.198.240 104.75.24.133 104.76.28.23 117.18.232.200 139.59.56.38 139.60.161.87 162.241.225.96 23.35.220.4
IDS alerts (14):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
11.4 |
48970 | 2020-07-16 17:58
http://ondisk.co.kr/setup/setu... | MD5 59e3ec33ec5c771db3dbe349c63a732a | Code Injection Check memory Creates executable files RWX flags setting unpack itself Windows utilities suspicious process AppData folder malicious URLs WriteConsoleW Windows ComputerName DNS
URLs (2): http://ondisk.co.kr/setup/setup_cdownload.php http://image.ondisk.co.kr/app/ondisk_setup_manual_x64_1.0.1.5.7.exe
IPs (2): 110.45.187.11 139.150.252.43
IDS alerts (1):
  ET POLICY PE EXE or DLL Windows file download HTTP
7.8 |
48971 | 2020-07-16 17:47
http://www.megafile.co.kr/webh... | MD5 64b3d8176d57912781321f74bbc64e89 | Dridex VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger WMI Creates executable files exploit crash unpack itself Windows utilities suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Exploit Browser ComputerName DNS crashed
URLs (3): http://www.megafile.co.kr/webhard/update/ManualInstall.php http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.megafile.co.kr/webhard/update/new/1.0.8.10/Megafile_ManualInstall.exe
IPs (3): 103.239.242.8 117.18.232.200 211.239.158.11
IDS alerts (5):
  ET POLICY PE EXE or DLL Windows file download HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
12.6 |
48972 | 2020-07-16 17:42
http://www.megafile.co.kr/webh... | MD5 64b3d8176d57912781321f74bbc64e89 | VirusTotal Malware Code Injection Creates executable files exploit crash unpack itself Windows utilities AppData folder Tofsee Windows Exploit DNS crashed
URLs (3): http://www.megafile.co.kr/webhard/update/ManualInstall.php http://www.megafile.co.kr/webhard/update/new/1.0.8.10/Megafile_ManualInstall.exe https://clients2.google.com/service/check2?crx3=true&appid=%7B430FD4D0-B729-4F61-AA34-91526481799D%7D&appversion=1.3.35.452&applang=&machine=1&version=1.3.35.452&userid=&osversion=6.1&servicepack=Service%20Pack%201
IPs (2): 103.239.242.8 172.217.175.110
IDS alerts (2):
  ET POLICY PE EXE or DLL Windows file download HTTP
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
4.6 | | 10
48973 | 2020-07-16 17:09
http://tedec.com/dl/webupdate.... | MD5 22cc193a547944f685e79c52acc235a2 | VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Windows Exploit DNS crashed Password
URLs (10): http://www.tedec.com/dl/webupdate.00002 http://tedec.com/dl/webupdate.exe http://www.tedec.com/dl/webupdate.00005 http://www.tedec.com/dl/webupdate.00003 http://www.tedec.com/dl/webupdate.00006 http://www.tedec.com/dl/webupdate.00004 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.tedec.com/dl/webupdate.00007 http://www.tedec.com/dl/webupdate.00008 http://www.tedec.com/dl/webupdate.00001
IPs (2): 117.18.232.200 74.208.236.97
IDS alerts (3):
  ET HUNTING Suspicious Windows Executable WriteProcessMemory
  ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
  ET POLICY PE EXE or DLL Windows file download HTTP
11.2 | M | 26
48974 | 2020-07-16 16:58
http://tedec.com/dl/webupdate.... | MD5 22cc193a547944f685e79c52acc235a2 | VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities AppData folder malicious URLs Windows Exploit DNS crashed Password
URLs (10): http://www.tedec.com/dl/webupdate.00002 http://tedec.com/dl/webupdate.exe http://www.tedec.com/dl/webupdate.00005 http://www.tedec.com/dl/webupdate.00003 http://www.tedec.com/dl/webupdate.00006 http://www.tedec.com/dl/webupdate.00004 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.tedec.com/dl/webupdate.00007 http://www.tedec.com/dl/webupdate.00008 http://www.tedec.com/dl/webupdate.00001
IPs (2): 117.18.232.200 74.208.236.97
IDS alerts (2):
  ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
  ET POLICY PE EXE or DLL Windows file download HTTP
11.6 | M | 26
48975 | 2020-07-16 16:54
http://tedec.com/dl/webupdate.... | MD5 22cc193a547944f685e79c52acc235a2 | VirusTotal Malware Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Windows Exploit DNS crashed Password
URLs (10): http://www.tedec.com/dl/webupdate.00002 http://tedec.com/dl/webupdate.exe http://www.tedec.com/dl/webupdate.00005 http://www.tedec.com/dl/webupdate.00003 http://www.tedec.com/dl/webupdate.00006 http://www.tedec.com/dl/webupdate.00004 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml http://www.tedec.com/dl/webupdate.00007 http://www.tedec.com/dl/webupdate.00008 http://www.tedec.com/dl/webupdate.00001
IPs (2): 117.18.232.200 74.208.236.97
IDS alerts (3):
  ET HUNTING Suspicious Windows Executable WriteProcessMemory
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
11.2 | M | 26