Ipfire - Localdomain - Intrusion Prevention System-192-382
Uploaded by Naimur Rahman

ipfire.localdomain - Intrusion Prevention System https://192.168.222.254:444/cgi-bin/ids.cgi

ET MALWARE [PTsecurity] Remcos RAT Checkin 69
ET MALWARE [PTsecurity] Remcos RAT Checkin 70
ET MALWARE [PTsecurity] Remcos RAT Checkin 71
ET MALWARE [PTsecurity] Remcos RAT Checkin 72
ET MALWARE [PTsecurity] Remcos RAT Checkin 73
ET MALWARE Malicious XLS DDE rar Drop Attempt (.live)
ET MALWARE Locky CnC Checkin
ET MALWARE ELF/Chacha.DDoS/Xor.DDoS Stage 2 CnC Checkin
ET MALWARE Win32/BlackCarat Response from CnC
ET MALWARE Win32/BlackCarat XORed (0x77) CnC Checkin
ET MALWARE Zebrocy Backdoor CnC Activity
ET MALWARE ArrobarLoader CnC Checkin M1
ET MALWARE Possible APT29 CozyBear/SeaDaddy SSL/TLS Certificate Observed
ET MALWARE Possible APT28 DOC Uploader SSL/TLS Certificate Observed
ET MALWARE Possible DarkTequila SSL/TLS Certificate Observed
ET MALWARE Octopus Malware Initial Connectivity Check
ET MALWARE Octopus Malware CnC Server Request
ET MALWARE Octopus Malware CnC Server Connectivity Check
ET MALWARE Sidewinder Stage 2 VBS Downloader Reporting Successful Infection
ET MALWARE Octopus Malware CnC Activity
ET MALWARE MICROPSIA CnC Domain Observed in SNI (samwinchester .club)
ET MALWARE MICROPSIA HTTP Failover CnC Checkin
ET MALWARE MICROPSIA HTTP Failover Response M1
ET MALWARE MICROPSIA HTTP Failover Response M2
ET MALWARE MICROPSIA Sending JPG Screenshot to CnC with .his Extension
ET MALWARE MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version
ET MALWARE Sharik/Smoke Fake 404 Response with Payload Location
ET MALWARE Sharik/Smoke CnC Beacon 12
ET MALWARE DNS Query for DNSpionage CnC Domain
ET MALWARE TrueBot/Silence.Downloader CnC Checkin
ET MALWARE TrueBot/Silence.Downloader Keep-Alive
ET MALWARE MSIL/KeyRedirEx Banker Requesting Redirect/Inject List
ET MALWARE MSIL/KeyRedirEx Banker Receiving Redirect/Inject List
ET MALWARE MSIL/KeyRedirEx Banker Receiving Exit Instruction
ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M1
ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M2
ET MALWARE MSIL/Lordix Stealer Exfiltrating Data
ET MALWARE MSIL.BackNet Checkin
ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1
ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2
ET MALWARE APT33/CharmingKitten Shellcode Communicating with CnC
ET MALWARE APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin
ET MALWARE APT33/CharmingKitten Retrieving New Payload (flowbit set)
ET MALWARE APT33/CharmingKitten Encrypted Payload Inbound
ET MALWARE Perl/Shellbot.SM IRC CnC Checkin
ET MALWARE JavaRAT CnC Init Activity
ET MALWARE JavaRAT CnC Checkin
ET MALWARE JavaRAT Keep-Alive (inbound)
ET MALWARE JavaRAT Keep-Alive (outbound)
ET MALWARE JavaRAT Sending Screen Size
ET MALWARE JavaRAT Sending Screenshot
ET MALWARE JavaRAT Requesting Screen Size
ET MALWARE JavaRAT Requesting Screenshot
ET MALWARE MSIL.Kraken.v2 HTTP Pattern
ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 5 Staging Domain)
ET MALWARE ELF/Muhstik Bot Reporting Vulnerable Server to CnC
ET MALWARE JunkMiner Downloader Communicating with CnC
ET MALWARE Operation Baby Coin syschk CnC Communication
ET MALWARE ELF/Muhstik Scanner Module Activity
ET MALWARE TEMP.Periscope APT Domain in DNS Lookup
ET MALWARE TEMP.Periscope APT Domain in DNS Lookup
ET MALWARE Mylobot Receiving XOR Encrypted Config (0xde)
ET MALWARE Operation Mystery Baby syschk CnC Communication
ET MALWARE Observed Malicious SSL Cert (Ursnif Inject Domain)
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE APT29 Domain in DNS Lookup (pandorasong .com)
ET MALWARE Hades APT Downloader Attempting to Retrieve Stage 2 Payload
ET MALWARE Observed Malicious SSL Cert (APT29)
ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup
ET MALWARE Hades APT Domain in DNS Lookup (findupdatems .com)
ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup
ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup
ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup
ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup
ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup
ET MALWARE JS.InfectedMikrotik Injects Domain Observed in TLS SNI

192 of 382 2024-03-01, 14:05

ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup
ET MALWARE DarkGate CNC Checkin
ET MALWARE DarkGate CnC Requesting Data Exfiltration from Bot
ET MALWARE DarkGate Domain in DNS Lookup (akamai .la)
ET MALWARE DarkGate Domain in DNS Lookup (hardwarenet .cc)
ET MALWARE DarkGate Domain in DNS Lookup (awsamazon.cc)
ET MALWARE Kraken C2 Domain Observed (kraken656kn6wyyx in DNS Lookup)
ET MALWARE DarkGate Domain in DNS Lookup (battlenet .la)
ET MALWARE HackTool.Linux.SSHBRUTE.A Haiduc Initial Compromise C2 POST
ET MALWARE ArtraDownloader/TeleRAT Checkin
ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (cdn-ampproject .com)
ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)
ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (bootstraplink .com)
ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (sskimresources .com)
ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (widgets-wp .com)
ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)
ET MALWARE L0rdix Stealer CnC Sending Screenshot
ET MALWARE L0rdix Stealer CnC Data Exfil
ET MALWARE DNSpionage Commands Embedded in Webpage Inbound
ET MALWARE IcedID WebSocket Request
ET MALWARE Inbound PowerShell Saving Base64 Decoded Payload to Temp M1 2018-11-29
ET MALWARE Inbound PowerShell Saving Base64 Decoded Payload to Temp M2 2018-11-29
ET MALWARE Inbound PowerShell Executing Base64 Decoded VBE from Temp 2018-11-29
ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)
ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)
ET MALWARE DNS Query for DNSpionage CnC Domain
ET MALWARE DNSpionage Requesting Config
ET MALWARE MSIL APT28 Zebrocy/Zekapab Reporting to CnC
ET MALWARE Observed DNS Query for MageCart Data Exfil Domain
ET MALWARE Observed DNS Query for MageCart Data Exfil Domain
ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config
ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) HttpHeader
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (Cobalt Group/More_Eggs CnC)
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup
ET MALWARE ELF/Samba CnC Checkin
ET MALWARE Win32/DanaBot Harvesting Email Addresses 2
ET MALWARE Observed MongoLock Variant CnC Domain (s .rapid7 .xyz in TLS SNI)
ET MALWARE Win32/DanaBot Harvesting Email Addresses 1
ET MALWARE RedControle Probing Infected System
ET MALWARE RedControle Communicating with CnC
ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started
ET MALWARE ELF/Win32 Lucky Ransomware CnC Checkin
ET MALWARE Donot (APT-C-35) Stage 1 Requesting Persistence Setup File
ET MALWARE Lucky Ransomware Reporting Successful File Encryption
ET MALWARE Donot (APT-C-35) Stage 1 Requesting Main Payload
ET MALWARE Shamoon V3 CnC Checkin
ET MALWARE Shamoon v3 32bit Propagating Internally via SMB
ET MALWARE Shamoon v3 64bit Propagating Internally via SMB
ET MALWARE AveMaria Initial CnC Checkin
ET MALWARE Observed GandCrab Domain (gandcrab .bit)
ET MALWARE [PTsecurity] Trickbot Data Exfiltration
ET MALWARE Win32/ArtraDownloader Checkin
ET MALWARE Observed DNS Query to known Windshift APT Related Domain 1
ET MALWARE MSIL.Orion Stealer Exfil via FTP
ET MALWARE Observed DNS Query to known Windshift APT Related Domain 2
ET MALWARE MSIL APT28 Zebrocy/Zekapab Reporting to CnC M2
ET MALWARE APT28/Sofacy Zebrocy Go Variant Downloader Error POST
ET MALWARE APT28/Sofacy Zebrocy Go Variant CnC Activity
ET MALWARE APT28/Sofacy Zebrocy Secondary Payload CnC Checkin
ET MALWARE APT28/Sofacy Zebrocy Go Variant Checkin
ET MALWARE Ursa Loader CnC Checkin
ET MALWARE Observed Malicious SSL Cert (SedUploader)
ET MALWARE TitanFox Loader CnC Checkin
ET MALWARE JS/Unk Downloader 0 Byte POST CnC Checkin
ET MALWARE APT28 Zebrocy/Zekapab Reporting to CnC M3
ET MALWARE Operation Cobra Venom Stage 1 DNS Lookup
ET MALWARE Operation Cobra Venom WSF Stage 1 - File Decode Completed
ET MALWARE Operation Cobra Venom WSF Stage 1 - CnC Checkin
ET MALWARE Operation Cobra Venom WSF Stage 2 - CnC Checkin
ET MALWARE Observed Malicious SSL Cert (ServHelper RAT CnC)
ET MALWARE ServHelper RAT CnC Domain Observed in SNI
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE ServHelper CnC Inital Checkin
ET MALWARE FlawedGrace CnC Activity
ET MALWARE APT DarkHydrus DNS Lookup 1
ET MALWARE APT DarkHydrus DNS Lookup 2
ET MALWARE APT DarkHydrus DNS Lookup 3
ET MALWARE APT DarkHydrus DNS Lookup 4
ET MALWARE APT DarkHydrus DNS Lookup 5
ET MALWARE APT DarkHydrus DNS Lookup 6
ET MALWARE APT DarkHydrus DNS Lookup 7
ET MALWARE APT DarkHydrus DNS Lookup 8
ET MALWARE APT DarkHydrus DNS Lookup 9
ET MALWARE APT DarkHydrus DNS Lookup 10
ET MALWARE APT DarkHydrus DNS Lookup 11
ET MALWARE APT DarkHydrus DNS Lookup 12
ET MALWARE APT DarkHydrus DNS Lookup 13
ET MALWARE APT DarkHydrus DNS Lookup 14
ET MALWARE APT DarkHydrus DNS Lookup 15
ET MALWARE APT DarkHydrus DNS Lookup 16
ET MALWARE APT DarkHydrus DNS Lookup 17
ET MALWARE APT DarkHydrus DNS Lookup 18
ET MALWARE APT DarkHydrus DNS Lookup 19
ET MALWARE APT DarkHydrus DNS Lookup 20
ET MALWARE APT DarkHydrus DNS Lookup 21
ET MALWARE APT DarkHydrus DNS Lookup 22
ET MALWARE APT DarkHydrus DNS Lookup 23
ET MALWARE APT DarkHydrus DNS Lookup 24
ET MALWARE Observed Awad Bot CnC Domain (hawad .000webhostapp .com in TLS SNI)
ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)
ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)
ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)
ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)
ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)
ET MALWARE Observed Cryptor Ransomware CnC Domain (e3kok4ekzalzapsf .onion .ws in TLS SNI)
ET MALWARE Possible Sharik/Smoke Loader 7zip Connectivity Check
ET MALWARE Observed TrumpHead Ransomware CnC Domain (6bbsjnrzv2uvp7bp .onion .pet in TLS SNI)
ET MALWARE APT DarkHydrus DNS Lookup 25
ET MALWARE APT DarkHydrus DNS Lookup 26
ET MALWARE APT DarkHydrus DNS Lookup 27
ET MALWARE APT DarkHydrus DNS Lookup 28
ET MALWARE PS/PowerRatankba CnC DNS Lookup
ET MALWARE Observed Malicious SSL Cert (POWERRATANKBA CnC)
ET MALWARE PS/PowerRatankba CnC DNS Lookup
ET MALWARE Observed Malicious SSL Cert (MageCart CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart CnC)
ET MALWARE MageCart CnC Domain in SNI
ET MALWARE MageCart CnC Domain in SNI
ET MALWARE OSX/LamePyre Screenshot Upload
ET MALWARE AtomLogger Exfil via FTP
ET MALWARE Atom Logger exfil via SMTP
ET MALWARE [PTsecurity] Bitter RAT C2 Response
ET MALWARE Observed Malicious SSL Cert (DonotGroup/Patchwork CnC)
ET MALWARE TeamBot CnC Activity
ET MALWARE [PTsecurity] Remcos RAT Checkin 85
ET MALWARE [PTsecurity] Remcos RAT Checkin 86
ET MALWARE [PTsecurity] Possible Backdoor.Win32.TeamBot / RTM C2 Response
ET MALWARE W32.Razy Inject Domain in DNS Lookup
ET MALWARE W32.Razy Inject Domain in DNS Lookup
ET MALWARE W32.Razy Inject Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (Donot Group/APT-C-35 CnC)
ET MALWARE W32.Razy Inject Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)
ET MALWARE [PTsecurity] Remcos RAT Checkin 87
ET MALWARE Observed Malicious SSL Cert (Zepakab CnC)
ET MALWARE CoreDn CnC Checkin M1
ET MALWARE CoreDn CnC Checkin M2
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Cayosin Botnet User-Agent Observed M1
ET MALWARE Cayosin Botnet User-Agent Observed M2
ET MALWARE Peppy/KeeOIL Google Connectivity Check
ET MALWARE Observed CDC Ransomware User-Agent
ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)
ET MALWARE BrushaLoader CnC Domain in SNI
ET MALWARE Win32/Remcos RAT Checkin 84
ET MALWARE Possible Astaroth User-Agent Observed
ET MALWARE OSX/Shlayer CnC Activity M1
ET MALWARE OSX/Shlayer CnC Landing M2
ET MALWARE OSX/Shlayer CnC Activity M3
ET MALWARE OSX/Shlayer CnC Activity M4
ET MALWARE Cayosin/Mirai CnC Domain in DNS Lookup
ET MALWARE DirectsX CnC Checkin
ET MALWARE Possible SharpShooter Framework Generated VBS Script
ET MALWARE Possible SharpShooter Framework Generated Script
ET MALWARE Observed Malicious SSL Cert (LazarusGroup CnC)
ET MALWARE Punto Loader Checkin
ET MALWARE GanDownloader CnC Checkin
ET MALWARE TickGroup Datper CnC Checkin M1
ET MALWARE TickGroup Datper CnC Checkin M2
ET MALWARE TickGroup Datper CnC Checkin M3
ET MALWARE FBot Downloader Generic GET for ARM Payload
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BrushaLoader CnC DNS Lookup
ET MALWARE BabyShark CnC Domain in SNI
ET MALWARE DonotGroup/Patchwork CnC DNS Lookup
ET MALWARE DonotGroup/Patchwork CnC DNS Lookup
ET MALWARE ArtraDownloader CnC Checkin
ET MALWARE OSX/Shlayer Malicious Download Request
ET MALWARE JS/Agent.NZH CnC Response
ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)
ET MALWARE Win32/Kribat-A Downloader Activity
ET MALWARE [PTsecurity] Win32/Spy.RTM/Redaman IP Check
ET MALWARE Py/MechaFlounder CnC Checkin
ET MALWARE Py/MechaFlounder CnC Activity - Reporting Sleep Command Success
ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Success
ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Error
ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Success
ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Error
ET MALWARE Py/MechaFlounder CnC Activity - Reporting Directory Change Command Success
ET MALWARE Chafer CnC DNS Query
ET MALWARE Chafer CnC DNS Query
ET MALWARE Sidewinder CnC DNS Query
ET MALWARE MSIL/SkidRat CnC Checkin M1
ET MALWARE FIN6 StealerOne CnC Domain in SNI
ET MALWARE FIN6 StealerOne CnC DNS Query
ET MALWARE MSIL/SkidRat User-Agent Observed
ET MALWARE MSIL/SkidRat CnC Checkin M2
ET MALWARE MSIL/SkidRat CnC Checkin M3
ET MALWARE [AV] EarthWorm/Termite IoT Agent Reporting Infection
ET MALWARE EarthWorm/Termite IoT Agent CnC Response
ET MALWARE OSX/EvilOSX Client Receiving Commands
ET MALWARE Observed Malicious SSL Cert (APT32 JEShell CnC)
ET MALWARE Win32/Retadup CnC Checkin M1
ET MALWARE Win32/Retadup CnC Checkin M2
ET MALWARE Win32/Retadup Success Response from CnC
ET MALWARE Win32/PirateMatryoshka CnC DNS Query
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Win32/Termite Agent Implant CnC Checkin
ET MALWARE Win32/Termite Agent Implant Keep-Alive
ET MALWARE Possible Inbound PowerShell via Invoke-PSImage Stego
ET MALWARE Observed Malicious SSL Cert (Gozi CnC)
ET MALWARE Win32/Dorv Stealer Exfiltrating Data to CnC
ET MALWARE Win32/Dorv InfoStealer CnC DNS Query
ET MALWARE JasperLoader CnC Checkin
ET MALWARE Observed Malicious SSL Cert (Gootkit CnC)
ET MALWARE Inbound JasperLoader Using Array Push Obfuscation
ET MALWARE ShadowHammer DNS Lookup
ET MALWARE Possible ShadowHammer DNS Lookup
ET MALWARE Possible ShadowHammer DNS Lookup
ET MALWARE MSIL/DataMilk Stealer Communicating with CnC
ET MALWARE ChaseBot CnC Checkin
ET MALWARE W32/VBS.SLoad.Backdoor Initial Base64 Encoded OK Server Response
ET MALWARE Observed Malicious SSL Cert (ShadowHammer CnC)
ET MALWARE ELF/Mirai Variant UA Outbound (Rift)
ET MALWARE ELF/Mirai Variant UA Inbound (Rift)
ET MALWARE ELF/Mirai Variant UA Outbound (Tsunami)
ET MALWARE ELF/Mirai Variant UA Inbound (Tsunami)
ET MALWARE ELF/Mirai Variant UA Outbound (Yowai)
ET MALWARE ELF/Mirai Variant UA Inbound (Yowai)
ET MALWARE ELF/Mirai Variant UA Outbound (Yakuza)
ET MALWARE ELF/Mirai Variant UA Inbound (Yakuza)
ET MALWARE ELF/Mirai Variant UA Outbound (Hentai)
ET MALWARE ELF/Mirai Variant UA Inbound (Hentai)
ET MALWARE ELF/Mirai Variant UA Outbound (lessie)
ET MALWARE ELF/Mirai Variant UA Inbound (lessie)
ET MALWARE ELF/Mirai Variant UA Outbound (Cakle)
ET MALWARE ELF/Mirai Variant UA Inbound (Cakle)
ET MALWARE ELF/Mirai Variant UA Outbound (Damien)
ET MALWARE ELF/Mirai Variant UA Inbound (Damien)
ET MALWARE ELF/Mirai Variant UA Outbound (Solar)
ET MALWARE ELF/Mirai Variant UA Inbound (Solar)
ET MALWARE ELF/Mirai Variant UA Outbound (muhstik)
ET MALWARE ELF/Mirai Variant UA Inbound (muhstik)
ET MALWARE ELF/Mirai Variant UA Outbound (Shaolin)
ET MALWARE ELF/Mirai Variant UA Inbound (Shaolin)
ET MALWARE MalDoc Request for Payload (TA505 Related)
ET MALWARE Xwo CnC Activity
ET MALWARE Win32/Beapy/Lemon_Duck CnC Checkin
ET MALWARE PS/Beapy CnC Checkin
ET MALWARE Py/Beapy CnC Checkin
ET MALWARE ELF.Initdz.Coinminer C2 Systeminfo (D2)
ET MALWARE AHK/BKDR_HTV.ZKGD-A Fake HTTP 500 Containing Encoded Commands Inbound
ET MALWARE AHK/BKDR_HTV.ZKGD-A CnC Checkin
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE Observed Malicious SSL Cert (Gozi CnC)
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns
ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com)
ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com)
ET MALWARE Outbound POST Request with ps PowerShell Command Output
ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M1
ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M2
ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M3
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE DonotGroup CnC Domain in DNS Lookup (drivethrough .top)
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE DonotGroup CnC Domain in DNS Lookup (drinkeatgood .space)
ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)
ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)
ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)
ET MALWARE Unattributed CnC Domain in DNS Lookup (xsecuremail .com)
ET MALWARE Unattributed CnC Domain in DNS Lookup (wipro365 .com)
ET MALWARE Unattributed CnC Domain in DNS Lookup (microsoftonline-secure-login .com)
ET MALWARE Unattributed CnC Domain in DNS Lookup (secure-message .online)
ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypt-email .online)
ET MALWARE Unattributed CnC Domain in DNS Lookup (secured-mail .online)
ET MALWARE Unattributed CnC Domain in DNS Lookup (internal-message .app)
ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypted-message .cloud)
ET MALWARE StealerNeko CnC Checkin
ET MALWARE Baldr Stealer Checkin M2
ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup
ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup
ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup
ET MALWARE Suspected Powershell Empire POST M1
ET MALWARE Suspected Powershell Empire GET M1
ET MALWARE Novaloader Stage 2 VBS Request
ET MALWARE DonotGroup CnC Domain in DNS Lookup
ET MALWARE DonotGroup CnC Domain in DNS Lookup
ET MALWARE DonotGroup CnC Domain in DNS Lookup
ET MALWARE Megumin v2 Stealer User-Agent
ET MALWARE DonotGroup CnC Domain in DNS Lookup
ET MALWARE DonotGroup Stage 2 CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (DonotGroup Stage 2 CnC)
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE ServHelper CnC Command (Net User)
ET MALWARE ServHelper CnC Command (Reg Add)
ET MALWARE ServHelper CnC Command (Whoami)
ET MALWARE ServHelper CnC Domain
ET MALWARE ServHelper CnC Domain
ET MALWARE ServHelper CnC Domain
ET MALWARE ServHelper CnC Domain
ET MALWARE ServHelper CnC Domain
ET MALWARE ServHelper CnC Domain
ET MALWARE JAR/Qealler Stealer HTTP Headers Observed
ET MALWARE AridViper CnC Domain in SNI
ET MALWARE Win32/Krypton Stealer CnC Checkin
ET MALWARE IcedID Fake Resume Server in DNS Lookup
ET MALWARE Observed Malicious DNS Query (ReactGet Group)
ET MALWARE Observed Malicious SSL Cert (ReactGet Group)
ET MALWARE Observed Malicious DNS Query (Mirrorthief Group)
ET MALWARE CobaltStrike SMB P2P Default Msagent Named Pipe Interaction
ET MALWARE Observed Malicious SSL Cert (Mirrortheif group)
ET MALWARE Covenant .NET Framework P2P C&C Protocol Gruntsvc Named Pipe Interaction
ET MALWARE PS/Unk.EB.Spreader CnC Checkin
ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M1
ET MALWARE Wide HTA with PowerShell Execution Inbound
ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M2
ET MALWARE Win32/ElectricFish Authentication Packet Observed
ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)
ET MALWARE MirrorThief CnC Domain in DNS Lookup
ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup
ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup
ET MALWARE MSIL/Almashreq CnC Checkin
ET MALWARE MSIL/Almashreq Executing New Processes
ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)
ET MALWARE MirrorThief CnC in DNS Lookup
ET MALWARE Winnti Payload - XORed Check-in to Infected System (0xd4413890)
ET MALWARE BlackTech Plead CnC in DNS Lookup
ET MALWARE BlackTech Plead Encrypted Payload Inbound
ET MALWARE HTA.BabyShark Checkin
ET MALWARE Mirai Variant Checkin Response
ET MALWARE Suspected ExtraPulsar Backdoor
ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound
ET MALWARE HTA.BabyShark HTTP Exfil
ET MALWARE Shade Ransomware Payment Domain in DNS Lookup
ET MALWARE SSL/TLS Certificate Observed (Quasar Related)
ET MALWARE Win32/ProtonBot CnC Response
ET MALWARE Win32/ProtonBot Stealer Activity
ET MALWARE Observed ProtonBot User-Agent
ET MALWARE Observed DNS Query to APT10 Related CnC Domain
ET MALWARE Observed DNS Query to APT10 Related CnC Domain
ET MALWARE Observed DNS Query to APT10 Related CnC Domain
ET MALWARE Maze/ID Ransomware Activity
ET MALWARE Linux/HiddenWasp CnC Request (set)
ET MALWARE Linux/HiddenWasp CnC Response
ET MALWARE DarkHotel Payload Uploading to CnC
ET MALWARE DarkHotel CnC Domain in DNS Lookup
ET MALWARE DarkHotel CnC Domain in DNS Lookup
ET MALWARE Executable contained in DICOM Medical Image SMB File Transfer
ET MALWARE DarkHotel CnC Domain in DNS Lookup
ET MALWARE Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer
ET MALWARE Executable contained in DICOM Medical Image Received from PACS DICOM Device
ET MALWARE Possible APT28 Xtunnel Activity
ET MALWARE APT28 CnC Domain DNS Lookup
ET MALWARE APT28 CnC Domain DNS Lookup
ET MALWARE APT28 CnC Domain DNS Lookup
ET MALWARE APT28 CnC Domain DNS Lookup
ET MALWARE APT28 CnC Domain DNS Lookup
ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30
ET MALWARE APT28 CnC Domain DNS Lookup
ET MALWARE ICEFOG-P Variant CnC Checkin M1
ET MALWARE ICEFOG-P Variant CnC Checkin M2
ET MALWARE PLATINUM Steganographic HTTP Response Page Inbound
ET MALWARE Win32/Phorpiex Template 3 Active - Outbound Malicious Email Spam
ET MALWARE Win32/Phorpiex Template 4 Active - Outbound Malicious Email Spam
ET MALWARE HAWKBALL CnC Initial Request
ET MALWARE HAWKBALL CnC Activity
ET MALWARE HAWKBALL CnC Sending System Information
ET MALWARE Observed Buran Ransomware UA (BURAN)
ET MALWARE Observed Buran Ransomware UA (GHOST)
ET MALWARE Buran Ransomware Activity M2
ET MALWARE Buran Ransomware Activity M1
ET MALWARE WSHRAT Keylogger Module Download Command Inbound
ET MALWARE WSHRAT CnC Checkin
ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
ET MALWARE Possible Encoded Wide PowerShell (IEX) in Certificate Inbound
ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)
ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)
ET MALWARE FIN8 ShellTea CnC in DNS Lookup
ET MALWARE FIN8 ShellTea CnC in DNS Lookup
ET MALWARE FIN8 ShellTea CnC in DNS Lookup
ET MALWARE FIN8 ShellTea CnC in DNS Lookup
ET MALWARE FIN8 ShellTea CnC in DNS Lookup
ET MALWARE Win32/Vools Variant CnC Checkin
ET MALWARE Observed Malicious SSL Cert (MageCart CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart CnC)
ET MALWARE SSL/TLS Certificate Observed (Maldoc CnC)
ET MALWARE Packed Perl with Eval Statement
ET MALWARE Chafer Win32/TREKX Uploading to CnC
ET MALWARE Chafer Win32/TREKX Uploading to CnC (Modified CAB)
ET MALWARE Chafer CnC Domain in DNS Lookup
ET MALWARE Chafer CnC Domain in DNS Lookup
ET MALWARE Chafer CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (IcedID CnC)
ET MALWARE Danabot CnC Checkin
ET MALWARE Plurox CnC Domain in DNS Lookup
ET MALWARE Plurox CnC Domain in DNS Lookup
ET MALWARE Danabot UA Observed
ET MALWARE Observed Turla Domain (vision2030 .tk in TLS SNI)
ET MALWARE Turla DNS Lookup (vision2030 .cf)
ET MALWARE Observed Malicious UA (Skuxray)
ET MALWARE Win32/Plurox Backdoor CnC Checkin
ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Client Request (set)
ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (WAIT)
ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CONNECT)
ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (DISCONNECT)
ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CERT)
ET MALWARE Possible PowerShell Empire Activity Outbound
ET MALWARE HYDSEVEN VBS CnC Host Information Checkin
ET MALWARE DonotGroup APT CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup ET MALWARE Gift Cardshark CnC Domain in DNS Lookup

197 of 382 2024-03-01, 14:05


ipfire.localdomain - Intrusion Prevention System https://192.168.222.254:444/cgi-bin/ids.cgi

ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Gift Cardshark CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (Quasar CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE APT33 CnC Domain in DNS Lookup
ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup
ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup
ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup
ET MALWARE APT32 CnC in DNS Lookup
ET MALWARE APT32 CnC in DNS Lookup
ET MALWARE APT32 Win32/Ratsnif POSTing Log Message to CnC
ET MALWARE APT32 Win32/Ratsnif Submitting Output of Command to CnC
ET MALWARE APT32 Win32/Ratsnif Requesting Command from CnC
ET MALWARE APT32 Win32/Ratsnif CnC Checkin
ET MALWARE Win32/Remcos RAT Checkin 109
ET MALWARE Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI)
ET MALWARE Operation Tripoli Related CnC Checkin
ET MALWARE Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI)
ET MALWARE Observed Godlua Backdoor Domain (d .heheda .tk in TLS SNI)
ET MALWARE Observed Godlua Backdoor Domain (c .heheda .tk in TLS SNI)
ET MALWARE Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI)
ET MALWARE Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI)
ET MALWARE Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI)
ET MALWARE Observed Turla/APT34 CnC Domain Domain (dubaiexpo2020 .cf in TLS SNI)
ET MALWARE Observed Malicious SSL Cert (Turla/APT34 CnC Domain)
ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jun 2019-Dec 2019) (set)
ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Dec 2019-Jul 2020) (set)
ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jul 2020-Jan 2021) (set)
ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Jun 2019 - Sep 2020)
ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Sep 2020 - Nov 2023)
ET MALWARE Godlua Backdoor Downloading Encrypted Lua
ET MALWARE Known Malicious Server in DNS Lookup (updatecache .com)
ET MALWARE MuddyWater Payload Sending Screenshot to CnC
ET MALWARE MuddyWater Payload Sending Command Output to CnC
ET MALWARE MuddyWater Payload Registering with CnC
ET MALWARE MuddyWater Payload Requesting Command from CnC
ET MALWARE MuddyWater Payload CnC Checkin
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Inter Skimmer CnC Domain in DNS Lookup
ET MALWARE Inter Skimmer CnC Domain in DNS Lookup
ET MALWARE Inter Skimmer CnC Domain in DNS Lookup
ET MALWARE Inter Skimmer CnC Domain in DNS Lookup
ET MALWARE VBA/TrojanDownloader.Agent.PAC Retreiving Malicious VBScript
ET MALWARE Inter Skimmer CnC Domain in DNS Lookup
ET MALWARE Win32/Unk.VBScript Requesting Instruction from CnC
ET MALWARE Amadey CnC Check-In
ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Started
ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Done
ET MALWARE eCh0raix/QNAPCrypt Requesting Key/Wallet/Note
ET MALWARE eCh0raix/QNAPCrypt Successful Server Response
ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Check Response
ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response
ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC POST
ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC GET
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SSL/TLS Certificate Observed (StrongPity)
ET MALWARE SLUB Domain in DNS Lookup
ET MALWARE Gamaredon CnC Domain in DNS Lookup
ET MALWARE Gamaredon CnC Domain in DNS Lookup
ET MALWARE Gamaredon CnC Domain in DNS Lookup
ET MALWARE Gamaredon CnC Domain in DNS Lookup
ET MALWARE Win32/Ketrican CnC Activity
ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0)
ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)

ET MALWARE Win32/Blacknix CnC Checkin
ET MALWARE Win32/Blacknix CnC Heartbeat
ET MALWARE Proyecto RAT Variant - Yopmail Login attempt (set)
ET MALWARE Proyecto RAT Variant - Yopmail Stage 2 CnC Retrieval
ET MALWARE Possible Outbound WebShell GIF
ET MALWARE Possible Outbound WebShell JPEG
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE FIN8 ShellTea CnC in DNS Query
ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH Remote Shell Banner
ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH CnC Checkin
ET MALWARE Observed Malicious SSL Cert (Various CnC)
ET MALWARE LooCipher Ransomware Onion Domain
ET MALWARE Phorpiex CnC Domain in DNS Lookup
ET MALWARE Win32/Phorpiex Template 5 Active - Outbound Malicious Email Spam
ET MALWARE Possible ICMP Backdoor Tunnel Command - whoami
ET MALWARE Win32/ArtraDownloader Checkin
ET MALWARE Covenant Framework Default HTTP Beacon
ET MALWARE Covenant Framework HTTP Hello World Server Response
ET MALWARE Covenant Framework HTTP Beacon
ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (Grunt.GruntStager)
ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (DynamicInvoke)
ET MALWARE Possible Covenant Framework Grunt PowerShell Stager HTTP Download
ET MALWARE Possible Covenant Framework Grunt MSBuild Stager HTTP Download
ET MALWARE Observed Malicious SSL Cert (AZORult CnC)
ET MALWARE Observed Malicious SSL Cert (Various CnC)
ET MALWARE Observed Malicious SSL Cert (Various CnC)
ET MALWARE Win32/Eris Ransomware CnC Checkin
ET MALWARE Win32/Onliner CnC Checkin
ET MALWARE Win32/Onliner Receiving Commands from CnC
ET MALWARE Win32/Onliner Requesting Additional Modules
ET MALWARE Win32/Onliner Mailer Module Communicating with CnC
ET MALWARE Win32/Onliner Template 1 Active - Malicious Outbound Email Spam
ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M1
ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M2
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE Win32/Varenyky Spambot CnC in DNS Query
ET MALWARE HVNC USR Init Detected
ET MALWARE HVNC BOT Detected
ET MALWARE ELF/Emptiness v1 CnC Checkin
ET MALWARE ELF/Emptiness v1.1 CnC Checkin
ET MALWARE ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin
ET MALWARE ELF/Emptiness v1 UDP Flood Command Inbound
ET MALWARE ELF/Emptiness v1 DNS Flood Command Inbound
ET MALWARE ELF/Emptiness v1 HTTP Flood Command Inbound
ET MALWARE ELF/Emptiness v1.1 UDP Flood Command Inbound
ET MALWARE ELF/Emptiness v1.1 DNS Flood Command Inbound
ET MALWARE ELF/Emptiness v1.1 HTTP Flood Command Inbound
ET MALWARE ELF/Emptiness v2 XOR UDP Flood Command Inbound
ET MALWARE ELF/Emptiness v2 XOR DNS Flood Command Inbound
ET MALWARE ELF/Emptiness v2 XOR HTTP Flood Command Inbound
ET MALWARE ELF/Emptiness v2 XOR Exec Command Inbound
ET MALWARE ELF/Emptiness v2 XOR Update Command Inbound
ET MALWARE ELF/Mirai.shiina v3 CnC Checkin
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Emptiness CnC Domain in DNS Query
ET MALWARE ELF/Mirai.shiina CnC Domain in DNS Query
ET MALWARE APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M1
ET MALWARE APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M2
ET MALWARE MedusaHTTP Variant CnC Checkin
ET MALWARE Win32/DarkRAT CnC Activity
ET MALWARE [TGI] Py.Machete HTTP CnC Exfil
ET MALWARE [TGI] Py.Machete FTP Exfil 1
ET MALWARE [TGI] Py.Machete FTP Exfil 2
ET MALWARE Win32/Dostre CnC Activity
ET MALWARE Clipsa Stealer - CnC Checkin
ET MALWARE Clipsa Stealer - Coinminer Download
ET MALWARE Clipsa Stealer - Exfiltration Activity
ET MALWARE BalkanDoor CnC Checkin
ET MALWARE BalkanDoor CnC Checkin - Server Response
ET MALWARE MyKings Bootloader Variant Requesting Payload M1
ET MALWARE MyKings Bootloader Variant Requesting Payload M2
ET MALWARE MyKings Bootloader Variant Requesting Payload M3
ET MALWARE TwoFace WebShell Detected
ET MALWARE GlitchPOS CnC Checkin
ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1
ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M2
ET MALWARE Win32/Alpha Stealer v1.5 PWS Exfil via HTTP
ET MALWARE LYCEUM MSIL/DanBot CnC Checkin
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE LYCEUM CnC Domain Observed in DNS Query
ET MALWARE Domen SocEng Redirect - Landing Page Observed
ET MALWARE Domen SocEng CnC Observed in DNS Query
ET MALWARE Domen SocEng CnC Observed in DNS Query
ET MALWARE Domen SocEng CnC Observed in DNS Query
ET MALWARE Possible APT28 Maldoc CnC Checkin
ET MALWARE Observed Glupteba CnC Domain (venoxcontrol .com in TLS SNI)
ET MALWARE Win32/Laturo Stealer CnC Checkin

ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE Glupteba CnC Domain in DNS Lookup
ET MALWARE HTTP Request for Possible ELF/LiLocked Ransomware Note
ET MALWARE ELF/LiLocked Ransom Note in HTTP Response
ET MALWARE Possible PHP.MAILER WebShell Generic Request Inbound
ET MALWARE Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound
ET MALWARE [TGI] BlackRAT Checkin
ET MALWARE [TGI] BlackRAT Checkin Response
ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)
ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)
ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)
ET MALWARE TransparentTribe APT Maldoc CnC Checkin
ET MALWARE Possible TransparentTribe APT CnC Activity
ET MALWARE Suspected Tunna Proxy M1
ET MALWARE Suspected Tunna Proxy M2
ET MALWARE Suspected Tunna Proxy M3
ET MALWARE Suspected Tunna Proxy M4
ET MALWARE Possible Tunna Proxy Activity (Response)
ET MALWARE Possible Tunna Proxy Closing Connection
ET MALWARE Suspected Tunna Proxy M1 (Outbound)
ET MALWARE Suspected Tunna Proxy M2 (Outbound)
ET MALWARE Suspected Tunna Proxy M3 (Outbound)
ET MALWARE Suspected Tunna Proxy M4 (Outbound)
ET MALWARE Possible Tunna Proxy Activity (Response)
ET MALWARE Possible Tunna Proxy Closing Connection
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE DonotGroup CnC Observed in DNS Query
ET MALWARE DonotGroup CnC Observed in DNS Query
ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)
ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2
ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)
ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)
ET MALWARE Glupteba CnC Observed in DNS Query
ET MALWARE Glupteba CnC Observed in DNS Query
ET MALWARE Glupteba CnC Observed in DNS Query
ET MALWARE Glupteba CnC Observed in DNS Query
ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-09-17 1)
ET MALWARE Win32/Tflower Ransomware CnC Checkin
ET MALWARE Observed Cobalt Strike User-Agent
ET MALWARE Plead TSCookie CnC Checkin M1
ET MALWARE Plead TSCookie CnC Checkin M2
ET MALWARE Plead TSCookie CnC Checkin M3
ET MALWARE Plead TSCookie CnC Checkin M4
ET MALWARE Possible GhostMiner CCBOT Component - CnC Checkin
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE DonotGroup CnC Domain Observed in DNS Query
ET MALWARE DonotGroup CnC Domain Observed in DNS Query
ET MALWARE Tortoiseshell/HMH Download Request
ET MALWARE Observed OSX/GMERA.A CnC Domain (appstockfolio .com in TLS SNI)
ET MALWARE Tortoiseshell/SysKit CnC Activity
ET MALWARE OSX/GMERA.B CnC Checkin
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE DonotGroup CnC Domain Observed in DNS Query
ET MALWARE Observed Malicious SSL Cert (DeadlyKiss APT)
ET MALWARE Possible DeadlyKiss APT CnC Domain Observed in DNS Query
ET MALWARE Possible DeadlyKiss APT CnC Domain Observed in DNS Query
ET MALWARE PHPStudy CnC Domain in DNS Lookup
ET MALWARE DNSG - Data Exfiltration via DNS
ET MALWARE Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup
ET MALWARE DNSBin Demo - Data Exfil
ET MALWARE DNSBin Demo - Data Inbound
ET MALWARE DNSChanger CnC Domain in DNS Lookup
ET MALWARE DNSChanger CnC Domain in DNS Lookup
ET MALWARE DNSChanger CnC Domain in DNS Lookup
ET MALWARE DNSChanger CnC Domain in DNS Lookup
ET MALWARE DNSChanger CnC Domain in DNS Lookup
ET MALWARE Possible Win32/Get2 Downloader Activity
ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Passwords
ET MALWARE Win32/Phoenix Keylogger Exfil via SMTP - Generic
ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Logs
ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Clipboard
ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Screenshot
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-07
ET MALWARE Nemours/Proyecto RAT CnC Checkin
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-02
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-01
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-09-30
ET MALWARE Observed Malicious SSL Cert (AZORult Cnc Server) 2019-09-27
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) in SNI 2019-09-27
ET MALWARE DonotGroup CnC Domain Observed in DNS Query
ET MALWARE CASHY200 CnC Domain in DNS Lookup
ET MALWARE CASHY200 CnC Domain in DNS Lookup
ET MALWARE CASHY200 CnC Domain in DNS Lookup
ET MALWARE CASHY200 CnC Domain in DNS Lookup
ET MALWARE CASHY200 Style DNS Query - Initial Hello Beacon
ET MALWARE CASHY200 Style DNS Query - Sending Hostname
ET MALWARE CASHY200 Style DNS Query - Sending Number of Queries
ET MALWARE CASHY200 Style DNS Query - Finished Sending Results
ET MALWARE CASHY200 Style DNS Query - Sending Command Results
ET MALWARE CASHY200 Style DNS Query - Getting CnC Data
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08

ET MALWARE CASHY200 Style DNS Query - Request Command Beacon
ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query
ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query
ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query
ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query
ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query
ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query
ET MALWARE APT Mustang Panda Payload - CnC Checkin
ET MALWARE Observed Malicious SSL Cert (OSX/AppleJeus Variant CnC)
ET MALWARE Observed Malicious SSL Cert (APT MustangPanda CnC)
ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)
ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)
ET MALWARE Possible APT 41 Fake Server Response
ET MALWARE APT 41 CnC Domain Observed in DNS Query
ET MALWARE APT 41 CnC Domain Observed in DNS Query
ET MALWARE APT 41 CnC Domain Observed in DNS Query
ET MALWARE APT 41 CnC Domain Observed in DNS Query
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE PolyglotDuke Domain Observed
ET MALWARE MiniDuke Domain Observed
ET MALWARE MiniDuke Domain Observed
ET MALWARE FatDuke Domain Observed
ET MALWARE FatDuke Domain Observed
ET MALWARE FatDuke Domain Observed
ET MALWARE FatDuke Domain Observed
ET MALWARE FatDuke Domain Observed
ET MALWARE APT 41 LOWKEY Backdoor - Initalisation Bytes Received from CnC
ET MALWARE LiteDuke Domain Observed
ET MALWARE APT-C-27 CnC Domain Observed in DNS Query
ET MALWARE APT-C-27 CnC Domain Observed in DNS Query
ET MALWARE APT-C-27 CnC Domain Observed in DNS Query
ET MALWARE APT-C-27 CnC Domain Observed in DNS Query
ET MALWARE APT-C-27 CnC Domain Observed in DNS Query
ET MALWARE APT-C-27 CnC Domain Observed in DNS Query
ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M1
ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M2
ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Sending Data
ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Prepare to Receive Data
ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Receive Data
ET MALWARE APT 41 LOWKEY Backdoor - Ping Command Inbound
ET MALWARE APT 41 LOWKEY Backdoor - Ping Success Code sent to CnC
ET MALWARE APT 41 LOWKEY Backdoor - Ping Error Code sent to CnC
ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - PID Injection Command
ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Establishing Connection with New Host
ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - TCP Relay Successfully Activated on New Host
ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Exchanging RC4 & XOR Encrypted Data with Internal Host
ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Socket Command Observed
ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Named Pipe Command Observed
ET MALWARE Unk Spam Bot Template 1 Active - Outbound Malicious Email Spam
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08
ET MALWARE Observed Win32/Orion Logger SMTP Exfil Subject Line
ET MALWARE Win32/Orion Logger SMTP Base64 Exfil
ET MALWARE Observed Malicious SSL Cert (APT32 CnC)
ET MALWARE Lazarus CnC Domain Observed in DNS Query
ET MALWARE Lazarus CnC Domain Observed in DNS Query
ET MALWARE Lazarus CnC Domain Observed in DNS Query
ET MALWARE Lazarus CnC Domain Observed in DNS Query
ET MALWARE Lazarus CnC Domain Observed in DNS Query
ET MALWARE Lazarus CnC Domain Observed in DNS Query
ET MALWARE Observed Malicious SSL Cert (CobInt CnC)
ET MALWARE Suspected Zebrocy Implant CnC Checkin
ET MALWARE MSIL/Diezen CnC Checkin M2
ET MALWARE MSIL/Diezen CnC Checkin M1
ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query
ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query
ET MALWARE Observed Malicious SSL Cert (MalDoc DL) 2019-10-24
ET MALWARE BadPatch CnC Activity
ET MALWARE Instagram Like Bot (like4u) CnC Activity M1
ET MALWARE Instagram Like Bot (like4u) CnC Activity M2
ET MALWARE Instagram Like Bot (like4u) CnC Domain in DNS Lookup
ET MALWARE Netwire RAT Client Check-in (socket created)
ET MALWARE Patchwork APT CnC Beacon 2
ET MALWARE Win32/Phorpiex CnC Checkin
ET MALWARE Kimsuky CnC Domain Observed in DNS Query
ET MALWARE Kimsuky CnC Domain Observed in DNS Query
ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query
ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query
ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)
ET MALWARE StrongPity CnC Domain Observed in DNS Query
ET MALWARE MSIL.L4L Stealer IP Check
ET MALWARE MSIL.L4L Stealer Screenshot Exfiltration
ET MALWARE MSIL.L4L Stealer Systeminfo Exfiltration
ET MALWARE Win32/CryptInject.BE!MTB Stealer CnC Checkin
ET MALWARE Possible Darkhotel Higasia Downloader Requesting Module
ET MALWARE Possible Darkhotel Higasia Downloader Connectivity Check
ET MALWARE Possible Darkhotel Higasia Downloader Checkin
ET MALWARE Observed Malicious SSL Cert (Turla CnC)
ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup
ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup

ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup
ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup
ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup
ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup
ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup
ET MALWARE Win32/IcedID WebSocket Request M2
ET MALWARE Observed AHK Downloader Request Structure
ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x86)
ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x64)
ET MALWARE Platinum APT Activity
ET MALWARE Platinum APT - Titanium Hardcoded String Observed
ET MALWARE Gamaredon CnC Domain Observed in DNS Query
ET MALWARE Gamaredon CnC Domain Observed in DNS Query
ET MALWARE DADJOKE/Rail Tycoon Initial Macro Execution
ET MALWARE DADJOKE/Rail Tycoon Payload Extraction
ET MALWARE DADJOKE/Rail Tycoon Payload Execution
ET MALWARE Possible Gamaredon HEAD Request for .dot file on ddns.net
ET MALWARE Win32/AnteFrigus Ransomware Activity
ET MALWARE Observed Malicious SSL Cert (Possible APT33 CnC)
ET MALWARE Gamaredon CnC Domain Observed in DNS Query
ET MALWARE Win32/1xxbot CnC Checkin
ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-11-15)
ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)
ET MALWARE Observed CobInt CnC Domain in TLS SNI
ET MALWARE Observed CobInt CnC Domain in TLS SNI
ET MALWARE ELF/Mirai Variant UA Outbound (ph0ne)
ET MALWARE ELF/Mirai Variant UA Outbound (Ouija_x.86)
ET MALWARE Observed Buran Ransomware UA
ET MALWARE SuperSocialat Plugin Backdoor Code Execution Attempt
ET MALWARE Possible Pipka JS Skimmer CnC Request
ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M1
ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M2
ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M3
ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M4
ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M5
ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M6
ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M7
ET MALWARE Observed Malicious SSL Cert (AZORult CnC) 2019-11-18
ET MALWARE Win32/Agent Tesla SMTP Clipboard Exfil
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)
ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)
ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)
ET MALWARE Lemon_Duck Powershell - Install Tracking
ET MALWARE Lemon_Duck Powershell - RDP Credential Exfil
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE MuddyWater Payload - CnC Checkin
ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M1
ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M2
ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 1
ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 2
ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 3
ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 4
ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 5
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)
ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)
ET MALWARE Cyborg Ransomware - Downloading Desktop Background
ET MALWARE Observed Malicious SSL Cert (Possible Godlua CnC)
ET MALWARE SSL/TLS Certificate Observed (Various Crimeware)
ET MALWARE Win32/Beapy CnC Domain in DNS Lookup
ET MALWARE Win32/Beapy CnC Domain in DNS Lookup
ET MALWARE Win32/Emotet CnC Activity (POST) M5
ET MALWARE Win32/Emotet CnC Activity (POST) M6
ET MALWARE Legion Loader Activity Observed (Mylegion666)
ET MALWARE Legion Loader Activity Observed (salmonella-symptome)
ET MALWARE Legion Loader Activity Observed (YourUserAgent)
ET MALWARE Legion Loader Activity Observed (suspira)
ET MALWARE Legion Loader Activity Observed (lilith)
ET MALWARE Legion Loader Activity Observed (legion)
ET MALWARE Legion Loader Activity Observed (the devil)
ET MALWARE Legion Loader Activity Observed
ET MALWARE Legion Loader Activity Observed (Amen)
ET MALWARE Legion Loader Activity Observed (satan)
ET MALWARE Legion Loader Activity Observed (neva-project)
ET MALWARE SSL/TLS Certificate Observed (Magecart)
ET MALWARE Possible Magecart Credit Card Information JS Script
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Buer Loader Update Request
ET MALWARE Buer Loader Download Request
ET MALWARE Buer Loader Successful Payload Download
ET MALWARE SSL/TLS Certificate Observed (Buer Loader)
ET MALWARE Tick Group Payload - Reporting Error to CnC
ET MALWARE Tick Group Payload - Submitting Encrypted Data to CnC
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE Malicious SSL Certificate detected (PyXie)
ET MALWARE TickGroup BROLER.F CnC Check-in
ET MALWARE TickGroup ABK Backdoor CnC Check-in
ET MALWARE Possible TickGroup Snack CnC Activity
ET MALWARE Possible TickGroup Coolbee/Avenger CnC Activity
ET MALWARE Possible TickGroup Casper CnC Activity
ET MALWARE MedusaHTTP Variant CnC Checkin M2
ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Observed Buran Ransomware UA
ET MALWARE Observed Malicious SSL Cert (MageCart)
ET MALWARE Win32/Snatch Ransomware - Encryption Started
ET MALWARE Win32/Snatch Ransomware - Encryption Finished

