14971 | 2021-11-05 09:30 | vbc.exe 221ee3fdee780aa3b465ae9c6c20560b | Loki PWS Loki[b] Loki.m Generic Malware UPX Socket DNS AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName Software
URLs (2):
http://secure01-redirect.net/ga18/fre.php - rule_id: 6830 http://secure01-redirect.net/ga18/fre.php
Hosts (2):
secure01-redirect.net(85.143.175.133) 85.143.175.133
Signatures (7):
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
Rule-matched URLs (1):
http://secure01-redirect.net/ga18/fre.php
13.6 | 26 | ZeroCERT
14972 | 2021-11-05 09:31 | vbc.exe 2b12e8bec8e8469f62fd8469f5a8f417 | RAT Generic Malware UPX AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS
URLs (7):
http://www.sgpvbzw.com/bs8f/?rTIHm=VcAFbpst5hoStA4xyoBBe4jmHUZ7z4P8wzSZLmF+NZ34DFgukWtbBnPkXR//dm5eWUvNPNzg&AR0lI8=3fvpe http://www.bornholm-urlaub.info/bs8f/?rTIHm=GrpiHi+4Y6MdoUye3JOxqzeXFotLmKrwbYoX0FiqOVAho+aI9awmCKI4UeNGjqeithYcKcyI&AR0lI8=3fvpe http://www.eljkj.com/bs8f/?rTIHm=ftbPZ7dMfBjOzME6x3D2mpPirUb/Cf6WMtu/EK9D+rbfCbfEo11w5yJZT3f/FWT/xhBfpy5G&AR0lI8=3fvpe http://www.yozotnpasumo2.xyz/bs8f/?rTIHm=piWGFLC1+dPQsrx/4Dzx2N0yqVURvVIQyow38F6jBNs1M7R95ZXn8uBssDTHFK76CneOG/4f&AR0lI8=3fvpe http://www.swalayan.digital/bs8f/?rTIHm=geEfkjci97OTCJX4DKPyoGUqG/V1UxTKtuPeW68vjG5gR6fY8AMpEFXC1pyDY7q6q7m0S78C&AR0lI8=3fvpe http://www.handmadequatang.com/bs8f/?rTIHm=2dquk03pLdiH7YiAFVGxRN531CeCn1+K+8HPNLhDegKUPlUFBE5l5/PiO4hbWflYmF5HYOJo&AR0lI8=3fvpe http://www.rwilogisticsandbrokerage.com/bs8f/?rTIHm=O+ZFCK4COInkbeCtvcbM4cMiAd9wiFdBsN5Esn7lS6PC8Uc1RV355liD1/2ijziZVq0VIlSD&AR0lI8=3fvpe
Hosts (18):
www.swalayan.digital(198.54.117.210) www.yozotnpasumo2.xyz(150.95.255.38) www.handmadequatang.com(103.75.187.19) www.bornholm-urlaub.info(172.67.204.251) www.sgpvbzw.com(107.186.79.52) www.pinpinyouqian.xyz(176.113.70.78) www.eljkj.com(114.117.239.86) www.rwilogisticsandbrokerage.com(104.17.193.73) www.goodzza.net() 107.186.79.52 103.75.187.19 150.95.255.38 - mailcious 198.54.117.216 - phishing 104.21.44.234 104.17.196.73 - mailcious 114.117.239.86 91.209.70.71 176.113.70.78
Signatures (2):
ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .XYZ Domain with Minimal Headers
9.8 | 32 | ZeroCERT
14973 | 2021-11-05 09:31 | 9801_1635938030_9423.exe a26c091f560286c77dc695818846a27e | RAT PWS .NET framework Gen1 Gen2 Generic Malware MPRESS UPX Malicious Packer Malicious Library ASPack PE File PE32 DLL .NET EXE OS Processor Check PE64 Malware download Raccoon VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency RecordBreaker Buffer PE MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted heapspray Creates executable files unpack itself Checks Bios Collect installed applications Detects VirtualBox Detects VMWare AppData folder VMware anti-virtualization installed browsers check Tofsee Stealer Windows Browser Email ComputerName Remote Code Execution Firmware DNS crashed