202 of 382 2024-03-01, 14:05
ET MALWARE SSL/TLS Certificate Observed (Get2 CnC) ET MALWARE Possible APT38 CnC Domain Observed in DNS Query
ET MALWARE Possible APT38 CnC Domain Observed in DNS Query ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)
ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC) ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)
ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC) ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)
ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC) ET MALWARE Malicious SSL Cert (Magecart)
ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC) ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)
ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC) ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)
ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC) ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)
ET MALWARE AZORult v3.3 Server Response M1 ET MALWARE AZORult v3.3 Server Response M2
ET MALWARE AZORult v3.3 Server Response M3 ET MALWARE AZORult v3.2 Server Response M1
ET MALWARE AZORult v3.2 Server Response M2 ET MALWARE AZORult v3.2 Server Response M3
ET MALWARE MalDoc Exfil (2019-12-12) ET MALWARE CrownAdPro CnC Activity M1
ET MALWARE DiamondFox HTTP Post CnC Checkin M3 ET MALWARE Win32/Unk.BrowserStealer CnC Keep-Alive
ET MALWARE Win32/Unk.BrowserStealer CnC Checkin ET MALWARE Win32/Unk.BrowserStealer Data Exfil M1
ET MALWARE Win32/Unk.BrowserStealer Data Exfil M2 ET MALWARE Win32/Unk.BrowserStealer Data Exfil M3
ET MALWARE Observed DNS Query for APT40 Possible DADSTACHE CnC Domain ET MALWARE Observed Buran Ransomware UA
ET MALWARE ShivaGood Ransomware CnC Checkin ET MALWARE Win32/BlackNET CnC Checkin
ET MALWARE Win32/BlackNET CnC Keep-Alive ET MALWARE Win32/BlackNET CnC Requesting Command
ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC) ET MALWARE Win32/MailerBot CnC Activity
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC) ET MALWARE XServer Backdoor Communication Setup Request
ET MALWARE XServer Backdoor Communication Setup Initiate ET MALWARE OilRig APT PowDesk Powershell Check
ET MALWARE Possible XServer Backdoor Certificate Observed ET MALWARE Win32/Valak
ET MALWARE Win32/Valak ET MALWARE Win32/Valak
ET MALWARE Win32/Valak - Stage 2 - Response - Task ET MALWARE Win32/Valak - Stage 2 - Response - Plugin
ET MALWARE Win32/Valak - Plugin Data Exfil ET MALWARE Observed Malicious SSL Cert (jssLoader CnC)
ET MALWARE Observed Malicious SSL Cert (Upatre CnC) ET MALWARE Observed Upatre CnC Domain in TLS SNI
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Observed Magecart CnC Domain in TLS SNI
ET MALWARE Malicious SSL Cert (Magecart) ET MALWARE Dark Nexus IoT Variant User-Agent (Outbound)
ET MALWARE Win32/ViSystem CnC Checkin ET MALWARE Arechclient2 Backdoor CnC Init
ET MALWARE Arechclient2 Backdoor CnC Checkin ET MALWARE Arechclient2 Backdoor CnC Keep-Alive
ET MALWARE Observed Buran Ransomware UA ET MALWARE Lampion CnC Activity
ET MALWARE Kimsuky Operation Blue Estimate CnC Activity ET MALWARE Legion Loader Activity Observed (carlos_castaneda)
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Observed Magecart CnC Domain in TLS SNI
ET MALWARE Malicious SSL Cert (Magecart) ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Observed Magecart CnC Domain in TLS SNI ET MALWARE Malicious SSL Cert (Magecart)
ET MALWARE DonotGroup CnC Domain Observed in DNS Query ET MALWARE Zeoticus Ransomware CnC Activity
ET MALWARE AstroBot CnC Activity ET MALWARE Mermaid Ransomware Variant CnC Activity M1
ET MALWARE Win32/Rarog Stealer CnC Checkin ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
ET MALWARE Magician/M461c14n Ransomware CnC Checkin ET MALWARE Legion Loader Activity Observed
ET MALWARE DonotGroup Staging Domain Observed in DNS Query ET MALWARE Win32/Filecoder.NZK Variant
ET MALWARE APT/TransparentTribe Style Request ET MALWARE APT/TransparentTribe CnC Checkin
ET MALWARE Win32/PSW.QQPass.OZV Variant Checkin ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain
ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain
ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain
ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain ET MALWARE [401TRG] PS/PowDesk Checkin (APT34)
ET MALWARE DonotGroup CnC Domain Observed in DNS Query ET MALWARE PowerTrick Task Request
ET MALWARE PowerTrick Task Checkin M1 ET MALWARE PowerTrick Task Checkin M2
ET MALWARE PowerTrick Task Answer ET MALWARE Satan/5ss5c Ransomware CnC Activity
ET MALWARE PowerTrick Known Key 1 ET MALWARE PowerTrick Known Key 2
ET MALWARE PowerTrick download ver1 bot ET MALWARE PowerTrick download ver2 bot
ET MALWARE PowerTrick download bot known key ET MALWARE Observed Possible PowerSploit/PowerView .ps1 Inbound
ET MALWARE Observed Certificate Containing Double Base64 Encoded Executable Inbound ET MALWARE PowerSploit/PowerView SMTP Data Exfil
ET MALWARE Observed Certificate Containing Possible Base64 Encoded Powershell Inbound ET MALWARE Win32/Emotet CnC Activity (POST) M7
ET MALWARE Observed Certificate Base64 Encoded Executable Inbound ET MALWARE SMS-Bomber Activity
ET MALWARE Win32/MillionLoader CnC Init Activity ET MALWARE Win32/MillionLoader CnC Activity (Outbound)
ET MALWARE Win32/MillionLoader CnC Activity (Inbound) ET MALWARE CrownAdPro CnC Activity M2
ET MALWARE CrownAdPro CnC Activity M3 ET MALWARE CrownAdPro CnC Activity M4
ET MALWARE CrownAdPro CnC Activity M5 ET MALWARE Group 21 CnC Domain Observed in DNS Query
ET MALWARE Nemty Ransomware CnC Checkin ET MALWARE Observed Nemty Ransomware Payment Page
ET MALWARE Nemty Ransomware Payment Page ID File Upload ET MALWARE MilkyBoy CnC Activity
ET MALWARE MilkyBoy CnC Data Exfil ET MALWARE Observed Malicious SSL Cert (AZORult CnC)
ET MALWARE Observed Malicious SSL Cert (AZORult CnC) ET MALWARE MageCart CnC Domain Observed in DNS Query
ET MALWARE Nexus Stealer CnC Data Exfil ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Observed Magecart CnC Domain in TLS SNI ET MALWARE Malicious SSL Cert (Magecart)
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Observed Magecart CnC Domain in TLS SNI
ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent ET MALWARE Malicious SSL Cert (Magecart)
ET MALWARE Observed Malicious SSL Cert (ELF/Rekoobe CnC) ET MALWARE ELF/Rekoobe CnC Observed in DNS Query
ET MALWARE Gamaredon CnC Observed in DNS Query ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)
ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)
ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)
ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) ET MALWARE ELF/Muhstik - IRC CnC Checkin
ET MALWARE Mermaid Ransomware Variant CnC Activity M2 ET MALWARE Mermaid Ransomware Variant CnC Activity M3
ET MALWARE Observed Unk.PowerShell Loader CnC Domain in TLS SNI ET MALWARE Possible Generic RAT over Telegram API
ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query
ET MALWARE Hisoka CnC Domain Observed in DNS Query ET MALWARE Mimikatz x86 Executable Transfer Over SMB
ET MALWARE Mimikatz x64 Executable Transfer Over SMB ET MALWARE Mimikatz x86 Mimidrv.sys File Transfer Over SMB
ET MALWARE Mimikatz x64 Mimidrv.sys File Transfer Over SMB ET MALWARE Mimikatz x86 Executable Download Over HTTP
ET MALWARE Mimikatz x64 Executable Download Over HTTP ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP
ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP ET MALWARE Amadey Stealer CnC - BotKiller Module Checkin
ET MALWARE Possible Winnti TLS Certificate Observed ET MALWARE Possible Winnti TLS Certificate Observed
ET MALWARE Possible Winnti TLS SNI Observed ET MALWARE Possible Winnti TLS SNI Observed
ET MALWARE Possible Winnti DNS Lookup ET MALWARE Possible Winnti DNS Lookup
ET MALWARE DonotGroup CnC Observed in DNS Query ET MALWARE CryptoPatronum Ransomware CnC Checkin
ET MALWARE Parallax CnC Activity M6 (set) ET MALWARE Parallax CnC Response Activity M6
ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile) ET MALWARE Win32/Emotet CnC Activity (POST) M8
ET MALWARE APT34 TONEDEAF 2.0 Requesting Commands from CnC ET MALWARE APT34 TONEDEAF 2.0 Uploading to CnC
ET MALWARE Possible APT34 TONEDEAF 2.0 User-Agent Observed ET MALWARE Observed Malicious SSL Cert (APT34 CnC)
ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)
ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)
ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)
ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC) ET MALWARE MINEBRIDGE/MINEDOOR CnC Checkin
ET MALWARE Malicious SSL Certificate detected (Patchwork CnC) ET MALWARE Patchwork Backdoor Checkin
ET MALWARE Patchwork Backdoor - Sending Task Results ET MALWARE Patchwork Backdoor - Requesting Task
ET MALWARE Emotet Wifi Bruter Module Checkin ET MALWARE Possible Satan Cryptor GeoIP Lookup
ET MALWARE Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09 ET MALWARE Win32/AZORult V3.2 Client Checkin M1
ET MALWARE Win32/AZORult V3.2 Client Checkin M2 ET MALWARE Win32/AZORult V3.2 Client Checkin M3
ET MALWARE Win32/AZORult V3.3 Client Checkin M1 ET MALWARE Win32/AZORult V3.3 Client Checkin M2
ET MALWARE Win32/AZORult V3.3 Client Checkin M3 ET MALWARE Mozart Loader CnC Checkin (getid)
ET MALWARE Mozart Loader Command Request (gettasks) ET MALWARE Mozart Loader Command Request (getupdates)
ET MALWARE Mozart Loader Command Request (reporttask) ET MALWARE Mozart Loader Command Request (reportupdates)
ET MALWARE APT40/Dadstache Related DNS Lookup ET MALWARE APT40/Dadstache Related DNS Lookup
ET MALWARE APT40/Dadstache Related DNS Lookup ET MALWARE APT40/Dadstache Related DNS Lookup
ET MALWARE APT40/Dadstache Related DNS Lookup ET MALWARE APT40/Dadstache Related DNS Lookup
ET MALWARE APT40/Dadstache Related DNS Lookup ET MALWARE APT40/Dadstache Related DNS Lookup
ET MALWARE Possible APT40/Dadstache Stage 2 Payload Beacon ET MALWARE DNS Query to MINEBRIDGE CnC Domain (123faster .top)
ET MALWARE DNS Query to MINEBRIDGE CnC Domain (conversia91 .top) ET MALWARE DNS Query to MINEBRIDGE CnC Domain (fatoftheland .top)
ET MALWARE DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top) ET MALWARE DNS Query to MINEBRIDGE CnC Domain (compilator333 .top)
ET MALWARE TA402/Molerats Pierogi Backdoor Activity ET MALWARE TA402/Molerats Pierogi CnC Response (Command)
ET MALWARE TA402/Molerats Pierogi CnC Response (Download) ET MALWARE TA402/Molerats Pierogi CnC Response (Screenshot)
ET MALWARE TA402/Molerats Pierogi CnC Activity (Upload) ET MALWARE Win32/AZORult V3.2 Client Checkin M4
ET MALWARE Win32/AZORult V3.2 Client Checkin M5 ET MALWARE Win32/AZORult V3.2 Client Checkin M6
ET MALWARE Win32/AZORult V3.3 Client Checkin M4 ET MALWARE Win32/AZORult V3.3 Client Checkin M5
ET MALWARE Win32/AZORult V3.3 Client Checkin M6 ET MALWARE Win32/AZORult V3.2 Client Checkin M7
ET MALWARE Win32/AZORult V3.2 Client Checkin M8 ET MALWARE Win32/AZORult V3.2 Client Checkin M9
ET MALWARE Win32/AZORult V3.3 Client Checkin M7 ET MALWARE Win32/AZORult V3.3 Client Checkin M8
ET MALWARE Win32/AZORult V3.3 Client Checkin M9 ET MALWARE POWERTON CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (FIN7/GRIFFON CnC) ET MALWARE Kimsuky Related CnC
ET MALWARE Possible Kimsuky Related Exfil ET MALWARE Possible Kimsuky Related Download
ET MALWARE Kimsuky Related CnC ET MALWARE Parallax RAT CnC Domain Observed in DNS Query
ET MALWARE Parallax CnC Activity M7 (set) ET MALWARE Parallax CnC Response Activity M7
ET MALWARE Win32/AZORult V3.2 Client Checkin M10 ET MALWARE Win32/AZORult V3.2 Client Checkin M11
ET MALWARE Win32/AZORult V3.2 Client Checkin M12 ET MALWARE Win32/AZORult V3.3 Client Checkin M10
ET MALWARE Win32/AZORult V3.3 Client Checkin M11 ET MALWARE Win32/AZORult V3.3 Client Checkin M12
ET MALWARE Win32/AZORult V3.2 Client Checkin M13 ET MALWARE Win32/AZORult V3.2 Client Checkin M14
ET MALWARE Win32/AZORult V3.2 Client Checkin M15 ET MALWARE Win32/AZORult V3.3 Client Checkin M13
ET MALWARE Win32/AZORult V3.3 Client Checkin M14 ET MALWARE Win32/AZORult V3.3 Client Checkin M15
ET MALWARE Observed Malicious SSL Cert (AgentTesla CnC) ET MALWARE Win32/Sarwent Variant CnC Activity
ET MALWARE ELF/Mirai User-Agent Observed (Outbound) ET MALWARE Win32/Sarwent Initial Checkin
ET MALWARE Win32/Sarwent Initial Checkin CnC Response ET MALWARE Netwire RAT Check-in (set)
ET MALWARE Possible NK APT SLICKSHOES Host Checkin ET MALWARE Win32/AZORult V3.2 Client Checkin M16
ET MALWARE Win32/AZORult V3.2 Client Checkin M17 ET MALWARE Win32/AZORult V3.2 Client Checkin M18
ET MALWARE Win32/AZORult V3.3 Client Checkin M16 ET MALWARE Win32/AZORult V3.3 Client Checkin M17
ET MALWARE Win32/AZORult V3.3 Client Checkin M18 ET MALWARE Win32/AZORult V3.2 Client Checkin M19
ET MALWARE Win32/AZORult V3.2 Client Checkin M20 ET MALWARE Win32/AZORult V3.2 Client Checkin M21
ET MALWARE Win32/AZORult V3.3 Client Checkin M19 ET MALWARE Win32/AZORult V3.3 Client Checkin M20
ET MALWARE Win32/AZORult V3.3 Client Checkin M21 ET MALWARE Malicious SSL Certificate detected (Cobalt Strike CnC)
ET MALWARE Spark Backdoor CnC Domain Query ET MALWARE Possible Charming Kitten Backdoor Checkin
ET MALWARE Possible Charming Kitten Backdoor CnC Activity ET MALWARE Mermaid Ransomware Variant CnC Activity M4
ET MALWARE PHPs Labyrinth Backdoor Stage2 CnC Activity M1 ET MALWARE PHPs Labyrinth Backdoor Stage2 CnC Activity M2
ET MALWARE PHPs Labyrinth Backdoor Stage1 CnC Activity ET MALWARE Suspected Gamaredon Downloader Activity
ET MALWARE Observed Malicious SSL Cert (MageCart CnC) ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 12) ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 12) ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)
ET MALWARE Observed Malicious SSL Cert (MageCart Group 12) ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)
ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI
ET MALWARE Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC) ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query
ET MALWARE Observed Malicious SSL Cert (MageCart Group 12) ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21)
ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 2) ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 3)
ET MALWARE Observed Malicious SSL Cert (Get2 CnC) ET MALWARE ObliqueRAT CnC Heartbeat Packet
ET MALWARE ObliqueRAT CnC Checkin ET MALWARE Observed Adwind RAT CnC DNS Query
ET MALWARE Observed Adwind RAT CnC DNS Query ET MALWARE Observed Adwind RAT CnC DNS Query
ET MALWARE Observed Malicious SSL Cert (Get2 CnC) ET MALWARE JS/Ostap Maldoc Check-in
ET MALWARE Legion Loader Activity Observed (heil_satan) ET MALWARE GoLang Discord Token Grabber Exfil
ET MALWARE Observed Ursnif Domain in TLS SNI ET MALWARE Observed Ursnif Domain in TLS SNI
ET MALWARE Win32/Qbot/Quakbot Downloader - Requesting Secondary Download ET MALWARE Baraka Ransomware CnC activity email SMTP
ET MALWARE MalDoc Retrieving Possible Ostap Payload ET MALWARE Observed Malicious SSL Cert (Get2 CnC)
ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC) ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)
ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC) ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query
ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query ET MALWARE Observed GoBotKR Domain in TLS SNI
ET MALWARE Observed GoBotKR Domain in TLS SNI ET MALWARE Observed GoBotKR Domain in TLS SNI
ET MALWARE Observed GoBotKR Domain in TLS SNI ET MALWARE Observed GoBotKR Domain in TLS SNI
ET MALWARE Observed Magecart Domain (webscriptly .com in TLS SNI) ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (Get2 CnC) ET MALWARE CROSSWALK CnC Checkin
ET MALWARE Observed Malicious SSL Cert (MageCart) ET MALWARE Observed Malicious SSL Cert (MageCart)
ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded ET MALWARE Kimsuky Related Host Data Exfil
ET MALWARE Polaris Botnet User-Agent (Outbound) ET MALWARE Magniber Ransomware Retrieving Instructions
ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup
ET MALWARE Kimsuky Related Host Data Exfil ET MALWARE Backdoor.Win32.Agent.myttae User-Agent
ET MALWARE Legion Loader Activity Observed (heil_moloch) ET MALWARE Kimsuky Related Host Data Exfil
ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query ET MALWARE Win32/LODEINFO CnC Checkin
ET MALWARE Inbound MonetizeUs/LNKR Struct ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)
ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR) ET MALWARE Observed Malicious SSL Cert (MalDoc 2020-03-09)
ET MALWARE Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup ET MALWARE Observed JS/Skimmer (likely Magecart) Domain in TLS SNI (imprintcenter .com)
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE MSIL/Firebird RAT CnC Checkin ET MALWARE MalDoc Retrieving msiexec Commands via DNS TXT
ET MALWARE ViperSoftX CnC Activity M1 ET MALWARE ViperSoftX CnC Activity M2
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)
ET MALWARE Observed Malicious SSL Cert (ServHelper CnC) ET MALWARE PXJ Ransomware CnC Activity
ET MALWARE Suspected SandCat Related Communication (POST) ET MALWARE VBS/TrojanDownloader.Agent.SEB Checkin
ET MALWARE VBS/TrojanDownloader.Agent.SEB Reporting Network Info ET MALWARE VBS/TrojanDownloader.Agent.SEB Keep-Alive
ET MALWARE Observed DNS Query to Vicious Panda CnC Domain ET MALWARE Observed DNS Query to Vicious Panda CnC Domain
ET MALWARE Observed DNS Query to Vicious Panda CnC Domain ET MALWARE Observed DNS Query to Vicious Panda CnC Domain
ET MALWARE Observed DNS Query to Vicious Panda CnC Domain ET MALWARE Observed DNS Query to Vicious Panda CnC Domain
ET MALWARE HTTPTool User-Agent ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)
ET MALWARE Higaisa CnC Activity ET MALWARE Win32/Unk.Joia CnC Activity
ET MALWARE Observed Malicious SSL Cert (Win32/SandCat CnC) ET MALWARE Win32/SandCat CnC Checkin
ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response ET MALWARE Polaris Botnet User-Agent (Outbound)
ET MALWARE MZRevenge Ransomware CnC ET MALWARE Observed Malicious SSL Cert (Get2 CnC)
ET MALWARE Observed Malicious SSL Cert (Get2 CnC) ET MALWARE Observed Malicious SSL Cert (Get2 CnC)
ET MALWARE Observed Malicious SSL Cert (Get2 CnC) ET MALWARE MSIL/Modi RAT CnC Command Inbound (info)
ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw) ET MALWARE MSIL/Modi RAT CnC Checkin (DesktopPreview)
ET MALWARE MSIL/Modi RAT CnC Command Inbound (plugin) ET MALWARE Possible APT28 Phishing Domain in DNS Query
ET MALWARE Possible APT28 Phishing Domain in DNS Query ET MALWARE Possible APT28 Phishing Domain in DNS Query
ET MALWARE Possible APT28 Phishing Domain in DNS Query ET MALWARE Possible APT28 Phishing Domain in DNS Query
ET MALWARE Possible APT28 Phishing Domain in DNS Query ET MALWARE Possible APT28 Phishing Domain in DNS Query
ET MALWARE Possible APT28 Phishing Domain in DNS Query ET MALWARE Possible APT28 Phishing Domain in DNS Query
ET MALWARE CoreDDRAT Initial Checkin ET MALWARE CoreDDRAT CnC Activity
ET MALWARE CoreDDRAT KeepAlive Message ET MALWARE CoreDDRAT Screenshot Exfil
ET MALWARE Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI) ET MALWARE Sekhmet Ransomware CnC Activity
ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC) ET MALWARE Win32/RaaLoader CnC Activity
ET MALWARE Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI ET MALWARE MSIL/n2019cov (COVID-19) Ransomware CnC Checkin
ET MALWARE Win32/Milum CnC ET MALWARE Cobalt Strike Malleable C2 (Havex APT)
ET MALWARE Cobalt Strike Malleable C2 (Magnitude EK) ET MALWARE Cobalt Strike Malleable C2 (Meterpreter)
ET MALWARE Cobalt Strike Malleable C2 (OneDrive) ET MALWARE Cobalt Strike Malleable C2 (Adobe RTMP)
ET MALWARE Observed Glupteba CnC Domain in TLS SNI ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE Observed DNS Query to Stitch C2 Domain
ET MALWARE Observed DNS Query to Stitch C2 Domain ET MALWARE Buer Loader Update Request
ET MALWARE Win32/Tofsee Covid19 Spam Template 1 Active - Outbound Email Spam ET MALWARE Mirai Variant User-Agent (Outbound)
ET MALWARE Win32/Tofsee Unique Email Body Byte Sequence Observed ET MALWARE Win32/Tofsee Malformed Spam Template String
ET MALWARE Linux/Agent.HX CnC Activity (set) ET MALWARE Linux/Agent.HX CnC Activity M1
ET MALWARE Linux/Agent.HX CnC Activity M2 ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE Suspected Stitch Variant Backdoor CnC
ET MALWARE Suspected CHAOS CnC Inbound (download command) ET MALWARE Suspected CHAOS CnC Inbound (upload command)
ET MALWARE Suspected CHAOS CnC Inbound (screenshot command) ET MALWARE Suspected CHAOS CnC Inbound (keylogger start)
ET MALWARE Suspected CHAOS CnC Inbound (persistence enable) ET MALWARE Suspected CHAOS CnC Inbound (getos)
ET MALWARE Suspected CHAOS CnC Inbound (openurl) ET MALWARE FTCode Stealer Init Activity
ET MALWARE FTCode Stealer CnC Activity ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE Malicious VBE Script (COVID-19 Phish 2020-04-03) ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin
ET MALWARE Parallax CnC Activity M8 (set) ET MALWARE Parallax CnC Response Activity M8
ET MALWARE Sarwent CnC Response (cmd_exec) ET MALWARE Sarwent CnC Response (powershell_exec)
ET MALWARE Sarwent CnC Response (rdp_exec) ET MALWARE Sarwent CnC Response (update_exec)
ET MALWARE Sarwent CnC Response (download_exec) ET MALWARE Sarwent CnC Command (update)
ET MALWARE Sarwent CnC Command (download) ET MALWARE Sarwent CnC Command (powershell)
ET MALWARE Sarwent CnC Command (rdp) ET MALWARE Observed Sidewinder APT User-Agent
ET MALWARE KPOT Stealer Initial CnC Activity M4 ET MALWARE Sorano Stealer CnC Checkin
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET MALWARE ELF Linux/Dnsamp.AB Variant CnC
ET MALWARE Win32/RocketX Stealer CnC Exfil ET MALWARE Lemon_Duck Powershell CnC Checkin M2
ET MALWARE Possible Kimsuky APT Connectivity Check via Document ET MALWARE Observed Malicious SSL Cert (MSIL/Agent.TRM CnC)
ET MALWARE MSIL/Agent.TRM Checkin Response ET MALWARE MSIL/Agent.TRM Task Command
ET MALWARE MSIL/Agent.TRM Data Exfil (sysinfo) ET MALWARE Possible DACLS RAT CnC (Log Check)
ET MALWARE Possible DACLS RAT CnC (Log Server Reporting) ET MALWARE Possible DACLS RAT Log Collector Download
ET MALWARE DCRat Initial CnC Activity ET MALWARE Win32/Agent.AAIB Variant CnC
ET MALWARE DDG Botnet CnC Job Request ET MALWARE DDG Botnet CnC Slave POST
ET MALWARE DDG Botnet Miner Download ET MALWARE DCRat CnC Activity
ET MALWARE Observed DNS Query to Redkeeper Ransomware Domain ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com
ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC) ET MALWARE ELF/Mirai Variant CnC Activity
ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC) ET MALWARE Observed Malicious SSL Cert (FIN7/JSSLoader CnC)
ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC) ET MALWARE Win32/CONFUCIUS_B CnC Checkin
ET MALWARE Win32/CONFUCIUS_B External IP Check to CnC M2 ET MALWARE Observed Malicious SSL Cert (CONFUCIOUS_B CnC)
ET MALWARE AgentTesla Exfil via FTP ET MALWARE AgentTesla HTML System Info Report Exfil via FTP
ET MALWARE 401TRG SMB Create AndX Request For Emotet Spreader ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE Various Ransomware/Stealer Style External IP Address Check (myip .ch) ET MALWARE Targeted Activity - CnC Domain in SNI
ET MALWARE Observed PoetRAT Domain (dellgenius .hoptop .org in TLS SNI) ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)
ET MALWARE Cobalt Strike Malleable C2 (Custom) ET MALWARE Cobalt Strike Malleable C2 (Custom)
ET MALWARE MalDoc Requesting Payload 2020-04-21 ET MALWARE JS Skimmer Domain in DNS Lookup
ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling ET MALWARE JS Skimmer Domain in DNS Lookup
ET MALWARE NanoCore RAT CnC 27 ET MALWARE METALJACK APT32 CnC Host Checkin
ET MALWARE METALJACK APT32 DNS Lookup (m.topiccore.com) ET MALWARE METALJACK APT32 DNS Lookup (jcdn.jsoid.com)
ET MALWARE METALJACK APT32 DNS Lookup (libjs.inquirerjs.com) ET MALWARE METALJACK APT32 DNS Lookup (vitlescaux.com)
ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK) ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)
ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK) ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)
ET MALWARE Parallax CnC Activity M9 (set) ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)
ET MALWARE Observed Malicious SSL Cert (Gozi ISFB) ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)
ET MALWARE ASNAROK Related Domain in DNS Lookup ET MALWARE ASNAROK Related Domain in TLS SNI
ET MALWARE ASNAROK CnC Domain in DNS Lookup ET MALWARE ASNAROK Domain in TLS SNI
ET MALWARE AntSword Webshell User-Agent Observed ET MALWARE DonotGroup CnC Domain in DNS Query
ET MALWARE Parallax CnC Response Activity M9 ET MALWARE BAZAR CnC Domain in DNS Lookup
ET MALWARE BAZAR CnC Domain in DNS Lookup ET MALWARE BAZAR CnC Domain in DNS Lookup
ET MALWARE BAZAR CnC Domain in DNS Lookup ET MALWARE BAZAR CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (W32/TrojanDownloader.Agent.FBF Variant CnC) ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE IcedID CnC Domain in SNI ET MALWARE IcedID CnC Domain in SNI
ET MALWARE Win32/IcedID Requesting Encoded Binary M4 ET MALWARE Win32/Kryptik.HCZR Variant Initial Checkin
ET MALWARE NAZAR EYService Pong response ET MALWARE NAZAR EYService OSInfo response
ET MALWARE NAZAR EYService File exfiltrate response ET MALWARE MINEBRIDGE CnC Request
ET MALWARE MINEBRIDGE CnC Response ET MALWARE Rhabdo CnC Activity M1
ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution ET MALWARE Rhabdo CnC Activity M2
ET MALWARE IXWARE Stealer Domain in DNS Lookup ET MALWARE IXWARE Stealer Domain in DNS Lookup
ET MALWARE WEBMONITOR RAT CnC Domain in DNS Lookup (dabmaster.wm01 .to) ET MALWARE IXWARE Stealer CnC Activity
ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-05-05) ET MALWARE Nazar Implant - Sending Ping Response to CnC
ET MALWARE Nazar Implant - Sending Basic System Info to CnC ET MALWARE nspps Backdoor CnC Activity
ET MALWARE nspps Backdoor - Sending SOCKS Details ET MALWARE nspps Backdoor - Task Response
ET MALWARE Observed Default CobaltStrike SSL Certificate ET MALWARE Observed Cobalt Strike Stager Domain in DNS Query
ET MALWARE JsOutProx Variant CnC Activity ET MALWARE Ragnarok Ransomware CnC Activity M1
ET MALWARE Ragnarok Ransomware CnC Activity M2 ET MALWARE EVILNUM CnC Response
ET MALWARE D-Link ShareCenter (DNS-320/325) RCE (Outbound) ET MALWARE Zebrocy Screenshot Upload
ET MALWARE W32/Agent.XXZBEN Downloader Activity ET MALWARE EVILNUM CnC Connectivity Check
ET MALWARE EVILNUM CnC Host Checkin ET MALWARE MAZE Ransomware Payment Domain in DNS Lookup
ET MALWARE MAZE Ransomware Payment Domain DNS Lookup ET MALWARE Unk.VBSLoader Retrieving Payload
ET MALWARE MSIL/Modi RAT CnC Command Outbound (aw) ET MALWARE MSIL/Modi RAT CnC Command Inbound (in)
ET MALWARE MSIL/Modi RAT CnC Command Outbound (ds) ET MALWARE MSIL/Modi RAT CnC Screenshot Outbound
ET MALWARE M3RAT CnC Checkin Outbound ET MALWARE Unk.VBSLoader Retrieving Payload
ET MALWARE PowerShell Downloader CnC Activity ET MALWARE MASSLOGGER Client Data Exfil (POST)
ET MALWARE Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query ET MALWARE Hakbit/Thanos Ransomware Exfil via FTP
ET MALWARE Possible Win32/Qbot/Quakbot Checkin via HTTP GET ET MALWARE Taurus Stealer CnC Host Checkin
ET MALWARE Taurus Stealer CnC Exfil ET MALWARE AutoHotkey Downloader Checkin via IPLogger
ET MALWARE GandCrab Style External IP Check (Spoofed Yahoo Host) ET MALWARE BACKCONFIG CnC Downloader Activity
ET MALWARE Suspected USBFERRY CnC ET MALWARE AgentTesla Exfil Via SMTP
ET MALWARE Win32/Ramsay CnC Checkin ET MALWARE Win32/Ramsay CnC Domain in DNS Query
ET MALWARE Observed Win32/DecryptStealer Exfil Domain (geroipanel .site in TLS SNI) ET MALWARE Win32/Ramsay CnC Domain in DNS Query
ET MALWARE Parallax CnC Activity M10 (set) ET MALWARE Parallax CnC Response Activity M10
ET MALWARE BigLock Ransomware CnC Activity (info) ET MALWARE BigLock Ransomware CnC Activity (gen)
ET MALWARE BigLock Ransomware CnC Activity (id) ET MALWARE BigLock Ransomware CnC Activity (ext)
ET MALWARE BigLock Ransomware CnC Activity (name) ET MALWARE NORTHSTAR Client CnC Checkin
ET MALWARE NORTHSTAR Client Data POST ET MALWARE NORTHSTAR Interactive Client CnC
ET MALWARE NORTHSTAR Command Sent to Client ET MALWARE NORTHSTAR Command Response
ET MALWARE eleethub botnet CnC Domain in DNS Lookup (irc.eleethub .com) ET MALWARE Observed JS/Magecart Domain in TLS SNI (manag .icu)
ET MALWARE eleethub botnet CnC Domain in DNS Lookup (ghost.eleethub .com) ET MALWARE eleethub .com Domain in DNS Lookup (eleethub .com)
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE SystemdMiner CnC Activity
ET MALWARE BF Botnet CnC Checkin ET MALWARE Suspected APT15/NICKEL KETRUM CnC Activity (GET)
ET MALWARE Observed MAZE Ransomware CnC Domain (checksoffice .me in TLS SNI) ET MALWARE Observed MAZE Ransomware CnC Domain (plaintsotherest .net in TLS SNI)
ET MALWARE Observed MAZE Ransomware CnC Domain (thesawmeinrew .net in TLS SNI) ET MALWARE Konni Stage 2 Payload Exfiltrating Data
ET MALWARE Possible Konni Encrypted Stage 2 Payload Inbound via HTTP ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-05-27)
ET MALWARE Socelars Stealer CnC Activity ET MALWARE COMRAT CnC
ET MALWARE Backdoor.Elise Style IP Check M2 ET MALWARE OSX/SHLAYER CnC Checkin
ET MALWARE Gamaredon Style MalDoc .dot Download on freedynamicdns .org ET MALWARE Higasia CnC Activity
ET MALWARE Observed OSX/NukeSped Variant CnC Domain (fudcitydelivers .com) in TLS SNI ET MALWARE Observed OSX/NukeSped Variant CnC Domain (sctemarkets .com) in TLS SNI
ET MALWARE TURLA NETFLASH CnC ET MALWARE ELF/Kinsing Payload Request M1
ET MALWARE Observed DNS Query to known Avaddon Ransomware Payment Domain ET MALWARE ELF/Kinsing Payload Request M2
ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Blaze/Supreme Bot Activity ET MALWARE Blaze/Supreme Bot Activity M2
ET MALWARE Observed Malicious SSL Cert (OZH Rat) ET MALWARE Higaisa CnC (ipconfig)
ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain) ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)
ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain) ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE FRat WebSocket Request M1
ET MALWARE Win32/LODEINFO v0.3.6 CnC Checkin ET MALWARE Win32/LODEINFO v0.3.5 CnC Checkin
ET MALWARE Downloader Retrieving Malicious Powershell in DNS Response ET MALWARE Echelon/Mist Stealer CnC Activity
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC) ET MALWARE DonotGroup Staging Domain in DNS Query
ET MALWARE DonotGroup Staging Domain in DNS Query ET MALWARE DonotGroup Staging Domain in DNS Query
ET MALWARE Request for Malicious .dat File ET MALWARE Observed Koadic Header Structure
ET MALWARE Observed Malicious SSL Cert (OceanLotus APT CnC) ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) POST
ET MALWARE FRat WebSockets Request M2 ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) GET
ET MALWARE Observed Malicious SSL Cert (Cobalt Strike Malleable C2 Domain) ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-06-18)
ET MALWARE SSL/TLS Certificate Observed (DiplomatLoader) ET MALWARE Possible DNS Tunneling Observed
ET MALWARE Operation Interception Beacon ET MALWARE Win32/Ispen BADNEWS CnC Beacon
ET MALWARE STRRAT CnC Checkin ET MALWARE STRRAT Initial HTTP Activity
ET MALWARE STRRAT Requesting License Check ET MALWARE Win32/Ispen BADNEWS Fake User-Agent
ET MALWARE Win32/Adware.Agent.NSU CnC Activity ET MALWARE HTTPCore CnC Task Request
ET MALWARE HTTPCore CnC Task Response ET MALWARE HTTPCore CnC Tasking File
ET MALWARE CollectorStealer CnC Exfil ET MALWARE VikroStealer CnC Exfil

208 of 382 2024-03-01, 14:05


ET MALWARE VikroStealer Retrieving Config ET MALWARE Observed VikroStealer CnC Domain in TLS SNI
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE Operation Interception Payload CnC Checkin ET MALWARE Patchwork Staging Domain in DNS Query
ET MALWARE Observed VikroStealer CnC Domain in TLS SNI ET MALWARE SluttyPutty isDebuggerPresent in Fake Putty Executable
ET MALWARE HiveRAT CnC Activity M1 ET MALWARE Jupyter Stealer Reporting System Information
ET MALWARE GoldenSpy CnC Activity ET MALWARE Rovnix CnC Domain in DNS Query
ET MALWARE GoldenSpy CnC Activity ET MALWARE RHttpCtrl Backdoor CnC
ET MALWARE RCtrl Backdoor CnC Checkin M2 ET MALWARE Possible IndigoDrop/Cobalt Strike Download
ET MALWARE RCtrl Backdoor CnC Checkin M1 ET MALWARE RezoStealer CnC Checkin
ET MALWARE LumOffice Checkin ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)
ET MALWARE Trojan/MSIL.DOTHETUK CnC Activity ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Observed StrongPity CnC Domain in TLS SNI ET MALWARE Observed StrongPity CnC Domain in TLS SNI
ET MALWARE Suspected Glupteba Download ET MALWARE Suspected Glupteba Download
ET MALWARE Glupteba CnC Checkin ET MALWARE Evil Google Drive Download
ET MALWARE AlinaPOS Exfiltration via DNS ET MALWARE AlinaPOS Exfiltration via DNS
ET MALWARE AlinaPOS Exfiltration via DNS ET MALWARE AlinaPOS Exfiltration via DNS
ET MALWARE AlinaPOS Exfiltration via DNS ET MALWARE Lucifer CnC Checkin
ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC) ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC) ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC) ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC) ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC) ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE Observed Malicious SSL Cert (Zeromax Stealer CnC)
ET MALWARE Observed Malicious SSL Cert (TaurusStealer CnC) ET MALWARE Observed TaurusStealer CnC Domain in TLS SNI
ET MALWARE SuperKillerX Checkin Activity ET MALWARE SuperKillerX CnC Activity
ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cddn .site) ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cxizi .net)
ET MALWARE Magecart/Skimmer Domain in DNS Lookup (yzxi .net) ET MALWARE Hakbit/Thanos Ransomware BMP Download
ET MALWARE Observed Malicious SSL Cert (Zloader CnC) ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response
ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)
ET MALWARE FRAT Downloader Activity ET MALWARE FRAT Downloader Error Report POST
ET MALWARE ELF/BASHLITE vbot Variant CnC ET MALWARE Win32/DTStealer CnC Activity
ET MALWARE Supercharge Component Download (ps1) ET MALWARE Supercharge Component Download (exe)
ET MALWARE EvilNum CnC Checkin ET MALWARE EvilNum CnC Checkin Response
ET MALWARE EvilNum CnC Client Data Exfil ET MALWARE EvilNum CnC Client Data Exfil
ET MALWARE EvilNum CnC Client Data Exfil ET MALWARE EvilNum CnC Error Report
ET MALWARE APT29/WellMess CnC Activity ET MALWARE MASSLOGGER Client Data Exfil (POST) M2
ET MALWARE BYOB - Python Backdoor Stager Download ET MALWARE BYOB - Python Backdoor Loader Download
ET MALWARE NEWPASS CnC Client Checkin ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound) ET MALWARE Win32/PSW.Agent.OIN CnC Activity
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Win32/Fujacks Variant CnC Activity ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE IP Grabber CnC Activity ET MALWARE JS/Ostap CnC Activity
ET MALWARE Observed Malicious SSL Cert (JS/Ostap CnC) ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-07-29)


ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-07-30) ET MALWARE ThiefQuest CnC Domain in DNS Lookup
ET MALWARE Observed Lazarus APT MalDoc DL Domain in TLS SNI ET MALWARE Win32/PurpleWave Stealer Requesting Config
ET MALWARE Win32/PurpleWave Stealer CnC Exfil ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Matiex Keylogger Exfil Via Telegram ET MALWARE OILRIG CnC POST
ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cloud-sources .com) ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)
ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cdn-filestorm .com) ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.cnaweb.mrslove .com)
ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.infonew.dubya .net) ET MALWARE Observed Malicious SSL Cert (Get2 CnC)
ET MALWARE YAHOOYLO Stealer CnC Exfil ET MALWARE Unknown AutoIt Bot - Initial Server Response
ET MALWARE Suspected APT32/Oceanlotus Maldoc CnC ET MALWARE IcedID Observed Domain (loadfreeman .casa in TLS SNI)
ET MALWARE Observed IcedID Domain (deactivate .best in TLS SNI) ET MALWARE Observed IcedID Domain (deactivate .pw in TLS SNI)
ET MALWARE Observed IcedID Domain (80frontluzkher .xyz in TLS SNI) ET MALWARE Observed IcedID Domain (bruzilovv .top in TLS SNI)
ET MALWARE Observed IcedID Domain (ldrtoyota .casa in TLS SNI) ET MALWARE AutoHotKey offthewall Downloader Requesting Payload
ET MALWARE Suspected Lockscreen Ransomware Activity ET MALWARE Observed DCRat CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain (nothingtodo .co in TLS SNI) ET MALWARE APT Mustang Panda CnC Activity
ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE Win32/Tofsee Pharma Spam Template Active - Outbound Email Spam ET MALWARE Observed Malicious SSL Cert (More_eggs CnC)
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE Win32/TrojanDownloader.Agent.FC CnC Activity
ET MALWARE Ave Maria RAT CnC Domain in DNS Lookup (uknwn.linkpc .net) ET MALWARE Qudox CnC Actiivty
ET MALWARE Drovorub cloud.auth Module Server Response ET MALWARE Drovorub file Module Server Response
ET MALWARE Drovorub monitor Module Server Response ET MALWARE Drovorub shell Module Server Response
ET MALWARE Drovorub tunnel Module Server Response ET MALWARE Echelon/DarkStealer Variant CnC Exfil
ET MALWARE Suspected REDCURL CnC Activity M2 ET MALWARE Possible KONNI URI Path Observed
ET MALWARE Possible KONNI CnC Activity ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE Suspected REDCURL CnC Activity M1 ET MALWARE Trickbot/Anchor ICMP Request
ET MALWARE Echelon/DarkStealer Variant CnC Exfil M2 ET MALWARE Observed Malicious SSL Cert (GRIFFON CnC)
ET MALWARE GORGON APT Download Activity ET MALWARE GORGON APT Download Activity M2
ET MALWARE Mekotio HTTP Method (111SA) ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)
ET MALWARE Observed APT/SideWinder CnC Domain in TLS SNI ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
ET MALWARE DeathStalker/Janicab CnC Checkin ET MALWARE DeathStalker/Powersing CnC Checkin
ET MALWARE Win32/Agent.ACBD CnC Activity ET MALWARE Suspected Zebrocy Downloader Traffic
ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC) ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query


ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Phorpiex CnC Domain in DNS Query ET MALWARE Phorpiex CnC Domain in DNS Query
ET MALWARE Observed Get2 CnC Domain in TLS SNI ET MALWARE Observed Get2 CnC Domain in TLS SNI
ET MALWARE W32/Downloader_x.EJK!tr CnC Activity ET MALWARE Grandoreiro Downloader Activity
ET MALWARE GoldenSpy Domain Observed ET MALWARE Babax Stealer Exfil via Telegram
ET MALWARE Win32/AgentTesla Variant Exfil via Telegram ET MALWARE Grandoreiro CnC Activity (vbs)
ET MALWARE Grandoreiro CnC Activity (iso) ET MALWARE MassLogger Client Data Exfil SMTP
ET MALWARE MSIL/CoinMiner Performing System Checkin ET MALWARE C3Pool CoinMiner Setup Script Download
ET MALWARE Upatre User-Agent ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)
ET MALWARE Zyklon CnC Activity ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Lemon_Duck Linux Shell Script CnC Activity ET MALWARE Lemon_Duck CnC Activity
ET MALWARE Observed MageCart CnC Domain in TLS SNI ET MALWARE TURLA APT CnC Activity
ET MALWARE Win32/TaskPerformer Downloader CnC Activity ET MALWARE MSIL/Juliens Botnet CnC Activity M1
ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC) ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)
ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC) ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)
ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC) ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)
ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC) ET MALWARE APT29/Wellness CnC Host Checkin
ET MALWARE Win32/Spy.Agent.PZE Variant CnC Activity ET MALWARE Observed Reimageplus Ransomware Domain in TLS SNI
ET MALWARE Reimageplus Ransomware Checkin ET MALWARE Win32/Valak Variant CnC
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC) ET MALWARE Win32/Emotet CnC Activity (POST) M10
ET MALWARE Observed CoinMiner CnC Domain (enoyq5xy70oq .x .pipedream .net in TLS SNI) ET MALWARE Observed GoLang Dropper Domain (en7dftkjiipor .x .pipedream .net in TLS SNI)
ET MALWARE Observed CoinMiner CnC Domain (endpsbn1u6m8f .x .pipedream .net in TLS SNI) ET MALWARE Observed CoinMiner CnC Domain (en24zuggh3ywlj .x .pipedream .net in TLS SNI)
ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil M1 ET MALWARE DNSBin Demo (requestbin .net) - Data Inbound
ET MALWARE Observed MassLogger Domain in TLS SNI (ecigroup-tw .com) ET MALWARE MassLogger Client Exfil (POST) M3
ET MALWARE Observed MageCart CnC Domain (mcdnn .me in TLS SNI) ET MALWARE Observed MageCart CnC Domain (mcdnn .net in TLS SNI)
ET MALWARE Observed Magecart Exfil Domain (imags .pw in TLS SNI) ET MALWARE MageCart JS Retrieval
ET MALWARE MageCart Exfil URI ET MALWARE MSIL/Kryptik.XSY Data Exfil via SMTP
ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup
ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup ET MALWARE Unicorn Stealer Activity (POST)
ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M1 ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)
ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M2 ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)
ET MALWARE Observed Malicious SSL Cert (Moist Stealer CnC) ET MALWARE Moist Stealer CnC Exfil
ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC) ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)
ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC) ET MALWARE Win32/Sehyioa Variant Activity (POST)
ET MALWARE Win32/Sehyioa Variant Activity (Download) ET MALWARE Exorcist 2.0 Ransomware CnC Activity
ET MALWARE PS/SunCrypt Ransomware CnC Activity ET MALWARE Win32/Predator Variant Dropper Activity
ET MALWARE ELF/Mirai Variant User-Agent (Outbound) ET MALWARE FinSpy Related WinRAR Activity
ET MALWARE FinSpy Related Flash Installer Activity ET MALWARE APT39/Chafer Payload - CnC Checkin M1
ET MALWARE APT39/Chafer Payload - CnC Checkin M2 ET MALWARE Trojan.Win32.Codenox.gyezu CnC Activity
ET MALWARE Mozi Botnet DHT Config Sent ET MALWARE Vicious Panda Checkin
ET MALWARE Observed Malicious SSL Cert (CoreDn/BLINDINGCAN Activity) ET MALWARE Vicious Panda CnC Activity
ET MALWARE Ttint XORed CnC Checkin ET MALWARE Observed Ttint CnC Domain in DNS Query
ET MALWARE Observed Ttint CnC Domain in DNS Query ET MALWARE Observed Ttint CnC Domain in DNS Query
ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI) ET MALWARE Observed Ttint Update CnC Domain in DNS Query
ET MALWARE Observed BLINDINGCAN Domain (www .automercado .co .cr in TLS SNI) ET MALWARE Observed BLINDINGCAN Domain (www .ne-ba .org in TLS SNI)
ET MALWARE BUILDINGCAN CnC Activity ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)
ET MALWARE TA428 Tmanger Checkin ET MALWARE TA428 Infostealer CnC Host Checkin
ET MALWARE XDMonitor Sending Debug Messages ET MALWARE XDUpload Uploading Directory Listting
ET MALWARE XDUpload Uploading Files ET MALWARE XDUpload Sending File Upload Progress
ET MALWARE XDUpload Sending Screenshot Upload Progress ET MALWARE XDMonitor Checkin Activity
ET MALWARE Observed FinSpy Domain (browserupdate .download in TLS SNI) ET MALWARE SLOTHFULMEDIA RAT CnC (POST)


ET MALWARE Observed Malicious SSL Cert (MosaicRegressor WinHTTP Downloader) ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer) ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)
ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer) ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)
ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer) ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)
ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer) ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)
ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer) ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)
ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer) ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)
ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer) ET MALWARE Fullz House Credit Card Skimmer Data Exfil
ET MALWARE Fullz House Credit Card Skimmer JavaScript Inbound ET MALWARE Observed Malicious SSL Cert (Strongpity CnC)
ET MALWARE Aerial Keylogger DNS Request ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)
ET MALWARE Observed PoetRAT Domain (slimip .accesscam .org in TLS SNI) ET MALWARE Tonto_SPM Backdoor CnC Activity
ET MALWARE MontysThree HTTPTransport Module Activity ET MALWARE ELF/Mirai Variant User-Agent (Outbound)
ET MALWARE PowerGhost Staging CnC in DNS Query ET MALWARE PowerGhost Checkin CnC in DNS Query
ET MALWARE PoetRAT Upload via HTTP ET MALWARE PoetRAT CnC Domain in DNS Lookup
ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php ET MALWARE StormKitty Data Exfil via Telegram
ET MALWARE StormKitty Exfil via AnonFiles ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE Observed IcedID CnC Domain in TLS SNI ET MALWARE Observed IcedID CnC Domain in TLS SNI
ET MALWARE GravityRAT CnC Domain (bollywoods .co .in in DNS Lookup) ET MALWARE GravityRAT CnC Domain (chat2hire .net in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (chuki .mozillaupdates .us in DNS Lookup) ET MALWARE GravityRAT CnC Domain (click2chat .org in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (daily .windowsupdates .eu in DNS Lookup) ET MALWARE GravityRAT CnC Domain (cvstyler .co .in in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (dailybuild .mozillaupdates .com in DNS Lookup) ET MALWARE GravityRAT CnC Domain (enigma .net .in in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (gyzu .mozillaupdates .us in DNS Lookup) ET MALWARE GravityRAT CnC Domain (gozap .co .in in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (melodymate .co .in in DNS Lookup) ET MALWARE GravityRAT CnC Domain (nortonupdates .online in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (nightly .windowsupdates .eu in DNS Lookup) ET MALWARE GravityRAT CnC Domain (nightlybuild .mozillaupdates .com in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (orangevault .net in DNS Lookup) ET MALWARE GravityRAT CnC Domain (sake .mozillaupdates .us in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (savitabhabi .co .in in DNS Lookup) ET MALWARE GravityRAT CnC Domain (sharify .co .in in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (teraspace .co .in in DNS Lookup) ET MALWARE GravityRAT CnC Domain (strongbox .in in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (titaniumx .co .in in DNS Lookup) ET MALWARE GravityRAT CnC Domain (msoftserver .eu in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (microsoftupdate .in in DNS Lookup) ET MALWARE GravityRAT CnC Domain (wesharex .net in DNS Lookup)
ET MALWARE GravityRAT CnC Domain (zen .mozillaupdates .us in DNS Lookup) ET MALWARE GravityRAT CnC Domain (x-trust .net in DNS Lookup)
ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC) ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)
ET MALWARE MSIL/GravityRAT CnC Checkin M2 ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)
ET MALWARE SolarSys CnC Activity M1 ET MALWARE Mustang Panda/RedDelta Activity
ET MALWARE Mustang Panda/RedDelta Downloader Activity ET MALWARE Win32/Ficker Stealer Activity
ET MALWARE Possible T-RAT Encrypted Zip Request M1 ET MALWARE Bazaloader Variant Activity
ET MALWARE Bazaloader Variant Activity ET MALWARE Win32/Spy.Pavica.FH Variant CnC Activity
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Magecart CnC Domain Observed in DNS Query
ET MALWARE Magecart CnC Domain Observed in DNS Query ET MALWARE Amarula IRC Botnet Connection Request
ET MALWARE Terse Upload to Free Image Hosting Provider (uploads .im) - Likely Malware ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)
ET MALWARE DTLoader Binary Request ET MALWARE DTLoader Encoded Binary - Server Response
ET MALWARE DTLoader Domain (ahgwqrq .xyz in TLS SNI) ET MALWARE Win32/Ficker Stealer Activity M2
ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (lol) ET MALWARE Win32/Ficker Stealer Activity M3


ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (office) ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (Texsa)
ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Mountainvew) ET MALWARE ComRAT CnC Domain in DNS Lookup
ET MALWARE ComRAT CnC Domain in DNS Lookup ET MALWARE ComRAT CnC Domain in DNS Lookup
ET MALWARE ComRAT CnC Domain in DNS Lookup ET MALWARE ComRAT CnC Domain in DNS Lookup
ET MALWARE ComRAT CnC Domain in DNS Lookup ET MALWARE Win32/Ymacco.AA67 CnC Activity
ET MALWARE Python/PBot Browser Hijacker Activity ET MALWARE Observed BazarLoader Domain (vighik .xyz in TLS SNI)
ET MALWARE Observed BazarLoader Domain (cntrhum .xyz in TLS SNI) ET MALWARE Observed BazarLoader Domain (doldig .xyz in TLS SNI)
ET MALWARE Observed BazarLoader Domain (sh78bug .xyz in TLS SNI) ET MALWARE Observed BazarLoader Domain (dghns .xyz in TLS SNI)
ET MALWARE Observed BazarLoader Domain (bigjamg .xyz in TLS SNI) ET MALWARE Observed BazarLoader Domain (numklo .xyz in TLS SNI)
ET MALWARE Observed BazarLoader Domain (gut45bg .xyz in TLS SNI) ET MALWARE Observed BazarLoader Domain (moig .xyz in TLS SNI)
ET MALWARE Trickbot Anchor ICMP Request ET MALWARE LolliCrypt Ransomware Sending Data to CnC
ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC) ET MALWARE D1onis Stealer Sending Data to CnC
ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC) ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)
ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC) ET MALWARE Kimsuky KGH Malware Suite Checkin M1
ET MALWARE Kimsuky KGH Backdoor Secondary Payload Download Request ET MALWARE Kimsuky KGH Malware Suite Checkin M2
ET MALWARE Kimsuky CSPY Downloader Activity ET MALWARE Kimsuky KGH Backdoor CnC Activity
ET MALWARE W32/Kimsuky Sending Encrypted System Information to CnC ET MALWARE Kimsuky KGH Backdoor CnC Activity M2
ET MALWARE Kimsuky WildCommand CnC Activity ET MALWARE Win32/PurpleWave Stealer CnC Exfil M2
ET MALWARE Pay2Key Ransomware - Sending RSA Key ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon
ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send) ET MALWARE DNS Reply Sinkhole - Anubis/BitSight - 35.205.61.67
ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil ET MALWARE Observed Card Skimmer CnC Domain in TLS SNI
ET MALWARE CCleaner Backdoor DGA Domain (ab1de19d80ae6 .com) in DNS Lookup ET MALWARE APT Lazarus Nukesped Downloader
ET MALWARE ModPipe CnC Activity (POST) ET MALWARE ModPipe CnC Activity (Response)
ET MALWARE Win32/Phorpiex Template 6 Active - Outbound Malicious Email Spam ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE Observed DonotGroup CnC in DNS Query ET MALWARE Win32/SDBbot CnC Checkin
ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity ET MALWARE Observed DNS Query to Blackrota Domain
ET MALWARE Observed Blackrota Domain (blackrato .ga in TLS SNI) ET MALWARE Observed Malicious SSL Cert (Blackrota)
ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc 2020-11-30) ET MALWARE Geocon CnC Request
ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain ET MALWARE Win32/Trickbot Data Exfiltration
ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain
ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain
ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org) ET MALWARE Possible SombRAT Initial DNS Lookup
ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org) ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org)
ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org) ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (allmedicalpro .com)
ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (mediqhealthcare .com) ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (gofinancesolutions .com)
ET MALWARE Observed Jupyter Stealer CnC Domain (gogohid .com in TLS SNI) ET MALWARE DarkIRC Bot CnC Domain Lookup
ET MALWARE Observed Jupyter Stealer CnC Domain (blackl1vesmatter .org in TLS SNI) ET MALWARE Observed Jupyter Stealer CnC Domain (vincentolife .com in TLS SNI)
ET MALWARE Win32/IcedID Requesting Encoded Binary M5 ET MALWARE APT LuckyMouse Polpo Malware CnC
ET MALWARE APT28/Sofacy Zebrocy CnC DNS Lookup (support-cloud .life) ET MALWARE APT LuckyMouse Polpo Malware CnC
ET MALWARE Suspected APT LuckyMouse BlueTraveller CnC ET MALWARE APT LuckyMouse Polpo Malware CnC
ET MALWARE [Fireeye] Backdoor.BEACON M2 ET MALWARE [Fireeye] Backdoor.BEACON M6


ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com ET MALWARE [Fireeye] Backdoor.BEACON M1
ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to thedoccloud .com ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to deftsecurity .com
ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to freescanonline .com ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to websitetheme .com
ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to highdatabase .com ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to incomeupdate .com
ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to databasegalore .com ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to panhardware .com
ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to zupertech .com ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to virtualdataserver .com
ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to digitalcollege .org ET MALWARE [Fireeye] Backdoor.SUNBURST M1
ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com ET MALWARE [Fireeye] Backdoor.SUNBURST M2
ET MALWARE [Fireeye] Backdoor.SUNBURST M3 ET MALWARE [Fireeye] Backdoor.SUNBURST M4
ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com) ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (digitalcollege .org)
ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (freescanonline .com) ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (deftsecurity .com)
ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (thedoccloud .com) ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (virtualdataserver .com)
ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to digitalcollege .org ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to freescanonline .com
ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to deftsecurity .com ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to thedoccloud .com
ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to virtualdataserver .com ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (incomeupdate .com)
ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech .com) ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (databasegalore .com)
ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound
ET MALWARE [Fireeye] Backdoor.BEACON M3
(panhardware .com)
ET MALWARE [Fireeye] Backdoor.BEACON M4 ET MALWARE [Fireeye] Backdoor.BEACON M5
ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound
ET MALWARE [Fireeye] Observed SUNBURST DGA Request
(websitetheme .com)
ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(highdatabase .com) (thedoccloud .com in TLS SNI)
ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(incomeudpate .com in TLS SNI) (panhardware .com in TLS SNI)
ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(freescanonline .com in TLS SNI) (databasegalore .com in TLS SNI)
ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(highdatabase .com in TLS SNI) (websitetheme .com in TLS SNI)
ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain
(zupertech .com in TLS SNI) (deftsecurity .com in TLS SNI)
ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup
ET MALWARE MICROPSIA CnC Checkin
(tocaoonline .com)
ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup
(qh2020 .org) (tinmoivietnam .com)
ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup
(tocaoonline .org) (facebookdeck .com)
ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup
(nhansudaihoi13 .org) (thundernews .org)
ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (webcodez
(solartrackingsystem .net) .com)
ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (lcomputers ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (seobundlekit
.com) .com)
ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (kubecloud ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound
.com) (globalnetworkissues .com)
ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to webcodez
solartrackingsystem .net .com
ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to
lcomputers .com seobundlekit .com
ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to
kubecloud .com globalnetworkissues .com
ET MALWARE Dark Halo/SUNBURST CnC Domain (solartrackingsystem ET MALWARE Dark Halo/SUNBURST CnC Domain (webcodez .com in
.net in TLS SNI) TLS SNI)
ET MALWARE Dark Halo/SUNBURST CnC Domain (lcomputers .com in TLS SNI)
ET MALWARE Dark Halo/SUNBURST CnC Domain (seobundlekit .com in TLS SNI)
ET MALWARE Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS SNI)
ET MALWARE Dark Halo/SUNBURST CnC Domain (globalnetworkissues .com in TLS SNI)
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Observed AridViper CnC Domain in TLS SNI
ET MALWARE Foudre Checkin M2
ET MALWARE Foudre Checkin M1
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE FormBook CnC Checkin (POST) M2
ET MALWARE Foudre Checkin M3
ET MALWARE Foudre Checkin M4
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE Observed SystemBC CnC Domain in DNS Query
ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (vgca.homeunix .org)
ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (office365.blogdns .com)
ET MALWARE AHK.CREDSTEALER.A MalDoc Retrieving Payload
ET MALWARE AHK.CREDSTEALER.A CnC Activity
ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request
ET MALWARE AHK.CREDSTEALER.A CnC Exfil
ET MALWARE Smanager CnC Domain in DNS Lookup
ET MALWARE Smanager CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (PhantomNet/Smanager CnC)
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in TLS SNI (mobilnweb .com)
ET MALWARE Worm.Win32.Balucaf.A Checkin
ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in DNS Query
ET MALWARE FormBook CnC Checkin (GET)
ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sephardimension .com)
ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (besaintegration .com)
ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (dmnadmin .com)
ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sendbits .m2stor4ge .xyz)
ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (myrric-uses .singlejets .com)
ET MALWARE NuggetPhantom Module Download Request
ET MALWARE Observed Cobalt Strike CnC Domain in TLS SNI (cs .lg22l .com)
ET MALWARE MSIL/Azula Logger CnC Activity
ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mykessef .com)
ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mihannevis .com)
ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (idtpl .org)
ET MALWARE Win32/Ymacco.AA1C Activity
ET MALWARE ElectroRAT CnC Checkin
ET MALWARE ElectroRAT Command from Server (Screenshot)
ET MALWARE ElectroRAT Command from Server (Get folder content)
ET MALWARE Jupyter Stealer Reporting System Information M2
ET MALWARE Malicious XSL file download (FTP)
ET MALWARE Possible IceRat CnC Acitivty
ET MALWARE IceRat Backdoor Checkin
ET MALWARE IceRat CnC Acitivty M2
ET MALWARE Win32/Injector.ULH CnC Activity
ET MALWARE Observed Malicious SSL Cert (ElegyRAT)
ET MALWARE Amadey Stealer CnC
ET MALWARE Known Sinkhole Response Kryptos Logic
ET MALWARE PlugX DNS Lookup
ET MALWARE Observed Malicious SSL Cert (MassLogger)
ET MALWARE Arbitrium-RAT CnC Activity
ET MALWARE Arbitrium-RAT Observed User-Agent (JustKidding)
ET MALWARE Observed OSX/WizardUpdate Domain in TLS SNI ( .dlvplayer .com)
ET MALWARE OSX/WizardUpdate CnC Activity
ET MALWARE [401TRG] SUNBURST Related DNS Lookup to infinitysoftwares .com
ET MALWARE ELF/Freakout IRC Checkin
ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (infinitysoftwares .com in TLS SNI)
ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (infinitysoftwares .com)
ET MALWARE [401TRG] SUNBURST Related DNS Lookup to bigtopweb .com
ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (bigtopweb .com in TLS SNI)
ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (bigtopweb .com)
ET MALWARE Trojan-Dropper.Win32.Sysn.cdjy CnC Activity
ET MALWARE Observed Targeted Attack Malicious SSL Cert (angeldonationblog .com)
ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (codevexillium .org)
ET MALWARE Observed Targeted Attack Malicious SSL Cert (investbooking .de)
ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (krakenfolio .com)
ET MALWARE Observed Targeted Attack Malicious SSL Cert (opsonew3org .sg)
ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transferwiser .io)
ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transplugin .io)
ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (rninhsss .com)
ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (dexercisep .com)
ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (blog .br0vvnn .io)
ET MALWARE Sn0wsLogger CnC Exfil M1
ET MALWARE Sn0wsLogger CnC Exfil M2
ET MALWARE TeamTNT Gattling Gun AWS Creds Exfil
ET MALWARE TeamTNT Gattling Gun CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (Magecart/Skimmer CnC)
ET MALWARE NIGHTSCOUT Poison Ivy Variant CnC Domain in DNS Lookup (cdn. cloudistcdn .com)
ET MALWARE Win32/PivNoxy CnC Activity
ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (q. cloudistcdn .com)
ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (update .boshiamys .com)
ET MALWARE Win32/SystemBC CnC Checkin
ET MALWARE Win32/TrickBot maserv Module Command
ET MALWARE Win32/TrickBot maserv Module CnC Activity
ET MALWARE Snake Keylogger CnC Exfil via Telegram
ET MALWARE Win32/TrojanDownloader.Small.AWO CnC Activity
ET MALWARE Win32/Detplock Checkin via SMTP
ET MALWARE Observed Buer Loader Domain (officewestunionbank .com in TLS SNI)
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE MSIL/CoderVir Stealer Zip Upload
ET MALWARE JEUSD CnC Domain Observed in DNS Query
ET MALWARE AppleJeus - JMT Trading CnC Activity (Windows Variant)
ET MALWARE AppleJeus - JMT Trading CnC Activity (OSX Variant)
ET MALWARE AppleJeus - JMT Trading CnC Domain in DNS Lookup (jmttrading .org)
ET MALWARE AppleJeus - Union Crypto CnC Domain in DNS Lookup (unioncrypto .vip)
ET MALWARE AppleJeus - Union Crypto CnC Activity
ET MALWARE Suspected Fancy Bear (APT28) Maldoc CnC
ET MALWARE FIN7/Carbanak Staging Domain in DNS Lookup (civilizationidium .com)
ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (kupaywallet .com)
ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (levelframeblog .com)
ET MALWARE AppleJeus - Kupay Wallet CnC Activity
ET MALWARE AppleJeus - CoinGoTrade CnC Domain in DNS Lookup (coingotrade .com)
ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (airbseeker .com)
ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (globalkeystroke .com)
ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (woodmate .it)
ET MALWARE AppleJeus - Dorusio CnC Domain in DNS Lookup (dorusio .com)
ET MALWARE OSX/NukeSped Variant CnC Activity
ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (ants2whale .com)
ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (qnalytica .com)
ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI
ET MALWARE Win32/LODEINFO v0.4.x CnC Checkin
ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI
ET MALWARE SSL/TLS Certificate Observed (WRAT)
ET MALWARE WRAT Dropper (TLS SNI)
ET MALWARE MSIL/Spy.Keylogger.ENJ Variant CnC Activity
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (simsimsalabim .top)
ET MALWARE VoidRay Downloader CnC Activity
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (perfectscenario .top)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mariofart8 .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (billionaireshore .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (vikingsofnorth .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (realityarchitector .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (gentlebouncer .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (brainassault .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (greatersky .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (unicornhub .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (corporatelover .top)
ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (bloggersglobbers .top)
ET MALWARE MINEBRIDGE CnC Activity
ET MALWARE MINEBRIDGE CnC Activity
ET MALWARE MINEBRIDGE CnC Activity
ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)
ET MALWARE BazaBackdoor Variant CnC Activity M4
ET MALWARE Inception Group CnC Observed in DNS Query (ms-check-new-update .com)
ET MALWARE Gameredon Loader Activity
ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (ms-officeupdate .com)
ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (newmsoffice .com)
ET MALWARE Suspected APT32/OceanLotus Activity
ET MALWARE Ursnif Payload Request (cook32.rar)
ET MALWARE Ursnif Payload Request (cook64.rar)
ET MALWARE Ursnif Payload Request (grab32.rar)
ET MALWARE Ursnif Payload Request (grab64.rar)
ET MALWARE W32/Echmark CnC Activity M2
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI
ET MALWARE Cobalt Strike CnC Activity
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (teastycandycoffe .top)
ET MALWARE Cobalt Strike Beacon CnC
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thereisnoscheme .top)
ET MALWARE SUNSHUTTLE CnC Activity
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nyqualitypizza .top)
ET MALWARE Cobalt Strike Beacon (WooCommerce Profile)
ET MALWARE Win32/CopperStealer CnC Activity
ET MALWARE Win32/CopperStealer CnC Activity M2
ET MALWARE Win32/CopperStealer CnC Activity M3
ET MALWARE Win32/CopperStealer Installer Started
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thelegendofberia .top)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (hitfromthebong .top)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (autopartslarry .top)
ET MALWARE ELF/RedXOR CnC Checkin
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mynameisgarfield .top)
ET MALWARE ELF/RedXOR CnC Response
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mansizeprofile .top)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (letsmakesome .fun)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (gogowormdealer .top)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (seattlecarwash .fun)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (pleaseletmesleep .fun)
ET MALWARE Lazarus Maldoc CnC
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (return2monkey .fun)
ET MALWARE PlugX/Korplug CnC Activity
ET MALWARE ShadowPad CnC Domain in DNS Lookup (ns .rtechs .org)
ET MALWARE ShadowPad CnC Domain in DNS Lookup (soft .mssysinfo .xyz)
ET MALWARE Project Plague CnC Activity
ET MALWARE Jasmin Ransomware C2 Checkin
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youaresoslow .top)
ET MALWARE ELF/BASHLITE CnC Activity (Response)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (followmeasap13 .top)
ET MALWARE Win32/IcedID Request Cookie
ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)
ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (finalcountdown .top)
ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check
ET MALWARE W32/Trickbot C2 (networkDll module)
ET MALWARE Trickbot Checkin Response
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mydrinksare .top)
ET MALWARE Possible Ransomware HTTP POST to Onion Link Domain
ET MALWARE Netbounce Related Activity (Program Wrapper)
ET MALWARE Netbounce User-Agent (Netbounce)
ET MALWARE Netbounce Proxy Activity
ET MALWARE Netbounce Proxy User-Agent (idk)
ET MALWARE Netbounce Program Wrapper Download
ET MALWARE Win32/MALWARECAT Exfil via SMTP
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (habbybearshop .top)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youcanfindmeonthe .top)
ET MALWARE Cobalt Strike Beacon Activity
ET MALWARE Kimsuky Maldoc Activity
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nameyourcatlikeshedeserved .top)
ET MALWARE Observed Malicious SSL Cert (chMiner/RAT)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (onthewire1 .top)
ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (companyllc .top)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (rpirpiwhyyouleaveyourhorse .top)
ET MALWARE Suspected Jobcrypter Ransomware Exfil (SMTP)
ET MALWARE Win32/Girostat Stealer (POST)
ET MALWARE HiddenTears Ransomware Activity (GET)
ET MALWARE MSIL/TrojanDownloader.Small.CLJ CnC Activity
ET MALWARE Konni Related Activity
ET MALWARE Cobalt Strike Activity
ET MALWARE Black KingDom Ransomware Related Activity
ET MALWARE Cobalt Strike Activity
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (videomart .top)
ET MALWARE X-Files Stealer CnC Exfil Activity M1
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Observed Malicious SSL Cert (Win32/Unk Downloader CnC)
ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)
ET MALWARE Win32/Unk Downloader CnC Activity
ET MALWARE Valyria Maldoc Activity (GET)
ET MALWARE GCleaner Downloader Activity M1
ET MALWARE GCleaner Downloader Activity M2
ET MALWARE GCleaner Downloader Activity M3
ET MALWARE Campo Loader Activity (GET)
ET MALWARE Cobalt Strike Beacon (Amazon Profile) M2
ET MALWARE Cobalt Strike Beacon (Bing Profile)
ET MALWARE Ousaban Related Maldoc Activity
ET MALWARE Cobalt Strike Beacon Activity
ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
ET MALWARE Cobalt Strike Beacon Activity
ET MALWARE Win32/NitroStealer/exoStub CnC Exfil
ET MALWARE Nitro Stealer Exfil Activity (Response)
ET MALWARE Win32/MereTam.A Ransomware CnC Init Activity
ET MALWARE Win32/MereTam.A Ransomware CnC Checkin
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (lifemaindecision .top)
ET MALWARE DonotGroup Template Download
ET MALWARE Pult Downloader Activity
ET MALWARE Parallax CnC Activity (set) M14
ET MALWARE Observed Malicious SSL Cert (Python RAT (Aurora Campaign))
ET MALWARE Parallax CnC Response Activity M14
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (heroofthe .top)
ET MALWARE TA402/Molerats Related VBS Retrieval
ET MALWARE Observed StrongPity CnC Domain (hierarchicalfiles .com in TLS SNI)
ET MALWARE Observed StrongPity CnC Domain (resolutionplatform .com in TLS SNI)
ET MALWARE Observed StrongPity CnC Domain (pulmonyarea .com in TLS SNI)
ET MALWARE Observed StrongPity CnC Domain (hardwareoption .com in TLS SNI)
ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (shehootastayonwhatshelirned .top)
ET MALWARE Observed StrongPity CnC Domain (applicationrepo .com in TLS SNI)
ET MALWARE Observed StrongPity CnC Domain (uppertrainingtool .com in TLS SNI)
ET MALWARE Observed StrongPity CnC Domain (hostoperationsystems .com in TLS SNI)
ET MALWARE Ozone/Darktrack RAT Variant - Client Hello (set)
ET MALWARE Ozone/Darktrack RAT Variant - Server Hello
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (lomhasnopryiyome .top in TLS SNI)
ET MALWARE OilRig SideTwist CnC Domain in DNS Lookup (sarmsoftware .com)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (tapewormorchestra .top in TLS SNI)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (belochkaneprihoditodna .top in TLS SNI)
ET MALWARE Cobalt Strike Malleable C2 (QiHoo Profile)
ET MALWARE Cobalt Strike Malleable C2 (MSDN Query Profile)
ET MALWARE Cobalt Strike Malleable C2 Webbug Profile
ET MALWARE Cobalt Strike Malleable C2 Amazon Profile
ET MALWARE Cobalt Strike Malleable C2 OCSP Profile
ET MALWARE Cobalt Strike Malleable C2 (jquery Profile)
ET MALWARE Cobalt Strike Malleable C2 (Microsoft Update GET)
ET MALWARE Saint Bot CnC Activity
ET MALWARE Cobalt Strike Malleable C2 (TrevorForget Profile)
ET MALWARE Cobalt Strike Malleable C2 (Wordpress Profile)
ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)
ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (whatsthescore .top in TLS SNI)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (annafraudy .top in TLS SNI)
ET MALWARE Magecart/Skimmer - AngryBeaver Exfil Attempt
ET MALWARE Kimsuky Maldoc Activity (GET)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (youareperfect2day .top in TLS SNI)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (mindbreaker .top in TLS SNI)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (attentionmagnet .top in TLS SNI)
ET MALWARE Remcos 3.x Unencrypted Checkin
ET MALWARE Observed Win32/Wacapew.A!ml Domain in TLS SNI (zytrox .tk)
ET MALWARE Remcos 3.x Unencrypted Server Response
ET MALWARE Remcos Builder License Check
ET MALWARE Cobalt Strike Stager Time Check M1
ET MALWARE Cobalt Strike Stager Time Check M2
ET MALWARE Suspected PULSECHECK Webshell Access Inbound
ET MALWARE Possibly SLIGHTPULSE Related - Suspicious POST to Specific URI Path
ET MALWARE Magecart/Skimmer - _try_action Exfil Attempt
ET MALWARE Observed Magecart/Skimmer - _try_action CnC Domain (cdn-frontend .com in TLS SNI)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (newageiscoming .top in TLS SNI)
ET MALWARE HabitsRAT Checkin
ET MALWARE Unk.PSAttack Activity
ET MALWARE Observed DNS Query to Ursnif CnC Domain (vorulenuke. us)
ET MALWARE Likely Evil Request for uac.exe With Minimal Headers
ET MALWARE Observed DNS Query to Ursnif CnC Domain (horulenuke .us)
ET MALWARE Possible STEADYPULSE Webshell Accessed M2
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gimmegimmejimmy .top in TLS SNI)
ET MALWARE Possible STEADYPULSE Webshell Accessed M1
ET MALWARE 44 Caliber Stealer Data Exfil via Discord
ET MALWARE Lunar Builder Exfil via Discord M1
ET MALWARE Observed DNS Query to MoserPass Download Domain (passwordstate-18ed2 .kxcdn .com)
ET MALWARE Win32/CollectorStealer CnC Exfil M2
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (linda-callaghan .icu)
ET MALWARE MSIL/MosaiqueRAT CnC Checkin
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (mikkelbourke .pro)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (scorerabbate .site)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (overingtonray .info)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (marwapetersson .info)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (belcherjacky .info)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (gallant-william .icu)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (ansonwhitmore .live)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (irenewansley .icu)
ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (norayowell .info)
ET MALWARE MICROPSIA CnC Checkin M2
ET MALWARE MICROPSIA Screenshot Upload M2
ET MALWARE MICROPSIA Screenshot Upload M3
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (birdmilk .top in TLS SNI)
ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (footballstar .top in TLS SNI)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stockme .top in TLS SNI)
ET MALWARE PHP Skimmer CnC Domain in DNS Lookup (secure-authorize .net)
ET MALWARE PHP Skimmer Exfil Attempt
ET MALWARE SharpNoPSExec EXE Lateral Movement Tool Downloaded
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (blogsolutions .top in TLS SNI)
ET MALWARE Observed Lunar Builder Domain (lunarbuilder .000webhostapp .com in TLS SNI)
ET MALWARE Lunar Builder Exfil Attempt
ET MALWARE Lunar Builder CnC Activity
ET MALWARE Win32/Koubbeh Sending Windows System Info
ET MALWARE SupremeLogger CnC Checkin
ET MALWARE TA471 Malicious AutoIT File Upload
ET MALWARE Win32/TrojanDropper.Agent.RLO CnC Acitivty
ET MALWARE Win32/XRat.AT Variant CnC Activity
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (realonlinetrend .top in TLS SNI)
ET MALWARE PurpleFox EK Landing Page Domain in SNI
ET MALWARE Malicious lnk Activity
ET MALWARE Buer - DomainInfo User-Agent
ET MALWARE Observed DarkSide Ransomware Domain (baroquetees .com in TLS SNI)
ET MALWARE Observed DNS Query to Buer - DomainInfo Domain
ET MALWARE ELF/DarkNexus User-Agent
ET MALWARE [FIREEYE] PULSECHECK Webshell Access Outbound
ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M1
ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M2
ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M1
ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M2
ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2
ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M3
ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1
ET MALWARE Suspected HARDPULSE Request
ET MALWARE Pingback Shell Command Issued
ET MALWARE Pingback Download Command Issued
ET MALWARE Pingback Upload Command Issued
ET MALWARE Pingback Exec Command Issued
ET MALWARE Kimsuky APT CnC Domain in DNS Lookup
ET MALWARE Kimsuky APT CnC Domain in DNS Lookup
ET MALWARE Kimsuky APT CnC Domain in DNS Lookup
ET MALWARE lolzilla JS/PHP WebSkimmer - Data Exfil
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number1g .top in TLS SNI)
ET MALWARE Pingback Exep Command Issued
ET MALWARE Pingback OK Issued
ET MALWARE Suspected Sliver DNS CnC
ET MALWARE Observed DarkSide Ransomware Domain (catsdegree .com in TLS SNI)
ET MALWARE Unk.CoinMiner Loader Checkin
ET MALWARE Observed DarkSide Ransomware Domain (temisleyes .com in TLS SNI)
ET MALWARE Observed DarkSide Ransomware Domain (rumahsia .com in TLS SNI)
ET MALWARE Suspected SombRAT DNS Activity (TXT)
ET MALWARE Cobalt Strike Beacon Activity (UNC2447)
ET MALWARE Cobalt Strike Beacon Activity (UNC2447)
ET MALWARE Cobalt Strike Beacon Observed (MASB UA)
ET MALWARE Ares Activity (POST)
ET MALWARE Win32/Tnega Activity (GET)
ET MALWARE Suspected Ares Loader Activity (GET)
ET MALWARE Observed Cobalt Strike User-Agent
ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)
ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)
ET MALWARE Observed Cobalt Strike CnC Domain (security-desk .com in TLS SNI)
ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)
ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI
ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)
ET MALWARE Observed Cobalt Strike CnC Domain (dimentos .com in TLS SNI)
ET MALWARE Remote Desktop Spy Install Checkin
ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)
ET MALWARE Cobalt Strike Malleable C2 Profile (btn_bg)
ET MALWARE Cobalt Strike Malleable C2 Profile (bg)
ET MALWARE VenusLocker Associated User-Agent Activity
ET MALWARE Observed MageCart Group 12 Domain (zolo .pw in TLS SNI)
ET MALWARE VenusLocker Activity
ET MALWARE Observed MageCart Group 12 Domain (pathc .space in TLS SNI)
ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M1
ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M2
ET MALWARE Win32/RiskWare.YouXun.AD CnC Activity
ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)
ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)
ET MALWARE DecryptmyFiles Ransomware CnC (POST)
ET MALWARE Observed DecryptmyFiles Ransomware User-Agent (uniquesession)
ET MALWARE Observed Silver Implant Domain (raspoly .biz in TLS SNI)
ET MALWARE Observed Malicious SSL Cert (Silver Implant)
ET MALWARE Suspected Bizarro Banker Activity (POST)
ET MALWARE NightfallGT Discord Token Grabber
ET MALWARE NightfallGT Discord Nitro Ransomware
ET MALWARE Win32/SystemBC CnC Checkin (null key) M1
ET MALWARE Win32/SystemBC CnC Checkin (null key) M2
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number2g .top in TLS SNI)
ET MALWARE Suspected Kimsuky Activity (GET)
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (genericalphabet .top in TLS SNI)
ET MALWARE Teslarvng Ransomware CnC Activity M1
ET MALWARE Teslarvng Ransomware CnC Activity M2
ET MALWARE Teslarvng Ransomware CnC Activity M3
ET MALWARE Lemon_Duck Powershell CnC Activity M14
ET MALWARE Lemon_Duck Powershell CnC Checkin M6
ET MALWARE Lemon_Duck Powershell CnC Activity M15
ET MALWARE Suspected Gootkit Activity
ET MALWARE OSX/MapperState CnC Domain in DNS Lookup
ET MALWARE OSX/MapperState CnC Activity
ET MALWARE Suspected Sidewinder Activity (GET)
ET MALWARE BazaLoader CnC Activity
ET MALWARE Unknown Actor Targeting Minority Groups Activity (GET)
ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)
ET MALWARE Observed Malicious Domain Targeting Minority Groups (officemodel .org in TLS SNI)
ET MALWARE Unknown Actor Targeting Minority Groups Activity (POST)
ET MALWARE Observed Malicious Domain Targeting Minority Groups (tcahf .org in TLS SNI)
ET MALWARE Observed Malicious Domain Targeting Minority Groups Domain (unohcr .org in TLS SNI)
ET MALWARE Unknown Actor Targeting Minority Groups CnC Activity
ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) EnvyScout Fingerprint Checkin
ET MALWARE SharpPanda APT Downloader Activity (GET)
ET MALWARE Observed JSSLoader Domain (deprivationant .com in TLS SNI)
ET MALWARE NOBELIUM Win32/VaporRage Loader CnC Checkin
ET MALWARE Observed CobaltStrike Loader Domain (cybersecyrity .com in TLS SNI)
ET MALWARE Observed CobaltStrike CnC Domain (defendersecyrity .com in TLS SNI)
ET MALWARE Cobalt Strike C2 Profile (news_indexedimages)
ET MALWARE Vidar Stealer - FaceIt Checkin Response
ET MALWARE Observed Magecart Skimmer Domain (googie-analitycs .site in TLS SNI)
ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .online in TLS SNI)
ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .website in TLS SNI)
ET MALWARE Observed Magecart Skimmer Domain (googletagsmanager .website in TLS SNI)
ET MALWARE Evilnum Activity (GET)
ET MALWARE FIN7 JSSLoader Variant Activity (POST)
ET MALWARE Observed JSSLoader Variant Domain (legislationient .com in TLS SNI)
ET MALWARE FIN7 JSSLoader Variant Activity (GET)
ET MALWARE CNRarypt Ransomware CnC Activity
ET MALWARE APT34 Related Activity (GET)
ET MALWARE APT34 Related DNS Tunneling Activity
ET MALWARE Lyceum Group Activity (DNS)
ET MALWARE SharpPanda APT Maldoc Activity
ET MALWARE Win32/DCRat CnC Exfil
ET MALWARE FatalRAT CnC Activity
ET MALWARE sysrv.ELF Exploit Success Payload Request
ET MALWARE ALFA Shell APT33 DNS Lookup (solevisible .com)
ET MALWARE APT28/SkinnyBoy Checkin
ET MALWARE Observed Magecart Skimmer Domain (analiticsweb .site in TLS SNI)
ET MALWARE APT28/SkinnyBoy Payload Request
ET MALWARE MSIL/NoCry Ransomware Checkin Via Discord
ET MALWARE Win32/PlagueBot User-Agent
ET MALWARE ETag HTTP Header Observed at JPCERT Sinkhole
ET MALWARE ETag HTTP Header Observed at CNCERT Sinkhole
ET MALWARE Known Sinkhole Response Header
ET MALWARE Known Sinkhole Response Header
ET MALWARE QuasarRAT/zgRAT C2 Activity (set)
ET MALWARE zgRAT Activity
ET MALWARE ELF/Facefish Empty Payload (set)
ET MALWARE ELF/Facefish Server Response (201)
ET MALWARE ELF/Facefish Client Response (202)
ET MALWARE ELF/Facefish Session Closing (400)
ET MALWARE Kimsuky Maldoc Activity (GET)
ET MALWARE Observed DNS Query to Known Gelsemium CnC
ET MALWARE Observed DNS Query to Known Gelsemium CnC
ET MALWARE Observed DNS Query to Known Gelsemium CnC
ET MALWARE Observed Puzzlemaker Remote Shell Domain (media-seoengine .com in TLS SNI)
ET MALWARE Observed DNS Query to Known Gelsemium CnC
ET MALWARE Possible Puzzlemaker Remote Shell Activity (GET)
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE Observed Lazarus Maldoc CnC Domain (shopweblive
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
.com in TLS SNI)
ET MALWARE Observed APT41 Malicious SSL Cert (ColunmTK
ET MALWARE Observed FIN7 CnC Domain (injuryless .com in TLS SNI)
Campaign)
ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile) ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE TA456 GrumpyGrocer Related Domain in DNS Lookup
ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)
(hotjar .info)
ET MALWARE Cobalt Strike Beacon Activity (GET) ET MALWARE Andariel Backdoor Activity (Checkin)
ET MALWARE Andariel Backdoor Actvity (Response) ET MALWARE Cobalt Strike Malleable C2 Profile (extension.css)
ET MALWARE UNC2628 BEACON Activity (GET) ET MALWARE UNC2628 Malicious MSHTA Activity (GET)
ET MALWARE Observed Malicious SSL Cert (Gelsemium CnC) ET MALWARE APT Operation Sidecopy lnk Activity (GET)
ET MALWARE Matanbuchus CnC Domain in DNS Lookup (eonsabode
ET MALWARE Observed Malicious SSL Cert (Klingon RAT)
.at)
ET MALWARE Cobalt Strike Malleable C2 Profile wordpress_ Cookie
ET MALWARE Linux DarkRadiation Ransomware Activity (wget)
Test
ET MALWARE Linux DarkRadiation Ransomware Activity (curl) ET MALWARE Linux DarkRadiation Ransomware Activity Attack Check
ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil ET MALWARE a310Logger Stealer Exfil (SMTP)
ET MALWARE DonotGroup Maldoc Activity (GET) ET MALWARE Maldoc Downloading from Dropbox via API
ET MALWARE ReverseRAT Activity (POST) M3 ET MALWARE ReverseRAT Activity (POST) M4
ET MALWARE AllaKore CnC Activity ET MALWARE ReverseRAT Activity (POST) M1
ET MALWARE ReverseRAT Activity (POST) M2 ET MALWARE lu0bot Loader HTTP Request
ET MALWARE lu0bot CnC Domain in DNS Lookup ET MALWARE lu0bot CnC Domain in DNS Lookup
ET MALWARE lu0bot CnC Domain in DNS Lookup ET MALWARE lu0bot CnC Domain in DNS Lookup
ET MALWARE lu0bot Loader HTTP Response ET MALWARE ChaChi RAT Client CnC (POST)
ET MALWARE ChaChi RAT Server Response ET MALWARE ChaChi RAT Client CnC (POST)
ET MALWARE GCleaner Related Downloader User-Agent ET MALWARE Observed Malicious SSL Cert (TA456 GrumpyGrocer)
ET MALWARE Malware Delivery Landing Page via JS Redirect ET MALWARE Observed Malware Delivery Domain (analyticsnet .top
(2021-06-24) in TLS SNI)
ET MALWARE Observed Malware Delivery Landing Page Domain
ET MALWARE Kimsuky Related Activity (GET)
(bigeront .top in TLS SNI)
ET MALWARE Kimsuky Related Activity (init) ET MALWARE Kimsuky Related Activity (down)
ET MALWARE Kimsuky Related Activity (ping) ET MALWARE Kimsuky Related Activity (GET)
ET MALWARE NightfallGT Mercurial Grabber ET MALWARE APT-C-23 Activity (GET)

ET MALWARE Kimsuky Related Activity (POST)
ET MALWARE APT-C-23 Activity (POST)
ET MALWARE Ransomware Decryptor Domain in DNS Query (decryptor .top)
ET MALWARE Ransomware Decryptor Domain in DNS Query (decoder .re)
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
ET MALWARE REvil Exfil SFTP Certificate Inbound
ET MALWARE Valyria Downloader Activity
ET MALWARE Andariel Backdoor Activity (Checkin)
ET MALWARE Reborn Stealer 2021 Exfil attempt via Telegram
ET MALWARE QuasarRAT/zgRAT C2 Activity (set)
ET MALWARE zgRAT Activity M2
ET MALWARE Observed MageCart Group 12 Domain (toolser .pw in TLS SNI)
ET MALWARE IndigoZebra APT xCaon/Textpadx Activity (POST)
ET MALWARE IndigoZebra APT BoxCaon DropBox Activity (POST)
ET MALWARE Diavol CnC Checkin
ET MALWARE Diavol Communicating with CnC - Register M1
ET MALWARE Diavol Communicating with CnC - Register M2
ET MALWARE Diavol Communicating with CnC - Key Request
ET MALWARE Diavol Communicating with CnC - Services Request
ET MALWARE Diavol Communicating with CnC - Priority Request
ET MALWARE Diavol Communicating with CnC - Ignore Request
ET MALWARE Diavol Communicating with CnC - Ext Request
ET MALWARE Diavol Communicating with CnC - Wipe Request
ET MALWARE Diavol Communicating with CnC - Landing Request
ET MALWARE Diavol HTTP Cookie Observed
ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain
ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain
ET MALWARE Mirai pTea Variant - Initial CnC Checkin Outbound
ET MALWARE Mirai pTea Variant - Initial CnC Checkin Inbound
ET MALWARE Mirai pTea Variant - Bot Upload Command Outbound
ET MALWARE Mirai pTea Variant - Info Submission Outbound
ET MALWARE Mirai pTea Variant - Info Submission Inbound
ET MALWARE Mirai pTea Variant - Attack Command Outbound
ET MALWARE Mirai pTea Variant - Attack Command Inbound
ET MALWARE Mirai pTea Variant - Bot Upload Command Inbound
ET MALWARE xCaon Embedded Encrypted Command in Webpage
ET MALWARE Kaseya VSA Exploit Activity M1 (SET)
ET MALWARE Kaseya VSA Exploit Activity M2 (SET)
ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M1
ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M2
ET MALWARE Possible Kaseya VSA Exploit URI Structure Inbound
ET MALWARE Maldoc Retrieving Payload 2021-07-06
ET MALWARE Possible Siloscape IRC CnC JOIN Command Observed
ET MALWARE WaterDropX PRISM CnC Checkin
ET MALWARE WaterDropX PRISM CnC Response
ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)
ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)
ET MALWARE Observed Malicious SSL Cert (NHS UK Covid Passport Phish)
ET MALWARE BazaLoader Activity (GET)
ET MALWARE Malicious Dropper Activity (GET)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE BIOPASS RAT Related Domain in DNS Lookup (0x3s .com)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE BIOPASS RAT Python Activity (GET)
ET MALWARE BIOPASS RAT Go Activity (GET)
ET MALWARE Observed Malicious SSL Cert (SideWinder APT CnC)
ET MALWARE WildPressure/Milum CnC Activity
ET MALWARE Operation SpoofedScholars Activity (GET)
ET MALWARE Observed Malicious SSL Cert (Maldoc/Zloader CnC)
ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)
ET MALWARE Win32/Fareit Variant Activity (POST)
ET MALWARE Observed AZORult CnC Domain (miscrosoftworrd .000webhostapp .com in TLS SNI)
ET MALWARE Win32/Tofsee Connectivity Check M2
ET MALWARE Win32/Tofsee Connectivity Check M3
ET MALWARE ReverseRAT Activity (POST) M5
ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (msstore .io)
ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (adtracker .link)
ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (cdnmobile .io)
ET MALWARE Unk.DPRK MalDoc SysInfo CnC Exfil
ET MALWARE MargulasRAT Checkin M1
ET MALWARE MargulasRAT Keep-Alive Outbound M1
ET MALWARE MargulasRAT Keep-Alive Inbound M1
ET MALWARE MargulasRAT Checkin M2
ET MALWARE MargulasRAT Keep-Alive Outbound M2
ET MALWARE MargulasRAT Keep-Alive Inbound M2
ET MALWARE Gasket CnC Checkin
ET MALWARE Gasket Requesting Commands from CnC
ET MALWARE Mespinoza Ransomware - Pre-Encryption File Exfil to CnC
ET MALWARE Gasket Submitting Logs to CnC
ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
ET MALWARE DTLoader Binary Request M2
ET MALWARE Win32/NitroStealer CnC Exfil M2
ET MALWARE Suspected DonotGroup Dropper Activity
ET MALWARE Suspected DonotGroup Dropper Telegram API Activity
ET MALWARE ELF/Miner Activity (GET)
ET MALWARE ELF/Miner Loader Activity M1 (GET)
ET MALWARE ELF/Miner Loader Activity M2 (GET)
ET MALWARE Observed Win32.Raccoon Stealer Domain (cheapfacechange .top in TLS SNI)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Possible DarkRats Tor Traffic
ET MALWARE BOUNCEBEAM Backdoor CnC Activity
ET MALWARE Observed BOUNCEBEAM Backdoor CnC Domain (cloudflare .5156game .com in TLS SNI)
ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)
ET MALWARE Observed CobaltStrike CnC Domain (krinsop .com in TLS SNI)
ET MALWARE Observed CobaltStrike CnC Domain (charity-wallet .com in TLS SNI)
ET MALWARE Observed CobaltStrike CnC Domain (gmbfrom .com in TLS SNI)
ET MALWARE KPOT Stealer Initial CnC Activity M5
ET MALWARE Observed Magecart Skimmer Domain (cloudflare-cdnjs .com in TLS SNI)
ET MALWARE Observed Magecart Skimmer Domain (static-zdassets .com in TLS SNI)
ET MALWARE W32/Echmark/MarkiRAT CnC Host Checkin
ET MALWARE W32/Echmark/MarkiRAT CnC Request
ET MALWARE W32/Echmark/MarkiRAT CnC Response
ET MALWARE Dmechant Exfil Cryptowallets via SMTP