URLs (9):
http://91.219.236.97//l/f/IKB87XwB3dP17Spzni02/70fba09628631dc7968147158bcd96dd2a63758b - rule_id: 7282 http://91.219.236.97//l/f/IKB87XwB3dP17Spzni02/70fba09628631dc7968147158bcd96dd2a63758b http://91.219.236.97//l/f/IKB87XwB3dP17Spzni02/3f01e0ee7d7616e1a5b10f5e09c686af287a09ab - rule_id: 7282 http://91.219.236.97//l/f/IKB87XwB3dP17Spzni02/3f01e0ee7d7616e1a5b10f5e09c686af287a09ab http://teleliver.top/mixmorty14 http://91.219.236.97/ - rule_id: 7282 http://91.219.236.97/ https://cdn.discordapp.com/attachments/899705176418578565/905408828730900501/malik_2.0.exe https://cdn.discordapp.com/attachments/896848939771367444/900335715949363280/Antesternal.exe
Hosts (5):
teleliver.top(172.67.136.46) cdn.discordapp.com(162.159.130.233) - malware 91.219.236.97 162.159.129.233 - malware 104.21.62.135
Signatures (8):
ET DNS Query to a *.top domain - Likely Hostile ET INFO HTTP Request to a *.top domain ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
Rule-matched URLs (3):
http://91.219.236.97/ http://91.219.236.97/ http://91.219.236.97/
14.6 | 31 | ZeroCERT
14974 | 2021-11-05 09:31 | sefile2.exe 38055b609cbc5df14fd86be301eb6397 | Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
2.6 | 23 | ZeroCERT
14975 | 2021-11-05 09:34 | YConsoleApp117all.exe b86c000007846c924e1f4a82a842686f | RAT Generic Malware task schedule Antivirus AntiDebug AntiVM PE File PE32 .NET EXE Dridex TrickBot VirusTotal Malware AutoRuns suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut ICMP traffic unpack itself suspicious process WriteConsoleW Kovter Windows ComputerName DNS Cryptographic key crashed
Hosts (5):
www.yahoo.com(202.165.107.49) www.google.com(172.217.31.132) 202.165.107.50 216.58.200.68 185.157.160.198
Signatures (1):
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
12.0 | 31 | ZeroCERT
14976 | 2021-11-05 09:34 | nwamazx.exe 22f934036d8405eaf679a08f51babbec | RAT PWS .NET framework Gen1 Generic Malware UPX Malicious Library Malicious Packer AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check DLL JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Phishing Cryptocurrency wallets Cryptocurrency PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder WriteConsoleW anti-virtualization installed browsers check OskiStealer Stealer Windows Chrome Browser Email ComputerName Password
URLs (10):
http://chrisupdated.xyz/2.jpg http://chrisupdated.xyz/main.php http://chrisupdated.xyz/ http://chrisupdated.xyz/7.jpg http://%s%s:49169/%s http://chrisupdated.xyz/5.jpg http://chrisupdated.xyz/3.jpg http://chrisupdated.xyz/1.jpg http://chrisupdated.xyz/6.jpg http://chrisupdated.xyz/4.jpg
Hosts (2):
chrisupdated.xyz(172.67.185.197) 104.21.0.108
Signatures (7):
ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt) ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing
15.8 | 20 | ZeroCERT