ET MALWARE Dmechant Exfil Passwords via SMTP
ET MALWARE RustyBuer CnC Domain in SNI
ET MALWARE Webshell Upload Command Inbound - Possibly Iran-based
ET MALWARE Webshell Landing Outbound - Possibly Iran-based
ET MALWARE Webshell Access with Known Password Inbound - Possibly Iran-based
ET MALWARE Webshell Execute Command Inbound - Possibly Iran-based M1
ET MALWARE Anchor_DNS stickseed Variant CnC Checkin
ET MALWARE Observed Malsmoke Staging Domain in SNI
ET MALWARE Observed ZLoader CnC Domain in SNI
ET MALWARE Observed ZLoader CnC Domain in SNI
ET MALWARE Gamaredon CnC Domain in DNS Lookup (clank .hazari .ru)
ET MALWARE W32/Echmark/MarkiRAT CnC Activity M3
ET MALWARE Gamaredon CnC Domain in DNS Lookup (lump .semara .ru)
ET MALWARE Gamaredon CnC Domain in DNS Lookup (lovers .semara .ru)
ET MALWARE Gamaredon CnC Domain in DNS Lookup (aconitum .xyz)
ET MALWARE Gamaredon CnC Domain in DNS Lookup (blattodea .ru)
ET MALWARE Gamaredon CnC Domain in DNS Lookup (hierodula .online)
ET MALWARE Gamaredon CnC Domain in DNS Lookup (tomond .ru)
ET MALWARE ClipBanker Variant Activity (POST)
ET MALWARE Lunar Builder Exfil via Discord M2
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com)
ET MALWARE Lunar Builder Exfil Response
ET MALWARE Maldoc Activity Sending Windows User Info (GET)
ET MALWARE 44Calibar Variant Exfil via Telegram
ET MALWARE Observed CobaltStrike CnC Domain (stg .pesrado .com in TLS SNI)
ET MALWARE Maldoc Activity Sending Windows User Info (GET)
ET MALWARE Kimsuky Related Activity (GET)
ET MALWARE Kimsuky Related Activity (GET)
ET MALWARE Observed MSIL/Heracles Variant CnC Domain (stainless .fun in TLS SNI)
ET MALWARE MSIL/Heracles Variant CnC Activity
ET MALWARE Kimsuky Related Activity (GET)
ET MALWARE Kimsuky Related Maldoc Activity (POST)
ET MALWARE Kimsuky Related Maldoc Activity (GET)
ET MALWARE Kimsuky Related Script Activity (GET)
ET MALWARE Observed DCRat CnC Domain (dud-shotline .000webhostapp .com in TLS SNI)
ET MALWARE Kimsuky Related Maldoc Activity (HEAD)
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Lemon_Duck CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (FIN8 Staging CnC)
ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)
ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)
ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)
ET MALWARE Observed Malicious SSL Cert (Meterpreter Paranoid Mode CnC)
ET MALWARE Gamaredon Maldoc Activity (GET)
ET MALWARE Observed Win32.Raccoon Stealer Domain (hellowoodie .top in TLS SNI)
ET MALWARE Win32/CandyOpen/UniClient Activity (POST)
ET MALWARE Win32/CandyOpen/UniClient Activity (GET)
ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M1
ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M2
ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M3
ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
ET MALWARE Observed Cobalt Strike CnC Domain (www .msfthelpdesk .com in TLS SNI)
ET MALWARE BlackMatter CnC Activity
ET MALWARE Suspected Jupyter Stealer Related Activity (GET)
ET MALWARE Jupyter Stealer Reporting System Information M2
ET MALWARE Unknown Rootkit Download Activity (GET)
ET MALWARE Unknown Rootkit Checkin Activity (getSystemInfo)
ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
ET MALWARE SSV Agent CnC Activity
ET MALWARE Observed SSV Agent CnC Domain (edgecloudc .com in TLS SNI)
ET MALWARE Observed SSV Agent CnC Domain (be-government .com in TLS SNI)
ET MALWARE Observed SSV Agent CnC Domain (gitcloudcache .com in TLS SNI)
ET MALWARE Observed SSV Agent CnC Domain (hostupoeui .com in TLS SNI)
ET MALWARE Observed SSV Agent CnC Domain (drmtake .tk in TLS SNI)
ET MALWARE Observed SSV Agent CnC Domain (rsnet-devel .com in TLS SNI)
ET MALWARE Observed SSV Agent CnC Domain (flushcdn .com in TLS SNI)
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2
ET MALWARE Win32/TrickBot CnC Initial Checkin M2
ET MALWARE TrickBot Related Activity (GET)
ET MALWARE Observed Maldoc CnC Domain (cloud-documents .com in TLS SNI)
ET MALWARE Maldoc CnC Domain in DNS Lookup
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gopstoporchestra .top in TLS SNI)
ET MALWARE Observed Cobalt Strike CnC Domain (onlineworkercz .com in TLS SNI)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Thallium CnC Domain in DNS Lookup
ET MALWARE Quasar CnC Domain in DNS Lookup (societyf500 .ddns .net)
ET MALWARE SideCopy Group Activity (GET)
ET MALWARE Observed SSL/TLS Cert (Splashtop Remote Support)
ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup
ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup
ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup
ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup
ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup

ET MALWARE Observed Cobalt Strike CnC Domain (yuxicu .com in TLS SNI)
ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup
ET MALWARE Observed Cobalt Strike CnC Domain (gojihu .com in TLS SNI)
ET MALWARE Suspected TeamTNT Linux Miner Activity
ET MALWARE Observed Malicious SSL Cert (Ursnif Injects)
ET MALWARE Suspected Malicious VBS Script Activity
ET MALWARE IIStealer CnC Domain in DNS Lookup (xinxx .allsoulu .com)
ET MALWARE IIStealer Inbound Exfil Request
ET MALWARE IIStealer Inbound Exfil Request M2
ET MALWARE Unknown DPRK Threat Actor Activity (GET)
ET MALWARE Win32/DownloadAdmin Activity
ET MALWARE Suspected Praying Mantis Threat Actor Activity
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (msresearchcenter .top in TLS SNI)
ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE MSIL/Black Hat Worm Server Response
ET MALWARE MSIL/Black Hat Worm Checkin
ET MALWARE GoBrut/StealthWorker Requesting Brute Force List (flowbit set)
ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity
ET MALWARE Unknown Chinese Threat Actor Malicious Redirect Activity
ET MALWARE GoBrut/StealthWorker Service Bruter CnC Checkin
ET MALWARE Unknown Chinese Threat Actor CnC Domain in DNS Lookup
ET MALWARE Gamaredon CnC Domain in DNS Lookup (office360-expert .online)
ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (ntc-pk .sytes .net)
ET MALWARE Gamaredon Maldoc Activity (GET)
ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (nitb .pk-gov .org)
ET MALWARE APT-C-48 Related Activity Retrieving ConsoleHost (GET)
ET MALWARE Stealbit Variant Data Exfil M1
ET MALWARE Stealbit Variant Data Exfil M2
ET MALWARE PCRat/Gh0st CnC Beacon Request (Xfire variant)
ET MALWARE Win32/PSW.Agent.OMP Variant CnC Activity
ET MALWARE Observed BLUELIGHT Payload Domain (storage .jquery .services in TLS SNI)
ET MALWARE DarkWay Client Checkin
ET MALWARE Win32/BLUELIGHT OAuth Login Attempt
ET MALWARE Win32/BLUELIGHT OAuth Login Attempt M2
ET MALWARE MSIL/Agent.DNL CnC Activity M1
ET MALWARE MSIL/Agent.DNL Server Response Task (whoami)
ET MALWARE Win32/Malgent!MSR Dropper Requesting Payload
ET MALWARE Win32/Malgent!MSR User-Agent
ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Checkin
ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark Uploading to CnC
ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .magicalgirlonlive .com)
ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .getkiplayer .com)
ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .supapureigemu .com)
ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .chirigame .com)
ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1
ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2
ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M3
ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M4
ET MALWARE Observed Karen Ransomware CnC Checkin
ET MALWARE Observed Karen Ransomware Powershell Loader
ET MALWARE Observed Karen Ransomware Domain (karen .h07 .wlh .io in TLS SNI)
ET MALWARE NSO Group Pegasus Related Data Exfil (POST)
ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M2
ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M3
ET MALWARE Win32/a310Logger Clipboard Exfil via SMTP
ET MALWARE Win32/a310Logger Data Exfil via SMTP
ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup
ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup
ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .microcaft .xyz)
ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .com-view .space)
ET MALWARE Konni RAT Exfiltrating Data
ET MALWARE Win32/Sinresby.B Downloader CnC Activity M1
ET MALWARE Win32/Sinresby.B Downloader CnC Activity M2
ET MALWARE Konni RAT Querying CnC for Commands
ET MALWARE GCleaner Downloader Activity M4
ET MALWARE Cobalt Strike Malleable C2 (Custom Profile)
ET MALWARE Observed Cobalt Strike CnC Domain (windowsupdatesc .com in TLS SNI)
ET MALWARE Observed Cobalt Strike CnC Domain (securityupdateav .com in TLS SNI)
ET MALWARE Observed Cobalt Strike CnC Domain (defenderupdateav .com in TLS SNI)
ET MALWARE SNIcat - Detected C2 Commands (LIST)
ET MALWARE SNIcat - Detected C2 Commands (LS)
ET MALWARE SNIcat - Detected C2 Commands (SIZE)
ET MALWARE SNIcat - Detected C2 Commands (LD)
ET MALWARE SNIcat - Detected C2 Commands (CB)
ET MALWARE SNIcat - Detected C2 Commands (CD)
ET MALWARE SNIcat - Detected C2 Commands (EX)
ET MALWARE SNIcat - Detected C2 Commands (ALIVE)
ET MALWARE SNIcat - Detected C2 Commands (EXIT)
ET MALWARE SNIcat - Detected C2 Commands (finito)
ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile)
ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdn .net)
ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (git-api .com)
ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdnw5 .net)
ET MALWARE W32/Witch.3FA0!tr CnC Actiivty
ET MALWARE Javascript Displays malicious download page
ET MALWARE Javascript Click and Removal of Download Element
ET MALWARE Suspected Cobalt Strike Beacon Activity (DNS)
ET MALWARE MSIL/Document Stealer Exfil
ET MALWARE Win32/GenCBL.XS CnC Activity
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (ywbgrcrupasdiqxknwgceatlnbvmezti .com)
ET MALWARE Cobalt Strike Activity (GET)

ET MALWARE HCRootkit CnC Domain in DNS Lookup (yhgrffndvzbtoilmundkmvbaxrjtqsew .com)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (wcmbqxzeuopnvyfmhkstaretfciywdrl .name)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (ruciplbrxwjscyhtapvlfskoqqgnxevw .name)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (pdjwebrfgdyzljmwtxcoyomapxtzchvn .com)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (nfcomizsdseqiomzqrxwvtprxbljkpgd .name)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (hkxpqdtgsucylodaejmzmtnkpfvojabe .com)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (etzndtcvqvyxajpcgwkzsoweaubilflh .com)
ET MALWARE HCRootkit CnC Domain in DNS Lookup (esnoptdkkiirzewlpgmccbwuynvxjumf .name)
ET MALWARE Win32/44Caliber Stealer Variant Activity (POST)
ET MALWARE Observed Pegasus Domain (hooklevel .com in TLS SNI)
ET MALWARE Observed Pegasus Domain (api1r3f4 .redirectweburl .com in TLS SNI)
ET MALWARE Observed DNS Query to Pegasus Domain (start-anew .net)
ET MALWARE Observed DNS Query to Pegasus Domain (news-now .co)
ET MALWARE Observed DNS Query to Pegasus Domain (reunionlove .net)
ET MALWARE Observed DNS Query to Pegasus Domain (helpusfind .biz)
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE Magecart CnC Domain in DNS Lookup
ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
ET MALWARE FIN7 JSSLoader Variant Activity (GET)
ET MALWARE FIN7 Related CnC Domain in DNS Lookup (tnskvggujjqfcskwk .com)
ET MALWARE Win32/Enemyfear Stealer Exfil
ET MALWARE FIN7 Related CnC Domain in DNS Lookup (bypassociation .com)
ET MALWARE Go/Hack Browser Data Exfil Attempt
ET MALWARE Observed Lazarus Related Domain (share .bloomcloud .org in TLS SNI)
ET MALWARE BleachGap Ransomware Checkin (POST)
ET MALWARE Win32/Syndicasec Encoded Response Embedded in XML HTML Title Tags Inbound
ET MALWARE Win32/Syndicasec Encoded Response Embedded in HTML Title Tags Inbound
ET MALWARE Win32/Unk.Coinminer Checkin
ET MALWARE Maldoc OneDrive Download Activity (GET)
ET MALWARE W32/Bingoml!tr CnC Activity
ET MALWARE Win32/Mingloa CnC Checkin
ET MALWARE Maldoc Checkin Activity (GET)
ET MALWARE Maldoc Checkin Activity (GET)
ET MALWARE Win32/PSW.WOW.NLZ CnC Activity
ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI
ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI
ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI
ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI
ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI
ET MALWARE MSIL/Small.FU Variant CnC Activity M1
ET MALWARE MSIL/Small.FU Variant CnC Activity M2
ET MALWARE MSIL/Small.FU Variant CnC Activity M3
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Win32/Vermilion Stager Activity (GET)
ET MALWARE Win32/Vermilion Stager Activity (GET)
ET MALWARE MSIL/Black Hat Worm Server Response
ET MALWARE Win32/GenKryptik.FKJZ CnC Exfil
ET MALWARE Sidewalk CnC Checkin
ET MALWARE Bladabindi/njrat CnC Checkin
ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Win32/Delf.OKR Variant CnC M1
ET MALWARE Win32/Delf.OKR Variant CnC M2
ET MALWARE Fake Software Download Redirect Leading to Malware M1
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE Fake Software Download Redirect Leading to Malware M2
ET MALWARE Fake Software Download Redirect Leading to Malware M3
ET MALWARE TransparentTribe Related CnC Activity
ET MALWARE Win32/Bisonal Backdoor CnC Domain in DNS Lookup
ET MALWARE Win32/Bisonal Backdoor CnC Activity (POST)
ET MALWARE OSX/ZuRu Activity (POST)
ET MALWARE Observed Elysium Stealer Domain (phonefix .bar in TLS SNI)
ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
ET MALWARE Gamaredon Maldoc Activity (GET)
ET MALWARE SQUIRRELWAFFLE Server Response
ET MALWARE Win32/Numando Banker CnC Activity
ET MALWARE Possible SQUIRRELWAFFLE Server Response
ET MALWARE APT/Bitter Related CnC Domain in DNS Lookup
ET MALWARE APT/Bitter Maldoc Activity
ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)
ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M1
ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M2
ET MALWARE NSIS/TrojanDownloader.Agent.NZK Server Response
ET MALWARE Observed Malicious SSL Cert (Cobalt Strike)
ET MALWARE GCleaner Downloader Activity M5
ET MALWARE MirrorBlast Checkin
ET MALWARE MSIL/Monitor.PCTattletale.A Checkin (POST)
ET MALWARE APT/FamousSparrow Activity (POST)
ET MALWARE APT/FamousSparrow CnC Domain in DNS Lookup (credits.offices-analytics .com)
ET MALWARE TinyTurla CnC Activity
ET MALWARE JS/Spy.Agent.AW Download
ET MALWARE MirrorBlast CnC Activity M2
ET MALWARE MirrorBlast CnC Activity M3
ET MALWARE Jupyter Stealer CnC Checkin

ET MALWARE Maldoc CnC Domain in DNS Lookup (r .significantbyte .com)
ET MALWARE Maldoc Domain in DNS Lookup (aljazeera .cc)
ET MALWARE Maldoc Sending Windows System Information (POST)
ET MALWARE Win32/Sabsik.FL.B!ml CnC Activity
ET MALWARE FoggyWeb Backdoor Incoming Request (GET)
ET MALWARE FoggyWeb Backdoor Incoming Request (POST)
ET MALWARE Possible FoggyWeb Backdoor Server Response
ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)
ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)
ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET)
ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)
ET MALWARE ReflectiveGnome Download Activity
ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET)
ET MALWARE Win32/Colibri Loader Activity
ET MALWARE Win32/AZORult V3.2 Client Checkin M22
ET MALWARE Win32/AZORult V3.2 Client Checkin M23
ET MALWARE Win32/AZORult V3.2 Client Checkin M24
ET MALWARE Win32/AZORult V3.3 Client Checkin M22
ET MALWARE Win32/AZORult V3.3 Client Checkin M23
ET MALWARE Win32/AZORult V3.3 Client Checkin M24
ET MALWARE Megalodon/Gomorrah/CosaNostra HTTP Bot CnC Exfil
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .me)
ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .site)
ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .info)
ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .website)
ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .xyz)
ET MALWARE S400 RAT Client Checkin
ET MALWARE S400 RAT Server Response
ET MALWARE S400 RAT Client Checkin via Discord
ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (newtrendmicro .com)
ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (centralgoogle .com)
ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (microsoft-support .net)
ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (cdn-chrome .com)
ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (mcafee-upgrade .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil
ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (JPEG)
ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (PNG)
ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (RIFF)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE ELF/MachO.Netwire Connectivity Check
ET MALWARE W32.Netwire Connectivity Check
ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI)
ET MALWARE MirrorBlast KiXtart Downloader Client Request
ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI)
ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securetourspd .com)
ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (secure-daddy .com)
ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (centr-security .com)
ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securemanag .com)
ET MALWARE Wintervivern Activity (GET)
ET MALWARE Wintervivern Activity M2 (GET)
ET MALWARE Wintervivern Retrieving Task
ET MALWARE Wintervivern Checkin
ET MALWARE Wintervivern Activity (GET) M3
ET MALWARE MirrorBlast KiXtart Downloader Server Response
ET MALWARE Observed DNS Query to Known PUA Host Domain
ET MALWARE Observed HTTP Request to Known PUA Host Domain
ET MALWARE Observed HTTP Request to Known PUA Host Domain
ET MALWARE Winter Vivern Retrieving Commands
ET MALWARE Wintervivern Activity M4 (GET)
ET MALWARE Wintervivern Activity M5 (GET)
ET MALWARE W32.Tomiris C2 (init)
ET MALWARE Observed Elysium Stealer Domain in TLS SNI (get-europe-group .bar)
ET MALWARE Observed Elysium Stealer Domain in TLS SNI (download-serv-234116 .xyz)
ET MALWARE Observed Elysium Stealer Domain in TLS SNI (manholi .xyz)
ET MALWARE Tordal/Hancitor/Chanitor Checkin
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (sharemanage .elwoodasset .xyz)
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dshellelink .gcloud-share .com)
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dev .sslsharecloud .net)
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (signverydn .sharebusiness .xyz)
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (gsheet .gdocsdown .com)
ET MALWARE MirrorBlast KiXtart Downloader Client Request M2
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (share .devprocloud .com)
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (product .onlinedoc .dev)
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (www .googlesheetpage .org)
ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI)
ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI)
ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI)
ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI)
ET MALWARE ESPecter Bootkit Initialization Activity (GET)
ET MALWARE DonotGroup APT DNS Lookup (bulk .fun)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE DonotGroup Related Domain in DNS Lookup (ppadoaolnwod .xyz)
ET MALWARE DonotGroup Related Domain in DNS Lookup (officeframework .online)
ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)
ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)

225 of 382 2024-03-01, 14:05
ET MALWARE DonotGroup Related Domain in DNS Lookup (mimeversion .top)
ET MALWARE Observed Malicious FIN12 Related SSL Cert (serviceswork .net)
ET MALWARE Android/AhMyth RAT Init Checkin
ET MALWARE Android/AhMyth RAT WebSocket Session
ET MALWARE Android/AhMyth RAT Command Inbound (Location Manager)
ET MALWARE Android/AhMyth RAT Command Inbound (Contacts Manager)
ET MALWARE Android/AhMyth RAT Command Inbound (SMS Manager)
ET MALWARE Android/AhMyth RAT Command Inbound (Call Manager)
ET MALWARE Android/AhMyth RAT Command Inbound (Files Manager)
ET MALWARE Android/AhMyth RAT Command Inbound (Camera Manager)
ET MALWARE Observed Lazarus Related Domain (docs .gsheetpage .com in TLS SNI)
ET MALWARE Observed Malicious FIN12 Related SSL Cert
ET MALWARE Observed FIN12 Related Cobalt Strike Domain (netrie .com in TLS SNI)
ET MALWARE Win32/Grimagent CnC Activity
ET MALWARE Observed FIN12 Related Domain (hdhuge .com in TLS SNI)
ET MALWARE FIN12 Related ICECANDLE/Cobalt Strike Activity (GET)
ET MALWARE FIN12 Related WHITEDAGGER/Cobalt Strike Beacon Activity (GET)
ET MALWARE FIN12 Related WEIRDLOOP/Cobalt Strike Beacon Activity (GET)
ET MALWARE Suspected Lazarus APT Related Activity (GET)
ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
ET MALWARE Win32/Agent.RTQ CnC Activity
ET MALWARE DCRAT Activity (GET)
ET MALWARE Win32/Limbozar Ransomware Activity (POST)
ET MALWARE Win32/MysterySnail RAT CnC Domain in DNS Lookup
ET MALWARE Interactsh Control Panel (DNS)
ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)
ET MALWARE Jasper URI Path Observed M1
ET MALWARE Jasper URI Path Observed M2
ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)
ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)
ET MALWARE IcedID CnC Domain in SSL/TLS SNI
ET MALWARE IcedID CnC Domain in SSL/TLS SNI
ET MALWARE IcedID CnC Domain in SSL/TLS SNI
ET MALWARE Win32/Agent.UHC CnC Activity
ET MALWARE W32/Witch.3FA0!tr CnC Actiivty M2
ET MALWARE ELF/FontOnLake Related CnC Domain in DNS Lookup (hm2 .yrnykx .com)
ET MALWARE Maldoc Activity (GET)
ET MALWARE Harvester Group Downloader Activity (GET)
ET MALWARE Win32/Backdoor.Graphon Checkin Activity (GET)
ET MALWARE [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement
ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)
ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)
ET MALWARE Trojan:Win32/Sabsik.FL.B!ml CnC Activity
ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1
ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2
ET MALWARE Win32/Remcos RAT Checkin 756
ET MALWARE Ousaban Banker Checkin M1
ET MALWARE Ousaban Banker Server Response M1
ET MALWARE Ousaban Banker Checkin M2
ET MALWARE Ousaban Banker Server Response M2
ET MALWARE Ousaban Banker KeepAlive
ET MALWARE Ousaban Banker KeepAlive Response
ET MALWARE Win32/WinDealer CnC Activity (Checkin)
ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (magento-plugin .com)
ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (cdn-cgi .net)
ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (trustdomains .net)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (liveupdatedriver .com)
ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (dnsnamefinder .com)
ET MALWARE Win32.Application.ThunderN.A Checkin
ET MALWARE TinyNuke VNC Checkin
ET MALWARE Observed CloudAtlas APT Related Domain (checklicensekey .com in TLS SNI)
ET MALWARE CloudAtlas APT Related CnC Domain in DNS Lookup (checklicensekey .com)
ET MALWARE Observed DonotGroup Maldoc Related Domain (digitalresolve .live in TLS SNI)
ET MALWARE CloudAtlas APT Maldoc Activity (GET)
ET MALWARE DonotGroup Maldoc Related Domain in DNS Lookup (digitalresolve .live)
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE Win32/Sabsik Config Downloader
ET MALWARE JsOutProx CnC Activity - Outbound
ET MALWARE JsOutProx CnC Activity - Inbound
ET MALWARE slock Ransomware CnC Activity
ET MALWARE Casbaneiro CnC Host Checkin M2
ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M1
ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M2
ET MALWARE Win32/Kryptik.HNBU CryptoMiner - GetTasks Request
ET MALWARE Win32/Kryptik.HNBU CryptoMiner - Report Request
ET MALWARE Win32/Small.NO Checkin
ET MALWARE Observed Cobalt Strike Related Domain (croperdate .com in TLS SNI)
ET MALWARE Observed Cobalt Strike Related Domain (kaslose .com in TLS SNI)
ET MALWARE Observed Cobalt Strike Related Domain (cdnwin .xyz in TLS SNI)
ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands)
ET MALWARE Win32/Agent.UWW Variant Activity (Sending System Information)
ET MALWARE Fake Google Chrome Notifications Installer
ET MALWARE Win32/Sabsik.FL.B!ml Checkin
ET MALWARE Go/PSW.Agent_AGen.A Data Exfil
ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com)
ET MALWARE Win32/CollectorStealer - Returning Client GeoIP Information
ET MALWARE Observed Win32/CollectorStealer User-Agent M2
ET MALWARE Observed Win32/CollectorStealer User-Agent M1
ET MALWARE Win32/CollectorStealer - Uploading System Information
ET MALWARE Win32/CollectorStealer CnC Exfil M3
ET MALWARE TA450 Nagual CnC Activity
ET MALWARE APT-C-59 Related Domain in DNS Lookup
ET MALWARE Downloaded .bat Disables Windows Defender
ET MALWARE Downloaded .bat Disables Real Time Monitoring
ET MALWARE Trojan-Dropper.MSIL CnC Traffic - GET
ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST
ET MALWARE Lazarus Related Maldoc Activity
ET MALWARE W32/Pterodo.CL CnC Checkin
ET MALWARE Win32/Pterodo.NG Checkin 2
ET MALWARE W32/Pterodo CnC Checkin
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE SolarMarker Backdoor Related Domain in DNS Lookup (noelfpar .com)
ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (bitsadmin .ddns .net)
ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (list-sert .ddns .net)
ET MALWARE Gamaredon/Armageddon CnC Activity (Sending Windows System Information)
ET MALWARE Gamaredon/Armageddon Activity (Retrieving Remote .dot)
ET MALWARE Datoploader Activity (GET)
ET MALWARE Malicious Cobalt Strike SSL Certificate (cloudflace-network .digital)
ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1
ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2
ET MALWARE RedLine - GetArguments Request
ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Beacon)
ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Download)
ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Upload)
ET MALWARE Lyceum Backdoor CnC Activity M1
ET MALWARE Lyceum Backdoor CnC Activity M2
ET MALWARE Lyceum Backdoor CnC Activity M3
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE LYCEUM CnC Domain in DNS Lookup
ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital)
ET MALWARE Malicious Cobalt Strike SSL Cert (asurecloud .tech)
ET MALWARE Observed Cobalt Strike Domain (asureupdate .tech in TLS SNI)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (asureupdate .pro)
ET MALWARE Downloaded Script Disables Firewall/Antivirus
ET MALWARE WBK Download from dotted-quad Host
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akastat .app)
ET MALWARE Observed Malicious Cobalt Strike SSL Cert (cdnengine .biz)
ET MALWARE Observed Cobalt Strike Related Domain (azurestat .app in TLS SNI)
ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech)
ET MALWARE Observed Malicious Cobalt Strike SSL Cert (setupfastonline .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akamalupdate .site)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akabox .tech)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com)
ET MALWARE LNK/Agent.GX CnC Traffic
ET MALWARE Jasper URI Path Observed M3
ET MALWARE Jasper URI Path Observed M4
ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)
ET MALWARE Parallax CnC Activity (set) M15
ET MALWARE Parallax CnC Response Activity M15
ET MALWARE Parallax CnC Activity (set) M16
ET MALWARE Parallax CnC Response Activity M16
ET MALWARE Observed StrongPity Domain (lurkingnet .com in TLS SNI)
ET MALWARE Observed StrongPity Domain (autoconfirmations .com in TLS SNI)
ET MALWARE Observed StrongPity Domain (singlefunctionapp .com in TLS SNI)
ET MALWARE Win32/Trojan.Nymeria CnC
ET MALWARE Observed Compromised Domain (cryptoarenastore .com in TLS SNI) (2021-11-12)
ET MALWARE Possible NGLite Backdoor C2 Traffic (NKN)
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M2
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M3
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M4
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M6
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M7
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9
ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10
ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19
ET MALWARE Observed Malicious SSL Cert (BitRAT)
ET MALWARE W32/Emotet CnC Beacon 3
ET MALWARE MalDoc Retrieving Payload 2021-06-15
ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (awsmcafee .com)
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M5
ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01
ET MALWARE Danabot Key Exchange Request
ET MALWARE Matanbuchus Loader CnC M1
ET MALWARE Matanbuchus Loader CnC M2
ET MALWARE Matanbuchus Loader CnC M3
ET MALWARE Matanbuchus Loader CnC M4
ET MALWARE Matanbuchus Loader Server Response
ET MALWARE Danabot Associated Activity (GET)
ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE ABCbot CnC Instruction (stop)
ET MALWARE ABCbot CnC Exfil
ET MALWARE ABCbot CnC Instruction (syn)
ET MALWARE ABCbot CnC Instruction (dns)
ET MALWARE ABCbot CnC Instruction (bigudp)
ET MALWARE Unattributed WebShell Access - File Upload
ET MALWARE Unattributed WebShell Access - Command Execution
ET MALWARE ELF/AbcBot CnC Checkin
ET MALWARE ELF/AbcBot Requesting Commands from CnC
ET MALWARE TA408 Related Activity (GET)
ET MALWARE lu0bot Loader HTTP Request M2
ET MALWARE lu0bot Loader HTTP Response M2
ET MALWARE Candiru Related Domain in DNS Lookup (llink .link)
ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .app)
ET MALWARE Candiru Related Domain in DNS Lookup (url-tiny .co)
ET MALWARE Candiru Related Domain in DNS Lookup (bitly .tel)
ET MALWARE Candiru Related Domain in DNS Lookup (instagrarn .co)
ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .space)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Dridex CnC Request - Spam/Worm Component
ET MALWARE Dridex CnC Returning Email Addresses - Possible Spam Module
ET MALWARE Dridex Dotted Quad CnC Request (flowbit set)
ET MALWARE W32/Snojan.BNQKZQH User-Agent
ET MALWARE W32/Snojan.BNQKZQH CnC Activity
ET MALWARE SideCopy Related Domain in DNS Lookup (securedesk .one)
ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (a .pwn-t .tk)
ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (zuppohealth .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Dridex CnC Request - Spam/Worm Component
ET MALWARE Win32/InfoTester Checkin
ET MALWARE DonotGroup Related Domain in DNS Lookup (wordfile .live)
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE Datoploader Activity M2 (GET)
ET MALWARE MSIL/Bobik CnC Traffic
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (checkauj .com)
ET MALWARE W32.DarkVNC Variant Checkin
ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stanculinaryblog .top in TLS SNI)
ET MALWARE Kimsuky Related Activity Sending Windows Information (POST)
ET MALWARE Chinotto CnC Activity (hello)
ET MALWARE Chinotto CnC Activity (command)
ET MALWARE Chinotto CnC Activity (result)
ET MALWARE Chinotto CnC Activity (file)
ET MALWARE Magecart Exfil Domain in DNS Lookup (convert-server .com)
ET MALWARE Sidewinder APT Maldoc Activity
ET MALWARE Lazarus APT Related Domain in DNS Lookup (ny .silvergatehr .com)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE SpyAgent C&C Activity (Request)
ET MALWARE SpyAgent C&C Activity (Response)
ET MALWARE AgentTesla Communicating with CnC Server
ET MALWARE Win64/Agent.NL Variant CnC Activity
ET MALWARE TA505 P2P CnC Checkin
ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afrepublic .xyz)
ET MALWARE Win32/Hancitor Checkin
ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (newsroom247 .xyz)
ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afghannewsnetwork .com)
ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (republicofaf .xyz)
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup
ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup
ET MALWARE Maldoc Activity (set)
ET MALWARE Maldoc Retrieving Binary
ET MALWARE APT15/NICKEL KETRUM CnC Activity (POST)
ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M3
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Keep Alive
ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response M2
ET MALWARE APT15/NICKEL Related CnC Activity (POST)
ET MALWARE Cobalt Strike Beacon Activity (GET)
ET MALWARE Ransomware.Hidden-Tear Variant CnC Checkin
ET MALWARE Win32/Gasti.tm Checkin Activity
ET MALWARE Maldoc Retrieving Remote Template (GET)
ET MALWARE SideCopy APT Related Activity (GET)
ET MALWARE Linux/Tsunami Downloader
ET MALWARE Linux/Tsunami Remote Shell M1
ET MALWARE Linux/Tsunami Downloader
ET MALWARE Linux/Tsunami Remote Shell M2
ET MALWARE Kimsuky Related Domain in DNS Lookup
ET MALWARE Kimsuky Related Domain in DNS Lookup
ET MALWARE Kimsuky Related FTP File Download
ET MALWARE Kimsuky Related CnC Activity
ET MALWARE Kimsuky Related CnC Activity
ET MALWARE Kimsuky Related Malicious VBScript Inbound M3
ET MALWARE Kimsuky Related Malicious VBScript Inbound M4
ET MALWARE Kimsuky Related CnC Activity
ET MALWARE Possible Kimsuky Related Malicious VBScript
ET MALWARE Kimsuky Related CnC Activity
ET MALWARE MSIL/Khonsri Ransomware CnC Activity
ET MALWARE Cobalt Strike Related Domain in DNS Lookup
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (bqtconsulting .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .carelessnessing .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .weekendorg .com)
ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .aexhausts .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (news .networkslaoupdate .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (koltary .com)
ET MALWARE lu0bot Loader HTTP Request M3
ET MALWARE DCRat CnC Activity M11
ET MALWARE DCRat CnC Activity M12
ET MALWARE DCRat CnC Activity M13
ET MALWARE ELF/Muhstik Botnet CnC Activity
ET MALWARE ELF/Mirai Botnet CnC Activity
ET MALWARE Win32/DarkWatchman Checkin Activity (POST)
ET MALWARE Octopus Backdoor Related Domain in DNS Lookup
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (gawocag .com)
ET MALWARE Win32/BazarLoader Activity (GET)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hiduwu .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Phorpiex Botnet Downloader Activity (GET)
ET MALWARE Phorpiex Botnet Downloader Activity (GET)
ET MALWARE Phorpiex Botnet Downloader Activity (GET)
ET MALWARE Phorpiex Botnet Downloader Activity (GET)
ET MALWARE Phorpiex Botnet Downloader Activity (GET)
ET MALWARE Phorpiex Botnet Downloader Activity (GET)
ET MALWARE MageCart Skimmer Domain in DNS Lookup (bootstrap2 .xyz)
ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
ET MALWARE OWOWA Stealer CnC Domain in DNS Lookup
ET MALWARE Andariel Backdoor Activity (Checkin)
ET MALWARE Kimsuky Related Maldoc Retrieving Template (GET)
ET MALWARE MuddyWater APT Related Maldoc Checkin M1
ET MALWARE Suspected MuddyWater Related CnC Activity
ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
ET MALWARE Win32/X-Files Stealer Activity
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Konni Group CnC Domain in DNS Lookup
ET MALWARE Konni Group CnC Domain in DNS Lookup
ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1
ET MALWARE Konni Group CnC Domain in DNS Lookup
ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1
ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M1
ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup
ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M2
ET MALWARE PurpleFox Backdoor/Rootkit Download Request M2
ET MALWARE PurpleFox Backdoor/Rootkit Checkin
ET MALWARE Maldoc Retrieving Remote Template (GET)
ET MALWARE APT/Bitter Related Checkin Activity (GET)
ET MALWARE APT/Sidewinder CnC Domain in DNS Lookup (afcat .xyz)
ET MALWARE APT/Donot Group CnC Domain in DNS Lookup (request .soundedge .live)
ET MALWARE APT/Donot Group Checkin Activity (GET)
ET MALWARE Quasar CnC Domain in DNS Lookup
ET MALWARE Quasar CnC Domain in DNS Lookup
ET MALWARE Win32/Emotet HTML Template Response
ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)
ET MALWARE TA453 Related CnC Domain in DNS Lookup (0standavalue0 .xyz)
ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)
ET MALWARE TA453 Related CnC Domain in DNS Lookup (0storageatools0 .xyz)
ET MALWARE TA453 Related CnC Domain in DNS Lookup (0brandaeyes0 .xyz)
ET MALWARE TA453 Related Activity (POST)
ET MALWARE TA453 Related Activity (FTP)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jersydok .com)
ET MALWARE Zloader Related Download Activity (GET)
ET MALWARE Win32/Delf.TJJ Variant CnC Activity
ET MALWARE TellYouThePass Ransomware Checkin Activity (GET)
ET MALWARE APT/Bitter Related CnC Activity
ET MALWARE Maldoc Retrieving Additional Resources (GET)
ET MALWARE Possible Pegasus Related DNS Lookup (mobile-analytics .netweb-cloud-services .com)
ET MALWARE Possible Pegasus Related DNS Lookup (solo-hoy .com)
ET MALWARE Possible Pegasus Related DNS Lookup (deportes24-7 .com)
ET MALWARE Observed DNS Query to Pegasus Domain
ET MALWARE Possible Win32/SysJoker Retrieving CnC Information (GET)
ET MALWARE Observed DNS Query to Pegasus Domain
ET MALWARE SysJoker Dropper Related Domain in DNS Lookup (github .url-mini .com)
ET MALWARE SysJoker Related Domain in DNS Lookup (bookitlab .tech)
ET MALWARE SysJoker Related Domain in DNS Lookup (graphic-updater .com)
ET MALWARE SysJoker Related Domain in DNS Lookup (office360-update .com)
ET MALWARE SysJoker Related Domain in DNS Lookup (winaudio-tools .com)
ET MALWARE Win32/Small.NQT!tr CnC Activity
ET MALWARE Kimsuky APT Related Domain in DNS Lookup (gooeglle .mypressonline .com)
ET MALWARE OceanLotus APT Related Domain in DNS Lookup (confusion-cerulean-samba .glitch .me)
ET MALWARE Powershell Octopus Backdoor Sending System Information (POST)
ET MALWARE Win32/Injector.DSQR CnC Activity (POST)
ET MALWARE Powershell Octopus Backdoor Activity (POST)
ET MALWARE Powershell Octopus Backdoor Activity (GET)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (lm-career .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Donot APT Related Domain in DNS Lookup (printerjobs .xyz)
ET MALWARE Donot APT Related Domain in DNS Lookup (seasonsbackup .xyz)
ET MALWARE Donot APT Related Domain in DNS Lookup (submitonline .club)
ET MALWARE Win32/Suspected Reverse Shell Connection
ET MALWARE Donot APT Related Domain in DNS Lookup (oceansurvey .club)
ET MALWARE MSIL/Injector.VVP Downloader Activity M1
ET MALWARE Donot APT Related Domain in DNS Lookup (dataupdates .live)
ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (kinopoisksu .com)
ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (glbaitech .com)
ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (m .necemarket .com)
ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (holdmem .dbhubspi .com)
ET MALWARE Lazarus APT Maldoc Related Domain in DNS Lookup (markettrendingcenter .com)
ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
ET MALWARE W32/Witch.3FA0!tr CnC Activity M3
ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST)
ET MALWARE Win32/Spark Backdoor Related Domain in DNS Lookup (bundanesia .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (portal .gfinanzen .net)
ET MALWARE Suspected APT28 Related Domain in DNS Lookup (wordkeyvpload .net)
ET MALWARE Suspected APT28 Related Domain in DNS Lookup (jimbeam .live)
ET MALWARE Suspected APT28 Related Domain in DNS Lookup
ET MALWARE Maldoc Activity (GET)
ET MALWARE DazzleSpy Related Domain in DNS Lookup
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 109
ET MALWARE DazzleSpy Related Domain in DNS Lookup
ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded
ET MALWARE Win32/ClipBanker.OC CnC Activity M1
ET MALWARE Win32/ClipBanker.OC CnC Activity M2
ET MALWARE Win32/GrandaMisha Sending System Information (POST)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (yourblogcenter .com)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (allinfostudio .com)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (docusign .agency)
ET MALWARE PowerShell Script Downloading Emotet DLL
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
ET MALWARE Win32.SpyEyes.bllw CnC Exfil
ET MALWARE Gamaredon MalDoc CnC Exfil
ET MALWARE VBS/Dojos Downloader Activity M2
ET MALWARE StrifeWater Rat CnC Activity
ET MALWARE Gamaredon Related VBS Activity (GET)
ET MALWARE StrifeWater RAT CnC Activity M2
ET MALWARE Win32/Variant.Zusy.402698 Checkin
ET MALWARE Emotet Post Drop C2 Comms
ET MALWARE Likely Geodo/Emotet Downloading PE
ET MALWARE Likely Geodo/Emotet Downloading PE - Fake UA
ET MALWARE Likely Geodo/Emotet CnC Beacon
ET MALWARE W32/Emotet Empty CnC Beacon
ET MALWARE W32/Emotet.v4 Checkin
ET MALWARE W32/Emotet.v4 Checkin 2
ET MALWARE Emotet Post Drop C2 Comms M2
ET MALWARE W32/Emotet.v4 Checkin 3
ET MALWARE IcedID/Emotet Certificate Observed M1
ET MALWARE W32/Emotet CnC Checkin
ET MALWARE Win32/Emotet CnC Checkin (POST)
ET MALWARE Win32/Emotet CnC Checkin Response
ET MALWARE Win32/Emotet CnC Activity (POST)
ET MALWARE Win32/Emotet CnC Activity (POST) M2
ET MALWARE Win32/Spy.Agent.POX Variant CnC
ET MALWARE Win32/Emotet CnC Activity (POST) M3
ET MALWARE Win32/Emotet CnC Activity (POST) M4
ET MALWARE Evil PDF Retrieving Emotet Payload
ET MALWARE Group 21 Payload CnC Checkin
ET MALWARE W32.Geodo/Emotet Checkin Fake 404 Response
ET MALWARE Emotet Certificate Observed M2
ET MALWARE Office Macro Emotet Download URI Nov 24 2021
ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response
ET MALWARE Parallax CnC Activity M17 (set)
ET MALWARE Parallax CnC Response Activity M17
ET MALWARE Subterranean Security Domain in DNS Lookup
ET MALWARE Subterranean Crimson Rat - GetInfo Command
ET MALWARE Subterranean Crimson Rat - AssignID Command
ET MALWARE Subterranean Crimson Rat - FileManager pwd Command
ET MALWARE Subterranean Crimson Rat - FileManager List Command
ET MALWARE Subterranean Crimson Rat - GetClientLog Command
ET MALWARE Subterranean Crimson Rat - Client Traffic
ET MALWARE Emotet CnC Beacon
ET MALWARE Win32/Emotet CnC Activity (POST) M9
ET MALWARE Arid Viper APT Related Domain in DNS Lookup (deangelomcnay .news)
ET MALWARE Win32/Emotet CnC Activity (POST) M11
ET MALWARE Arid Viper APT Related Domain in DNS Lookup (earlahenry .com)
ET MALWARE Arid Viper APT Related Domain in DNS Lookup (nicholasuhl .website)
ET MALWARE Arid Viper APT Related Domain in DNS Lookup (cooperron .me)
ET MALWARE Arid Viper APT Related Domain in DNS Lookup (dorothymambrose .live)
ET MALWARE Arid Viper APT Related Domain in DNS Lookup (juliansturgill .info)
ET MALWARE MacOS/UpdateAgent.A CnC Activity M1
ET MALWARE MacOS/UpdateAgent.A CnC Activity M2
ET MALWARE SManager Backdoor Domain in DNS Lookup
ET MALWARE SManager Backdoor Domain in DNS Lookup
ET MALWARE TinyNuke VNC Checkin M2
ET MALWARE TinyNuke VNC Checkin M3
ET MALWARE Suspected Win32/Hancitor Checkin
ET MALWARE Win32/Trojan.Agent.FSTT CnC Activity
ET MALWARE Win32/Pteranodon CnC Exfil (POST)
ET MALWARE Win32/Colibri Loader Activity M2
ET MALWARE Win32/Colibri Loader Activity M3
ET MALWARE TA402/Molerats CnC Checkin
ET MALWARE TA402/Molerats Payload Downloaded
ET MALWARE Observed Lazarus APT Related Domain (designautocad .org in TLS SNI)
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (designautocad .org)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Win32/Pteranodon CnC Exfil (POST) M2
ET MALWARE TA402/Molerats CnC Activity
ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup
ET MALWARE TA402/Molerats External IP Lookup Activity
ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (sdilok .com)
ET MALWARE Observed Cobalt Strike Related Domain (world .healthamericacu .com in TLS SNI)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (world .healthamericacu .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Observed ZLoader Related Domain (lkjhgfgsdshja .com in TLS SNI)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Maldoc Domain in DNS Lookup (travelcrimea .info)
ET MALWARE Observed Maldoc Domain (travelcrimea .info in TLS SNI)
ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapptech .com)
ET MALWARE Observed DangerousPassword APT Related Domain (shopapptech .com in TLS SNI)
ET MALWARE Observed DangerousPassword APT Related Domain (shopapppro .com in TLS SNI)
ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapppro .com)
ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (www .datacentre .center)
ET MALWARE Observed DangerousPassword APT Related Domain (datacentre .center in TLS SNI)
ET MALWARE sLoad Related CnC Domain in DNS Lookup (angedionisu .eu)
ET MALWARE Observed sLoad Related Domain (angedionisu .eu in TLS SNI)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Redline Stealer Related Domain in DNS Lookup (windows-upgraded .com)
ET MALWARE Gamaredon CnC Domain in DNS Lookup
ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)
ET MALWARE Win32/PrivateLoader Related Activity (GET)
ET MALWARE Win32.Raccoon Stealer Checkin M6
ET MALWARE Win32.Raccoon Stealer Checkin Response M4
ET MALWARE Win32.Raccoon Stealer Checkin Response M5
ET MALWARE Bitter APT Activity (GET)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ledikexive .com)
ET MALWARE Go/Anubis Registration Activity
ET MALWARE Go/Anubis CnC Activity (POST)
ET MALWARE Win32/DarkWatchman Activity (POST)
ET MALWARE Suspected RULER.Hacktool HTML Payload
ET MALWARE Win32/Spy.Socelars.S CnC Activity M4 (GET)
ET MALWARE Suspicious Domain (judgebryantweekes .com) in TLS SNI
ET MALWARE Suspicious Domain (lawyeryouwant .com) in TLS SNI
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (doc .filesaves .cloud)
ET MALWARE Kimsuky APT Related Activity (GET)
ET MALWARE Moses Staff APT Related Domain in DNS Lookup (techzenspace .com)
ET MALWARE MSIL/GenKryptik.FQRH Download Request
ET MALWARE MosesStaff APT Related Activity (POST)
ET MALWARE Win32/QuasarRAT CnC Traffic
ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M2
ET MALWARE Win32/Pterodo Activity (POST)
ET MALWARE Win32/Pterodo Activity (POST)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Win32/Trojan.Valyria.6015 CnC Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)

231 of 382 2024-03-01, 14:05


ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (tobaccosafe .xyz)
ET MALWARE Gamaredon Maldoc Activity (GET)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (font .backuplogs .xyz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (srvrfontsdrive .xyz)
ET MALWARE JS/TrojanDownloader.Agent.TXV CnC Activity
ET MALWARE ReverseRat 2.0 CnC Checkin M2
ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .cc)
ET MALWARE APT10 Related Domain in DNS Lookup (08mma .com)
ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .top)
ET MALWARE APT10 Related Domain in DNS Lookup (3mmlq .com)
ET MALWARE APT10 Related Domain in DNS Lookup (7cnbo .com)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Buhtrap SourSnack Domain in DNS Lookup (widget .forum-pokemon .com)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Gamaredon APT Related Activity (POST)
ET MALWARE Malicious lnk Downloader Activity (GET)
ET MALWARE Malicious Downloader Activity (GET)
ET MALWARE Suspected PlugX Checkin Activity (GET)
ET MALWARE PurpleFox Backdoor Related Domain in DNS Lookup (qq .c1c .ren)
ET MALWARE PlugX Activity (POST)
ET MALWARE Suspected PlugX Checkin Activity (udp)
ET MALWARE Win32/Pterodo CnC Activity (GET)
ET MALWARE Win32/Pterodo CnC Activity (POST)
ET MALWARE Win32/Pterodo CnC Activity (POST)
ET MALWARE Win32/Pterodo CnC Activity (POST)
ET MALWARE Win32/PurpleFox Related Activity (GET)
ET MALWARE Win32/Trickbot Data Exfiltration M2
ET MALWARE Win32/Trickbot Data Exfiltration M3
ET MALWARE Win32/Trickbot Data Exfiltration M4
ET MALWARE SunSeed Lua Downloader Activity (GET)
ET MALWARE SunSeed Downloader Retrieving Binary (set)
ET MALWARE SunSeed Download Retrieving Binary
ET MALWARE Gamaredon APT Maldoc Related Activity (POST)
ET MALWARE MuddyWater APT Related Telegram Activity
ET MALWARE Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Microsoft Edge_)
ET MALWARE Win32/Backdoor.Daxin CnC Activity
ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Kimsuky APT BabyShark/SHARPEXT Related Domain in DNS Lookup (worldinfocontact .club)
ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Observed DangerousPassword APT Related Domain (cop .osonlines .co in TLS SNI)
ET MALWARE Cobalt Strike Activity (POST)
ET MALWARE DangerousPassword APT Related Domain in DNS Lookup
ET MALWARE Win32/PurpleFox Related Domain in DNS Lookup
ET MALWARE Win32/PurpleFox Retrieving File (GET)
ET MALWARE Win32/PlugX Related Domain in DNS Lookup
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jaxebiridi .com)
ET MALWARE Win32/BumbleBee Loader Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Win32/Pterodo Activity (POST)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Win32/Arkei Stealer CnC Checkin (POST)
ET MALWARE Win32/Arkei Stealer CnC Checkin (GET)
ET MALWARE TA402/Molerats Related Domain in DNS Lookup
ET MALWARE TA402/Molerats Related Domain in DNS Lookup
ET MALWARE MSIL/BlackGuard Stealer Variant Exfil via Telegram
ET MALWARE MSIL/BlackGuard Stealer Exfil Activity
ET MALWARE SystemBC Powershell bot registration
ET MALWARE TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online)
ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2
ET MALWARE TA450 Nagual/STARWHALE GoLang Beacon Activity (POST)
ET MALWARE TA450 Nagual/STARWHALE Beacon Activity (POST)
ET MALWARE TA450 GRAMDOOR Telegram CnC Activity (POST)
ET MALWARE TransparentTribe CnC Domain in DNS Lookup
ET MALWARE SoulSearcher Malware Domain in DNS Lookup (gmy .cimadlicks .net)
ET MALWARE TransparentTribe CnC Domain in DNS Lookup
ET MALWARE SoulSearcher Malware Domain in DNS Lookup (community .weblives .net)
ET MALWARE SoulSearcher Malware Domain in DNS Lookup (app .tomelife .com)
ET MALWARE SoulSearcher Checkin M1
ET MALWARE SoulSearcher Checkin M2
ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB2 (NT Create AndX Request)
ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M1
ET MALWARE Win32/Pripyat Activity (POST)
ET MALWARE Win32/ArmyOfUkraine Bot Activity
ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB1 (NT Create AndX Request)
ET MALWARE HermeticWizard - File Copy via SMB
ET MALWARE MuddyWater APT Related Activity (POST)
ET MALWARE MuddyWater APT Related Activity (GET)
ET MALWARE HermeticWizard - SMB Spreader - Remote Process Creation
ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2
ET MALWARE HermeticWizard - SMB Spreader - File Copy via SMB1 (NT Create AndX Request)
ET MALWARE Win32/Remcos RAT Checkin 781
ET MALWARE APT41 KEYPLUG Related Domain in DNS Lookup
ET MALWARE Successful Cobalt Strike Shellcode Download (x32)
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M2
ET MALWARE Kimsuky Related Host Data Exfil M3
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup (tvasahi .online)
ET MALWARE Win32/Webdor.NAC Variant CnC Activity
ET MALWARE Linux/B1txor20 Backdoor Related Domain in DNS Lookup
ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup

ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M1
ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M2
ET MALWARE Observed TA471/UNC2589 Go Downloader User-Agent (-hobot-)
ET MALWARE Observed Cobalt Strike CnC Domain in DNS Lookup (nirsoft .me)
ET MALWARE Observed Cobalt Stike CnC Domain (nirsoft .me in TLS SNI)
ET MALWARE Win32/44Caliber Stealer Discord Activity (POST)
ET MALWARE Win32/PlugX Related Activity
ET MALWARE SideCopy APT MargulasRAT Related Activity
ET MALWARE rat-test CnC Response
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Loki Locker Ransomware CnC Activity
ET MALWARE Loki Locker Ransomware User-Agent
ET MALWARE Loki Locker Ransomware Server Response (Public Key) M1
ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup
ET MALWARE Loki Locker Ransomware Server Response (Public Key) M2
ET MALWARE Sidewinder APT Related Domain in DNS Lookup
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE VNCStartServer USR Variant CnC Beacon
ET MALWARE VNCStartServer BOT Variant CnC Beacon
ET MALWARE Win32/Qbot CnC Activity M2
ET MALWARE Linux/B1txor20 Backdoor Connectivity Check
ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M1
ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M2
ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M3
ET MALWARE Observed Qbot Style SSL Certificate
ET MALWARE TA471/UNC2589 Related Activity (GET)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (runfs .icu)
ET MALWARE Bitter APT Backdoor Related Activity
ET MALWARE DonotGroup Pult Downloader Activity (POST)
ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil
ET MALWARE StrongPity Host Checkin
ET MALWARE AllaKore RAT CnC Checkin M1
ET MALWARE AllaKore RAT Set Keep-Alive Observed
ET MALWARE AllaKore RAT ID Command Observed
ET MALWARE Lazarus APT Related Maldoc Activity (GET)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Arid Gopher Related Domain in DNS Lookup (grace-fraser .site)
ET MALWARE Cobalt Strike Related Activity (POST)
ET MALWARE Arid Gopher Related Domain in DNS Lookup (pam-beesly .site)
ET MALWARE Arid Gopher Related Domain in DNS Lookup (mozelllittel .com)
ET MALWARE Suspected Mustang Panda APT Related Activity (GET)
ET MALWARE Mustang Panda APT Related Activity (GET)
ET MALWARE StrongPity APT Related Domain in DNS Lookup (sessionprotocol .com)
ET MALWARE Arid Gopher Related User-Agent (aimxxhwpcc)
ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (product2020 .mrbasic .com)
ET MALWARE Sidecopy APT Backdoor Related Activity (POST)
ET MALWARE Sidecopy APT Backdoor Related Domain in DNS Lookup (kokotech .xyz)
ET MALWARE Win32/Pterodo Activity (POST)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Kimsuky APT Related Host Data Exfil M4
ET MALWARE ConPtyShell Client Response
ET MALWARE ConPtyShell Server Command (whoami)
ET MALWARE ConPtyShell Server Close Shell
ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Checkin
ET MALWARE Nobelium APT Related Domain in DNS Lookup (theskoolieblog .com)
ET MALWARE Generic AsyncRAT Style SSL Cert
ET MALWARE Nobelium APT Related Domain in DNS Lookup (ernesttheskoolie .com)
ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound)
ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound)
ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound)
ET MALWARE Observed GhostWriter APT Related Cobalt Strike Domain (ao3 .hmgo .pw in TLS SNI)
ET MALWARE GhostWriter APT Related Cobalt Strike Domain in DNS Lookup (hmgo .pw)
ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain
ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET)
ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch
ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
ET MALWARE FIN7 JSSLoader Activity (GET)
ET MALWARE FIN7 JSSLoader Activity (POST)
ET MALWARE FIN7 JSSLoader Related Domain in DNS Lookup
ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com)
ET MALWARE Kimsuky APT Related Host Data Exfil M5
ET MALWARE Win32/SodaMaster domain observed in TLS SNI (www. rare-coisns. com)
ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M1
ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M3
ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M2
ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M4
ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET)
ET MALWARE TransparentTribe APT Related Activity (POST)
ET MALWARE TransparentTribe APT Related Backdoor Activity
ET MALWARE PlugX Related Domain in DNS Lookup (ntpserver .xyz)
ET MALWARE PlugX Related Domain in DNS Lookup (cxks8 .com)
ET MALWARE Win32/Farfli.CUY KeepAlive M1
ET MALWARE Win32/Backdoor Checkin (POST)
ET MALWARE Win32/Backdoor Retrieving Task (POST)
ET MALWARE Win32/Backdoor Sending Task Status (POST)
ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)
ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI)
ET MALWARE Win32/Warzone RAT Variant CnC Domain in DNS Lookup (dost .igov-service .net)
ET MALWARE Meterpreter or Other Reverse Shell SSL Cert

ET MALWARE Cobalt Strike Related Domain in DNS Lookup (wikipedia-book .vote)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)
ET MALWARE Trojan.Verblecon User Agent Observed
ET MALWARE Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)
ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)
ET MALWARE Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)
ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)
ET MALWARE Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)
ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software)
ET MALWARE Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)
ET MALWARE MSIL/Lightning Stealer Exfil Activity
ET MALWARE Observed MSIL/Lightning Stealer Domain (panelss .xyz in TLS SNI)
ET MALWARE MustangPanda APT Dropper Activity (POST)
ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)
ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)
ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)
ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)
ET MALWARE Win32/Eternity Stealer Activity (POST)
ET MALWARE Win32/PlugX/Talisman Activity (POST)
ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1
ET MALWARE Win32/Killav.CM CnC Response
ET MALWARE Win32/Killav.CM Checkin M2
ET MALWARE MSIL/Unk.CoinMiner Downloader
ET MALWARE Deep Panda Downloader User-Agent (mozilla_horizon) GET request observed
ET MALWARE Win32/WindowsDefender Bypass Download Request
ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com)
ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com)
ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com)
ET MALWARE Deep Panda CnC Check-In
ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com)
ET MALWARE Observed BlackGuard_v2 Domain (win .mirtonewbacker .com) in TLS SNI
ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru)
ET MALWARE Observed BlackGuard_v2 Domain (umpulumpu .ru) in TLS SNI
ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop)
ET MALWARE Observed BlackGuard_v2 Domain (greenblguard .shop) in TLS SNI
ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)
ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI
ET MALWARE BlackGuard_v2 Data Exfiltration Observed
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Observed DNS Query to POWERPLANT Domain
ET MALWARE Win32/POWERPLANT CnC Exfil (Query)
ET MALWARE Win32/POWERPLANT CnC Exfil (INIT)
ET MALWARE Observed DNS Query to LOADOUT Domain
ET MALWARE Observed DNS Query to LOADOUT Domain
ET MALWARE Observed DNS Query to LOADOUT Domain
ET MALWARE Observed DNS Query to LOADOUT Domain
ET MALWARE Win32/LOADOUT CnC Activity
ET MALWARE ELF/Mirai Variant UA Inbound (b3astmode)
ET MALWARE ELF/Mirai Variant UA Outbound (b3astmode)
ET MALWARE Win32/Agent.USB Variant CnC Activity
ET MALWARE MSIL/Unk.CoinMiner Downloader
ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)
ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)
ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M2
ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)
ET MALWARE Android Infostealer CnC Check-In
ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com)
ET MALWARE Spytector Domain (mail .spytector .com) in TLS SNI
ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com)
ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com)
ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com)
ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net)
ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net)
ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net)
ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com)
ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com)
ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com)
ET MALWARE Win32/FFDroider CnC Activity
ET MALWARE TA455 CnC Domain in DNS Lookup
ET MALWARE TA455 CnC Domain in DNS Lookup
ET MALWARE Win32/FFDroider CnC Activity M2
ET MALWARE TA455 Related CnC Domain in DNS Lookup
ET MALWARE TA455 Related CnC Domain in DNS Lookup
ET MALWARE TA455 Related CnC Domain in DNS Lookup
ET MALWARE TA455 Related CnC Domain in DNS Lookup
ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com)
ET MALWARE Observed DNS Query to TA455 Domain (enerflex .org)
ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com)
ET MALWARE Observed DNS Query to TA455 Domain (alharbitelecom .co)
ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co)
ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com)
ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co)
ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me)

ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com)
ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com)
ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net)
ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org)
ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com)
ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net)
ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net)
ET MALWARE Observed DNS Query to TA455 Domain (linkedinz .me)
ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co)
ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info)
ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live)
ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in)
ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live)
ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org)
ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com)
ET MALWARE Observed DNS Query to TA455 Domain (saipem .org)
ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com)
ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com)
ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co)
ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co)
ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me)
ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com)
ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in)
ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com)
ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info)
ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com)
ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com)
ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net)
ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net)
ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co)
ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org)
ET MALWARE Observed DNS Query to TA455 Domain (freechess .live)
ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org)
ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com)
ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net)
ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com)
ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online)
ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com)
ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online)
ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org)
ET MALWARE Observed DNS Query to TA455 Domain (googleupdate .co)
ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net)
ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net)
ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net)
ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com)
ET MALWARE Observed DNS Query to TA455 Domain (getadobe .net)
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Pegasus Domain in DNS Lookup
ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI
ET MALWARE Vidar Stealer CnC Domain in DNS Lookup
ET MALWARE Observed DNS Query to Winnti Domain
ET MALWARE Observed DNS Query to Winnti Domain
ET MALWARE Win32/Farfli.CUY CnC Server Response
ET MALWARE Win32/Farfli.CUY KeepAlive M2
ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1
ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2
ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3
ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M2
ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2
ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M1
ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon
ET MALWARE NetSupport RAT with System Information
ET MALWARE Observed SocGholish Domain in TLS SNI
ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co)
ET MALWARE Snatch Ransomware Checkin (POST)
ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1
ET MALWARE Win32/Farfli.CUY Downloader

ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M2
ET MALWARE MSIL/Crimson CnC Server Command (info) M1
ET MALWARE MSIL/Crimson Receiving Command (ping) M1
ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (ebook .port25 .biz)
ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (mert .my03 .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (mail .igov-service .net)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Observed Cobalt Strike Related Domain (mail .igov-service .net in TLS SNI)
ET MALWARE TransparentTribe APT Related Activity (POST)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com)
ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com)
ET MALWARE Fodcha Bot CnC Checkin
ET MALWARE Fodcha Bot CnC Client Heartbeat
ET MALWARE Fodcha Bot CnC Heartbeat Response
ET MALWARE Observed DNS Query to Fodcha Bot Domain
ET MALWARE Observed DNS Query to Fodcha Bot Domain
ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain
ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain
ET MALWARE VBS/Agent.PUK Data Exfiltration Request M1
ET MALWARE VBS/Agent.PUK Data Exfiltration Request M2
ET MALWARE Lyceum Golang HTTP Backdoor Connectivity Check
ET MALWARE Lyceum Golang HTTP Backdoor CnC Checkin
ET MALWARE Lyceum Golang HTTP Backdoor Requesting Commands
ET MALWARE Lyceum Golang HTTP Backdoor Submitting Data to CnC
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE EvilNominatus Ransomware Related Domain in DNS Lookup
ET MALWARE Malicious VBS Sending System Information (POST)
ET MALWARE Possible Gamaredon APT Related Malicious Shortcut Activity (GET)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Observed DNS Query to ShadowPad Domain (supership .dynv6 .net)
ET MALWARE Observed DNS Query to ShadowPad Domain (greatsong .soundcast .me)
ET MALWARE Observed DNS Query to ShadowPad Domain (supermarket .ownip .net)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Observed DNS Query to Hilal RAT Domain (signin .dedyn .io)
ET MALWARE Observed DNS Query to Hilal RAT Domain (bnt2 .live)
ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io)
ET MALWARE Observed DNS Query to Hilal RAT Domain (market .vinam .me)
ET MALWARE Observed DNS Query to Hilal RAT Domain (market .dedyn .io)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hojimizeg .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (notixow .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (rewujisaf .com)
ET MALWARE MSIL/Crimson Rat CnC Exfil
ET MALWARE MSIL/Crimson Rat CnC Server Response
ET MALWARE MSIL/Crimson CnC Server Command (info) M3
ET MALWARE MSIL/Crimson Client Command Response (info)
ET MALWARE Matrix Max Stealer Exfiltration Observed
ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed
ET MALWARE Observed Blackguard_v3.5 Domain (ritmflow .online) in TLS SNI
ET MALWARE Blackguard_v3.5 Domain in DNS Lookup (ritmflow .online)
ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
ET MALWARE Zingo/GinzoStealer Data Exfiltration M2
ET MALWARE Zingo/GinzoStealer Downloading Additional Payloads
ET MALWARE Suspected TA404 APT Related Activity M1
ET MALWARE Suspected TA404 APT Related Activity M2
ET MALWARE DPRK APT Related Domain in DNS Lookup (dafom .dev)
ET MALWARE DPRK APT Related Domain in DNS Lookup (tokenais .com)
ET MALWARE DPRK APT Related Domain in DNS Lookup (cryptais .com)
ET MALWARE DPRK APT Related Domain in DNS Lookup (alticgo .com)
ET MALWARE DPRK APT Related Domain in DNS Lookup (esilet .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (vasepinay .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dixavokij .com)
ET MALWARE Win32/TrojanDownloader.Agent.RFS Variant Checkin
ET MALWARE DPRK APT Related Maldoc Activity (POST)
ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club)
ET MALWARE DPRK APT Related Maldoc Activity (POST) M2
ET MALWARE Win32/STEALBIT Data Exfiltration Tool Activity (PUT)
ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin
ET MALWARE Cobalt Strike X-Client Header (notevil)
ET MALWARE MSIL/Crimson Receiving Command (dirs list)
ET MALWARE MSIL/Crimson Receiving Command (folders list)
ET MALWARE MSIL/Crimson Receiving Command (files list)
ET MALWARE MSIL/Crimson Receiving Command (getavs)
ET MALWARE MSIL/CrimsonRAT Activity (POST)
ET MALWARE Win32/Shuckworm CnC Exfil M1
ET MALWARE Win32/Shuckworm CnC Exfil M2

ET MALWARE Win32/Pterodo CnC VNC Connect Request
ET MALWARE Win32/ChromeBack Extention Payload Fetch
ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection
ET MALWARE Win32/ChromeBack CnC Checkin
ET MALWARE Win32/ChromeBack Browser Hijacker Sync
ET MALWARE Win32/ChromeBack Browser Hijacker Home Beacon
ET MALWARE Win32/ChromeBack Browser Hijacker (getAd)
ET MALWARE Kratos Silent Miner Checkin via Discord
ET MALWARE 000Stealer CnC Checkin
ET MALWARE 000Stealer Data Exfiltration M1
ET MALWARE Win32/Blacktech Plead CnC Activity (GET)
ET MALWARE BlackTech FlagPro Dropper Activity (GET)
ET MALWARE BlackCat Ransomware Related Domain in TLS SNI (updatedaemon .com)
ET MALWARE BlackCat Ransomware Related Domain in DNS Lookup (updatedaemon .com)
ET MALWARE Observed BlackCat Ransomware Related SSL Cert (updatedaemon .com)
ET MALWARE Win32/Blacktech Plead CnC Activity (POST)
ET MALWARE Arkei/Vidar/Mars Stealer Variant
ET MALWARE Zingo/GinzoStealer Data Command List Fetch
ET MALWARE Win32/TrojanDownloader.Agent.APBB Checkin
ET MALWARE 000Stealer Data Exfiltration M2
ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk)
ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk)
ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz)
ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru)
ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk)
ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk)
ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk)
ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu)
ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz)
ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz)
ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz)
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (StatusTime)
ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Comands)
ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Checkupdate)
ET MALWARE Win32/Agent.VAZ Bot CnC Checkin M1
ET MALWARE Observed Malicious SSL Cert for IRS Credential Phish Domain (supportmicrohere .com)
ET MALWARE Observed Malicious SSL Cert IRS Credential Phish Domain (jbdelmarket .com)
ET MALWARE Innostealer Domain in DNS Lookup (windows11-upgrade .com)
ET MALWARE Innostealer Domain in DNS Lookup (windows-11info .com)
ET MALWARE Innostealer Domain in DNS Lookup (windows11-infoserver .com)
ET MALWARE Innostealer Domain (windows11-upgrade .com) in TLS SNI
ET MALWARE Innostealer Domain (windows11-infoserver .com) in TLS SNI
ET MALWARE Innostealer Domain (windows-11info .com) in TLS SNI
ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (main .dailynk .us)
ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (lit-peak-25706 .herokuapp .com)
ET MALWARE GOLDBACKDOOR Domain (lit-peak-25706 .herokuapp .com) in TLS SNI
ET MALWARE GOLDBACKDOOR Domain (main .dailynk .us) in TLS SNI
ET MALWARE Innostealer Domain in DNS Lookup (windows-server031 .com)
ET MALWARE Innostealer Domain in DNS Lookup (seventyfor .site)
ET MALWARE Innostealer Domain (windows-server031 .com) in TLS SNI
ET MALWARE Innostealer Domain (seventyfor .site) in TLS SNI
ET MALWARE Common RAT Connectivity Check Observed
ET MALWARE TA410 APT FlowCloud Dependency Download M1
ET MALWARE TA410 APT FlowCloud Dependency Download M2
ET MALWARE TA410 APT FlowCloud Dependency Download M3
ET MALWARE TA410 APT FlowCloud Dependency Download M4
ET MALWARE Possible TA410 APT FlowCloud Dependency Download
ET MALWARE DPRK APT Related Maldoc Activity (POST)
ET MALWARE TA410 APT FlowCloud Hardcoded Request (POST)
ET MALWARE TraderTraitor CnC Domain (cryptais .com) in DNS Lookup
ET MALWARE TraderTraitor CnC Domain (alticgo .com) in DNS Lookup
ET MALWARE TraderTraitor CnC Domain (tokenais .com) in DNS Lookup
ET MALWARE TraderTraitor CnC Domain (aideck .net) in DNS Lookup
ET MALWARE TraderTraitor CnC Domain (www .esilet .com) in DNS Lookup
ET MALWARE TraderTraitor CnC Domain (creaideck .com) in DNS Lookup
ET MALWARE Observed TraderTraitor Domain (alticgo .com) in TLS SNI
ET MALWARE TraderTraitor CnC Domain (dafom .dev) in DNS Lookup
ET MALWARE Observed TraderTraitor Domain (cryptais .com) in TLS SNI
ET MALWARE Observed TraderTraitor Domain (tokenais .com) in TLS SNI
ET MALWARE Observed TraderTraitor Domain (www .esilet .com) in TLS SNI
ET MALWARE Observed TraderTraitor Domain (aideck .net) in TLS SNI
ET MALWARE Observed TraderTraitor Domain (creaideck .com) in TLS SNI
ET MALWARE Observed TraderTraitor Domain (dafom .dev) in TLS SNI
ET MALWARE TraderTraitor dafom CnC Checkin M1 (POST)
ET MALWARE TraderTraitor dafom CnC Checkin M2 (POST)
ET MALWARE TraderTraitor AlticGO CnC Checkin (POST)
ET MALWARE MoneroOcean Installer Batch Script Inbound
ET MALWARE TA410 APT LookBack Client HTTP Activity (POST)
ET MALWARE [ESET] TA410 APT LookBack HTTP Server Response
ET MALWARE DDoS Win32/Nitol.A Checkin
ET MALWARE Win32.ServStart.D Checkin
ET MALWARE China Based APT Related Domain in DNS Lookup (p1 .offline-microsoft .com)
ET MALWARE Nobelium APT Related Activity (GET)

237 of 382 2024-03-01, 14:05


ET MALWARE China Based APT Related Domain in DNS Lookup (portal .super-encrypt .com)
ET MALWARE Nerbian RAT CnC Checkin
ET MALWARE Nerbian RAT Data Exfiltration
ET MALWARE Win32/Farfli.BAL CnC Activity
ET MALWARE Likely Mirai Related Outbound Shell Request
ET MALWARE TeamTNT Related Domain in DNS Lookup (chimaera .cc)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (onlinestockwatch .net)
ET MALWARE DeathStalker APT Related Maldoc Activity (GET)
ET MALWARE Maldoc Retrieving Remote Template (GET)
ET MALWARE PoshC2 Downloader Activity (GET)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (daji8 .me)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (fbi .am)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (shopingchina .net)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (11i .me)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (googie .ph)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (daj8 .me)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (rootkit .tools)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (github .wiki)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (mircrosoftscoulds .com)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (whoamis .info)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (adobe .name)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (dajuw .com)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (adobe-flash .wiki)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (update .adobe .wiki)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (flash .wy886066 .com)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .vip)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (exmail .googie .com .ph)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .com)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (mmimdown .oss-cn-hongkong .aliyuncs .com)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (agph .ivi66 .net)
ET MALWARE Earth Berberoka CnC Domain in DNS Lookup
ET MALWARE Win32/PlugX Variant CnC Activity
ET MALWARE UsefulTyphon CnC Activity M1
ET MALWARE UsefulTyphon CnC Activity M2
ET MALWARE PhantomNet/Smanager Related Domain in DNS Lookup
ET MALWARE JS/Cryxos Stealer Variant Sending Data to Telegram (POST)
ET MALWARE Kimsuky APT PebbleDash Related Activity (GET)
ET MALWARE PoshC2 - Observed Default URI Structure M1 ET MALWARE PoshC2 - Observed Default URI Structure M2
ET MALWARE PoshC2 - Observed Default URI Structure M3 ET MALWARE PoshC2 - Observed Default URI Structure M4
ET MALWARE PoshC2 - Observed Default URI Structure M5 ET MALWARE PoshC2 - Observed Default URI Structure M6
ET MALWARE PoshC2 - Observed Default URI Structure M7 ET MALWARE PoshC2 - Observed Default URI Structure M8
ET MALWARE PoshC2 - Observed Default URI Structure M9 ET MALWARE PoshC2 - Observed Default URI Structure M10
ET MALWARE PoshC2 - Observed Default URI Structure M11 ET MALWARE PoshC2 - Observed Default URI Structure M12
ET MALWARE PoshC2 - Observed Default URI Structure M13 ET MALWARE PoshC2 - Observed Default URI Structure M15
ET MALWARE PoshC2 - Observed Default URI Structure M16 ET MALWARE PoshC2 - Observed Default URI Structure M17
ET MALWARE PoshC2 - Observed Default URI Structure M18 ET MALWARE PoshC2 - Observed Default URI Structure M19
ET MALWARE PoshC2 - Observed Default URI Structure M20 ET MALWARE PoshC2 - Observed Default URI Structure M21
ET MALWARE PoshC2 - Observed Default URI Structure M22 ET MALWARE PoshC2 - Observed Default URI Structure M23
ET MALWARE PoshC2 - Observed Default URI Structure M24 ET MALWARE PoshC2 - Observed Default URI Structure M25
ET MALWARE PoshC2 - Observed Default URI Structure M26 ET MALWARE PoshC2 - Observed Default URI Structure M27
ET MALWARE PoshC2 - Observed Default URI Structure M28 ET MALWARE PoshC2 - Observed Default URI Structure M29
ET MALWARE PoshC2 - Observed Default URI Structure M30 ET MALWARE PoshC2 - Observed Default URI Structure M31
ET MALWARE PoshC2 - Observed Default URI Structure M32 ET MALWARE Eternity Stealer Screen Capture Activity
ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)
ET MALWARE Eternity Stealer Data Exfiltration Activity
ET MALWARE Stonefly APT Related Domain in DNS Lookup (semiconductboard .com)
ET MALWARE Stonefly APT Related Domain in DNS Lookup (tecnojournals .com)
ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .cloud)
ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .online)
ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup ET MALWARE TA452 Related Domain in DNS Lookup
ET MALWARE TA452 Related Domain in DNS Lookup ET MALWARE TA452 Related Domain in DNS Lookup
ET MALWARE Win32/Wacatac.B Loader CnC Checkin ET MALWARE Win32/Wacatac.B Payload Download
ET MALWARE Win32/Throwback CnC Activity (POST) ET MALWARE Win32/Throwback Server Response (Incoming)
ET MALWARE Malicious ELF Activity ET MALWARE Win32/Borr Stealer Variant Sending System Information
ET MALWARE PennyWise Stealer Data Exfil M1 ET MALWARE Win32/SiMay RAT Activity (GET)
ET MALWARE IceApple User-Agent observed ET MALWARE Restylink Domain in DNS Lookup (differentfor .com)
ET MALWARE Restylink Domain in DNS Lookup (mbusabc .com) ET MALWARE Restylink Domain in DNS Lookup (disknxt .com)
ET MALWARE Restylink Domain in DNS Lookup (officehoster .com) ET MALWARE Restylink Domain in DNS Lookup (spffusa .org)
ET MALWARE Restylink Domain in DNS Lookup (sseekk .xyz) ET MALWARE Restylink Domain in DNS Lookup (youmiuri .com)
ET MALWARE BlueShtorm Infostealer Data Exfiltration ET MALWARE Win32/NetDooka Framework RAT CnC Activity
ET MALWARE Win32/NetDooka Framework Related Activity (POST) ET MALWARE Win32/NetDooka Framework RAT Sending Session ID

ET MALWARE Win32/NetDooka Framework RAT Sending System Information M1
ET MALWARE Win32/NetDooka Framework RAT Sending File
ET MALWARE Win32/NetDooka Framework RAT Sending System Information M2
ET MALWARE Powershell/CustomRAT CnC Domain in DNS Lookup (kleinm .de)
ET MALWARE Observed PowerShell/CustomRAT Domain (kleinm .de) in TLS SNI
ET MALWARE PowerShell/CustomRAT CnC Traffic
ET MALWARE Credit Card Scraper Domain in DNS Lookup (authorizen .net)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Transparent Tribe APT Related Domain in DNS Lookup
ET MALWARE ReVBShell Command Response
ET MALWARE DCRat Related CnC Domain in DNS Lookup
ET MALWARE DCRat Related CnC Domain in DNS Lookup
ET MALWARE Observed DCRat Related Domain (crystalfiles .ru in TLS SNI)
ET MALWARE Observed Malicious SSL Cert (DCRat)
ET MALWARE Bitter APT Related Domain in DNS Lookup (emshedulersvc .com)
ET MALWARE oRAT Related CnC Domain in DNS Lookup
ET MALWARE Bitter APT Related Domain in DNS Lookup (huandocimama .com)
ET MALWARE Bitter APT Related Domain in DNS Lookup (diyefosterfeeds .com)
ET MALWARE Bitter APT Related Activity (GET)
ET MALWARE Bitter APT Related Activity (GET)
ET MALWARE J-Spy JSP webshell response
ET MALWARE J-Spy JSP webshell request
ET MALWARE Win32/ArtraDownloader CnC Activity (GET)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup
ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (img .elliotterusties .com)
ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download
ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .miniboxmail .com)
ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .microtreely .com)
ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .minzdravros .com)
ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .miniboxmail .com)
ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .microtreely .com)
ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .minzdravros .com)
ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (img .elliotterusties .com)
ET MALWARE Malicious Rust Crate Related Domain in DNS Lookup (api .kakn .li)
ET MALWARE Python CTX Library Backdoor Domain in DNS Lookup (anti-theft-web .herokuapp .com)
ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)
ET MALWARE Observed Python CTX Library Backdoor Domain (anti-theft-web .herokuapp .com) in TLS SNI
ET MALWARE GuLoader Domain in DNS Lookup (zoneofzenith .com)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Patchwork APT Related Domain in DNS Lookup (dayspringdesk .xyz)
ET MALWARE Win32/SiMay RAT Activity M2 (GET)
ET MALWARE Downloader/Win.MalXll.R466354 Payload Request
ET MALWARE Gamaredon APT Maldoc Related Activity (GET)
ET MALWARE Patchwork APT Related Activity (POST)
ET MALWARE Patchwork APT Related Activity M2 (POST)
ET MALWARE SocGholish Related Domain in DNS Lookup (irsbusinessaudit .net)
ET MALWARE SocGholish Related Domain in DNS Lookup (irsgetwell .net)
ET MALWARE Observed DNS Query to bablosoft Domain (downloads .bablosoft .com)
ET MALWARE MSIL/Spy.Agent.CVT CnC Exfil
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paknavy .comsats .xyz)
ET MALWARE Tandem Espionage CnC Domain (cugdwpnykghx .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (zpuxmwmwdxxk .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (rhjebiuujydv .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (rwwmefkauiaa .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (sanlygeljek .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (sinelnikovd .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (wzqyuwtdxyee .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (zyzkikpfewuf .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (ckrddvcveumq .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (dwrfqitgvmqn .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (aztkiryhetxx .ru) in DNS Lookup
ET MALWARE Tandem Espionage CnC Domain (dvizhdom .ru) in DNS Lookup
ET MALWARE Grandoreiro Banking Trojan DGA Domain in DNS Lookup (freedynamicdns. org)
ET MALWARE Nim Based Downloader Activity (GET)
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE Pandorahvnc/Pikolo RAT Checkin Activity
ET MALWARE APT SideWinder CnC Domain in DNS Lookup (cdn-in. net)
ET MALWARE APT SideWinder CnC Domain in DNS Lookup (cdn-dl. cn)
ET MALWARE Suspected BPFDoor UDP Magic Packet (Inbound)
ET MALWARE Suspected BPFDoor TCP Magic Packet (Inbound)
ET MALWARE Mustang Panda APT PlugX Related Domain in DNS Lookup (myanmarnewsonline .org)
ET MALWARE Suspected BPFDoor ICMP Magic Packet (Inbound)
ET MALWARE Mustang Panda APT PlugX Related Domain in DNS Lookup (hilifimyanmar .com)
ET MALWARE TA457 Related Activity (POST)
ET MALWARE TA457 Related Activity M2 (POST)
ET MALWARE TA457 Related Activity M3 (POST)

ET MALWARE Sidewinder APT Related Domain in DNS Lookup (chrom3 .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pakgov .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (aspbin .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-edu .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (s3-cdn .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bitlyy .me)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (tin-url .com)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (nrots .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (gov-pok .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (govpk-mail .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (d01fa .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (kdf-mail .com)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-aws .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-top .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-src .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (filesrvr .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-pak .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (dawnpk .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ap1-port .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (vpn-secure .co)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (sd1-bin .net)
ET MALWARE Suspected Sidewinder APT Phishing Activity - Landing Page URI Pattern
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paf-gov .net)
ET MALWARE SideWinder APT antibot script
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (docuserve .ltd)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (fileserve .work)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cvix .live)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (edu-cx .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paknvay-pk .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ministry-pk .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ppinewsagency .live)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cr20g .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (iugur .live)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (moma-pk .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (mod-pk .com)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cloud-apt .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bahariafoundation .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bbcnew .cn)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pak-gov .com)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pakgov .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (csd-pk .co)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (fdn-trace .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pakmarines .com)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pkrepublic .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pafwa .info)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (int-secure .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (kpt-pk .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (gov-mail .net)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (krlwin .org)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pak-web .com)
ET MALWARE Observed DOUBLEBACK CnC Domain (bestcake .ca in TLS SNI)
ET MALWARE DOUBLEBACK CnC Activity
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Polonium CreepyDrive Implant Request
ET MALWARE Polonium CreepyDrive Upload Request
ET MALWARE Polonium CreepyDrive Download Request
ET MALWARE TA401 Arid Viper CnC Domain in DNS Lookup (sknzy-mysl .vip)
ET MALWARE Polonium CreepyDrive Client CnC Response
ET MALWARE Observed Malicious SSL Cert (Darkme CnC)
ET MALWARE Observed Malicious SSL Cert (Darkme CnC)
ET MALWARE Observed Malicious SSL Cert (Darkme CnC)
ET MALWARE Win32/Darkme Trojan Checkin M1
ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (muasaashshaj .com)
ET MALWARE Win32/Darkme Trojan Checkin M2
ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (pallomnareraebrazo .com)
ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (aka7newmalp23 .com)
ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (8as1s2 .com)
ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (938jss .com)
ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (kalpoipolpmi .net)
ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (cspapop110 .com)

ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (csmmmsp099q .com)
ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (bukjut11 .com)
ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (puccino .altervista .org)
ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (1b)
ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (storangefilecloud .vip)
ET MALWARE Deathstalker/Evilnum Delivery Domain (bukjut11 .com) in TLS SNI
ET MALWARE Deathstalker/Evilnum Delivery Domain (puccino .altervista .org) in TLS SNI
ET MALWARE Deathstalker/Evilnum Delivery Domain (storangefilecloud .vip) in TLS SNI
ET MALWARE WatchDog Coinminer Payload Delivery Domain in DNS Lookup (oracle .zzhreceive .top)
ET MALWARE Observed Win32/SVCReady Loader User-Agent
ET MALWARE Win32/SVCReady Loader CnC Activity
ET MALWARE Win32/SVCReady Loader Requesting Payload
ET MALWARE PlugX CnC Beacon
ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2
ET MALWARE Gh0st RAT Backdoor Checkin
ET MALWARE Win32/SVCReady Loader CnC Activity M2
ET MALWARE Win32/SVCReady Loader - Logs
ET MALWARE Win32/SVCReady Loader - SysInfo M1
ET MALWARE Win32/SVCReady Loader - SysInfo M2
ET MALWARE Win32/SVCReady Loader - Screenshot
ET MALWARE Transparent Tribe APT Related Backdoor Receiving Command (Inbound)
ET MALWARE Transparent Tribe APT Related Backdoor Sending System Information
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (nod-update .it)
ET MALWARE Earth Berberoka Domain in DNS Lookup
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Generic Stealer Config Download Request
ET MALWARE Generic Stealer Config from Server
ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)
ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)
ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)
ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE Observed DNS Query to TA455 Domain ET MALWARE Observed DNS Query to TA455 Domain
ET MALWARE TA401 Arid Viper Related Activity (POST) ET MALWARE GoLang Popping Eagle Trojan Related Activity (POST)
ET MALWARE njRAT v65.0 CnC Checkin ET MALWARE Win32/RecordBreaker CnC Checkin M1
ET MALWARE APT-Q-37/Manling Flower Payload - CnC Checkin ET MALWARE ELF/Mirai Variant Activity (Outbound)
ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (blacknurse .lib)
ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (dragon .lib)
ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (babaroga .lib)
ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (tempest .lib)
ET MALWARE Suspected APT-Q-37 Related Activity (Outbound)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Symbiote CnC Domain in DNS Lookup (assets .fans)
ET MALWARE Symbiote CnC Domain in DNS Lookup (dpf .fm)
ET MALWARE Symbiote CnC Domain in DNS Lookup (bancodobrasil .dev)
ET MALWARE Symbiote CnC Domain in DNS Lookup (caixa .cx)
ET MALWARE Symbiote CnC Domain in DNS Lookup (caixa .wf)
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
ET MALWARE Win32/Gomorrah Stealer Data Exfiltration
ET MALWARE Win32/Agent.Fish Data Exfiltration
ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (kealkun .16mb .com)
ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (ping .otwalkun .16mb .com)
ET MALWARE Trojan-PSW.Win32.Stealer.sb CnC
ET MALWARE Win32.Agent.kawe SMTP Stealer
ET MALWARE MegalodonHTTP/LuciferHTTP/Gomorrah Client Action M2
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bahriafoundation .live)
ET MALWARE Aoqin Dragon APT Related Activity (GET)
ET MALWARE PingPull ICMP Activity (Outbound)
ET MALWARE Gallium APT Related Domain in DNS Lookup (hinitial .com)
ET MALWARE PingPull Related Activity (POST)
ET MALWARE Gallium APT Related Domain in DNS Lookup (micfkbeljacob .com)
ET MALWARE PingPull Related Activity (Outbound)
ET MALWARE PingPull ICMP Activity M2 (Outbound)
ET MALWARE Aoqin Dragon APT Related Activity (GET)
ET MALWARE Loxes/Mongall Related CnC Beacon (GET)
ET MALWARE Loxes/Mongall Related CnC Beacon M2 (GET)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (navy-mil-bd .jmicc .xyz)
ET MALWARE Loxes/Mongall Related CnC Beacon M3 (GET)

ET MALWARE MalDoc Retrieving Qbot Payload 2022-06-14 ET MALWARE Observed DNS Query to Maldoc Domain (webnar .info)
ET MALWARE Observed DNS Query to Maldoc Domain (sportpony .ch)
ET MALWARE Observed DNS Query to Maldoc Domain (spprospekt .com .br)
ET MALWARE Observed DNS Query to Maldoc Domain (procoach .jp)
ET MALWARE Observed DNS Query to Maldoc Domain (suidi .com)
ET MALWARE Observed DNS Query to Maldoc Domain (regenerationcongo .com)
ET MALWARE Win32/Upgilf CnC Beacon
ET MALWARE Suspected Gamaredon APT Related Activity (GET)
ET MALWARE Loxes/Mongall Related CnC Beacon M4 (GET)
ET MALWARE APT/Bitter CnC Exfiltration via TCP
ET MALWARE Panchan Mining Rig CnC Activity (Inbound)
ET MALWARE Maldoc Retrieving Payload 2022-06-15
ET MALWARE Maldoc Retrieving Payload 2022-06-15
ET MALWARE Maldoc Retrieving Payload 2022-06-15
ET MALWARE Win32/Grandoreiro Loader Checkin Activity (POST)
ET MALWARE Win32/Tiggre!rfn Zipped Exfil
ET MALWARE TA457 Backdoor CnC Response
ET MALWARE Base64 Encoded Windows Command Prompt (Outbound)
ET MALWARE TA457 Backdoor CnC Activity
ET MALWARE Suspected Cobalt Strike Beacon User-Agent String
ET MALWARE Win32/MassLogger FTP Data Exfiltration
ET MALWARE Win32/Criminal RAT CnC Checkin
ET MALWARE Win32.Zegost CnC Checkin
ET MALWARE Win32.Banker Trojan CnC Checkin
ET MALWARE CopperStealer - Browser Stealer Exfil via Telegram
ET MALWARE CopperStealer - Remote Desktop - CnC Server Request via Pastebin
ET MALWARE CopperStealer - Remote Desktop - CnC Server Response via Pastebin
ET MALWARE CopperStealer - Remote Desktop - Initial Checkin
ET MALWARE CopperStealer - Remote Desktop - Task Request
ET MALWARE Unknown CN Related APT Domain in DNS Lookup (upportteam .lingrevelat .com)
ET MALWARE Win32/TrojanDownloader.Agent.FLZ CnC Activity
ET MALWARE Unknown CN Related APT Activity (GET)
ET MALWARE System Information Being Sent in User-Agent
ET MALWARE Win32/IceXLoader Sending Command Acknowledgement (POST)
ET MALWARE Win32/IceXLoader Sending Initial Checkin (POST)
ET MALWARE Win32/IceXLoader Sending System Information (POST)
ET MALWARE Win64/Agent.BP Checkin
ET MALWARE Win64/Agent.BP System Info Exfil
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE CN Based APT Related Activity (POST)
ET MALWARE CN Based APT Related Domain in DNS Lookup (open .zerdeopen .top)
ET MALWARE CN Based APT Related Domain in DNS Lookup (sign .sanaqsign .org)
ET MALWARE TA459 Related Activity (Inbound)
ET MALWARE Konni APT MalDoc Activity (GET)
ET MALWARE Win32/Unknown Stealer Command (filegrab) (Outbound)
ET MALWARE Win32/Unknown Stealer Command (loader) (Outbound)
ET MALWARE Win32/Unknown Stealer Command (domaindetect) (Outbound)
ET MALWARE Win32/Unknown Stealer Command (geoblock) (Outbound)
ET MALWARE Win32/Unknown Stealer Command Response (filegrab) (Inbound)
ET MALWARE Win32/Unknown Stealer CnC Log Exfil
ET MALWARE Win32/APT28 Host Fingerprint Exfiltration via IMAP
ET MALWARE [Akamai] Panchan Miner Botnet Checkin
ET MALWARE SharpPanda APT Activity (GET)
ET MALWARE Cobalt Strike Malleable C2 Amazon Profile Variant (GET)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (mailh .alit .live)
ET MALWARE Win32/Agent.RDE Checkin
ET MALWARE Win32/Matanbuchus Loader Related Domain in DNS Lookup (collectiontelemetrysystem .com)
ET MALWARE Win32/Matanbuchus Loader Related Domain in DNS Lookup (telemetrysystemcollection .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (extic .icu)
ET MALWARE Win32/Delf.TJJ CnC Checkin M1
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (ysl .jxwan .com)
ET MALWARE Win32/Delf.TJJ CnC Checkin M2
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (udo .jxwan .com)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (dsk .5636 .com)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (wx .go890 .com)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cfg .jipinwan .com)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (bk .957wan .com)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (www .58sky .com)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cnwx .58ad .cn)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (gc .wb51 .com)
ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cmps .58sky .com)
ET MALWARE ToddyCat Ninja Backdoor CnC Domain in DNS Lookup (eohsdnsaaojrhnqo .windowshost .us)
ET MALWARE ToddyCat Ninja Backdoor CnC
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (who .worksolution .buzz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (rus .feedpolicy .xyz)
ET MALWARE Win32/Wacatac Ransomware Variant Retrieving File (GET)
ET MALWARE Observed DNS Query to DarkCrystal Rat Domain (datagroup .ddns .net) (2022-06-27)
ET MALWARE Observed DNS Query to Win32/TrojanDropper.Agent.SLC Domain
ET MALWARE DarkCrystal Rat Stealer Data Exfiltration Activity
ET MALWARE Win32/Ymacco.AA60 Checkin ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE ZuoRAT send_http_msg_php Call to ssid.php ET MALWARE ZuoRAT send_http_msg_php Call to dns.php
ET MALWARE ZuoRAT send_http_msg_php Call to arp.php ET MALWARE ZuoRAT Windows Loader Shellcode Retrieval
ET MALWARE ZuoRAT CBeacon CnC ET MALWARE ZuoRAT GoBeacon CnC

ET MALWARE Win32/CHAOS RAT/AlfaC2 Checkin ET MALWARE Win32/Wacapew.C!ml Checkin


ET MALWARE EvilNum APT Related Domain in DNS Lookup (bookaustriavisit .com)
ET MALWARE EvilNum APT Related Domain in DNS Lookup (msdllopt .com)
ET MALWARE EvilNum APT Related Domain in DNS Lookup (pcamanalytics .com)
ET MALWARE EvilNum APT Related Domain in DNS Lookup (estimefm .org)
ET MALWARE EvilNum APT Related Domain in DNS Lookup (imageztun .com)
ET MALWARE ShadowPad Backdoor Related Domain in DNS Lookup (grandfoodtony .com)
ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M6
ET MALWARE Win32/a310Logger Variant Data Exfil via SMTP
ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC)
ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC)
ET MALWARE LinPEAS Privilege Escalation Script Response (With Banner)
ET MALWARE LinPEAS Privilege Escalation Script Response (Without Banner)
ET MALWARE SilentLibrarian Domain in DNS Lookup (login .cardiff .acuk .me)
ET MALWARE Observed Malicious SSL Cert (SilentLibrarian)
ET MALWARE Troj_Yahoya Variant CnC Checkin ET MALWARE Win32/Fynloski.AA CnC Checkin
ET MALWARE Win32/Wacatac.B!ml CnC Checkin ET MALWARE Win32/Wacatac.B!ml Data Exfiltration
ET MALWARE MSIL/PSW.Agent.SUD Zipped Data Exfil (set) ET MALWARE MSIL/PSW.Agent.SUD Zipped Data Exfil
ET MALWARE Golang/Kaos/YamaBot CnC Activity ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Win32/Remcos RAT Checkin 809 ET MALWARE Win32/Remcos RAT Checkin 810
ET MALWARE Golang/Kaos/YamaBot CnC Activity M2 (POST) ET MALWARE Generic CMD Remote Shell
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian) ET MALWARE BluStealer - SysInfo Exfil via Telegram M2
ET MALWARE Win32/RecordBreaker Checkin M2 ET MALWARE Lazarus APT Related Valefor/VSingle CnC Beacon
ET MALWARE Lazarus APT Related Domain in DNS Lookup (ougreen .com)
ET MALWARE Lazarus APT Related VSingle Backdoor Activity (GET)
ET MALWARE Observed Malicious SSL Cert (Microsoft Security localhost)
ET MALWARE Suspected Brute Ratel CnC Activity (POST)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (bitsbfree .com)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE TA471/UNC2589 Related Domain in DNS Lookup (skreatortemp .site)
ET MALWARE Win32/TrojanDownloader.AutoHK.MT CnC Checkin
ET MALWARE Bitter APT AlmondRAT CnC Checkin
ET MALWARE Bitter APT ZxxZ Downloader CnC Checkin
ET MALWARE Bitter APT Domain in DNS Lookup (huandocimama .com)
ET MALWARE TontoTeam APT Related Bisonal CnC Activity
ET MALWARE CN Based APT Related Domain in DNS Lookup (supportteam .lingrevelat .com)
ET MALWARE CN Based APT Related Domain in DNS Lookup (news .wooordhunts .com)
ET MALWARE CN Based APT Related Domain in DNS Lookup (instructor .giize .com)
ET MALWARE MSIL/PSW.Agent.RXP Checkin
ET MALWARE MSIL/Spy.Agent.AES Zipped Exfil
ET MALWARE MSIL/Spy.Agent.DYS Exfil
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE HiveRAT CnC Activity M2
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (syriahr .eu)
ET MALWARE NoMercy Stealer CnC Checkin
ET MALWARE NoMercy Data Exfiltration M1
ET MALWARE NoMercy Data Exfiltration M2
ET MALWARE X-Files Stealer CnC Exfil Activity M2
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE MSIL/PSW.Discord.AIY CnC Exfil
ET MALWARE MSIL/Agent.CTK Checkin
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Win32/HackTool.Agent.CS SMTP Scanner CnC Checkin
ET MALWARE Win32/HackTool.Agent.CS SMTP activity
ET MALWARE Win64/Agent.qwiakk CnC Checkin
ET MALWARE Possible Raspberry Robin Activity (GET)
ET MALWARE Unknown APT Related Domain in DNS Lookup
ET MALWARE Win32/H0lyGh0st Ransomware CnC Activity (GET Public Key)
ET MALWARE Win32/H0lyGh0st Ransomware Exfil Activity (POST)
ET MALWARE Win32/H0lyGh0st Ransomware CnC Response
ET MALWARE JS/TrojanDropper.Agent.OHE CnC Checkin
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
ET MALWARE Win32/H0lyGh0st CnC Activity
ET MALWARE Win32/Wacapew CnC Checkin
ET MALWARE Win32/Wacapew.C!ml CnC Checkin
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE PlugX Related Domain in DNS Lookup (wpsup .daj8 .me)
ET MALWARE PlugX Related Domain in DNS Lookup (wps .daj8 .me)
ET MALWARE Win32/Sality.NBA CnC Checkin
ET MALWARE JS.SocGholish CnC Activity (POST)
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .kpt-gov .org)
ET MALWARE ChromeLoader Activity (GET)
ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (crossfity .com)
ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (techspaceinfo .com)