14977 | 2021-11-05 09:36 | vbc.exe 39da7ab7a964862e9005e9e38d9c7568 | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Browser Email ComputerName DNS Cryptographic key Software crashed
Hosts (1):
9.2 | 28 | ZeroCERT
14978 | 2021-11-05 09:36 | ethm2305.exe ee30d6928c9de84049aa055417cc767e | Gen2 Formbook Generic Malware UPX Malicious Library PE File PE32 OS Processor Check Malware download VirusTotal Malware suspicious privilege MachineGuid buffers extracted WMI Creates executable files AppData folder sandbox evasion WriteConsoleW Tofsee Windows ComputerName DNS Downloader
URLs (7):
http://gohnot.com/2562df92c3d9c9beb09dc01eb070a473/watchdog.exe http://gohnot.com/2562df92c3d9c9beb09dc01eb070a473/app.exe https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=2Pm2Vvelc%2FXXsXHHrEQVGdDiMoG9Up%2Fh40ogPyGe258%3D&spr=https&se=2021-11-06T01%3A12%3A02Z&rscl=x-e2eid-78e1d25e-46f943f8-8b2efe25-8918ed54-session-68f8ad52-19854c9b-baaa55f8-d37302a2 https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=A2SslQnOkfZl7B73Oy527XkRzRFNQ6cU2E2aWTzZkRk%3D&spr=https&se=2021-11-06T00%3A35%3A45Z&rscl=x-e2eid-fddd96b9-73954362-b2baf06f-d24a2790-session-1a8e6819-f63b46e0-85093a15-61dda2aa https://msdl.microsoft.com/download/symbols/index2.txt https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb
Hosts (18):
vsblobprodscussu5shard10.blob.core.windows.net(20.150.39.196) e0a50c60a85bfbb9ecf45bff0239aaa3.hash.trumops.com() server8.trumops.com(104.21.79.9) 267cfcc4-fcc9-4caa-b678-1330c01ab083.uuid.trumops.com() msdl.microsoft.com(204.79.197.219) trumops.com() vsblobprodscussu5shard58.blob.core.windows.net(13.84.56.16) runmodes.com(104.21.34.203) server14.trumops.com(172.67.139.144) gohnot.com(172.67.196.11) logs.trumops.com() 204.79.197.219 13.84.56.16 172.67.207.136 172.67.196.11 20.150.39.196 104.21.79.9 104.21.34.203
Signatures (7):
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET USER_AGENTS Go HTTP Client User-Agent ET INFO Request for EXE via GO HTTP Client ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO EXE - Served Attached HTTP SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.2 | 45 | ZeroCERT
14979 | 2021-11-05 09:37 | clp_wsfmvg.exe 82ec554886de723258094e5509e76556 | Emotet Gen1 RAT [m] Generic Malware Generic Malware task schedule Malicious Library UPX Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE64 PE File PE32 .NET EXE VirusTotal Malware AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces AppData folder WriteConsoleW Tofsee Windows ComputerName Remote Code Execution DNS Cryptographic key
URLs (1):
Hosts (3):
www.google.com(172.217.31.132) 13.107.21.200 216.58.200.68
Signatures (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
15.2 | 17 | ZeroCERT
14980 | 2021-11-05 09:38 | 5334_1636030207_6453.exe d32aed7204ae5bf456dc9d1be2c53d9e | RAT NPKI Generic Malware Antivirus Malicious Library UPX AntiDebug AntiVM PE File OS Processor Check PE32 .NET EXE Malware download NetWireRC VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AntiVM_Disk WriteConsoleW VM Disk Size Check DCRat Windows ComputerName Remote Code Execution DNS crashed
URLs (1):
http://188.120.229.34/VideoWindowsPubliccdn.php?sRDQhUYRR1VCUcrGCBiFGxvBMt=ecDOPH1A2PBmSX1uU&tzG=u5jbrt4fBDxy&205613df31fa591f289d7ad292addb55=a50fbbbb03ddd573b80cc9b782586cf0&0e143c60b49591bb229951313b175b9b=QNlJDNmNGNzAjYhZTZ1IzYxgzMwUDOxgzMkJ2M3UjMhJTM5AjZyQ2N&sRDQhUYRR1VCUcrGCBiFGxvBMt=ecDOPH1A2PBmSX1uU&tzG=u5jbrt4fBDxy
Hosts (1):
Signatures (1):
ET MALWARE DCRAT Activity (GET)
9.8 | 38 | ZeroCERT
14981 | 2021-11-05 09:39 | vbc.exe ab47f89cf986d9e52822873e0052e7d4 | Admin Tool (Sysinternals etc ...) Malicious Library UPX PE File PE32 VirusTotal Malware RWX flags setting unpack itself Tofsee crashed
URLs (3):
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636072606&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D92B2EF722ED2FA89%26resid%3D92B2EF722ED2FA89%2521117%26authkey%3DAL8-gdX92sl2g5g&lc=1033&id=250206&cbcxt=sky&cbcxt=sky https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1636072608&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3D92B2EF722ED2FA89%26resid%3D92B2EF722ED2FA89%2521117%26authkey%3DAL8-gdX92sl2g5g&lc=1033&id=250206&cbcxt=sky&cbcxt=sky https://onedrive.live.com/download?cid=92B2EF722ED2FA89&resid=92B2EF722ED2FA89%21117&authkey=AL8-gdX92sl2g5g
Hosts (4):
login.live.com(40.126.35.128) onedrive.live.com(13.107.42.13) - mailcious 20.190.163.21 13.107.42.13 - mailcious
Signatures (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.2 | 14 | ZeroCERT
14982 | 2021-11-05 09:43 | vbc.exe d06c38d984a2f6e270ff39ece951c090 | NSIS Malicious Library UPX PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder DNS
URLs (13):
http://www.drproteaches.com/p0se/?Upth=woR5xm3tnDpzscA506QhcYxpqJNYYUoqwaxL1TBnwACXL4ehmoVy8YHXz+Srph4gv85KcD2/&S2Jl9T=JR-Ptri8rrtH http://www.bestexpecting.com/p0se/?Upth=aASfAAL76qMqqLN3P5FTu5qU9JswWMTr4/m2v90Be8FVcTL4yVaKxlDSmQkhSQbnDGJjdHVZ&S2Jl9T=JR-Ptri8rrtH http://www.islandrentals.biz/p0se/?Upth=swsh7jkH3Jayx1oBVzw679OGrX1puxEck2MRsug9EfA8sAUa4DViYtQbxqQy6tgBaEK34XmX&S2Jl9T=JR-Ptri8rrtH http://www.antelbd.com/p0se/?Upth=9erJsbmg89xRlz0M2UbGQGsoL3knU+btxwpJSlEvKwY//6Ro8ymG4cTM8A9G1IzAegjGNHN5&S2Jl9T=JR-Ptri8rrtH http://www.bailios.com/p0se/?Upth=8oLSLrJeYc+K0ytzOJikqVU0igr6L5hpGSYkGAIomLt8RmfP6w1jUuRWukm53rjVgQXpPW5Y&S2Jl9T=JR-Ptri8rrtH http://www.discsoverylandco.com/p0se/?Upth=BteP4tPaBKGelLixwpfDlG/9A6mmS+0MA34DaBA3zGLeePe9IT5he11Epx4cASOQEPkGi3lZ&S2Jl9T=JR-Ptri8rrtH http://www.rapidfreecredit.com/p0se/?Upth=EgoGtPvOzMQIHn+MI9K9SlgAXJGJBFkzaqro+xII3Owtt3Khuq48OlyGMf8ozr+N8CoP+XHl&S2Jl9T=JR-Ptri8rrtH http://www.zzsline.com/p0se/?Upth=kthmE/oWyD4fjO8tHH8xHUIk2isBffkb9Kt5y5yO+PwFSvLgMBfFKRyBis2HAYR5aHyddc0l&p0D=AfhHLL9 