243 of 382 2024-03-01, 14:05

ET MALWARE APT29/CloakedUrsa Google Drive Authentication (POST)
ET MALWARE HTML/TrojanDropper.Agent.T Payload Inbound
ET MALWARE Win32/MSIL.Heracles Checkin
ET MALWARE Win32/Stealerium Stealer Checkin via Discord
ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
ET MALWARE TA444 Related Domain in DNS Lookup (documentworkspace .io)
ET MALWARE TA444 Related Domain in DNS Lookup (googlesheet .info)
ET MALWARE TA444 Related Domain in DNS Lookup (fclouddown .co)
ET MALWARE Win32/Shrine.A CnC Checkin
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Bitter APT Payload Request
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paf-gov .org)
ET MALWARE Downloaded .PNG With Embedded File (.sh)
ET MALWARE MSIL/Spy.Agent.CSS Exfil
ET MALWARE Loli Stealer CnC Domain in DNS Lookup (webstealer .ru)
ET MALWARE 8220 Gang Related Domain in DNS Lookup (onlypirate .top)
ET MALWARE Win32/Loli Stealer CnC Activity
ET MALWARE 8220 Gang Related Domain in DNS Lookup (letmaker .top)
ET MALWARE 8220 Gang Related Domain in DNS Lookup (oracleservice .top)
ET MALWARE VBS/Agent.6B29!tr CnC Checkin
ET MALWARE Unknown Maldoc CnC Activity (2022-07-25)
ET MALWARE Win32/Kryptik.GSKY CnC Checkin
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Win32/VB.QPK CnC Checkin
ET MALWARE Win32/VB.NBI CnC Checkin
ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin
ET MALWARE Win32/SuperBOT CnC Checkin
ET MALWARE Win32/Unknown VBScript Backdoor Activity (GET)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (zuyonijobo .com)
ET MALWARE W32.DarkVNC Variant Checkin
ET MALWARE Observed Cobalt Strike Domain (zuyonijobo .com) in TLS SNI
ET MALWARE Cobalt Strike Malleable C2 Beacon (Custom)
ET MALWARE IIS Backdoor CnC Command Inbound
ET MALWARE MSIL/Filecoder.EK CnC Checkin
ET MALWARE Win32/SystemHijack.gen CnC Checkin
ET MALWARE Trojan.Dropper.HTML.Agent Payload
ET MALWARE RKO Remote File Upload Attempt
ET MALWARE Win32/Small.NMZ CnC Checkin
ET MALWARE Win32/VBS.Sload Activity (GET)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE TA444 Related Domain in DNS Lookup (inst .shconstmarket .com)
ET MALWARE TA444 Related Domain in DNS Lookup (web .shconstmarket .com)
ET MALWARE TA444 Related Domain in DNS Lookup (wordonline .cloud)
ET MALWARE Manjusaka CnC Server Response
ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (ui .0x0x0x0x0 .xyz) in DNS Lookup
ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (rp .oiwcvbnc2e .stream) in DNS Lookup
ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (aj .0x0x0x0x0 .best) in DNS Lookup
ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (xs .0x0x0x0x0 .club) in DNS Lookup
ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (qb .1c1c1c1c .best) in DNS Lookup
ET MALWARE W32/CoinMinerESJ!tr CnC Domain (ox .mygoodluck .best) in DNS Lookup
ET MALWARE Observed Malicious SSL/TLS Certificate (Knotweed/SubZero)
ET MALWARE Win32/Agent.TWI CnC Checkin
ET MALWARE Observed DNS Query to Known Knotweed/SubZero Domain
ET MALWARE Observed Malicious SSL/TLS Certificate (Knotweed/SubZero)
ET MALWARE Observed DNS Query to Known Knotweed/SubZero Domain
ET MALWARE Observed Malicious SSL/TLS Certificate (Knotweed/SubZero)
ET MALWARE Observed DNS Query to Known Knotweed/SubZero Domain
ET MALWARE Suspected BTC Swapper Activity (GET)
ET MALWARE Ave Maria/Warzone RAT Credential Exfil
ET MALWARE Possible T-RAT Encrypted Zip Request M2
ET MALWARE ENV Variable Data Exfiltration Domain (ovz1 .j19544519 .pr46m .vps .myjino .ru) in DNS Lookup
ET MALWARE ENV Variable Data Exfiltration Attempt (HTTP POST)
ET MALWARE RedGuard Framework Related Request Activity
ET MALWARE Observed Malicious SSL Cert (RedGuard Framework)
ET MALWARE SSL/TLS Certificate Observed (Link Implant Default)
ET MALWARE Link Implant CnC Activity (POST)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (mktrending .com)
ET MALWARE Woody RAT CnC Domain (microsoft-telemetry .ru) in DNS Lookup
ET MALWARE Woody RAT CnC Domain (kurmakata .duckdns .org) in DNS Lookup
ET MALWARE Woody RAT CnC Domain (oakrussia .ru) in DNS Lookup
ET MALWARE Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup
ET MALWARE Woody RAT CnC Domain (fns77 .ru) in DNS Lookup
ET MALWARE Woody RAT Payload Delivery Domain (garmandesar .duckdns .org) in DNS Lookup
ET MALWARE Woody RAT Payload Delivery Domain (fcloud .nciinform .ru) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (pgp .eu .com) in DNS Lookup
ET MALWARE Woody RAT CnC Checkin
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (windowsupadates .com) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (skype .se .net) in DNS Lookup

ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (telegram-update .com) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-pgp .com) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (server-avira .com) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (avira .ltd) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (uk2privat .com) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (cloud-avira .com) in DNS Lookup
ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-real .com) in DNS Lookup
ET MALWARE Win32/Agent.UOI CnC Checkin
ET MALWARE Win64/Spy.Agent.EU CnC Checkin
ET MALWARE Win32.ClipBanker.uhn Exfil
ET MALWARE SHARPEXT CnC Domain in DNS Lookup (gonamod .com)
ET MALWARE SHARPEXT CnC Domain in DNS Lookup (siekis .com)
ET MALWARE Lazarus APT Related Activity (GET)
ET MALWARE ELF/RapperBot CnC Checkin M1
ET MALWARE ELF/RapperBot CnC Checkin M2
ET MALWARE Patchwork APT Related Activity M3 (POST)
ET MALWARE CosmicStrand Rootkit Related Domain in DNS Lookup (update .bokts .com)
ET MALWARE Observed DNS Query to ErbiumStealer Domain (erbium .ml)
ET MALWARE Win32/ErbiumStealer Panel CnC Checkin
ET MALWARE Win32/ErbiumStealer CnC Activity (GetBuild)
ET MALWARE Win32/RA-based.NCX CnC Checkin
ET MALWARE Win32/RecordBreaker - Observed UA M1
ET MALWARE Win32/RecordBreaker - Observed UA M2
ET MALWARE Win32/RecordBreaker - Library Request
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (combinedresidency .org)
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (optasko .com)
ET MALWARE Win32/Korplug.HQ CnC Activity
ET MALWARE Win32/Lilith Stealer getFile Command
ET MALWARE Win32/Lilith Stealer registerBot CnC Checkin
ET MALWARE Win32/Lilith Stealer getCommands Command
ET MALWARE Win32/Lilith Stealer uploadFile Data Exfiltration Attempt
ET MALWARE Win32/Packed.BlackMoon.A CnC Checkin
ET MALWARE Win.Backdoor.Kolobko-9950676-0 Retrieving CnC Commands
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (mycisco-helpdesk .ml)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (ciscovpn2 .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (primecisco .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (cisco-helpdesk .cf)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (ciscovpn1 .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (mycisco .cf)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (pwresetcisco .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (devcisco .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (ciscovpn3 .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (cisco-help .cf)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (mycisco .gq)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (helpzonecisco .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (devciscoprograms .com)
ET MALWARE Observed DNS Query to Win.Backdoor.Kolobko Domain in DNS Lookup (kazaboldu .net)
ET MALWARE Arkei/Vidar/Mars Stealer Variant CnC checkin commands
ET MALWARE Arkei/Vidar/Mars Stealer Variant Data Exfiltration Attempt
ET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request
ET MALWARE Win32/CopperStealer CnC Domain (ec083aa56dc0449a .com) in DNS Lookup
ET MALWARE Win32/VB.QTV CnC Checkin
ET MALWARE Shuckworm CnC Domain (destroy .asierdo .ru) in DNS Lookup
ET MALWARE Shuckworm CnC Domain (leonardis .ru) in DNS Lookup
ET MALWARE Shuckworm/Gamaredon CnC Domain (heato .ru) in DNS Lookup
ET MALWARE Shuckworm/Gamaredon CnC Domain (motoristo .ru) in DNS Lookup
ET MALWARE Shuckworm CnC Domain (a0698649 .xsph .ru) in DNS Lookup
ET MALWARE Shuckworm/Gamaredon CnC Domain (pasamart .ru) in DNS Lookup
ET MALWARE RShell CnC Domain (linux .updatelive-oline .com) in DNS Lookup
ET MALWARE RShell Backdoor Keepalive
ET MALWARE RShell CnC Domain (time .ntp-server .asia) in DNS Lookup
ET MALWARE RShell CnC Domain (center .veryssl .org) in DNS Lookup
ET MALWARE RShell Backdoor Initial CnC Checkin
ET MALWARE Win32/GRAT2 Client CnC Checkin
ET MALWARE Observed DNS Query to TA444 Domain (cooporatestock .com)
ET MALWARE Observed DNS Query to TA444 Domain (finxiio .com)
ET MALWARE Observed DNS Query to TA444 Domain (1drvmicrosoft .com)
ET MALWARE Observed DNS Query to TA444 Domain (ledger-cloud .com)
ET MALWARE Observed DNS Query to TA444 Domain (globiscapital .co)
ET MALWARE Observed DNS Query to TA444 Domain (wpsonline .co)
ET MALWARE Observed DNS Query to UNC3890 Domain (pfizerpoll .com)
ET MALWARE Win32/GRAT2 Client Data Exfil
ET MALWARE Observed DNS Query to UNC3890 Domain (naturaldolls .store)
ET MALWARE Observed DNS Query to UNC3890 Domain (rnfacebook .com)
ET MALWARE Observed DNS Query to UNC3890 Domain (xxx-doll .com)
ET MALWARE Observed DNS Query to UNC3890 Domain (celebritylife .news)
ET MALWARE Observed DNS Query to UNC3890 Domain (office365update .live)
ET MALWARE Observed DNS Query to UNC3890 Domain (fileupload .shop)
ET MALWARE CargoBay User-Agent
ET MALWARE Shuckworm Backdoor Screenshot Upload Attempt

ET MALWARE JSSLoader CnC Domain (essentialsmassageanddayspa .com) in DNS Lookup
ET MALWARE Observed JSSLoader Domain (essentialsmassageanddayspa .com) in TLS SNI
ET MALWARE JSSLoader Initial Checkin
ET MALWARE Win32/Atomsilo Ransomware Activity (POST)
ET MALWARE Successful CargoBay Exfil
ET MALWARE CargoBay CnC Activity
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (clipboardgames .xyz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (esr .suppservices .xyz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (globalseasurfer .xyz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (worldpro .buzz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (doctorstrange .buzz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (fitnesscheck .xyz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (beetelson .xyz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (ser .dermlogged .xyz)
ET MALWARE DonotGroup APT Related Domain in DNS Lookup (kotlinn .xyz)
ET MALWARE VileRAT Related Domain in DNS Lookup (hubflash .co)
ET MALWARE TA453/CharmingKitten HYPERSCRAPE Tool Check-in Activity (GET)
ET MALWARE Suspected VileRAT Related Request Activity (GET)
ET MALWARE TA453/CharmingKitten HYPERSCRAPE Tool Identity Check Activity (GET)
ET MALWARE TA453/CharmingKitten HYPERSCRAPE Tool Sending System Information (POST)
ET MALWARE Confucious APT Related Domain in DNS Lookup (bonimoni .xyz)
ET MALWARE Trojan:Win32/WinLNK.APA!MTB Payload Request
ET MALWARE Confucious APT Related Domain in DNS Lookup (viterwin .club)
ET MALWARE Win32/RecordBreaker CnC Exfil (Cookies)
ET MALWARE HTTPRevShell Initial CnC Checkin
ET MALWARE OSX/SHLAYER CnC Activity M2
ET MALWARE Possible OSX/SHLAYER Checkin M2
ET MALWARE Win32/Matanbuchus Loader Activity (POST)
ET MALWARE Win32/Grandoreiro Sending System Information (POST)
ET MALWARE Win32/Grandoreiro Related Activity (GET)
ET MALWARE Win32/Filecoder.GC CnC Credentials Exfil
ET MALWARE PyPI Malicious Library Update Payload Checkin
ET MALWARE PyPI Phishing/Malware Data Exfiltration Domain (linkedopports .com) in DNS Lookup
ET MALWARE Observed PyPI Phishing/Malicious Library Data Exfiltration Domain (linkedopports .com) in TLS SNI
ET MALWARE PyPI Malicious Library Payload Delivery Domain (python-release .com) in DNS Lookup
ET MALWARE Observed PyPI Malicious Library Payload Delivery Domain (python-release .com) in TLS SNI
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (telecomly .info)
ET MALWARE Win32/Unknown CnC Activity
ET MALWARE Win32/Caypnamer.A RAT CnC Keepalive
ET MALWARE Win32/Caypnamer.A RAT CnC Initial Checkin
ET MALWARE Win32/Meimaii Checkin
ET MALWARE VBS/Kimsuky.O Host Fingerprint Exfil
ET MALWARE Win32/Nitrokod CnC Domain (nitrokod .com) in DNS Lookup
ET MALWARE VBS/Kimsuky UA Observed
ET MALWARE Win32/Nitrokod CnC Domain (Intelserviceupdate .com) in DNS Lookup
ET MALWARE Win32/Nitrokod CnC Domain (nvidiacenter .com) in DNS Lookup
ET MALWARE Win32/Nitrokod Domain (intelserviceupdate .com) in TLS SNI
ET MALWARE Win32/Nitrokod Domain (nitrokod .com) in TLS SNI
ET MALWARE Win32/Nitrokod Domain (nvidiacenter .com) in TLS SNI
ET MALWARE Win32/Sabsik.FL.B!ml Exfil
ET MALWARE PureCrypter Requesting Injector M1
ET MALWARE PureCrypter Requesting Injector M2
ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M1
ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M2
ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M3
ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M4
ET MALWARE PureCrypter Requesting Injector - Known Campaign ID M5
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (fuvataren .com)
ET MALWARE Observed DNS Query to TA444 Domain (wps .wpsonline .co)
ET MALWARE Win32/Orchard Botnet Activity M2
ET MALWARE Observed DNS Query to TA444 Domain (documentshare .info)
ET MALWARE Observed DNS Query to TA444 Domain (unchained-capital .co)
ET MALWARE Observed DNS Query to TA444 Domain (cloud .globiscapital .co)
ET MALWARE Observed DNS Query to TA444 Domain (shconstmarket .com)
ET MALWARE Observed DNS Query to TA444 Domain (stablehouses .info)
ET MALWARE Observed DNS Query to TA444 Domain (edit .wpsonline .co)
ET MALWARE Observed DNS Query to TA444 Domain (bankofamerica .us .org)
ET MALWARE Observed DNS Query to TA444 Domain (salt1ending .com)
ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info)
ET MALWARE Observed DNS Query to TA444 Domain (cloud .jbic .us)
ET MALWARE Observed DNS Query to TA444 Domain (vote .anobaka .info)
ET MALWARE Observed DNS Query to TA444 Domain (cloud .wpic .ink)
ET MALWARE ErbiumStealer Variant CnC Activity (getstub)
ET MALWARE ErbiumStealer Domain (erbium .ml) in TLS SNI
ET MALWARE Malicious SSL Certificate detected (BoratRat)
ET MALWARE Win32/VictoryGate/Orchard Botnet CnC Checkin
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dofixifa .co)
ET MALWARE Win32/Orchard Botnet Activity
ET MALWARE Win32.Stealer.alwu Data Exfiltration Attempt
ET MALWARE Win32/Sabsik.EN.D!ml CnC Checkin

ET MALWARE Evilnum APT Related Domain in DNS Lookup (image .jamespage .net)
ET MALWARE Suspected Win32/TinyNode Activity (Outbound)
ET MALWARE ErbiumStealer Response From Panel
ET MALWARE ErbiumStealer Response From CnC
ET MALWARE ErbiumStealer CnC Domain (ozaron .beget .tech) in DNS Lookup
ET MALWARE Observed ErbiumStealer Domain (ozaron .beget .tech) in TLS SNI
ET MALWARE ErbiumStealer CnC Domain (a0715952 .xsph .ru) in DNS Lookup
ET MALWARE Trojan.Proxy.Small.Z CnC Checkin
ET MALWARE Suspected Chinese Based APT Malware Retrieving File (GET)
ET MALWARE Chinese Based APT Related Domain in DNS Lookup (ramblercloud .com)
ET MALWARE Observed Chinese APT Related Domain (ramblercloud .com in TLS SNI)
ET MALWARE Observed DNS Query to Temporary File Hosting Domain (temp .sh)
ET MALWARE Observed DNS Query to EvilProxy Domain (msdnmail .net)
ET MALWARE Observed DNS Query to EvilProxy Domain (evilproxy .pro)
ET MALWARE Observed DNS Query to EvilProxy Domain (rproxy .io)
ET MALWARE Observed DNS Query to EvilProxy Domain (pua75npooc4ekrkkppdglaleftn5mi2hxsunz5uuup6uxqmen4deepyd .onion)
ET MALWARE Observed DNS Query to EvilProxy Domain (top-cyber .club)
ET MALWARE Observed DNS Query to TA444 Domain (careersbankofamerica .us)
ET MALWARE Observed DNS Query to TA444 Domain (azure-protect .online)
ET MALWARE Observed DNS Query to TA444 Domain (mufg .tokyo)
ET MALWARE Win32/MagicRAT CnC Checkin M1
ET MALWARE Win32/MagicRAT CnC Checkin M2
ET MALWARE Win32/MagicRAT Additional Payload URI M1
ET MALWARE Win32/MagicRAT Additional Payload URI M2
ET MALWARE Win32/MagicRAT Additional Payload URI M3
ET MALWARE Win32/MagicRAT Additional Payload URI M4
ET MALWARE MagicRAT CnC Domain (gendoraduragonkgp126 .com) in DNS Lookup
ET MALWARE Chinese Based APT Related Malware Sending System Information (POST)
ET MALWARE Bitter APT Related Domain in DNS Lookup (signal-premium-app .org)
ET MALWARE Bitter APT Related Domain in DNS Lookup (signalpremium .com)
ET MALWARE Bitter APT Related Domain in DNS Lookup (youtubepremiumapp .com)
ET MALWARE Win32/Qbot CnC Activity M3 (POST)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Win32/Zegost!ml CnC Checkin
ET MALWARE Observed DNS Query to TA444 Domain (azure-protection .cloud)
ET MALWARE Win32/MagicRAT CnC Activity M1
ET MALWARE Observed DNS Query to TA444 Domain (bankofamerica .nyc)
ET MALWARE Observed TA444 Domain (bankofamerica .nyc in TLS SNI)
ET MALWARE Observed TA444 Domain (azure-protection .cloud in TLS SNI)
ET MALWARE Observed TA444 Domain (careersbankofamerica .us in TLS SNI)
ET MALWARE Observed TA444 Domain (azure-protect .online in TLS SNI)
ET MALWARE Observed TA444 Domain (mufg .tokyo in TLS SNI)
ET MALWARE MSIL/TrojanDownloader.Agent.ITY Screenshot Upload Attempt
ET MALWARE Win32/Wacapew.C!ml CnC Checkin
ET MALWARE Win64/Spy.Agent.EU CnC Checkin
ET MALWARE Win32/MagicRAT CnC Activity M2
ET MALWARE PowerShell/PowHeartBeat CnC Domain (central .suhypercloud .org) in DNS Lookup
ET MALWARE Sidecopy APT Related Backdoor Activity
ET MALWARE PowerShell/PowHeartBeat CnC Domain (airplane .travel-commercials .agency) in DNS Lookup
ET MALWARE Win32/TrojanDownloader.VB.RTN Payload Delivery Request
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Gamaredon Related Maldoc Activity (GET)
ET MALWARE Bitter APT CHM CnC Activity (GET) M1
ET MALWARE Observed DNS Query to Malicious Powershell Payload domain (onerecovery .click)
ET MALWARE Powershell/PowHeartBeat CnC Checkin - ICMP
ET MALWARE Observed DNS Query to Reverse Shell Payload Domain (opentunnel .quest)
ET MALWARE Observed Malicious Powershell Payload Delivery Domain (onerecovery .click) in TLS SNI
ET MALWARE Observed Reverse Shell Payload Delivery Domain (opentunnel .quest) in TLS SNI
ET MALWARE Powershell/PowHeartBeat CnC Checkin - HTTPS
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (appledocs .ru)
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gurumades .ru)
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (kinksdoc .ru)
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (superdocs .ru)
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (cosmodron .com)
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (gismolow .com)
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (melindas .ru)
ET MALWARE OSX/XCSSET Related Domain in DNS Lookup (adobefile .ru)
ET MALWARE Observed DNS Query to Default Brute Ratel C2 Domain (evasionlabs .com)
ET MALWARE Brute Ratel Fake User-Agent
ET MALWARE Brute Ratel CnC Activity (xml-c2) M1
ET MALWARE Brute Ratel CnC Activity (xml-c2) M2
ET MALWARE Brute Ratel CnC Activity (json-c2) M1
ET MALWARE Brute Ratel CnC Activity (json-c2) M2

ET MALWARE Observed DNS Query to TA444 Domain (careers .bankofamerica .nyc)
ET MALWARE Observed DNS Query to TA444 Domain (cloud .tptf .ltd)
ET MALWARE Observed DNS Query to TA444 Domain (bankofamerica .offerings .cloud)
ET MALWARE Observed DNS Query to TA444 Domain (bankofamerica .tel)
ET MALWARE Observed DNS Query to TA444 Domain (cloud .mufg .uk)
ET MALWARE Observed TA444 Domain (cloud .tptf .ltd in TLS SNI)
ET MALWARE Observed TA444 Domain (bankofamerica .tel in TLS SNI)
ET MALWARE Observed TA444 Domain (cloud .mufg .uk in TLS SNI)
ET MALWARE Observed TA444 Domain (bankofamerica .offerings .cloud in TLS SNI)
ET MALWARE Observed TA444 Domain (careers .bankofamerica .nyc in TLS SNI)
ET MALWARE Windows/OriginLogger CnC Domain (originpro .me) in DNS Lookup
ET MALWARE Windows/OriginLogger CnC Domain (originproducts .xyz) in DNS Lookup
ET MALWARE Windows/OriginLogger CnC Domain (originlogger .com) in DNS Lookup
ET MALWARE Windows/OriginLogger CnC Domain (originproducts .pw) in DNS Lookup
ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ptcl-gov .com)
ET MALWARE Win64/Spy.Agent.EE CnC Checkin Server Response
ET MALWARE Mercury APT Related Domain in DNS Lookup (sygateway .com)
ET MALWARE Win32.Agent.Y!c CnC Checkin
ET MALWARE Warzone RAT Response (Inbound)
ET MALWARE Golang/Webbfustator DNS Tunneling Activity
ET MALWARE Win32/Agent.XXZ Checkin
ET MALWARE Win32/Covagent Checkin
ET MALWARE Gamaredon Information Stealer Data Exfiltration Attempt
ET MALWARE Win32/QQPass Checkin
ET MALWARE Gamaredon CnC Domain (kuckuduk .ru) in DNS Lookup
ET MALWARE Gamaredon CnC Domain (celticso .ru) in DNS Lookup
ET MALWARE DonotGroup Related Domain in DNS Lookup (furnish .spacequery .live)
ET MALWARE DonotGroup Activity (GET)
ET MALWARE Observed DonotGroup Related Domain (furnish .spacequery .live in TLS SNI)
ET MALWARE Win32/RecordBreaker - Observed UA M3 (TakeMyPainBack)
ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response M2
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M1
ET MALWARE Observed DNS Query to TA444 Domain (docuprivacy .com)
ET MALWARE Observed DNS Query to TA444 Domain (share .anobaka .info)
ET MALWARE Observed DNS Query to TA444 Domain (privacysign .org)
ET MALWARE Observed DNS Query to TA444 Domain (ms .onlineshares .cloud)
ET MALWARE Observed DNS Query to TA444 Domain (team .msteam .biz)
ET MALWARE Observed DNS Query to TA444 Domain (mizuhogroup .us)
ET MALWARE Observed DNS Query to TA444 Domain (docs .azurehosting .co)
ET MALWARE Observed DNS Query to TA444 Domain (tptf .fund)
ET MALWARE Observed DNS Query to TA444 Domain (smbcgroup .us)
ET MALWARE Observed DNS Query to TA444 Domain (perseus .bond)
ET MALWARE Observed DNS Query to TA444 Domain (tptf .cloud)
ET MALWARE Observed TA444 Domain (tptf .fund in TLS SNI)
ET MALWARE Observed TA444 Domain (docs .azurehosting .co in TLS SNI)
ET MALWARE Observed TA444 Domain (team .msteam .biz in TLS SNI)
ET MALWARE Observed TA444 Domain (share .anobaka .info in TLS SNI)
ET MALWARE Observed TA444 Domain (smbcgroup .us in TLS SNI)
ET MALWARE Observed TA444 Domain (perseus .bond in TLS SNI)
ET MALWARE Observed TA444 Domain (docuprivacy .com in TLS SNI)
ET MALWARE Observed TA444 Domain (privacysign .org in TLS SNI)
ET MALWARE Observed TA444 Domain (mizuhogroup .us in TLS SNI)
ET MALWARE Observed TA444 Domain (ms .onlineshares .cloud in TLS SNI)
ET MALWARE Observed TA444 Domain (tptf .cloud in TLS SNI)
ET MALWARE SocGholish Domain in DNS Lookup (casting .faeryfox .com)
ET MALWARE Win32/Cryptbot V2 Data Exfiltration Attempt
ET MALWARE SocGholish Domain in DNS Lookup (predator .foxscalesjewelry .com)
ET MALWARE SocGholish Domain in DNS Lookup (amplifier .myjesusloves .me)
ET MALWARE SocGholish Domain in DNS Lookup (loans .mistakenumberone .com)
ET MALWARE SocGholish Domain in DNS Lookup (restructuring .breatheinnew .life)
ET MALWARE SocGholish Domain in DNS Lookup (prompt .zonashoppers .academy)
ET MALWARE SocGholish Domain in DNS Lookup (hair .2topost .com)
ET MALWARE SocGholish Domain in DNS Lookup (custom .usmuchmedia .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (moments .abledity .com)
ET MALWARE SocGholish Domain in DNS Lookup (notes .fumcpittsburg .org)
ET MALWARE APT28/FancyBear Related Activity (POST)
ET MALWARE Metador CnC Domain (networkselfhelp .com) in DNS Lookup
ET MALWARE dYdX NPM Package Backdoor Exfiltration Domain (api .circle-cdn .com) in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (tutorials .girandolashutkindconstruction .com)
ET MALWARE Gamaredon APT Backdoor Related Activity
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup
ET MALWARE OSX/SHLAYER CnC Domain in DNS Lookup

ET MALWARE Golang/Webbfustator Related Domain in DNS Lookup (xmlschemeformat .com)
ET MALWARE Golang/Webbfustator Related Domain in DNS Lookup (updatesagent .com)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (digiboxes .us)
ET MALWARE TA444 Related Domain in DNS Lookup (onlinecloud .cloud)
ET MALWARE Lockbit Ransomware Related Domain in DNS Lookup (lockbitapt)
ET MALWARE Lockbit Ransomware Related Domain in DNS Lookup (ppaauuaa11232 .cc)
ET MALWARE Win32/Logger RAT CnC Checkin
ET MALWARE Win32/Spy.Delf.QTL Data Exfiltration Attempt
ET MALWARE SocGholish CnC Domain in DNS Lookup (jobs .registermegod .online)
ET MALWARE Maldoc CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (logistics .socialtrendsmanagement .com)
ET MALWARE SocGholish Domain in DNS Lookup (football .4tosocial .com)
ET MALWARE SocGholish Domain in DNS Lookup (memorial .4tosocialprofessional .com)
ET MALWARE ErbiumStealer CnC Domain (mamamiya137 .ru) in DNS Lookup
ET MALWARE ErbiumStealer CnC Domain (www .f0679086 .xsph .ru) in DNS Lookup
ET MALWARE Win32/SaintStealer Data Exfiltration Attempt M1
ET MALWARE SocGholish Domain in DNS Lookup (people .zonashoppers .com)
ET MALWARE Win32/SaintStealer CnC Response
ET MALWARE LazyScripter Related Domain in DNS Lookup (hpsj .firewall-gateway .net)
ET MALWARE LazyScripter Related Activity (GET)
ET MALWARE Win32/Sephora Related Domain in DNS Lookup (sephus .me)
ET MALWARE Lazyscripter Related Activity (Inbound)
ET MALWARE Win32/Sephora Related Activity (GET)
ET MALWARE Win32/Sephora Related Activity (POST)
ET MALWARE Win32/Variant.Babar.74963 CnC Exfil
ET MALWARE Win32/SaintStealer Data Exfiltration Attempt M2
ET MALWARE Maldoc Domain (word2022 .c1 .biz) in DNS Lookup
ET MALWARE TigerHunter DOTM CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (soendorg .top)
ET MALWARE TA569 Domain in DNS Lookup (luxury-limousine .com)
ET MALWARE TA569 sczriptzzbn JavaScript Inject
ET MALWARE TA569 Fake Captcha Download
ET MALWARE TA569 Domain in DNS Lookup (skambio-porte .com)
ET MALWARE TA569 Fake Browser Update
ET MALWARE SocGholish Domain in DNS Lookup (training .c1ypsilanti .org)
ET MALWARE SocGholish Domain in DNS Lookup (engine .discoveryhypnosis .com)
ET MALWARE SocGholish Domain in DNS Lookup (fundraising .mystylingmylife .xyz)
ET MALWARE SocGholish Domain in DNS Lookup (resale .adkelly .com)
ET MALWARE SocGholish Domain in DNS Lookup (auction .wonderwomanquilts .com)
ET MALWARE Win32/NetDooka Framework Related Activity (POST) M2
ET MALWARE Observed Malicious SSL Cert (Go/Chaos Botnet)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Win32/Coldstealer Sending System Information (POST)
ET MALWARE TA444 Domain in DNS Lookup
ET MALWARE TA444 Domain in DNS Lookup
ET MALWARE Observed TA444 Domain (mufg .ink in TLS SNI)
ET MALWARE Chaos Botnet CnC Domain (ars1 .wemix .cc) in DNS Lookup
ET MALWARE Observed TA444 Domain (mufg .us .org in TLS SNI)
ET MALWARE Chaos Botnet CnC Domain (quanquandd .top) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (tomca1 .com) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (a .nqb001 .com) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (js .wanpay1 .cn) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (tf .xiaozhuddos .co) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (abc .cfed .cc) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (ai .nqb001 .com) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (x .xlg360 .xyz) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (kivspace .xyz) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (bitantcoins .pro) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (botnet .ddoswow .site) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (skyeda .vip) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (linuxddos .net) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (xiaomai233 .f3322 .net) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (bb .hash3688 .com) in DNS Lookup
ET MALWARE Chaos Botnet CnC Domain (are .nishabig .pro) in DNS Lookup
ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (market .contradecapital .com)
ET MALWARE Observed Lazarus Domain (market .contradecapital .com in TLS SNI)
ET MALWARE Havoc Framework CnC Request
ET MALWARE Havoc Framework CnC Response
ET MALWARE TA404/Zinc Trojanized KiTTY CnC Checkin
ET MALWARE TA404/Zinc Trojanized muPDF/Subliminal CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (premiere .4tosocialbeginners .com)
ET MALWARE WP CharCode Inject
ET MALWARE TA569 Obfuscated sczriptzzb JavaScript Inject
ET MALWARE DonotGroup Pult Downloader Activity (POST) M2
ET MALWARE Observed DNS Query to Comm100 Trojan Domain (amazonawsreplay .com)
ET MALWARE Observed DNS Query to Comm100 Trojan Domain (microsoftfileapis .com)
ET MALWARE Observed DNS Query to Comm100 Trojan Domain (windowstearns .com)
ET MALWARE JS/Comm100 Trojan Backdoor Inbound
ET MALWARE JS/Comm100 Trojan CnC Payload Inbound
ET MALWARE TA569 Domain in DNS Lookup (gloogletag .com)
ET MALWARE Malicious Browser Installer Domain in DNS Lookup (torbrowser .io)
ET MALWARE TA569 Domain in DNS Lookup (brocode3s .com)

249 of 382 2024-03-01, 14:05
ET MALWARE Malicious Browser Installer Domain in DNS Lookup (tor-browser .io)
ET MALWARE Malicious Browser Installer Checkin (POST)
ET MALWARE Observed DNS Query to XWorm RAT Domain (system6458 .ddns .net)
ET MALWARE AllcomeClipper CnC Domain (dba692117be7b6d3480fe5220fdd58b38bf .xyz) in DNS Lookup
ET MALWARE AllcomeClipper CnC Checkin
ET MALWARE TA569 Domain in DNS Lookup (pastukhova .com)
ET MALWARE TA569 Fake Browser Update Domain in DNS Lookup (profi-stom .com)
ET MALWARE Suspected Smokeloader Activity (POST)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (faristo .site)
ET MALWARE WinGo/Go-rod signInUrls Failed Data Exfiltration attempt
ET MALWARE WinGo/Go-rod moz_cookies Failed Data Exfiltration attempt
ET MALWARE SocGholish CnC Domain in DNS Lookup (internal .blessedfoodshalalmeat .com)
ET MALWARE TrueBot/Silence.Downlaoder Screenshot Post M1
ET MALWARE TrueBot/Silence.Downlaoder Screenshot Post M2
ET MALWARE Observed DNS Query to DonotGroup Domain (stokpro .buzz)
ET MALWARE Win32/RM3Loader Activity (set)
ET MALWARE SocGholish Domain in DNS Lookup (repo .allgoodsnservices .com)
ET MALWARE Win32/RM3Loader Server Response
ET MALWARE SocGholish Domain in DNS Lookup (family .1ablecommunity .com)
ET MALWARE SocGholish Domain in DNS Lookup (resort .reliablecommunityservices .com)
ET MALWARE SocGholish Domain in DNS Lookup (ecar .allsunstates .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (houses .in-vermont .com)
ET MALWARE Polonium APT CREEPYSNAIL Backdoor Related Activity (GET)
ET MALWARE Polonium APT PAPACREEP Backdoor Related Activity
ET MALWARE Arid Viper APT Related Domain in DNS Lookup (zakaria-chotzen .info)
ET MALWARE Observed Arid Viper APT Related Domain (zakaria-chotzen .info in TLS SNI)
ET MALWARE Observed DNS Query to Cobalt Strike Domain 2022-10-11 (pigahinilu .com)
ET MALWARE HTML/Qbot Dropper (.zip)
ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot)
ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot)
ET MALWARE SocGholish CnC Domain in DNS Lookup (demand .sageyogatherapies .com)
ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot)
ET MALWARE Magecart Related Domain in DNS Lookup (cdn-mediahub .com)
ET MALWARE Arid Viper APT Related Activity (POST)
ET MALWARE Mekotio Banking Trojan CnC Domain (zautoservice .eu) in DNS Lookup
ET MALWARE Win32/Spy.Mekotio.EY Payload Request
ET MALWARE MSSQL maggie backdoor Accessall Query Observed
ET MALWARE MSSQL maggie backdoor ListIP Query Observed
ET MALWARE MSSQL maggie backdoor ls Query Observed
ET MALWARE MSSQL maggie backdoor sysinfo Query Observed
ET MALWARE MSSQL maggie backdoor sp_addextendedproc Command Observed
ET MALWARE MSSQL maggie backdoor whoami Query Observed
ET MALWARE Observed DNS Query to Budminer Domain (happy .MyNetAV .ORG)
ET MALWARE VBA/Agent.AAV CnC Checkin
ET MALWARE Observed DNS Query to Budminer Domain (ktwods .lflink .com)
ET MALWARE Observed DNS Query to Budminer Domain (centers .allowed .org)
ET MALWARE Observed DNS Query to Budminer Domain (relationship .epac .to)
ET MALWARE Observed DNS Query to Budminer Domain (common .taiwan .twilightparadox .com)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .hinet .dns-dns .com)
ET MALWARE Observed DNS Query to Budminer Domain (dirco .jetos .com)
ET MALWARE Observed DNS Query to Budminer Domain (RdAccount .dns1 .us)
ET MALWARE Observed DNS Query to Budminer Domain (cart .skyseaweb .org)
ET MALWARE Observed DNS Query to Budminer Domain (Facebook .ddns .ms)
ET MALWARE Observed DNS Query to Budminer Domain (sacstartapples .mohwfreshman1 .otzo .com)
ET MALWARE Observed DNS Query to Budminer Domain (zbAction .dynssl .COM)
ET MALWARE Observed DNS Query to Budminer Domain (web .stonekiki .freeddns .com)
ET MALWARE Observed DNS Query to Budminer Domain (big .qpoe .com)
ET MALWARE Observed DNS Query to Budminer Domain (oop .ddns .us)
ET MALWARE Observed DNS Query to Budminer Domain (bnhxalex .organiccrap .com)
ET MALWARE Observed DNS Query to Budminer Domain (asia .publiccosplay .org)
ET MALWARE Observed DNS Query to Budminer Domain (kilomier .2waky .com)
ET MALWARE Observed DNS Query to Budminer Domain (article .phdfa .com)
ET MALWARE Observed DNS Query to Budminer Domain (american .ddns .us)
ET MALWARE Observed DNS Query to Budminer Domain (Kaccount .moneyhome .biz)
ET MALWARE Observed DNS Query to Budminer Domain (zcrd .twgogo .org)
ET MALWARE Observed DNS Query to Budminer Domain (duth .ahfree .net)
ET MALWARE Observed DNS Query to Budminer Domain (oop .gov .minecraftr .us)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .wlksbb .MrsLove .com)
ET MALWARE Observed DNS Query to Budminer Domain (most .gov .allowed .org)
ET MALWARE Observed DNS Query to Budminer Domain (kgoogfsd .freetcp .com)
ET MALWARE Observed DNS Query to Budminer Domain (accountinfo .ssl443 .org)
ET MALWARE Observed DNS Query to Budminer Domain (mofa .ignorelist .com)
ET MALWARE Observed DNS Query to Budminer Domain (thesizeofearth .ourhobby .com)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .yahoo-inc .DSMTP .COM)
ET MALWARE Observed DNS Query to Budminer Domain (taitra .fartit .com)
ET MALWARE Observed DNS Query to Budminer Domain (zoneprenuin .crabdance .com)
ET MALWARE Observed DNS Query to Budminer Domain (bing .ikwb .com)
ET MALWARE Observed DNS Query to Budminer Domain (rfvg .karlosb .com)
ET MALWARE Observed DNS Query to Budminer Domain (ey .acaro .org)
ET MALWARE Observed DNS Query to Budminer Domain (aolmail .ddns .info)
ET MALWARE Observed DNS Query to Budminer Domain (fsc-kd .ns01 .info)
ET MALWARE Observed DNS Query to Budminer Domain (pe .publiccosplay .org)
ET MALWARE Observed DNS Query to Budminer Domain (whlu .congci .info)
ET MALWARE Observed DNS Query to Budminer Domain (google .ddns .name)
ET MALWARE Observed DNS Query to Budminer Domain (av .phdfa .com)
ET MALWARE Observed DNS Query to Budminer Domain (kuangdao .serveftp .com)
ET MALWARE Observed DNS Query to Budminer Domain (youtobeother .twbbs .org)
ET MALWARE Observed DNS Query to Budminer Domain (oop .crabdance .com)
ET MALWARE Observed DNS Query to Budminer Domain (kcg2 .gov .tw .allowed .org)
ET MALWARE Observed DNS Query to Budminer Domain (stonekiki .freeddns .com)
ET MALWARE Observed DNS Query to Budminer Domain (loginlived .com)
ET MALWARE Observed DNS Query to Budminer Domain (smtpgov .eSMTP .biz)
ET MALWARE Observed DNS Query to Budminer Domain (prefers .kboyda .net)
ET MALWARE Observed DNS Query to Budminer Domain (info .IsASecret .com)
ET MALWARE Observed DNS Query to Budminer Domain (saitama .map-shinai .com)
ET MALWARE Observed DNS Query to Budminer Domain (Kmember .wikaba .com)
ET MALWARE Observed DNS Query to Budminer Domain (liveupdate .Jkub .com)
ET MALWARE Observed DNS Query to Budminer Domain (bigbang .myddns .com)
ET MALWARE Observed DNS Query to Budminer Domain (Liveupdate .jkub .com)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .twnic .almostmy .com)
ET MALWARE Observed DNS Query to Budminer Domain (iphone .site .web .fbs .ezua .com)
ET MALWARE Observed DNS Query to Budminer Domain (video .itsaol .com)
ET MALWARE Observed DNS Query to Budminer Domain (mitac_com .dns05 .com)
ET MALWARE Observed DNS Query to Budminer Domain (wlksbb .MrsLove .com)
ET MALWARE Observed DNS Query to Budminer Domain (soft .update .cloudns .info)
ET MALWARE Observed DNS Query to Budminer Domain (tipo .dns-dns .com)
ET MALWARE Observed DNS Query to Budminer Domain (gpu .wikaba .com)
ET MALWARE Observed DNS Query to Budminer Domain (global .smart-house .ga)
ET MALWARE Observed DNS Query to Budminer Domain (name .itsaol .com)
ET MALWARE Observed DNS Query to Budminer Domain (exchanger-online-thalesgroup .zyns .com)
ET MALWARE Observed DNS Query to Budminer Domain (infor .nttcom .tk)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .lily .onmypc .net)
ET MALWARE Observed DNS Query to Budminer Domain (healths .jumpingcrab .com)
ET MALWARE Observed DNS Query to Budminer Domain (cier .edu .tw .us .to)
ET MALWARE Observed DNS Query to Budminer Domain (gmailgroup .mooo .com)
ET MALWARE Observed DNS Query to Budminer Domain (moea .jumpingcrab .com)
ET MALWARE Observed DNS Query to Budminer Domain (bigbank .cnkk .org)
ET MALWARE Observed DNS Query to Budminer Domain (kaspersky .apchnetinfo .com)
ET MALWARE Observed DNS Query to Budminer Domain (madicity .org)
ET MALWARE Observed DNS Query to Budminer Domain (nditd .top)
ET MALWARE Observed DNS Query to Budminer Domain (rt .skymeto .com)
ET MALWARE Observed DNS Query to Budminer Domain (mysweetpig .news .minecraftnoob .com)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .kingdom .myddns .com)
ET MALWARE Observed DNS Query to Budminer Domain (nscnet .tk)
ET MALWARE Observed DNS Query to Budminer Domain (pic-yahoo .ddns .us)
ET MALWARE Observed DNS Query to Budminer Domain (moeaidb .ro .lt)
ET MALWARE Observed DNS Query to Budminer Domain (mosec .twgogo .org)
ET MALWARE Observed DNS Query to Budminer Domain (bigbigbig .servehttp .com)
ET MALWARE Observed DNS Query to Budminer Domain (yahoo .serveuser .com)
ET MALWARE Observed DNS Query to Budminer Domain (tdns .verydvcd .com)
ET MALWARE Observed DNS Query to Budminer Domain (TheoreticalModel .onmypc .us)
ET MALWARE Observed DNS Query to Budminer Domain (airlinesflightleaving .thesizeofearth .ourhobby .com)
ET MALWARE Observed DNS Query to Budminer Domain (family .mobwork .net)
ET MALWARE Observed DNS Query to Budminer Domain (wlks .ServeUsers .com)
ET MALWARE Observed DNS Query to Budminer Domain (bigbang .ddns .ms)
ET MALWARE Observed DNS Query to Budminer Domain (bulk .indonet .org)
ET MALWARE Observed DNS Query to Budminer Domain (wmdshr .3322 .org)
ET MALWARE Observed DNS Query to Budminer Domain (skype .mrbonus .com)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .newmc .dns-dns .com)
ET MALWARE Observed DNS Query to Budminer Domain (toolbar .qpoe .com)
ET MALWARE Observed DNS Query to Budminer Domain (micro .security .services .rebatesrule .net)
ET MALWARE Observed DNS Query to Budminer Domain (manated .dynamic-dns .net)
ET MALWARE Observed DNS Query to Budminer Domain (sci .dns1 .us)
ET MALWARE Observed DNS Query to Budminer Domain (update .mefound .com)
ET MALWARE Observed DNS Query to Budminer Domain (twmis .twgogo .org)
ET MALWARE Observed DNS Query to Budminer Domain (bigkszb .twgogo .org)
ET MALWARE Observed DNS Query to Budminer Domain (emailfromsm .mpsdtupdsda .ezua .com)
ET MALWARE Observed DNS Query to Budminer Domain (newsda .opsdatus .greatfinder .org)
ET MALWARE Observed DNS Query to Budminer Domain (google_service .ns01 .us)
ET MALWARE Observed DNS Query to Budminer Domain (google .dynssl .com)
ET MALWARE Observed DNS Query to Budminer Domain (youtobebig .cnkk .org)
ET MALWARE Observed DNS Query to Budminer Domain (gov .toh .info)
ET MALWARE Observed DNS Query to Budminer Domain (moea .toythieves .com)
ET MALWARE Observed DNS Query to Budminer Domain (msnlive .25u .com)
ET MALWARE Observed DNS Query to Budminer Domain (hinet .dns-stuff .com)
ET MALWARE Observed DNS Query to Budminer Domain (moeaidb .tk)
ET MALWARE Observed DNS Query to Budminer Domain (photostw .twgogo .org)
ET MALWARE Observed DNS Query to Budminer Domain (iPhone .linkWebSock .ZoneID .uk .to)
ET MALWARE Observed DNS Query to Budminer Domain (oop .govtw .servernux .com)
ET MALWARE Observed DNS Query to Budminer Domain (kdbb .ourhobby .com)
ET MALWARE Observed DNS Query to Budminer Domain (google .apchnetinfo .com)
ET MALWARE Observed DNS Query to Budminer Domain (faqtos .ignorelist .com)
ET MALWARE Observed DNS Query to Budminer Domain (info .chemoimmunity .top)
ET MALWARE Observed DNS Query to Budminer Domain (oop .uk .to)
ET MALWARE Observed DNS Query to Budminer Domain (sceyf .ibmmt .net)
ET MALWARE Observed DNS Query to Budminer Domain (getadobe .dns-dns .com)
ET MALWARE Observed DNS Query to Budminer Domain (symantecAnti .ItemDB .com)
ET MALWARE Observed DNS Query to Budminer Domain (specas .OurHobby .com)
ET MALWARE Observed DNS Query to Budminer Domain (economy .ServeUser .com)
ET MALWARE Observed DNS Query to Budminer Domain (mbank .moneyhome .biz)
ET MALWARE Observed DNS Query to Budminer Domain (privilegecom .theesponsibility .crabdance .com)
ET MALWARE Observed DNS Query to Budminer Domain (kuangd .new .privatedns .org)
ET MALWARE Observed DNS Query to Budminer Domain (dns .dymantic .service .fbs .ocry .com)
ET MALWARE Observed DNS Query to Budminer Domain (moeaidb .dns-dns .tw)
ET MALWARE Observed DNS Query to Budminer Domain (oop .itsaol .com)
ET MALWARE Observed DNS Query to Budminer Domain (bitcom .polaczyk .com)
ET MALWARE Observed DNS Query to Budminer Domain (intweb .mobwork .net)
ET MALWARE Observed DNS Query to Budminer Domain (biz .pcanywhere .NET)
ET MALWARE Observed DNS Query to Budminer Domain (yahoo .ddns .name)
ET MALWARE Observed DNS Query to Budminer Domain (trends .crabdance .com)
ET MALWARE Observed DNS Query to Budminer Domain (moea .dsmtp .com)
ET MALWARE Observed DNS Query to Budminer Domain (backupcoa .serveftp .com)
ET MALWARE Observed DNS Query to Budminer Domain (jjj .ns02 .us)
ET MALWARE Observed DNS Query to Budminer Domain (ey .uk .to)
ET MALWARE Observed DNS Query to Budminer Domain (expiration .toythieves .com)
ET MALWARE Observed DNS Query to Budminer Domain (common .taiwaninfoma .uk .to)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .boonty .Got-Game .org)
ET MALWARE Observed DNS Query to Budminer Domain (itunes .toythieves .com)
ET MALWARE Observed DNS Query to Budminer Domain (obicsystem .ntt-nexia .tk)
ET MALWARE Observed DNS Query to Budminer Domain (bidsd .justdied .com)
ET MALWARE Observed DNS Query to Budminer Domain (rocky3288 .changeip .org)
ET MALWARE Observed DNS Query to Budminer Domain (mails .grousp .allowed .org)
ET MALWARE Observed DNS Query to Budminer Domain (tpp .otzo .com)
ET MALWARE Observed DNS Query to Budminer Domain (lily .onmypc .net)
ET MALWARE Observed DNS Query to Budminer Domain (skyfd .com)
ET MALWARE Observed DNS Query to Budminer Domain (cca .us .to)
ET MALWARE Observed DNS Query to Budminer Domain (news .rockspace .wang)
ET MALWARE Observed DNS Query to Budminer Domain (pqsl .servernux .com)
ET MALWARE Observed DNS Query to Budminer Domain (taiwanmail .org .ignorelist .com)
ET MALWARE Observed DNS Query to Budminer Domain (mains .tainoetnde .bgphome .com)
ET MALWARE Observed DNS Query to Budminer Domain (update .madicity .org)
ET MALWARE Observed DNS Query to Budminer Domain (members .viaopen .net)
ET MALWARE Observed DNS Query to Budminer Domain (enjoyit .longmusic .com)
ET MALWARE Observed DNS Query to Budminer Domain (customs .bot .nu)
ET MALWARE Observed DNS Query to Budminer Domain (music .apchnetinfo .com)
ET MALWARE Observed DNS Query to Budminer Domain (bbwlkszb .organiccrap .com)
ET MALWARE Observed DNS Query to Budminer Domain (googlemailinforma .orge .pl)
ET MALWARE Observed DNS Query to Budminer Domain (news .onmypc .org)
ET MALWARE Observed DNS Query to Budminer Domain (fareastone .my03 .com)
ET MALWARE Observed DNS Query to Budminer Domain (k1fsc .ax .lt)
ET MALWARE Observed DNS Query to Budminer Domain (news .mynews .photo-frame .com)
ET MALWARE Observed DNS Query to Budminer Domain (aimimi .xxuz .com)
ET MALWARE Observed DNS Query to Budminer Domain (trace .leecantu .com)
ET MALWARE Observed DNS Query to Budminer Domain (kelsdc .compress .to)
ET MALWARE Observed DNS Query to Budminer Domain (googledrivercould .serveuser .com)
ET MALWARE Observed DNS Query to Budminer Domain (idb .dns-dns .com)
ET MALWARE Observed DNS Query to Budminer Domain (blizzard .apchnetinfo .com)
ET MALWARE Observed DNS Query to Budminer Domain (widcards .abousts .fabioabreu .net)
ET MALWARE Observed DNS Query to Budminer Domain (money .terelation .com)
ET MALWARE Observed DNS Query to Budminer Domain (yahoonews .twgg .org)
ET MALWARE Observed DNS Query to Budminer Domain (kuangd .new .hack-inter .net)
ET MALWARE Observed DNS Query to Budminer Domain (ktwords .lflink .com)
ET MALWARE Observed DNS Query to Budminer Domain (voicetube .citytalk .crabdance .com)
ET MALWARE Observed DNS Query to Budminer Domain (moea .strangled .net)
ET MALWARE Observed DNS Query to Budminer Domain (jgx .explorermaker .com)
ET MALWARE Observed DNS Query to Budminer Domain (ofa .fartit .com)
ET MALWARE Observed DNS Query to Budminer Domain (moeaidb .qhigh .com)
ET MALWARE Observed DNS Query to Budminer Domain (kingpsng .twgogo .org)
ET MALWARE Observed DNS Query to Budminer Domain (post .ourhobby .com)
ET MALWARE Observed DNS Query to Budminer Domain (sososb .twbbs .org)
ET MALWARE Observed DNS Query to Budminer Domain (yahoo .mailweb .sxn .us)
ET MALWARE Observed DNS Query to Budminer Domain (yahoofacebook .345 .pl)
ET MALWARE Observed DNS Query to Budminer Domain (gov .organiccrap .com)
ET MALWARE Observed DNS Query to Budminer Domain (download .longmusic .com)
ET MALWARE Observed DNS Query to Budminer Domain (update .madacity .top)
ET MALWARE Observed DNS Query to Budminer Domain (trademoea .onmypc .net)
ET MALWARE Observed DNS Query to Budminer Domain (wephone .us .to)
ET MALWARE Observed DNS Query to Budminer Domain (tw .americanunfinished .com)
ET MALWARE Observed DNS Query to Budminer Domain (renders .maninta .anichgroup .com)
ET MALWARE Observed DNS Query to Budminer Domain (dayan .onedumb .com)
ET MALWARE Observed DNS Query to Budminer Domain (qtwlkszb .dynamicdns .org .uk)
ET MALWARE Observed DNS Query to Budminer Domain (workstation .mypop3 .org)
ET MALWARE Observed DNS Query to Budminer Domain (H0TMAIL .ddns .info)
ET MALWARE Observed DNS Query to Budminer Domain (kingdom .myddns .com)
ET MALWARE Observed DNS Query to Budminer Domain (Artor .terelation .com)
ET MALWARE Observed DNS Query to Budminer Domain (kdmm .t28 .net)
ET MALWARE Observed DNS Query to Budminer Domain (mofir .twgg .org)
ET MALWARE Observed DNS Query to Budminer Domain (list .googlebook .mrbonus .com)
ET MALWARE Observed DNS Query to Budminer Domain (find .usdc .ignorelist .com)
ET MALWARE Observed DNS Query to Budminer Domain (sorry .iownyour .biz)
ET MALWARE Observed DNS Query to Budminer Domain (software .acmetoy .com)
ET MALWARE Observed DNS Query to Budminer Domain (symantec .apchnetinfo .com)
ET MALWARE Observed DNS Query to Budminer Domain (lookup .ns02 .us)
ET MALWARE Observed DNS Query to Budminer Domain (mofamail .acmetoy .com)
ET MALWARE Observed DNS Query to Budminer Domain (mpsdtupdsda .ezua .com)
ET MALWARE Observed DNS Query to Budminer Domain (mimimi .VizVaz .com)
ET MALWARE Observed DNS Query to Budminer Domain (mptudp .pw)
ET MALWARE Observed DNS Query to Budminer Domain (bestcom .dns2 .us)
ET MALWARE Observed DNS Query to Budminer Domain (toolbar .DSMTP .COM)
ET MALWARE Observed DNS Query to Budminer Domain (security .MyNetAV .ORG)
ET MALWARE Observed DNS Query to Budminer Domain (ftp .ourfriends .sexxxy .biz)
ET MALWARE Observed DNS Query to Budminer Domain (mybb .dns-dns .com)
ET MALWARE Observed DNS Query to Budminer Domain (iphone-ex .info .tm)
ET MALWARE Observed DNS Query to Budminer Domain (airbus .zyns .com)
ET MALWARE Observed DNS Query to Budminer Domain (1122334 .zyns .com)
ET MALWARE Observed DNS Query to Budminer Domain (mobiles .chickenkiller .com)
ET MALWARE Observed DNS Query to Budminer Domain (ourfriends .sexxxy .biz)
ET MALWARE MSSQL maggie backdoor Query Observed (other functions)
ET MALWARE SocGholish CnC Domain in DNS Lookup (offerings .love4lifewellness .com)
ET MALWARE Win32/TrojanDropper.Agent.SRM Exfil via Discord
ET MALWARE Observed DNS Query to Cryptojacking Domain (a-dog .top)
ET MALWARE Win32/TrojanDropper.Agent.SSQ Checkin
ET MALWARE Win32/Lumma Stealer CnC Domain (evetesttech .net) in DNS Lookup
ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M1
ET MALWARE Win32/Lumma Stealer CnC Domain (765mm .xyz) in DNS Lookup
ET MALWARE Win32/Lumma Stealer CnC Domain (safe-car .ru) in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (festival .robingaster .com)
ET MALWARE WinGo/YT Stealer CnC Domain in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (consultant .meredithklemmblog .com)
ET MALWARE WinGo/YT Stealer CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup
ET MALWARE SocGholish CnC Domain in DNS Lookup
ET MALWARE Suspected POLONIUM CnC Domain (consulting-ukraine .tk) in DNS Lookup
ET MALWARE Suspected POLONIUM CnC Domain (ukrsupport .info) in DNS Lookup
ET MALWARE Suspected Polonium CnC Initial Checkin M1
ET MALWARE Suspected Polonium CnC Initial Checkin M2
ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M1
ET MALWARE Suspected Polonium CnC Checkin (get_cmd)
ET MALWARE Suspected Polonium CnC Checkin (result.php - process list) M2
ET MALWARE SocGholish CnC Domain in DNS Lookup (discover .jsfconnections .com)
ET MALWARE SocGholish Domain in DNS Lookup (chess .north-atlantic .com)
ET MALWARE MSIL/InfoStealer Variant Activity (POST)
ET MALWARE TA452 Related Backdoor Activity (GET)
ET MALWARE TA452 Related Backdoor Activity (POST)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (pedaily .online)
ET MALWARE TA452 Related Backdoor Activity (POST)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ellechina .online)
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (gov .mil .ua .aspx .io)
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (notfiled .com)
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scanners .com)
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (advanced-ip-scaner .com)
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (4qzm .com)
ET MALWARE Observed DNS Query to ROMCOM RAT Domain (www .get .adobe .com .aspx .io)
ET MALWARE Win32/WarHawk Checkin Activity
ET MALWARE Win32/WarHawk Activity (ping)
ET MALWARE Win32/WarHawk Activity (task)
ET MALWARE Win32/WarHawk Activity (cmd)
ET MALWARE Win32/WarHawk Activity (filemgr)
ET MALWARE Win32/WarHawk Activity (filemgr) M2
ET MALWARE Win32/WarHawk Activity (fileupload)
ET MALWARE Win32/WarHawk Sending Windows System Information (POST)
ET MALWARE Win32/WarHawk Activity (task_done)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup
ET MALWARE Cobalt Strike Related Domain in DNS Lookup
ET MALWARE Sidewinder APT Related Malware Activity M2 (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot)
ET MALWARE Observed Malicious SSL/TLS Certificate (QakBot)
ET MALWARE SocGholish Domain in DNS Lookup (shipwrecks .ggentile .com)
ET MALWARE Win32/Injector.BBYK Checkin
ET MALWARE Potential Juniper Phar Deserialization RCE Attempt (CVE-2022-22241)
ET MALWARE Potential Juniper XPATH Injection Attempt (CVE-2022-22244)
ET MALWARE SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com)
ET MALWARE Potential Juniper Reflected XSS Attempt (CVE-2022-22242)
ET MALWARE Potential Juniper Path Traversal RCE Attempt (CVE-2022-22245)
ET MALWARE Potential Juniper PHP Local File Inclusion Attempt (CVE-2022-22246)
ET MALWARE Manjusaka C2 Client Heartbeat
ET MALWARE Manjusaka C2 Heartbeat Response
ET MALWARE JS/AlterSave Skimmer Payload Inbound M1
ET MALWARE JS/AlterSave Skimmer Payload Inbound M2
ET MALWARE Malicious Doc CnC Domain (e-demarches .kodeo .ch) in DNS Lookup
ET MALWARE Win32.Agent.OSCF CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (squad .incumetrics .com)
ET MALWARE Win32/Agent.AETZ CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (myfood .silverspringfoodproject .org)
ET MALWARE Python Library Backdoor Domain (wasp .plague .fun) in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (podcasts .momsgrabcoffee .com)
ET MALWARE Emotet Style Request Activity (GET)
ET MALWARE Observed DNS Query to Ursnif Domain (fishenddog .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (lionnik .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (mamount .cyou)
ET MALWARE Observed DNS Query to Ursnif Domain (astope .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (pinki .cyou)
ET MALWARE Observed DNS Query to Ursnif Domain (daydayvin .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (kidup .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (damnater .com)
ET MALWARE Observed DNS Query to Ursnif Domain (minotos .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (isteros .com)
ET MALWARE Observed DNS Query to Ursnif Domain (dodstep .cyou)
ET MALWARE Observed DNS Query to Ursnif Domain (logotep .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (higmon .cyou)
ET MALWARE Observed DNS Query to Ursnif Domain (gigiman .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (fineg .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (pipap .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (prises .cyou)
ET MALWARE Observed DNS Query to Ursnif Domain (binchfog .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (gigeram .com)
ET MALWARE Observed DNS Query to Ursnif Domain (mainwog .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (gigimas .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (tornton .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (dodsman .com)
ET MALWARE Observed DNS Query to Ursnif Domain (rorfog .com)
ET MALWARE Observed DNS Query to Ursnif Domain (reaso .xyz)
ET MALWARE Observed DNS Query to Ursnif Domain (giantos .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (lionnik .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (fishenddog .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (astope .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (mamount .cyou)
ET MALWARE Observed Ursnif Domain in TLS SNI (pinki .cyou)
ET MALWARE Observed Ursnif Domain in TLS SNI (daydayvin .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (kidup .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (damnater .com)
ET MALWARE Observed Ursnif Domain in TLS SNI (minotos .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (isteros .com)
ET MALWARE Observed Ursnif Domain in TLS SNI (dodstep .cyou)
ET MALWARE Observed Ursnif Domain in TLS SNI (logotep .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (higmon .cyou)
ET MALWARE Observed Ursnif Domain in TLS SNI (vavilgo .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (gigiman .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (fineg .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (pipap .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (prises .cyou)
ET MALWARE Observed Ursnif Domain in TLS SNI (binchfog .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (gigeram .com)
ET MALWARE Observed Ursnif Domain in TLS SNI (mainwog .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (gigimas .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (fingerpin .cyou)
ET MALWARE Observed Ursnif Domain in TLS SNI (tornton .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (dodsman .com)
ET MALWARE Observed Ursnif Domain in TLS SNI (rorfog .com)
ET MALWARE Observed Ursnif Domain in TLS SNI (reaso .xyz)
ET MALWARE Observed Ursnif Domain in TLS SNI (giantos .xyz)
ET MALWARE EICAR File Sent With X-Powered By Kaspersky Labs 2022-11-03
ET MALWARE Win32/Ursnif LDR4 Beacon (POST)
ET MALWARE Win32/FlyStudio.OJJ CnC Checkin
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed DNS Query to Hyperion Obfuscator Domain (plague .fun)
ET MALWARE Hyperion Obfuscator Payload Inbound
ET MALWARE Win32/DataStealer.P CnC Checkin
ET MALWARE Win32/Delf.UUW CnC Keep-Alive
ET MALWARE Win32\Cryptbot CnC Domain (kyrsti44 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (okwnyw02 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (okwydg05 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (towcqx32 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (okwerh01 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqzyt03 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqyjb01 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (okwyeg04 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (pefjfw62 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqpvu08 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (towhfs22 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqosk04 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqyqu10 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (kyrjwt45 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqzpe02 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqycd05 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (suqoyw07 .top) in DNS Lookup
ET MALWARE Win32\Cryptbot CnC Domain (towspd42 .top) in DNS Lookup
ET MALWARE ROMCOM RAT CnC Domain (you-supported .com) in DNS Lookup
ET MALWARE ROMCOM RAT Campaign Domain (wveeam .com) in DNS Lookup
ET MALWARE ROMCOM RAT Campaign Domain (keepas .org) in DNS Lookup
ET MALWARE Kutaki Stealer CnC Domain (terebinnahicc .club) in DNS Lookup
ET MALWARE Kutaki Stealer CnC Domain (treysbeatend .com) in DNS Lookup
ET MALWARE ChromeLoader CnC Domain (istakechau .autos) in DNS Lookup
ET MALWARE ChromeLoader CnC Domain (imenttogethe .xyz) in DNS Lookup
ET MALWARE ChromeLoader CnC Checkin M1
ET MALWARE ChromeLoader CnC Error
ET MALWARE ChromeLoader CnC Checkin M2
ET MALWARE APT36/TransparentTribe CnC Domain (richa-sharma .ddns .net) in DNS Lookup
ET MALWARE WinGO\Monitor.go CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (course .netpickstrading .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (campaign .tworiversboat .com)
ET MALWARE SocGholish Domain in DNS Lookup (automatic .tworiversboats .com)
ET MALWARE JS/Cloud9 Domain (download .loginserv .net) in DNS Lookup
ET MALWARE JS/Cloud9 Domain (cloud-miner .de) in DNS Lookup
ET MALWARE JS/Cloud9 Domain (zmsp .top) in DNS Lookup
ET MALWARE JS/Cloud9 Domain (download .agency) in DNS Lookup
ET MALWARE JS/Cloud9 Cookie Exfiltration Attempt
ET MALWARE JS/Cloud9 Clipboard Exfiltration Attempt
ET MALWARE DeimosC2 TCP Agent Heartbeat