http://www.attractivereviews.com/p0se/?Upth=ovk/jIrnGvNklwPKoDa/FgXcfy4LLp6cpdBpVVYi4PmHjc59s+hx7TQFj4PK4LVd8vVfURbY&S2Jl9T=JR-Ptri8rrtH http://www.officesetupofficesetup.com/p0se/?Upth=EYinZUgnnSwJyPV9oEessIoGQkE3PhJa69jO6sH1XRv94op+1srhHlr5FDeZOdoaC0vdviNL&S2Jl9T=JR-Ptri8rrtH http://www.oprimanumerodos.com/p0se/?Upth=xlYZ5X0oz3/WSnhnuO8VLYURni7dK5M/z3/1M5B1eWdqmk4yw0hlgYU/AWpZpglM84vVPpwr&S2Jl9T=JR-Ptri8rrtH http://www.puss888.com/p0se/?Upth=kikFeNiO3Wy3pwtISJcM7/vkxkaOrG97TwCy9kP35exs7OvQFm8ZXay1fTQTva1c0oVEPLTK&S2Jl9T=JR-Ptri8rrtH http://www.ss5312.com/p0se/?Upth=VXm5Q0G4kF4WmG3lTMiXsUIcZR7Z75QHUAb2U0i9WhY0TVcNQnEKdNZZrn4ryxNGGf72+MNM&S2Jl9T=JR-Ptri8rrtH
Hosts (33):
www.zzsline.com(172.67.202.198) www.bestexpecting.com(23.227.38.74) www.bailios.com(154.23.202.51) www.officesetupofficesetup.com(23.27.138.15) www.mrteez.club() www.puss888.com(104.21.8.56) www.antelbd.com(103.148.14.203) www.drproteaches.com(162.241.253.114) www.oprimanumerodos.com(34.102.136.180) www.graylinkelectric.com() www.rapidfreecredit.com(162.241.218.178) www.ss5312.com(67.211.65.43) www.iscinet.com() www.serestovfleacollar.com() www.islandrentals.biz(199.34.228.77) www.discsoverylandco.com(166.88.19.180) www.attractivereviews.com(156.240.151.190) 199.34.228.77 156.240.151.190 166.88.19.180 - mailcious 104.21.8.56 23.27.138.15 172.67.202.198 34.102.136.180 - mailcious 172.67.207.136 162.241.218.178 172.67.196.11 67.211.65.43 154.23.202.51 23.227.38.74 - mailcious 162.241.253.114 104.21.79.9 103.148.14.203 - mailcious
Signatures (2):
ET MALWARE FormBook CnC Checkin (GET) ET INFO Observed DNS Query to .biz TLD
7.8 | 20 | ZeroCERT
14983 | 2021-11-05 09:44 | index-295687290.xls 4309aadc0b51d58084832e45cba1e1dd | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://decinfo.com.br/s4hfZyv7NFEM/y9.html
https://imprimija.com.br/BIt2Zlm3/y5.html
https://stunningmax.com/JR3xNs7W7Wm1/y1.html
Hosts (6):
imprimija.com.br(108.179.192.18)
stunningmax.com(23.111.163.242)
decinfo.com.br(108.179.193.34)
23.111.163.242
108.179.193.34 - mailcious
108.179.192.18
Signatures (4):
ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | guest
14984 | 2021-11-05 09:46 | index-294441975.xls 294c6091ed8f9b30fabca946bc2e48ee | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://decinfo.com.br/s4hfZyv7NFEM/y9.html
https://imprimija.com.br/BIt2Zlm3/y5.html
https://stunningmax.com/JR3xNs7W7Wm1/y1.html
Hosts (6):
imprimija.com.br(108.179.192.18)
stunningmax.com(23.111.163.242)
decinfo.com.br(108.179.193.34)
23.111.163.242
108.179.193.34 - mailcious
108.179.192.18
Signatures (4):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
3.6 | guest
14985 | 2021-11-05 10:43 | watchdog.exe e0a50c60a85bfbb9ecf45bff0239aaa3 | PE File PE32 VirusTotal Malware Creates executable files WriteConsoleW Trojan
4.4 | 50 | ZeroCERT