255 of 382 2024-03-01, 14:05
ET MALWARE SocGholish CnC Domain in DNS Lookup (rate .coinangel .online)
ET MALWARE VBA/Agent.ADT Checkin
ET MALWARE APT41 CnC Domain (www .affice366 .com) in DNS Lookup
ET MALWARE APT41 CnC Domain (c .ymvh8w5 .xyz) in DNS Lookup
ET MALWARE APT41 CnC Domain (www .vietsovspeedtest .com) in DNS Lookup
ET MALWARE IceXLoader CnC Domain (stealthelite .one) in DNS Lookup
ET MALWARE IceXLoader CnC Domain (www .filifilm .com .br) in DNS Lookup
ET MALWARE CloudAtlas Related Domain in DNS Lookup (protocol-list .com)
ET MALWARE Laplas Clipper CnC Domain (clipper .guru) in DNS Lookup
ET MALWARE Laplas Clipper - Regex CnC Request
ET MALWARE Laplas Clipper - SetOnline CnC Checkin
ET MALWARE Laplas Clipper - GetAddress CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (community .backpacktrader .com)
ET MALWARE GO/Titan Stealer Data Exfiltration Attempt
ET MALWARE TA569 Domain in DNS Lookup (friscomusicgroup .com)
ET MALWARE Fodcha Botnet Style DNS Server Lookup
ET MALWARE SocGholish Domain in DNS Lookup (casting .austinonline .shop)
ET MALWARE Win32/TyphonReborn Telegram CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (collapse .tradingiswar .com)
ET MALWARE SocGholish Domain in DNS Lookup (founder .carflower .pics)
ET MALWARE SocGholish Domain in DNS Lookup (travel .dianatokaji .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (diary .lojjh .com)
ET MALWARE Observed Malicious SSL/TLS Certificate (CobaltStrike C2)
ET MALWARE Win32/VB.PNU CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (factors .djbel .com)
ET MALWARE Win32/Corrempa/HZRAT CnC Checkin
ET MALWARE Suspected Bitter APT Related Activity
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE Kimsuky CnC Domain (jojoa .mypressonline .com) Observed in DNS Query
ET MALWARE Kimsuky CnC Domain (okihs .mypressonline .com) Observed in DNS Query
ET MALWARE Maldoc Related Domain in DNS Lookup
ET MALWARE Maldoc Related Domain in DNS Lookup
ET MALWARE Maldoc Retrieving Remote Template (GET)
ET MALWARE TA444 Domain in DNS Lookup (gdocshare .one)
ET MALWARE Observed TA444 Domain (gdocshare .one in TLS SNI)
ET MALWARE Win32/Filecoder.OJC CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (mini .ptipexcel .com)
ET MALWARE Golang Aurora Stealer Exfil Activity
ET MALWARE Observed TA453 Domain (washingtonlnstitute .org in TLS SNI)
ET MALWARE TA453 Domain in DNS Lookup (washingtonlnstitute .org)
ET MALWARE TA444 Domain in DNS Lookup (sharedrive .ink)
ET MALWARE TA444 Domain in DNS Lookup (dnx .capital)
ET MALWARE Observed TA444 Domain (sharedrive .ink in TLS SNI)
ET MALWARE Observed TA444 Domain (dnx .capital in TLS SNI)
ET MALWARE SocGholish Domain in DNS Lookup (dashboard .skybacherslocker .com)
ET MALWARE SocGholish Domain in DNS Lookup (montage .travelguidediva .com)
ET MALWARE Win32/Gh0st RAT Variant CnC Checkin response
ET MALWARE SocGholish Domain in DNS Lookup (hook .adieh .com)
ET MALWARE SocGholish Domain in DNS Lookup (subscribe .3gbling .com)
ET MALWARE Mustang Panda APT TONESHELL Related Activity
ET MALWARE Vidar Stealer Payload Delivery Domain (audacitya .org) in DNS Lookup
ET MALWARE Win32/ViperSoftX Stealer Activity M3 (POST)
ET MALWARE Backdoored MSI Afterburner Payload Delivery Domain (git .git .skblxin .matrizauto .net) in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (pastor .cntcog .org)
ET MALWARE SocGholish Domain in DNS Lookup (wiki .clotheslane .com)
ET MALWARE SocGholish Domain in DNS Lookup (perspective .cdsignner .com)
ET MALWARE SocGholish Domain in DNS Lookup (mask .covidturf .com)
ET MALWARE SocGholish Domain in DNS Lookup (progress .cashdigger .com)
ET MALWARE Observed DNS Query to W32/Filecoder.KY!tr.ransom Domain (e4c0660414bf .eu .ngrok .io)
ET MALWARE Observed DNS Query to W32/Filecoder.KY!tr.ransom Domain (ec2-3-125-223-134 .eu-central-1 .compute .amazonaws .com)
ET MALWARE Qakbot/Cobalt Strike Domain (jesofidiwi .com) in DNS Lookup
ET MALWARE Qakbot/Cobalt Strike Domain (tevokaxol .com) in DNS Lookup
ET MALWARE Qakbot/Cobalt Strike Domain (vopaxafi .com) in DNS Lookup
ET MALWARE Qakbot/Cobalt Strike Domain (dimingol .com) in DNS Lookup
ET MALWARE DonotGroup Related Domain in DNS Lookup (grapehister .buzz)
ET MALWARE DonotGroup Backdoor Activity (POST)
ET MALWARE DonotGroup Related Domain in DNS Lookup (orangeholister .buzz)
ET MALWARE Observed DonotGroup Related Domain (orangeholister .buzz in TLS SNI)
ET MALWARE TA453 Related Domain in DNS Lookup (mailer-daemon .me)
ET MALWARE TA453 Related Domain in DNS Lookup (mailer-daemon .live)
ET MALWARE TA453 Related Domain in DNS Lookup (mailer-daemon .net)
ET MALWARE TA453 Related Domain in DNS Lookup (tinyurl .ink)
ET MALWARE TA453 Related Domain in DNS Lookup (de-ma .online)
ET MALWARE TA453 Related Domain in DNS Lookup (litby .us)
ET MALWARE TA453 Related Domain in DNS Lookup (mailer-daemon .online)
ET MALWARE TA453 Related Domain in DNS Lookup (mailer-daemon .org)
ET MALWARE Python PyPi Typo Squatting Package Payload Delivery Domain (anarchydev .com) in DNS Request
ET MALWARE Octopus Energy Themed Trojan CnC Domain (docusign-octopus-energy .com) in DNS Lookup
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE Blackmagic Ransomware Checkin Activity (GET)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (cdn-jsnode-call .com)
ET MALWARE Confucious APT Related Domain in DNS Lookup (info-updates .ddns .net)
ET MALWARE Win32/DuckLogs Malware Related Domain in DNS Lookup (ducklogs .com)
ET MALWARE Win32/DuckLogs Malware Activity (GET)
ET MALWARE Observed Win32/DuckLogs Malware Domain (ducklogs .com in TLS SNI)
ET MALWARE ZINC APT Related Backdoor Activity (POST)
ET MALWARE Observed DNS Query to AppleJeus Domain (strainservice .com)
ET MALWARE Possible Heliconia Noise Landing Page Response
ET MALWARE Observed DNS Query to AppleJeus Domain (wirexpro .com)
ET MALWARE Observed DNS Query to AppleJeus Domain (telloo .io)
ET MALWARE Observed DNS Query to AppleJeus Domain (rebelthumb .net)
ET MALWARE Observed DNS Query to AppleJeus Domain (oilycargo .com)
ET MALWARE Observed DNS Query to AppleJeus Domain (bloxholder .com)
ET MALWARE Win32/AppleJeus CnC Checkin (POST)
ET MALWARE Bitter APT CnC Domain (mobisharestock .com) in DNS Lookup
ET MALWARE JS/Batloader Payload Request (GET)
ET MALWARE Bitter APT CnC Domain (updnangelgroup .com) in DNS Lookup
ET MALWARE Bitter APT CHM Activity (GET) M3
ET MALWARE Observed DNS Query to XWORM RAT Domain (esteticamarbai .es)
ET MALWARE Observed DNS Query to XWORM RAT Domain (pujakumari .duckdns .org)
ET MALWARE Observed DNS Query to ElectronBot Domain (Electron-Bot .s3 .eu-central-1 .amazonaws .com)
ET MALWARE Win32/RecordBreaker - Observed UA M4 (20112211)
ET MALWARE Observed DNS Query to ElectronBot Domain (11k .online)
ET MALWARE JS.ElectronBot.B.F7A4D930 Downloader (GET)
ET MALWARE JS.ElectronBot Payload Inbound
ET MALWARE Win32/XFILES Stealer Data Exfiltration Attempt
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .fate .truelance .com)
ET MALWARE TA569 Domain in DNS Lookup (ergpractice .com)
ET MALWARE Observed DNS Query to Pirate Stealer Domain (mdvksublbpczqluqvvbytfprxdwakuke .nl)
ET MALWARE GCleaner Downloader Activity M8
ET MALWARE Observed Pirate Stealer Domain in DNS Lookup (wearenotbbystealer .nl)
ET MALWARE Confucious APT CnC Checkin
ET MALWARE Confucious APT CnC Domain (microsoftonedriver .com) in DNS Lookup
ET MALWARE Maldoc Related Domain in DNS Lookup (ms-offices .com)
ET MALWARE Maldoc Related Domain in DNS Lookup (ms-office .services)
ET MALWARE Maldoc Related Domain in DNS Lookup (template-openxml .com)
ET MALWARE Observed DNS Query to Impersoni-fake-ator (cloud .fastpaymentser-vice .com)
ET MALWARE Win32/Irafau Backdoor CnC Activity (POST)
ET MALWARE Observed DNS Query to Impersoni-fake-ator (uc .ejalase .org)
ET MALWARE Observed DNS Query to Impersoni-fake-ator (cloud .microsoftshop .org)
ET MALWARE Observed DNS Query to Impersoni-fake-ator (cloud .crmdev .org)
ET MALWARE Observed DNS Query to Impersoni-fake-ator (fcanet .microsoftshop .org)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (cloud .skypecloud .net)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (iranwatch .tech)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (plastic .delldrivers .in)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (iransec .services)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (iredugov .wiki)
ET MALWARE Playful Taurus CnC Domain (proxy .oracleapps .org)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (news .alberto2011 .com)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (info .payamradio .com)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (picture .efanshion .com)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (srv .fazlollah .net)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (api .vmwareapi .net)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (mail .irir .org)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (info .fazlollah .net)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (soap .crmdev .org)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (mci .ejalase .org)
ET MALWARE Observd DNS Query to Impersoni-fake-ator Domain (srv .payamradio .com)
ET MALWARE Win32/ModernLoader Activity (POST)
ET MALWARE Impersoni-fake-ator backdoor CnC Checkin
ET MALWARE Win32/Eternity Stealer Activity (POST)
ET MALWARE Win32/Eternity Ransomware Retrieving Image (GET)
ET MALWARE Observed BatLoader Domain (cloudsteamview .com) in TLS SNI
ET MALWARE Win32/BlackMagic Ransomware Payload Request (GET)
ET MALWARE Observed BatLoader Domain (installationupgrade6 .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (installationsoftware1 .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (tableau-cloud .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (internalcheckssso .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (logmeincloudss .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (105105105015 .com) in TLS SNI
ET MALWARE BatLoader CnC Domain (cloudsteamview .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (installationupgrade6 .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (installationsoftware1 .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (tableau-cloud .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (internalcheckssso .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (logmeincloudss .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (105105105015 .com) in DNS Lookup
ET MALWARE Win32/Packed.Themida.AAL Checkin
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (aloyadakmashin .com)
ET MALWARE Cobalt Strike Related Domain in DNS Lookup (pejapezey .com)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Win32/DolphinCape Activity (POST)
ET MALWARE Observed Pirate Stealer Domain in DNS Lookup (socket .bby .gg)
ET MALWARE JS/GootLoader CnC Exfil
ET MALWARE Observed TA444/Lazarus Domain (one .microshare .cloud) in TLS SNI
ET MALWARE TA444/Lazarus Related Domain in DNS Lookup (microshare .cloud)
ET MALWARE TA444 Related Domain in DNS Lookup (docs-view .cloud)
ET MALWARE TA444 Related Domain in DNS Lookup (microshare .cloud)
ET MALWARE TA444 Related Domain in DNS Lookup (auto-protection .cloud)
ET MALWARE TA444 Related Domain in DNS Lookup (mufg .college)
ET MALWARE TA444 Related Domain in DNS Lookup (prosec .ink)
ET MALWARE TA444 Related Domain in DNS Lookup (smbc-vc .com)
ET MALWARE TA444 Related Domain in DNS Lookup (angelbridge .capital)
ET MALWARE TA444 Related Domain in DNS Lookup (meeting .work .gd)
ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (thecloudnet .org)
ET MALWARE Observed DangerousPassword Related Domain (www .thecloudnet .org in TLS SNI)
ET MALWARE DangerousPassword APT Style Request (GET)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup
ET MALWARE Observed Gamaredon APT Related Domain (dwn-files .shop in TLS SNI)
ET MALWARE Win32/Valyria Maldoc Payload Request M1
ET MALWARE Win32/Valyria Maldoc Payload Request M2
ET MALWARE Villain C2 Framework HTTP Command Response
ET MALWARE 7ev3n Ransomware Related Activity (GET)
ET MALWARE DOC/TrojanDownloader.Agent.ARJ Payload Request
ET MALWARE PSRansom File Exfiltration (POST)
ET MALWARE Villain C2 Framework HTTP Server Response
ET MALWARE Win32/SocksTroy Session Initiation Attempt M1
ET MALWARE Win32/SocksTroy Session Initiation Attempt M2
ET MALWARE SocGholish Domain in DNS Lookup (modernism .designpaw .com)
ET MALWARE SocGholish Domain in DNS Lookup (library .covebooks .com)
ET MALWARE Filez Downloader Checkin
ET MALWARE RedditC2 Related Activity (POST)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE Cobalt Strike Related Activity (GET)
ET MALWARE PS/PSRansom Client Checkin (GET)
ET MALWARE PS/PSRansom Server Status Check (GET)
ET MALWARE Win32/Khaosz.A!MTB Checkin - Command Retrieval
ET MALWARE Win32/Sality.NBA Exfil
ET MALWARE RedditC2 Related Activity M2 (POST)
ET MALWARE Suspected Golang/Zerobot Websocket Activity (GET)
ET MALWARE Phonk Trojan CnC Checkin (POST)
ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M2
ET MALWARE Observed DNS Query to Goofy Guineapig Domain (static .tcplog .com)
ET MALWARE Win32/Goofy Guineapig CnC Activity (GET) M1
ET MALWARE CIA Ransomware Domain (cia .cookie-coin .xyz) in DNS Lookup
ET MALWARE CIA Ransomware - wallpaper/readme retrieval attempt
ET MALWARE SocGholish Domain in DNS Lookup (fittingroom .gibbsjewelry .com)
ET MALWARE GoLinux/GoTrim CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (deposit .coveprice .com)
ET MALWARE SocGholish Domain in DNS Lookup (brooklands .harteverything .com)
ET MALWARE Observed Malicious Mustang Panda APT Related SSL Cert (File Transfer Service)
ET MALWARE Win32/PSW.LdPinch CnC Checkin
ET MALWARE TA444 Related Domain in DNS Lookup (cloudprotect .us .org)
ET MALWARE TrueBot/Silence.Downloader CnC Checkin 3
ET MALWARE TA444 Related Domain in DNS Lookup (cloud .prosec .ink)
ET MALWARE Win32/Phoenix Grabber Sending System Information (POST)
ET MALWARE TA453 Related Domain in DNS Lookup (universityofmhealth .biz)
ET MALWARE SocGholish Domain in DNS Lookup (navyseal .bezmail .com)
ET MALWARE Win32/Vulturi CnC Activity (GET)
ET MALWARE Charming Kitten APT Related DNS Activity
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (vasimgo .shop)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (admin-dpsu .org)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (files-dwn .shop)
ET MALWARE Win32/RisePro CnC Command Outbound (set_file)
ET MALWARE Win32/RisePro CnC Command Outbound (get_loaders)
ET MALWARE Win32/RisePro CnC Command Outbound (get_marks)
ET MALWARE Win32/RisePro CnC Command Outbound (get_grabbers)
ET MALWARE Win32/RisePro CnC Command Outbound (freezeStats)
ET MALWARE Win32/RisePro CnC Command Outbound (pingmap)
ET MALWARE Win32/RisePro CnC Activity (GET)
ET MALWARE Win32/RisePro CnC Server Response M1
ET MALWARE Win32/RisePro CnC Server Response M2
ET MALWARE Win32/RisePro CnC Server Response M3
ET MALWARE Win32/Generik.BUTNSNA Checkin
ET MALWARE SocGholish Domain in DNS Lookup (governing .beautynic .com)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE SocGholish Domain in DNS Lookup (office .cdsigner .com)
ET MALWARE Gamaredon APT Related Activity (POST)
ET MALWARE SocGholish Domain in DNS Lookup (group5 .corralphacap .com)
ET MALWARE SocGholish Domain in DNS Lookup (navyseal .digijump .online)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .shrubs .emptyisland .pics)
ET MALWARE Win32/RecordBreaker - Observed UA M5 (23591)
ET MALWARE SocGholish Domain in DNS Lookup (perspective .abcbarbecue .xyz)
ET MALWARE SocGholish Domain in DNS Lookup (exclusive .milonopensky .store)
ET MALWARE SocGholish Domain in DNS Lookup (extcourse .zurvio .com)
ET MALWARE SocGholish Domain in DNS Lookup (internship .ojul .com)
ET MALWARE Antinum WebSockets Start
ET MALWARE Antinum HTTP Checkin
ET MALWARE Win32/Drokbk Checkin Activity (GET)
ET MALWARE CloudAtlas APT Related Domain in DNS Lookup
ET MALWARE CloudAtlas APT Related Domain in DNS Lookup
ET MALWARE Aurora Stealer Admin Console In HTTP Response
ET MALWARE Observed DNS Query to Alibaba2044 Domain (service-fatturecloud .de)
ET MALWARE Observed DNS Query to Alibaba2044 Domain (utente .service-fatturecloud .de)
ET MALWARE Observed DNS Query to Alibaba2044 Domain (downloadpdf-fattura .de)
ET MALWARE SocGholish Domain in DNS Lookup (people .fl2wealth .com)
ET MALWARE Observed Glupteba CnC Domain (greenphoenix .xyz in TLS SNI)
ET MALWARE SocGholish Domain in DNS Lookup (taxes .rpacx .com)
ET MALWARE Observed Glupteba CnC Domain (cdneurops .buzz in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (mastiakele .ae .org in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (cdneurops .pics in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (zaoshang .ooo in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (getyourgift .life in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (zaoshang .ru in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (tmetres .com in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (revouninstaller .homes in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (limeprime .com in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (zaoshanghao .su in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (cdneurop .cloud in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (zaoshanghaoz .net in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (checkpos .net in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (zaoshang .moscow in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (mastiakele .icu in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (cdntokiog .studio in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (mastiakele .xyz in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (cdneurops .health in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (cdneurops .shop in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (mastiakele .cyou in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI)
ET MALWARE Lazarus APT Related Domain in DNS Lookup (professiondesc .com)
ET MALWARE Observed DNS Query to RisePro Domain (first-mirror .com)
ET MALWARE Win32/RisePro CnC Command Outbound (get_settings)
ET MALWARE Observed DNS Query to RisePro Domain (torggissoft .com)
ET MALWARE Observed DNS Query to RisePro Domain (myrise .pro)
ET MALWARE Observed DNS Query to RisePro Domain (hero-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (uc-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (files-rate .com)
ET MALWARE Observed DNS Query to RisePro Domain (rate-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (xx1-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (webproduct25 .com)
ET MALWARE Observed DNS Query to RisePro Domain (pin-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (best24-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (get-24files .com)
ET MALWARE Observed DNS Query to RisePro Domain (neo-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (pickofiles .com)
ET MALWARE Observed DNS Query to RisePro Domain (m-rise .pro)
ET MALWARE Observed DNS Query to RisePro Domain (my-rise .cc)
ET MALWARE Observed DNS Query to RisePro Domain (my-rise .pro)
ET MALWARE Observed DNS Query to RisePro Domain (fvp-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (gg-download .com)
ET MALWARE Observed DNS Query to RisePro Domain (get-files24 .com)
ET MALWARE Observed DNS Query to RisePro Domain (vi-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (greatsofteasy .com)
ET MALWARE Observed DNS Query to RisePro Domain (qd-file .com)
ET MALWARE Observed DNS Query to RisePro Domain (upxlead .com)
ET MALWARE Observed DNS Query to RisePro Domain (jojo-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (vip-space .com)
ET MALWARE Observed DNS Query to RisePro Domain (files-sender .com)
ET MALWARE Observed DNS Query to RisePro Domain (elite-hacks .ru)
ET MALWARE Observed DNS Query to RisePro Domain (gg-loader .com)
ET MALWARE Observed DNS Query to RisePro Domain (softs-portal .com)
ET MALWARE Observed DNS Query to RisePro Domain (factor1right .com)
ET MALWARE Observed DNS Query to RisePro Domain (gs24softeasy .com)
ET MALWARE Observed DNS Query to RisePro Domain (teleportsoft .com)
ET MALWARE Observed DNS Query to RisePro Domain (boost-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (testitsoft .com)
ET MALWARE Observed DNS Query to RisePro Domain (fixgroupfactor .com)
ET MALWARE Observed DNS Query to RisePro Domain (uni-files .com)
ET MALWARE Observed DNS Query to RisePro Domain (pu-file .com)
ET MALWARE Possible PrivateLoader Payload Request (GET)
ET MALWARE Win32/RisePro CnC Server Response M3
ET MALWARE Win32/RisePro CnC Server Response M4
ET MALWARE Win32/RisePro CnC Server Response M5
ET MALWARE Win32/Uwamson.A!ml CnC Checkin
ET MALWARE Compromised Chat Application Related User-Agent (Chrorne)
ET MALWARE TA569 Domain in DNS Lookup (luxurycompare .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-schnellvpn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-schnellvpn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-service .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-blog .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-blog .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-chat .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-blog .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-blog .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-chat .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-schnellvpn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-schnellvpn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-endpoint .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-blog .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-cdn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-endpoint .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-cdn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-endpoint .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-cdn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-schnellvpn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-schnellvpn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-chat .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-cdn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-blog .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-schnellvpn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-blog .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-endpoint .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-endpoint .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-endpoint .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-cdn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-cdn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-endpoint .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-chat .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-blog .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-endpoint .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-blog .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-cdn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-endpoint .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-cdn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-schnellvpn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-chat .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-chat .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-blog .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-endpoint .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (fairu-chat .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-cdn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-schnellvpn .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (bideo-chat .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (privatproxy-cdn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-chat .com)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (wmail-schnellvpn .xyz)
ET MALWARE ViperSoftX CnC Domain in DNS Lookup (ahoravideo-chat .xyz)
ET MALWARE ViperSoftX HTTP CnC Activity
ET MALWARE TA444 Domain in DNS Lookup (hoststudio .org)
ET MALWARE TA444 Domain in DNS Lookup (updatezone .org)
ET MALWARE TA444 Related Activity (POST)
ET MALWARE TA444 Related CnC Payload Request
ET MALWARE SocGholish Domain in DNS Lookup (canonical .fmunews .com)
ET MALWARE SocGholish Domain in DNS Lookup (kinematics .starmidwest .com)
ET MALWARE SocGholish Domain in DNS Lookup (passphrase .singinganewsong .com)
ET MALWARE ViperSoftX HTTP CnC Activity
ET MALWARE ActionLoader CnC Domain in DNS Lookup (roskazna .net)
ET MALWARE ActionLoader CnC Domain in DNS Lookup (mejito .ru)
ET MALWARE ActionLoader CnC Domain in DNS Lookup (cloud-documents .com)
ET MALWARE ActionLoader CnC Domain in DNS Lookup (kc-3 .ru)
ET MALWARE ActionLoader CnC Domain in DNS Lookup (azure-tech .pro)
ET MALWARE ActionLoader CnC Domain in DNS Lookup (xlssmooth .xyz)
ET MALWARE ActionLoader CnC Domain in DNS Lookup (ekb .tanzedrom .ru)
ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain (gabriellalovecats .com) in DNS Lookup
ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain (transadforward .icu) in DNS Lookup
ET MALWARE linux.backdoor.wordpressexploit.1 CnC Domain (tommyforgreendream .icu) in DNS Lookup
ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (gabriellalovecats .com) in TLS SNI
ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (transadforward .icu) in TLS SNI
ET MALWARE Observed linux.backdoor.wordpressexploit.1 Domain (tommyforgreendream .icu) in TLS SNI
ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (clon .collectfasttracks .com) in DNS Lookup
ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (letsmakeparty3 .ga) in DNS Lookup
ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (count .trackstatisticsss .com) in DNS Lookup
ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (lobbydesires .com) in DNS Lookup
ET MALWARE linux.backdoor.wordpressexploit.2 CnC Domain (deliverygoodstrategies .com) in DNS Lookup
ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (clon .collectfasttracks .com) in TLS SNI
ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (letsmakeparty3 .ga) in TLS SNI
ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (count .trackstatisticsss .com) in TLS SNI
ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (lobbydesires .com) in TLS SNI
ET MALWARE Observed linux.backdoor.wordpressexploit.2 Domain (deliverygoodstrategies .com) in TLS SNI
ET MALWARE linux.backdoor.wordpressexploit.1 CnC Checkin
ET MALWARE linux.backdoor.wordpressexploit.1 JS backdoor retrieval
ET MALWARE linux.backdoor.wordpressexploit.2 CnC Checkin
ET MALWARE linux.backdoor.wordpressexploit.2 JS backdoor retrieval
ET MALWARE linux.backdoor.wordpressexploit file upload test
ET MALWARE Win32/Aurora Stealer WORK Command
ET MALWARE Win32/Aurora Stealer Accept Command
ET MALWARE Win32/Aurora Stealer Thanks Command
ET MALWARE Rhadamanthys Stealer - Payload Download Request
ET MALWARE Observed PyPI Malicious Library Payload Delivery Domain (h4ck .cfd) Domain in DNS Lookup
ET MALWARE Win32/Aurora Stealer Sending System Information
ET MALWARE Observed PyPI Malicious Library Payload Delivery Domain (h4ck .cfd in TLS SNI)
ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2
ET MALWARE Donot APT Related Domain in DNS Lookup (soundvista .club)
ET MALWARE Donot APT Related Domain in DNS Lookup (resolverequest .live)
ET MALWARE Donot APT Related Domain in DNS Lookup (biteupdates .live)
ET MALWARE Donot APT Related Domain in DNS Lookup (biteupdates .site)
ET MALWARE Donot APT Related Domain in DNS Lookup (printerupdates .online)
ET MALWARE Donot APT Related Domain in DNS Lookup (printersolutions .live)
ET MALWARE Donot APT Related Domain in DNS Lookup (tplinkupdates .space)
ET MALWARE Donot APT Related Domain in DNS Lookup (packetbite .live)
ET MALWARE Donot APT Related Domain in DNS Lookup (lovingallupdates .life)
ET MALWARE AHK Bot Domain Profiler CnC Activity
ET MALWARE Golang/Sandcat Plugin Activity (POST)
ET MALWARE Win32/DarkCloud Exfil Over SMTP (Subject)
ET MALWARE Win32/DarkCloud Exfil Over SMTP (Body)
ET MALWARE MintStealer Discord Activity (GET)
ET MALWARE MintStealer Discord Activity (GET)
ET MALWARE MintStealer CnC Activity (GET)
ET MALWARE MintStealer CnC Activity (GET)
ET MALWARE MintStealer CnC Activity (POST)
ET MALWARE Downloader/Linux.Agent CnC Domain (wget .hostname .help) in DNS Lookup
ET MALWARE Downloader/Linux.Agent CnC Domain (pateu .freevar .com) in DNS Lookup
ET MALWARE Win32/Youtube Bot - CnC Checkin
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Turla JS/Kopiluwak Sending Information (POST)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Win32/Generik.NWVMNHQ Variant Exfil (POST)
ET MALWARE O97M/Sadoca.C!ml Checkin
ET MALWARE Remote Utility Access Tool Key SMTP Exfil
ET MALWARE WasabiSeed Backdoor Payload Request (GET)
ET MALWARE DNS Query to Fake TeamViewer Domain (coldcreekranch .com)
ET MALWARE Win32/Screenshotter Backdoor CnC Activity (GET)
ET MALWARE Observed DNS Query to IcedID Domain (dogotungtam .com)
ET MALWARE Observed DNS Query to IcedID Domain (acehphonnajaya .com)
ET MALWARE Observed DNS Query to IcedID Domain (baherlakerl .online)
ET MALWARE Observed DNS Query to IcedID Domain (ajerlakerl .online)
ET MALWARE WinPwn PenTesting Activity
ET MALWARE Vidar Stealer IP Address in DNS Query Response
ET MALWARE NetSupport RAT Domain (tradinghuy .duckdns .org) in DNS Lookup
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .asset .tradingvein .xyz)
ET MALWARE BLINDEAGLE CnC Domain (laminascol .linkpc .net) in DNS Lookup
ET MALWARE BLINDEAGLE CnC Domain (upxsystems .com) in DNS Lookup
ET MALWARE BLINDEAGLE CnC Domain (systemwin .linkpc .net) in DNS Lookup
ET MALWARE XDR33 CnC Server SSL Certificate Observed
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE Observed IcedID Domain in DNS Lookup (spkdeutshnewsupp .com)
ET MALWARE Observed IcedID Domain in DNS Lookup (bayernbadabum .com)
ET MALWARE Observed DNS Query to TA444/Lazarus Domain (concrecapital .com)
ET MALWARE Win32/Nitol.A CnC Checkin M3
ET MALWARE TA444 Related Domain (updatezone .org) in DNS Lookup
ET MALWARE TA444 Related Domain (autoprotect .com .de) in DNS Lookup
ET MALWARE TA444 Related Domain (autoprotect .gb .net) in DNS Lookup
ET MALWARE TA444 Related Domain (azure-security .online) in DNS Lookup
ET MALWARE TA444 Related Domain (azure-security .site) in DNS Lookup
ET MALWARE TA444 Related Domain (hoststudio .org) in DNS Lookup
ET MALWARE TA444 Related Domain (thecloudnet .org) in DNS Lookup
ET MALWARE DCRAT Checkin via Telegram
ET MALWARE ZeroBot/ZeroStresser Botnet Related Domain in DNS Lookup (zero .sudolite .ml)
ET MALWARE VectorStealer Data Exfil via Telegram
ET MALWARE Observed Various Malware Staging Domain (direct-trojan .com in TLS SNI)
ET MALWARE Various Malware Staging Domain in DNS Lookup (direct-trojan .com)
ET MALWARE Magecart CnC Domain in DNS Lookup (saylor2xbtc .com)
ET MALWARE Magecart Loader Domain in DNS Lookup (2xdepp .com)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (elon2xmusk .com)
ET MALWARE Observed DNS Query to Xworm Domain (su1d .nerdpol .ovh)
ET MALWARE Win32/Gamaredon CnC Activity
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE Cobalt Strike Domain in DNS Lookup (fepopeguc .com)
ET MALWARE Cobalt Strike Domain (fepopeguc .com) in TLS SNI
ET MALWARE Win32/Spy.KeyLogger.RJA Checkin
ET MALWARE Observed DNS Query to CnC Domain (StrongPity)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (magento-cdn .net)
ET MALWARE Observed DNS Query to CnC Domain (StrongPity)
ET MALWARE Observed DNS Query to Mirai Domain (miraistealer .xyz)
ET MALWARE Win32/Emotet CnC Activity M12 (POST)
ET MALWARE Magecart Loader Javascript
ET MALWARE Magecart Skimmer CSS
ET MALWARE IcedID CnC Domain in DNS Lookup (pkusamain .cloud)
ET MALWARE IcedID CnC Domain in DNS Lookup (brakudafear .pics)
ET MALWARE IcedID CnC Domain in DNS Lookup (pahtafinlund .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (owisportlittle .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (nigaragusoups .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (tonikantos .one)
ET MALWARE IcedID CnC Domain in DNS Lookup (needzolapa .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (wendypior .ink)
ET MALWARE IcedID CnC Domain in DNS Lookup (avoymratax .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (stillprunnert .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (marmelokpa .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (likasertik .shop)
ET MALWARE IcedID CnC Domain in DNS Lookup (trinazhkoma .club)
ET MALWARE IcedID CnC Domain in DNS Lookup (skafiparod .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (apretakert .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (wcollopracket .com)
ET MALWARE Win32/Qakbot CnC Activity (POST)
ET MALWARE Possible Vidar Stealer C2 Config In Steam Profile
ET MALWARE BatLoader CnC Domain (grammarlycheck2 .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (updatea1 .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (updateclientssoftware .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (t1pixel .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (24xpixeladvertising .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (clodtechnology .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (updatecloudservice1 .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (externalchecksso .com) in DNS Lookup
ET MALWARE BatLoader CnC Domain (cloudupdatesss .com) in DNS Lookup
ET MALWARE Observed BatLoader Domain (grammarlycheck2 .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (updateclientssoftware .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (updatea1 .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (24xpixeladvertising .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (t1pixel .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (clodtechnology .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (updatecloudservice1 .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (externalchecksso .com) in TLS SNI
ET MALWARE Observed BatLoader Domain (cloudupdatesss .com) in TLS SNI
ET MALWARE Playful Taurus CnC Domain (vpnkerio .com) in DNS Lookup
ET MALWARE Playful Taurus Malicious SSL Certificate Observed
ET MALWARE Playful Taurus Observe malicious SSL Cert (self-signed www .netgate .com)
ET MALWARE Playful Taurus CnC Domain (scm .oracleapps .org) in DNS Lookup


ET MALWARE Playful Taurus CnC Domain (update .adboeonline .net) in DNS Lookup
ET MALWARE Playful Taurus CnC Domain (mail .indiarailways .net) in DNS Lookup
ET MALWARE Playful Taurus CnC Domain (update .delldrivers .in) in DNS Lookup
ET MALWARE Kimsuky Related CnC
ET MALWARE Kimsuky CnC Domain (lifehelper .kr) in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup (skaiortalop .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (allertmnemonkik .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (headertolz .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (wagringamuk .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (ertusaporf .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (windmencherser .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (dgormiugatox .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (elcapolis .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (needzolapa .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (klayerziluska .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (avoymratax .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (plivetrakoy .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (june85 .cyou)
ET MALWARE IcedID CnC Domain in DNS Lookup (wcollopracket .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (ijoyzymama .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (ebothlips .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (likasertik .shop)
ET MALWARE IcedID CnC Domain in DNS Lookup (qsertopinajil .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (umousteraton .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (trinazhkoma .club)
ET MALWARE IcedID CnC Domain in DNS Lookup (brakudafear .pics)
ET MALWARE DOUBLEBACK Related Domain in DNS Lookup (barricks .org)
ET MALWARE IcedID CnC Domain in DNS Lookup (golddisco .top)
ET MALWARE Observed DOUBLEBACK Related Domain (barricks .org in TLS SNI)
ET MALWARE Pyramid Framework Payload Request (base-bh.py)
ET MALWARE Pyramid Framework Payload Request (base-bof.py)
ET MALWARE Pyramid Framework Payload Request (base-clr.py)
ET MALWARE Pyramid Framework Payload Request (base-impacket-secretsdump.py)
ET MALWARE Pyramid Framework Payload Request (base-DonPAPI.py)
ET MALWARE Pyramid Framework Payload Request (base-pythonmemorymodule.py)
ET MALWARE Pyramid Framework Payload Request (base-LaZagne.py)
ET MALWARE Pyramid Framework Payload Request (base-tunnel-inj.py)
ET MALWARE Pyramid Framework Payload Request (base-tunnel-socks5.py)
ET MALWARE Cobalt Strike Activity (GET)
ET MALWARE DCRat Initial Checkin Server Response M5
ET MALWARE DCRat Initial Checkin Server Response M6
ET MALWARE Discord .exe Download URL In HTTP Response
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .betting .cockroachracing .site)
ET MALWARE Win32/Enigma Stealer CnC Checkin
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .market .dentureforfree .online)
ET MALWARE Win32/Sventore.B CnC Checkin
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .rendezvous .tophandsome .gay)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .signing .unitynotarypublic .com)
ET MALWARE SLIVER Framework SMB CreateService Default ServiceName
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M1
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M2
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M3
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M4
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M5
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M6
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M7
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M8
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M9
ET MALWARE Observed Glupteba CnC Domain (spolaect .info in TLS SNI)
ET MALWARE Win32/Obsidium Stealer Data Exfiltration Attempt M10
ET MALWARE Win32/HMR RAT Sending System Information
ET MALWARE Win32/TradingView CnC Exfil (POST)
ET MALWARE Cobalt Strike CnC Domain (020 .57thandnormal .com) in DNS Lookup
ET MALWARE Win32/DoNot Observed UA (Mozilla 105.01.05)
ET MALWARE Cobalt Strike CnC Domain (r2 .57thandnormal .com) in DNS Lookup
ET MALWARE Cobalt Strike CnC Domain (r1 .57thandnormal .com) in DNS Lookup
ET MALWARE Observed DNS Query to IcedID Domain (swordnifhing .com)
ET MALWARE Observed DNS Query to IcedID Domain (nomaeradiur .com)
ET MALWARE Observed DNS Query to IcedID Domain (tibloautonef .com)
ET MALWARE Observed DNS Query to IcedID Domain (trotimera .com)
ET MALWARE PseudoManuscrypt Activity (POST)
ET MALWARE Luminosity Link Variant CnC Activity (get_failed)
ET MALWARE Malvirt/KoiVM Downloader Variant Payload Retrieval Request
ET MALWARE Observed Glupteba CnC Domain (nisdably .com in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (ninhaine .com in TLS SNI)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Observed APT Actor Payload Domain (archive-downloader .com in TLS SNI)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Observed APT Actor Payload Domain (e-aks .uz in TLS SNI)
ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win02 .xyz) in DNS Lookup
ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win03 .xyz) in DNS Lookup
ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win04 .xyz) in DNS Lookup
ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win01 .xyz) in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (smiles .cahl4u .org)
ET MALWARE GCleaner CnC Checkin M1
ET MALWARE GCleaner Payload Retrieval Attempt
ET MALWARE GCleaner CnC Checkin M2
ET MALWARE Potential GCleaner CnC Checkin


ET MALWARE GCleaner Downloader - Payload Response
ET MALWARE Suspected Lazarus APT Related Activity (GET)
ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-iib .net) in DNS Lookup
ET MALWARE Phorpiex CnC Domain (twizt .org) in DNS Lookup
ET MALWARE Ice Breaker Backdoor CnC Domain (ponzix .net) in DNS Lookup
ET MALWARE Ice Breaker Backdoor CnC Domain (screenshotlite .com) in DNS Lookup
ET MALWARE Ice Breaker Backdoor CnC Domain (screenshot .icu) in DNS Lookup
ET MALWARE Ice Breaker Backdoor CnC Domain (xn--screnshot-jib .net) in DNS Lookup
ET MALWARE Ice Breaker Backdoor CnC Domain (screenshotcap .com) in DNS Lookup
ET MALWARE Observed DNS Query to IcedID Domain (alijhaborta .com)
ET MALWARE Observed DNS Query to IcedID Domain (qoipaboni .com)
ET MALWARE Observed DNS Query to IcedID Domain (windmencherser .com)
ET MALWARE Observed DNS Query to IcedID Domain (leftcatrheringg .com)
ET MALWARE Observed DNS Query to IcedID Domain (yelsopotre .com)
ET MALWARE Observed DNS Query to IcedID Domain (headertolz .com)
ET MALWARE UAC-0114/Winter Vivern Screenshot Upload M1
ET MALWARE UAC-0114/Winter Vivern Screenshot Upload M2
ET MALWARE UAC-0114/Winter Vivern File Exfilration
ET MALWARE UAC-0114/Winter Vivern CnC Activity
ET MALWARE Kakfum/COLDSTEEL CnC Beacon M3
ET MALWARE Win32/Kumquat Loader Activity (Connect)
ET MALWARE Win32/Kumquat Loader Activity (Subscribe)
ET MALWARE Win32/Kumquat Loader Activity (Publish)
ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC
ET MALWARE TA430/Andariel ACRES Backdoor Activity (GET)
ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M1
ET MALWARE Patchwork APT BADNEWS CnC Domain (bingoplant .live) in DNS Lookup
ET MALWARE Patchwork APT BADNEWS Variant CnC Checkin M2
ET MALWARE Suspected NginxSpy Related Request (Inbound)
ET MALWARE NginxSpy Magic Bytes M2 (Inbound)
ET MALWARE Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam
ET MALWARE NginxSpy Magic Bytes M1 (Outbound)
ET MALWARE Win32/Phorpiex Template 8 Active - Outbound Malicious Email Spam
ET MALWARE Win32/Gamaredon CnC Activity (GET)
ET MALWARE Win32/Gamaredon CnC Activity (POST) M1
ET MALWARE Win32/Gamaredon CnC Activity (POST) M2
ET MALWARE Observed DNS Query to Gamaredon Domain (antargi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (mohsengo .shop)
ET MALWARE Win32/RecordBreaker - Observed UA M7 (1235125521512)
ET MALWARE Win32/RecordBreaker - Observed UA M6 (01785252112)
ET MALWARE Win32/DarkCloud Variant Exfil over SMTP (FirefoxCookies.json)
ET MALWARE Win32/RecordBreaker - Observed UA M8 (125122112551)
ET MALWARE Win32/Spy.Banker.AAGB Checkin
ET MALWARE Win32/Comrerop Checkin
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .samples .muzikcitysound .com)
ET MALWARE SocGholish Domain in DNS Lookup (telemetry .usacyberpages .net)
ET MALWARE Win32/Disabler.NPR Checkin
ET MALWARE Win32/CrimsonRAT Activity (Inbound)
ET MALWARE TA444 Related Domain in DNS Lookup (safe .doc-share .cloud)
ET MALWARE Win32/CrimsonRAT Activity (Outbound)
ET MALWARE TA444 Related Domain in DNS Lookup (autoprotect .com .se)
ET MALWARE UAC-0114/Winter Vivern Redirect
ET MALWARE SocGholish Domain in DNS Lookup (shock .creatingaharmoniouslife .net)
ET MALWARE Suspected Gamaredon Related Activity (GET)
ET MALWARE DonotGroup Related Domain in DNS Lookup (records .libutires .info)
ET MALWARE NewsPenguin Domain in DNS Lookup (updates .win32 .live)
ET MALWARE NewsPenguin Domain in DNS Lookup (windowsupdates .shop)
ET MALWARE NewsPenguin CnC Checkin
ET MALWARE NewsPenguin Domain in DNS Lookup (sailorjobs .world)
ET MALWARE Cobalt Strike CnC Domain (cdcgov .us) in DNS Lookup
ET MALWARE Malicious Node.js Module aabquerys payload delivery domain (github .elemecdn .com) in DNS Lookup
ET MALWARE Havoc RAT CnC Domain (zh .googlecdnb .tk) in DNS Lookup
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .distributor .techsavvyauto .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .picture .mercedesbestphoto .store)
ET MALWARE Backdoored Xpopup Domain (xpopup .pe .kr) in DNS Lookup
ET MALWARE Backdoored Xpopup Domain (xpopup .com) in DNS Lookup
ET MALWARE DonotGroup Pult Downloader Activity M3
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE zgRAT Activity M3
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Donot Group Related Domain in DNS Lookup (mayosasa .buzz)
ET MALWARE Observed Donot Group Relaed Domain (mayosasa .buzz in TLS SNI)
ET MALWARE Donot APT Related Domain in DNS Lookup (best .tasterschoice .shop)
ET MALWARE Win32/Loader Variant Activity (POST)
ET MALWARE Donot APT Related Domain in DNS Lookup (blogs .tourseasons .xyz)
ET MALWARE Donot APT Related Domain in DNS Lookup (blogs .libraryutilitis .live)
ET MALWARE OSX/iWebUpdate CnC Activity
ET MALWARE Donot Group Downloader Activity (GET)
ET MALWARE Dalbit Group CnC Domain (m00nlight .top) in DNS Lookup
ET MALWARE Gamaredon Related Domain in DNS Lookup (gayado .ru)


ET MALWARE Dalbit Group CnC Domain (zxcss .com) in DNS Lookup
ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG
ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG 2
ET MALWARE Likely APT29 Retrieving Payload Embedded In PNG 3
ET MALWARE Possible APT29 Compressed Payload Download Request
ET MALWARE APT28 DealersChoice CnC Beacon Response
ET MALWARE APT28 Zebrocy/Zekapab POST Template Structure
ET MALWARE APT28 Zebrocy/Zekapab CnC Checkin
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE Win32/frebniis IIS Backdoor Trigger Attempt M1
ET MALWARE Win32/frebniis IIS Backdoor Trigger Attempt M2
ET MALWARE APT37 M2RAT CnC Server Command - OKR
ET MALWARE APT37 M2RAT CnC Server Command - URL
ET MALWARE APT37 M2RAT CnC Server Command - UPD
ET MALWARE APT37 M2RAT CnC Server Command - RES
ET MALWARE APT37 M2RAT CnC Server Command - UNI
ET MALWARE SocGholish Domain in DNS Lookup (blockchain .shannongougenheim .com)
ET MALWARE APT37 M2RAT CnC Server Command - CMD
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET MALWARE Win32/Stealc Submitting Screenshot to C2
ET MALWARE Win32/WhiskerSpy - Machine ID Registration
ET MALWARE Win32/WhiskerSpy - Key Material Upload
ET MALWARE Win32/WhiskerSpy - Task Request
ET MALWARE Win32/WhiskerSpy CnC Activity
ET MALWARE Win32/WhiskerSpy - FTP - Observed Creds
ET MALWARE Win32/WhiskerSpy - FTP STOR Command M1
ET MALWARE Win32/WhiskerSpy - FTP STOR Command M2
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .calendar .wishmarkets .com)
ET MALWARE Win32/Snojan Variant Sending System Information (GET)
ET MALWARE Win32/Snojan Variant Sending System Information (POST)
ET MALWARE Villain C2 Framework CnC Exfil (POST)
ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup (edupoliceam .info)
ET MALWARE Win32/0xtaRAT CnC Activity M1 (GET)
ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup (filecloudservices .xyz)
ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup (filesindrive .info)
ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup (avvpassport .info)
ET MALWARE Observed Operation Silent Watch Domain in DNS Lookup (mediacloud .space)
ET MALWARE Gamaredon C2 Domain (a0728173 .xsph .ru) in DNS Lookup
ET MALWARE Gamaredon C2 Domain (f0559838 .xsph .ru) in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE Win32/Atlantida Stealer Sending System Information (POST)
ET MALWARE Win32/0xtaRAT CnC Activity M2 (GET)
ET MALWARE Golang Aurora Stealer Activity (POST)
ET MALWARE WhiteSnake Stealer Sending Data to Telegram (POST)
ET MALWARE Observed Malicious Domain in DNS Lookup (wpsupdate .luckfafa .com)
ET MALWARE Win32/Plugx CnC Activity (CONNECT)
ET MALWARE Cobalt Strike CnC Domain (taoche .cn .wswebpic .com) in DNS Lookup
ET MALWARE Cobalt Strike CnC Domain (csc .zte .com .cn .wswebpic .com) in DNS Lookup
ET MALWARE Cobalt Strike CnC Domain (alidocs .dingtalk .com .wswebpic .com) in DNS Lookup
ET MALWARE Win32/Backdoor.Atharvan CnC Checkin
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .decision .alshafipdk .com)
ET MALWARE WhiteSnake Stealer Response (Inbound)
ET MALWARE Observed NimPlant UA (NimPlant)
ET MALWARE Observed NimPlant Server Response (Inbound)
ET MALWARE EvilExtractor Stealer CnC Domain (evilextractor .com) in DNS Lookup
ET MALWARE Trojan/Win32.Agent Variant Checkin
ET MALWARE PS1Loader Encoded Profiling POST
ET MALWARE Win32/Grandoreiro TCP CnC Activity
ET MALWARE NimPlant Register Activity (GET)
ET MALWARE NimPlant Sending Command (Inbound)
ET MALWARE NimPlant Register Activity M2 (POST)
ET MALWARE NimPlant Task Activity (GET)
ET MALWARE NimPlant Sending Task (Inbound)
ET MALWARE NimPlant Result Activity (POST)
ET MALWARE Win32/S1deload Stealer CnC Domain (neukoo .top) in DNS Lookup
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Win32/S1deload Stealer CnC Checkin
ET MALWARE Win32/S1deload Stealer CnC Checkin - Get Tasking
ET MALWARE Win32/S1deload Stealer CnC Domain (ytb .dolala .xyz) in DNS Lookup
ET MALWARE Win32/S1deload Stealer CnC Domain (shopproxy .live) in DNS Lookup
ET MALWARE Win32/S1deload Stealer CnC Checkin - Coinminer Payload Retrieval M1
ET MALWARE Win32/S1deload Stealer CnC Checkin - Coinminer Payload Retrieval M2
ET MALWARE Win32/S1deload Stealer CnC Checkin - Coinminer Payload Retrieval M3
ET MALWARE Win32/S1deload Stealer Data Exfiltration Attempt M1
ET MALWARE Win32/S1deload Stealer Data Exfiltration Attempt M2
ET MALWARE Win32/VB.AAF Checkin
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .stuff .libertydentalcourse .ca)
ET MALWARE ReverseRat 3.0 CnC Checkin M1
ET MALWARE Donot Group APT Related Domain in DNS Lookup (briefdeal .buzz)
ET MALWARE ReverseRat 3.0 CnC Checkin M2


ET MALWARE Observed Donot Group APT Domain (briefdeal .buzz in TLS SNI)
ET MALWARE Observed Donot Group APT Domain (winterhero .buzz in TLS SNI)
ET MALWARE Donot Group APT Related Domain in DNS Lookup (winterhero .buzz)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Win32/BUGHATCH SpawnAgent Request (GET) M1
ET MALWARE Win32/BUGHATCH SpawnAgent Request (GET) M2
ET MALWARE Magecart Skimmer Domain in DNS Lookup (rithdigit .cyou)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (app-stat .com)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (yachtbars .fun)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (antohub .shop)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (nebiltech .shop)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (okqtfc1 .org)
ET MALWARE Magecart Skimmer Domain in DNS Lookup (jquery-node .com)
ET MALWARE Fake ChatGPT Domain in DNS Lookup (chat-gpt-pc .online)
ET MALWARE Fake ChatGPT Domain in DNS Lookup (openai-pc-pro .online)
ET MALWARE Fake ChatGPT Domain in DNS Lookup (chat-gpt-online-pc .com)
ET MALWARE IcedID CnC Domain (neonmilkustaers .com) in DNS Lookup
ET MALWARE IcedID CnC Domain (whothitheka .com) in DNS Lookup
ET MALWARE IcedID CnC Domain (svoykbragudern .com) in DNS Lookup
ET MALWARE IcedID CnC Domain (trbiriumpa .com) in DNS Lookup
ET MALWARE 8220 Gang CnC Domain (jira .letmaker .top) in DNS Lookup
ET MALWARE 8220 Gang CnC Domain (dw .bpdeliver .ru) in DNS Lookup
ET MALWARE 8220 Gang CnC Domain (fbi .su1001-2 .top) in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (catalog .iroldzyn .com)
ET MALWARE SocGholish Domain in DNS Lookup (accountability .thefenceanddeckguys .com)
ET MALWARE SocGholish Domain in DNS Lookup (oxford .courstify .com)
ET MALWARE Observed BlackLotus SSL Certificate Observed
ET MALWARE Win32/BlackLotus CnC Activity (POST)
ET MALWARE Observed Gootloader Domain in DNS Lookup (jp .imonitorsoft .com)
ET MALWARE Observed Gootloader Domain in DNS Lookup (kakiosk .adsparkdev .com)
ET MALWARE Observed Gootloader Domain in DNS Lookup (kristinee .com)
ET MALWARE Observed Gootloader Domain in DNS Lookup (jonathanbartz .com)
ET MALWARE Observed Gootloader Domain in DNS Lookup (kepw .org)
ET MALWARE Observed Gootloader Domain in DNS Lookup (lakeside-fishandchips .com)
ET MALWARE Observed Gootloader Domain in DNS Lookup (junk-bros .com)
ET MALWARE MSIL/PSW.Agent.STP Data Exfiltration Attempt
ET MALWARE Maldoc Related Domain in DNS Lookup (nationalweatherserviceapp .com)
ET MALWARE Win32/GenKryptik.GCJX Data Exfiltration Attempt
ET MALWARE Win32/VBS Backdoor Sending System Information (POST)
ET MALWARE Observed DNS Query to Gamaredon Domain (payampo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (osmanpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (muhsingo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (myuridgo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (ogtaypi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (orduhanpi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (muhtargo .ru)
ET MALWARE Parallax CnC Activity M18 (set)
ET MALWARE Parallax CnC Response Activity M18
ET MALWARE Lockbit Ransomware Related Domain (poliovocalist .com) in DNS Lookup
ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M1
ET MALWARE Hiatus RAT CnC Checkin
ET MALWARE SYS01 Information Stealer - CnC Checkin
ET MALWARE SYS01 Information Stealer CnC Domain (seemlabie .top) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (craceruib .top) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (oscarnaija .com) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (caseiden .com) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (mahinetain .top) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (makananwisata .com) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (graeslavur .com) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (rapadtrai .com) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (baglamanotalari .com) in DNS Lookup
ET MALWARE SYS01 Information Stealer CnC Domain (seleriti .com) in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (profit .3stepsprofit .com)
ET MALWARE SocGholish Domain in DNS Lookup (use .solqueen .com)
ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M2
ET MALWARE TA444 Related Domain in DNS Lookup (azure .doc-view .cloud)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE Win32/Luca Stealer Sending System Information via Telegram (GET)
ET MALWARE PlugX Related Domain in DNS Lookup (cdn .imango .ink)
ET MALWARE Win32/Vector Stealer Sending System Information via Telegram (POST)
ET MALWARE PlugX Related Domain in DNS Lookup (api .imango .ink)


ET MALWARE Observed DNS Query to NanoCore Domain (nanocore2023 .duckdns .org)
ET MALWARE Hact .be Pentesting CnC Activity
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .tool .pearldentalgroup .ca)
ET MALWARE Win32/I'm_Better Stealer CnC Command - get_key
ET MALWARE Observed Emotet Maldoc Retrieving Payload (2023-03-07) M3
ET MALWARE SideCopy APT Related Backdoor Sending System Information (POST)
ET MALWARE Observed DNS Query to Cinoshi Stealer Domain (anaida .evisyn .lol)
ET MALWARE Win32/Cinoshi Stealer Wallet Request (GET)
ET MALWARE Win32/Cinoshi Stealer Payload Request (GET)
ET MALWARE Win32/I'm_Better Stealer CnC Checkin
ET MALWARE SocGholish NetSupport CnC Domain in DNS Lookup (itugbjhb .xyz)
ET MALWARE Win32/Packed.BlackMoon.A Checkin
ET MALWARE SocGholish NetSupport Dropper Domain in DNS Lookup (gybvhxu .top)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE WorldWind Stealer Sending System information via Telegram (POST)
ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern
ET MALWARE Prometei Botnet CnC Domain (feefreepool .net) in DNS Lookup
ET MALWARE Prometei Botnet CnC Checkin
ET MALWARE Prometei Botnet CnC Checkin - Payload Retrieval
ET MALWARE Sharp Panda Soul Framework CnC Checkin
ET MALWARE Qbot Payload Request (2023-03-13) M1
ET MALWARE Qbot Payload Request (2023-03-13) M2
ET MALWARE Qbot Payload Request (2023-03-13) M3
ET MALWARE Qbot Payload Request (2023-03-13) M4
ET MALWARE Qbot Payload Request (2023-03-13) M5
ET MALWARE Qbot Payload Request (2023-03-13) M6
ET MALWARE Qbot Payload Request (2023-03-13) M7
ET MALWARE Qbot Payload Request (2023-03-13) M8
ET MALWARE Qbot Payload Request (2023-03-13) M9
ET MALWARE Win32/HMR RAT Sending System Information M2
ET MALWARE Crypto Drainer CnC Domain (pingpongtool .xyz) in DNS Lookup
ET MALWARE Crypto Drainer CnC Domain (rewards-decentraland .com) in DNS Lookup
ET MALWARE Crypto Drainer CnC Domain (usdc-circle .com) in DNS Lookup
ET MALWARE Crypto Drainer CnC Domain (redeem-circle .com) in DNS Lookup
ET MALWARE Win32/Root Finder Stealer Sending System Information via Telegram (GET)
ET MALWARE Win32/AMGO Keylogger - Keylogger Started Message via Telegram (POST)
ET MALWARE Win32/HMR RAT Sending System Information M3
ET MALWARE Win32/HMR RAT Sending System Information M4
ET MALWARE Amadey Bot Activity (POST) M1
ET MALWARE Win32/Unknown Stealer CnC Exfil via Telegram M1
ET MALWARE Win32/Unknown Stealer CnC Exfil via Telegram M2
ET MALWARE SIDESHOW CnC Authentication Over HTTP
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (sede .lamarinadevalencia .com)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (abba-servicios .mx)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (doug .org)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (fainstec .com)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (webinternal .anyplex .com)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (leadsblue .com)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (ruscheltelefonia .com .br)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (ajayjangid .in)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (keewoom .co .kr)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (olidhealth .com)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (mantis .quick .net .pl)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (toptradenews .com)
ET MALWARE Observed DNS Query to LIGHTSHOW Domain (crickethighlights .today)
ET MALWARE Observed DNS Query to Kimsuky Domain (mpevalr .ria .monster)
ET MALWARE Linux DarkRadiation Ransomware Telegram Activity M1
ET MALWARE Linux DarkRadiation Ransomware Telegram Activity M2
ET MALWARE Possible Linux DarkRadiation Ransomware Telegram Activity
ET MALWARE Linux DarkRadiation Ransomware Telegram Activity M3
ET MALWARE SideCopy APT Related Backdoor Sending System Information (GET)
ET MALWARE Amadey Bot Activity (POST)
ET MALWARE SideCopy APT Related Backdoor Victim Response (infoback)
ET MALWARE SideCopy APT Related CnC Response
ET MALWARE SideCopy APT Related Backdoor Command Inbound (getinfo)
ET MALWARE SocGholish CnC Domain in DNS Lookup (*.favor.thehouseplantblog.com)
ET MALWARE GoBruteForcer CnC Domain (fi .warmachine .su) in DNS Lookup
ET MALWARE Possible GoBruteforcer Payload Retrieval Attempt
ET MALWARE IcedID CnC Domain in DNS Lookup (applicatwindomz .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (skanfordiporka .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (avroralikhaem .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (villageskaier .com)
ET MALWARE Mustang Panda APT Related Activity (GET)
ET MALWARE Mustang Panda APT Related Activity (Response)
ET MALWARE Mustang Panda APT Related Activity (POST)
ET MALWARE Mustang Panda APT Related Activity M2 (Response)
ET MALWARE Observed DNS Query to Gamaredon Domain (talehgi .ru)
ET MALWARE Sidecopy APT Related Activity (POST)
ET MALWARE Observed DNS Query to Gamaredon Domain (ravaet .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (talgatgi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (barakal .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (taysirgi .ru)


ET MALWARE Observed DNS Query to Gamaredon Domain (takyygi .ru)
ET MALWARE Wintern Vivern CnC Domain (bugiplaysec .com) in DNS Lookup
ET MALWARE Wintern Vivern CnC Domain (marakanas .com) in DNS Lookup
ET MALWARE Wintern Vivern CnC Domain (ocs-romastassec .com) in DNS Lookup
ET MALWARE Wintern Vivern CnC Domain (troadsecow .com) in DNS Lookup
ET MALWARE Wintern Vivern CnC Domain (ocspdep .com) in DNS Lookup
ET MALWARE Wintern Vivern CnC Domain (security-ocsp .com) in DNS Lookup
ET MALWARE Winter Vivern APT Aperetif CnC Checkin
ET MALWARE Winter Vivern APT Aperetif Payload Retrieval Attempt M1
ET MALWARE Winter Vivern APT Aperetif Payload Retrieval Attempt M2
ET MALWARE Observed DNS Query To Gamaredon Domain (balatu .ru)
ET MALWARE Golang/Linux Kaiji Variant Activity
ET MALWARE Observed DNS Query To Gamaredon Domain (paratai .ru)
ET MALWARE Observed DNS Query To Gamaredon Domain (gokols .ru)
ET MALWARE Observed DNSQuery to Gamaredon Domain (omranpo .ru)
ET MALWARE Observed DNSQuery to Gamaredon Domain (orduhanpo .ru)
ET MALWARE Fortigate TABLEFLIP Backdoor Trigger - Magic Number Sequence
ET MALWARE Fortigate THINCRUST Backdoor Activity M1
ET MALWARE Fortigate THINCRUST Backdoor Activity M2
ET MALWARE Ares Loader Observed User-Agent M1
ET MALWARE Ares Loader Observed User-Agent M2
ET MALWARE Ares Loader Checkin
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE Win32/keyzetsu Stealer exfil via Telegram (Response)
ET MALWARE Win32/keyzetsu Stealer Variant Exfil via Telegram (Response)
ET MALWARE Konni APT Related Activity (GET)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Observed DNS Query to Gamaredon Domain (makasd .ru)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3
ET MALWARE Observed DNS Query to Gamaredon Domain (gojoxa .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (baralap .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (rasulla .ru)
ET MALWARE Unknown Powershell Profiler Exfiltrating System Data
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .language .sebtomato .com)
ET MALWARE SocGholish Domain in DNS Lookup (archive .vibezik .com)
ET MALWARE SocGholish Domain in DNS Lookup (trackrecord .wheresbecky .com)
ET MALWARE SocGholish Domain in DNS Lookup (scripts .asi .services)
ET MALWARE Observed DNS Query To Gamaredon Domain (raminla ET MALWARE Observed DNS Query To Gamaredon Domain (daglarho
.ru) .ru)
ET MALWARE Observed DNS Query to WinterVivern Domain (ocsp- ET MALWARE Observed DNS Query to WinterVivern Domain (ocsp-
report .com) reloads .com)
ET MALWARE Observed DNS Query to Bad Magic APT Domain ET MALWARE Observed DNS Query to Bad Magic APT Domain
(webservice-srv .online) (webservice-srv1 .online)
ET MALWARE Qbot Payload Request (2023-03-21) M1 ET MALWARE Qbot Payload Request (2023-03-21) M2
ET MALWARE Qbot Payload Request (2023-03-21) M3 ET MALWARE Qbot Payload Request (2023-03-21) M4
ET MALWARE Qbot Payload Request (2023-03-21) M5 ET MALWARE Qbot Payload Request (2023-03-21) M6
ET MALWARE Qbot Payload Request (2023-03-21) M7 ET MALWARE Qbot Payload Request (2023-03-21) M8
ET MALWARE DonotGroup Related Domain in DNS Lookup
ET MALWARE Qbot Payload Request (2023-03-21) M9
(roosterguy .online)
ET MALWARE DonotGroup Maldoc Activity (GET) ET MALWARE Win32/ZaRaza Stealer Activity via Telegram (Response)
ET MALWARE Win32/HookSpoofer Stealer Sending System
ET MALWARE Xaview Stealer Admin Panel Inbound
Information via Telegram (GET)
ET MALWARE DarkCloud Stealer File Grabber Function Exfiltrating ET MALWARE DarkCloud Stealer FirefoxCookies.json Exfiltration via
Data via Telegram Telegram
ET MALWARE SOMNIRECORD CnC Domain in DNS Lookup (dafadfweer ET MALWARE SOMNIRECORD Backdoor PROBE Command in DNS
.top) Query
ET MALWARE SOMNIRECORD Backdoor CMD Command in DNS Query ET MALWARE SOMNIRECORD Backdoor DATA Command in DNS Query
ET MALWARE Win64/TrojanDownloader.AHK.CH Checkin ET MALWARE PennyWise Stealer Data Exfil M2
ET MALWARE Win32/MuggleStealer CnC ChromePwd Exfil (POST) ET MALWARE Win32/MuggleStealer CnC Desktop Exfil (POST)
ET MALWARE Win32/MuggleStealer CnC DiskInfo Exfil (POST) ET MALWARE Win32/MuggleStealer CnC Wincreds Exfil (POST)
ET MALWARE TrojanDownloader:Win32/Sinresby.B Checkin ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE IcedID CnC Domain in DNS Lookup ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE Observed DNS Query to Gamaredon Domain (sabitpo
ET MALWARE Win32/Gamaredon Payload Request (GET)
.ru)
ET MALWARE LogStih Stealer CnC Checkin ET MALWARE LogStih Stealer Data Exfiltration Attempt
ET MALWARE WorldWind Stealer Checkin via Telegram (GET) ET MALWARE Snake Keylogger Exfil via SMTP
ET MALWARE Suspected Muggle Stealer Activity M1 ET MALWARE Suspected Muggle Stealer Activity M2
ET MALWARE Observed DNS Query to Gamaredon Domain ET MALWARE Observed DNS Query to Gamaredon Domain (narutasx
(cumbersome .ru) .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (vohod ET MALWARE Observed DNS Query to Gamaredon Domain
.ru) (highfalutin .ru)

ET MALWARE Observed DNS Query to Gamaredon Domain (parsimonious .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (caramelas .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (quizzical .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (heartbreaking .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (baoris .ru)
ET MALWARE Possible Bitter APT Activity (GET)
ET MALWARE Observed DNS Query to Gamaredon Domain (.ruzipo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (narama .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (rustampo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (sabihpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (savalanpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (ruslanpo .ru)
ET MALWARE Vidar Stealer CnC Checkin
ET MALWARE MacOS/MacStealer Data Exfiltration Attempt
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .lap .detroitdragway .com)
ET MALWARE Win32/Inido!rts Checkin
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (azuredeploystore .com)
ET MALWARE Win32/PSWStealer Data Exfiltration Attempt
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (qwepoi123098 .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (msedgepackageinfo .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (journalide .org)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (azureonlinestorage .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (pbxcloudeservices .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (pbxphonenetwork .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (pbxsources .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (akamaicontainer .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (sourceslabs .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (glcloudservice .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (zacharryblogs .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (azureonlinecloud .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (dunamistrd .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (officestoragebox .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (akamaitechcloudservices .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (msstorageazure .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (visualstudiofactory .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (msstorageboxes .com)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (sbmsa .wiki)
ET MALWARE Possible 3CX Supply Chain Attack (2023-03-29) Domain Indiciator in DNS Lookup (officeaddons .com)
ET MALWARE Suspected APT43 BITTERSWEET Related Activity (POST)
ET MALWARE Suspected APT43 BRAVEPRINCE Related Activity (GET)
ET MALWARE Observed DNS Query to Gamaredon Domain (same .gleaming8 .battleras .ru)
ET MALWARE MalDoc/Gamaredon CnC Activity M1
ET MALWARE MalDoc/Gamaredon CnC Activity M2
ET MALWARE MalDoc/Gamaredon CnC Activity M3
ET MALWARE Bitter Elephant APT Related Activity (GET)
ET MALWARE Suspected APT37 Related Activity (GET)
ET MALWARE Observed DNS Query to Gamaredon Domain (saadipo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (sabirpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (rufatpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (raidla .ru)
ET MALWARE DBatLoader CnC Domain (silverline .com .sg) in DNS Lookup
ET MALWARE OpcJacker HVNC Variant Magic Packet
ET MALWARE SocGholish Domain in DNS Lookup (unit4 .majesticpg .com)
ET MALWARE SocGholish Domain in DNS Lookup (examples .propertytax4less .com)
ET MALWARE SocGholish Domain in DNS Lookup (life .judyfay .com)
ET MALWARE Observed 3CX Supply Chain Attack Cookie
ET MALWARE Observed 3CX Supply Chain Attack Cookie M2
ET MALWARE APT43 GOLDDRAGON Related Activity (GET)
ET MALWARE Crashedtech Loader Domain (crashedff .xyz) in DNS Lookup
ET MALWARE Crashedtech Loader CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (agreement .panworldtradersllc .com)
ET MALWARE DorkBot.Downloader CnC Beacon M2
ET MALWARE Observed 3CX Supply Chain Attack User-Agent
ET MALWARE Gamaredon Domain in DNS Lookup (earsplitting .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (aydynpo .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (disagreeable .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (undesirable .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (dzhafarho .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (glistening .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (krtkrt .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (materialistic .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (agonizing .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (statuesque .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (haramq .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (jafata .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (stereotyped .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (overjoyed .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (varials .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (capricious .ru)
ET MALWARE Fake Browser Update via Error Page Loader
ET MALWARE Fake Browser Update via Error Page Web Inject
ET MALWARE Fake Browser Update via Error Page Payload
ET MALWARE Fake Browser Update Loader Domain in DNS Lookup (infoamanewonliag .online)
ET MALWARE Win32/SnakeKeyLogger Payload Request (GET)

ET MALWARE SnakeKeyLogger Domain in DNS Lookup (xfl .mooo .com)
ET MALWARE Malicious NetSupport CnC Domain in DNS Lookup (irejhg .fun)
ET MALWARE Malicious NetSupport Loader Domain in DNS Lookup (tumnt .top)
ET MALWARE Malicious NetSupport Loader Domain in DNS Lookup (rtern .top)
ET MALWARE Malicious NetSupport CnC Domain in DNS Lookup (dfrgb .fun)
ET MALWARE Gamaredon Domain in DNS Lookup (aykutpo .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (aychobanpo .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (ayzakpo .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (altamishpo .ru)
ET MALWARE Rilide Stealer Domain in DNS Lookup (ashgrrwt .click)
ET MALWARE Aurora Stealer Domain in DNS Lookup (nvidia-graphics .top)
ET MALWARE Rilide Stealer Domain in DNS Lookup (vceilinichego .ru)
ET MALWARE Ekipa RAT Domain in DNS Lookup (nch-software .info)
ET MALWARE VBS/TrojanDownloader.Agent.XAO Payload Inbound
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .cloudid .teacherhamish .com)
ET MALWARE KWN Clipper Checkin via Telegram
ET MALWARE Cylance Ransomware Sending System Information (POST)
ET MALWARE Win32/Gamaredon CnC Activity (POST) M3
ET MALWARE Win32/Gamaredon CnC Activity (POST) M4
ET MALWARE Win32/QakBot CnC Payload Request (GET)
ET MALWARE Fake Google Chrome Error Domain in DNS Lookup (fastjscdn .org)
ET MALWARE Fake Google Chrome Error Domain in DNS Lookup (chromedistcdn .cloud)
ET MALWARE Fake Google Chrome Error Domain in DNS Lookup (yhdmb .xyz)
ET MALWARE Fake Google Chrome Error Domain in DNS Lookup (chrome-error .co)
ET MALWARE Win32/Agartha Stealer Activity via Telegram (Response)
ET MALWARE ClouudAtlas APT Related Domain in DNS Lookup (supportpanel .agent-group .org)
ET MALWARE TA444 Related Domain in DNS Lookup (safe .shared-document .cloud)
ET MALWARE TA444 Related Domain in DNS Lookup (spirtblockchain .com)
ET MALWARE TA444 Related Domain in DNS Lookup (arbordeck .co .in)
ET MALWARE Suspected Tick Group APT Related Activity (GET)
ET MALWARE Suspected Tick Group APT Related Activity (GET)
ET MALWARE RaccoonStealer Admin Console Inbound
ET MALWARE MalDoc/Konni APT CnC Activity (GET) M1
ET MALWARE MalDoc/Konni APT CnC Activity (GET) M2
ET MALWARE MalDoc/Konni APT CnC Activity (GET) M3
ET MALWARE Win32/ScarCruf Payload Inbound
ET MALWARE Win32/Spy.Mekotio.ER Checkin
ET MALWARE IcedID CnC Domain in DNS Lookup (askamoshopsi .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (sithoparka .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (tadernost .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (beepkauftagers .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (abigelofraj .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (yhorneedminf .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (troffyfrutlot .com)
ET MALWARE Tick Group APT Activity (GET)
ET MALWARE Donot Domain in DNS Lookup (dripgift .live)
ET MALWARE Gamaredon APT Maldoc Retrieving Remote Template (GET)
ET MALWARE Win32/TrojanDropper.Agent.SSQ Variant Checkin
ET MALWARE Win32/StormKitty CnC Telegram Notification M1
ET MALWARE Win32/StormKitty CnC Telegram Notification M2
ET MALWARE StormKitty Download Request With Minimal Headers
ET MALWARE TyphonStealer Exfil via Telegram
ET MALWARE TyphonStealer Exfil via AnonFiles (POST)
ET MALWARE PlutoCrypt Decryption Key Exfil
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .reseller .wonderfulworldblog .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (apoligazanattions .com)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (unsuitable .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (vesterac .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (hctntmc .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (superficial .ru)
ET MALWARE Win32/LeftHook Stealer CnC Activity (GET) M1
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Win32/LeftHook Stealer CnC Activity (GET) M2
ET MALWARE Win32/LeftHook Stealer CnC Command - get_socket (POST)
ET MALWARE Win32/LeftHook Stealer CnC Command - save_cookies (POST)
ET MALWARE Win32/LeftHook Stealer Payload Inbound
ET MALWARE Win32/LeftHook Stealer - CnC Response (get_socket)
ET MALWARE Observed DNS Query to Gamaredon Domain (atonpi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (akenatonbo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (aktaypo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (anumbo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (amonbo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (asheypi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (aydinpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (azibobo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (addzhobo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (altugpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (agshinpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (velevas .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (akyuldizpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (garame .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (alpaslanpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (adempo .ru)

ET MALWARE Observed DNS Query to Gamaredon Domain (uranic .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (agasypo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (ayrympo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (aydoganpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (aktanpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (aytashpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (nalogw .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (aytyurkpo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (baharas .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (lefant .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (agakiypo .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (agastanpo .ru)
ET MALWARE Observed DNS Query to Nemesis Domain (es-megadom .com)
ET MALWARE Observed DNS Query to Nemesis Domain (plus-lema .com)
ET MALWARE Observed DNS Query to Nemesis Domain (deveparty .com)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (barakapi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (badrupi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (ahmozpi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (bakaripi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (akenatonbo .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (asheypi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (atonpi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (anumbo .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (aktaypo .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (amonbo .ru)
ET MALWARE Win32/Fabookie.ek CnC Domain in DNS Lookup
ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
ET MALWARE Win32/Fabookie.ek CnC Activity M2
ET MALWARE Domino Loader CnC Domain (upperdunk .com) in DNS Lookup
ET MALWARE Observed DNSQuery to TA444 Domain (tet .dnx .capital)
ET MALWARE Observed DNSQuery to TA444 Domain (dmarc .onlineshares .cloud)
ET MALWARE Observed DNSQuery to TA444 Domain (onlineshares .cloud)
ET MALWARE Observed DNSQuery to TA444 Domain (cloud .azurehosting .co)
ET MALWARE Observed DNSQuery to TA444 Domain (altair-vc .com)
ET MALWARE Observed DNSQuery to TA444 Domain (256ventures .us)
ET MALWARE Observed DNSQuery to TA444 Domain (doc .gdocshare .one)
ET MALWARE Observed DNSQuery to TA444 Domain (down .tomming .us)
ET MALWARE Observed DNSQuery to TA444 Domain (safe .doc-share .pro)
ET MALWARE Observed DNSQuery to TA444 Domain (inter .gpmtreit .co)
ET MALWARE Observed DNSQuery to TA444 Domain (cloud .j-ic .co)
ET MALWARE Observed DNSQuery to TA444 Domain (fs .digiboxes .us)
ET MALWARE Observed DNSQuery to TA444 Domain (cloud .j-ic .com)
ET MALWARE Observed DNSQuery to TA444 Domain (internal .j-ic .co)
ET MALWARE Observed DNSQuery to TA444 Domain (down .j-ic .com)
ET MALWARE Observed DNSQuery to TA444 Domain (cloud .gpmtreit .co)
ET MALWARE Observed DNSQuery to TA444 Domain (down .j-ic .co)
ET MALWARE Observed DNSQuery to TA444 Domain (cloud .mekongcapital .net)
ET MALWARE Observed DNSQuery to TA444 Domain (deck .toyota-ai .org)
ET MALWARE Observed DNSQuery to TA444 Domain (cloud .anobaka .info)
ET MALWARE Observed DNSQuery to TA444 Domain (docsend .me)
ET MALWARE Observed DNSQuery to TA444 Domain (safe .doc-share .top)
ET MALWARE Observed DNSQuery to TA444 Domain (altair-vc .co .uk)
ET MALWARE Observed DNSQuery to TA444 Domain (protectedviewer .co)
ET MALWARE Observed DNSQuery to TA444 Domain (ms .msteam .biz)
ET MALWARE Observed DNSQuery to TA444 Domain (share .1drvmicrosoft .com)
ET MALWARE Observed DNSQuery to TA444 Domain (down .gpmtreit .us)
ET MALWARE Observed DNSQuery to TA444 Domain (down .gpmtreit .co)
ET MALWARE Observed DNSQuery to TA444 Domain (site .siteshare .me)
ET MALWARE Observed DNSQuery to TA444 Domain (cloud .dnx .capital)
ET MALWARE Observed DNS Query to TA444 Domain (nbright .best)
ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .org)
ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (ukroboronprom .com .ukr .pm)
ET MALWARE FROZENBARENTS (SANDWORM) APT Related Domain in DNS Lookup (cpcpipe .com)
ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (setnewcreds .ukr .net .frge .io)
ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (robot-876 .frge .io)
ET MALWARE FROZENLAKE (APT 28) Related Domain in DNS Lookup (ukrprivatesite .frge .io)
ET MALWARE PUSHCHA Related Domain in DNS Lookup (passport-ua .site)
ET MALWARE PUSHCHA Related Domain in DNS Lookup (meta-l .space)
ET MALWARE PUSHCHA Related Domain in DNS Lookup (passport-log .online)
ET MALWARE Cuba Ransomware Related Domain in DNS Lookup (masterofdigital .org)

ET MALWARE Cuba Ransomware Related Domain in DNS Lookup (chatgpt4beta .com)
ET MALWARE Win32/Injector.DYZG Variant Checkin
ET MALWARE Jasmin Ransomware Panel Activity (Response)
ET MALWARE Donot Group Activity (GET)
ET MALWARE IcedID CnC Domain in DNS Lookup (ewyersbetter .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (nizanigrola .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (pingwiskot .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (klonpiparf .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (skigimeetroc .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (auronavtimor .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (animamagaznaf .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (jinowera .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (plitspiritnox .com)
ET MALWARE TA444 Related Domain in DNS Lookup
ET MALWARE DNS Query to Gamaredon Domain (bankoulpi .ru)
ET MALWARE DNS Query to Gamaredon Domain (barutipi .ru)
ET MALWARE DNS Query to Gamaredon Domain (apispi .ru)
ET MALWARE DNS Query to Gamaredon Domain (anherpi .ru)
ET MALWARE DNS Query to Gamaredon Domain (22defeated .ayrympo .ru)
ET MALWARE DNS Query to Gamaredon Domain (fushiguro .ru)
ET MALWARE Roopy File Grabber Exfiltration Attempt
ET MALWARE JLORAT CnC Checkin
ET MALWARE Suspected DPRK APT Related Activity (GET)
ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
ET MALWARE DNS Query to Blind Eagle Domain (dfdagsdsag .con-ip .com)
ET MALWARE ZStealer Admin Panel Inbound
ET MALWARE Gamaredon APT Domain in DNS Lookup (ruizchris .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (valasati .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (ayarimar .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (nutriag .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (vilaverde .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (fortunyzo .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (dussaut .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (samiseto .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (boraito .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (enokida .ru)
ET MALWARE TA453 Domain in DNS Lookup (update-windows-security .tk)
ET MALWARE Gamaredon APT Domain in DNS Lookup (kaigitang .ru)
ET MALWARE TA453 Domain in DNS Lookup (sync-system-time .cf)
ET MALWARE TA453 Domain in DNS Lookup (oracle-java .cf)
ET MALWARE Themedata Embedded OLE Object Maldoc Related Domain in DNS Lookup (support-zabbix .com)
ET MALWARE TA453 Domain in DNS Lookup (dns-iprecords .tk)
ET MALWARE IcedID CnC Domain in DNS Lookup (zalikomanperis .com)
ET MALWARE Win32/Spy.Banker.ZZN Variant Checkin
ET MALWARE IcedID CnC Domain in DNS Lookup (alockajilly .com)
ET MALWARE Suspected Win32/HMR RAT/LOBSHOT Initial Handshake
ET MALWARE Possible Raspberry Robin Activity M2 (GET)
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2
ET MALWARE Atomic macOS (AMOS) Stealer Domain in DNS Lookup (amos-malware .ru)
ET MALWARE Atomic macOS (AMOS) Stealer Data Exfiltration Attempt
ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-service .co)
ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (msn-center .uk)
ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (maill-support .com)
ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mailupdate .info)
ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (twittsupport .com)
ET MALWARE TA453 BellaCiao CnC Domain in DNS Lookup (mail-updateservice .info)
ET MALWARE TA453 Modified IIS-Raid Backdoor Module Headers in HTTP Request
ET MALWARE TA453 IIS Credential Stealer Module/Backdoor Headers in HTTP Request
ET MALWARE TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request
ET MALWARE IIS-Raid Module Backdoor Default Headers in HTTP Request
ET MALWARE IIS-Raid Module Backdoor Ping in HTTP Request
ET MALWARE Gamaredon APT Domain in DNS Lookup (nahalx .ru)
ET MALWARE Win32/Phorpiex Template 9 Active - Outbound Malicious Email Spam
ET MALWARE Gamaredon APT Domain in DNS Lookup (baraslx .ru)
ET MALWARE Win32/Phorpiex Requesting Compromised Email Credentials List
ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M2
ET MALWARE Donot Group APT Related Domain in DNS Lookup (pic .onesolution .buzz)
ET MALWARE Donot Group Pult Downloader Activity (POST) M4
ET MALWARE Donot Group APT Related Domain in DNS Lookup (epiczplus .buzz)
ET MALWARE Donot Group Pult Downloader Activity (POST) M5
ET MALWARE DNS Query to MageCart Domain (genlytec .us)
ET MALWARE DNS Query to MageCart Domain (pyatiticdigt .shop)
ET MALWARE DNS Query to MageCart Domain (shumtech .shop)
ET MALWARE DNS Query to MageCart Domain (interytec .shop)
ET MALWARE DNS Query to MageCart Domain (stacstocuh .quest)
ET MALWARE DNS Query to MageCart Domain (daichetmob .sbs)
ET MALWARE DNS Query to MageCart Domain (zapolmob .sbs)
ET MALWARE MageCart Skimmer Header Observed Outbound
ET MALWARE Gamaredon APT Domain in DNS Lookup (decorous .ru)
ET MALWARE Gamaredon APT Domain in DNS Lookup (judicious .ru)
ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (yrhsywu2009 .zapto .org)
ET MALWARE Gamaredon APT Domain in DNS Lookup (succinct .ru)
ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (vpn729380678 .softether .net)
ET MALWARE Alloy Taurus APT Related Domain in DNS Lookup (saspecialforces .co .za)
ET MALWARE IcedID CnC Domain in DNS Lookup (bgreenglobus .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (rtofmethough .top)
ET MALWARE IcedID CnC Domain in DNS Lookup (alepscoking .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (xairdone .com)
ET MALWARE MSIL/Whitesnake Variant Stealer Sending System Info via Telegram (GET)
ET MALWARE Ducktail Stealer Related Domain in DNS Lookup (techvibeo .com)
ET MALWARE Havoc Framework Header in HTTP Response
ET MALWARE DNS Query to RokRat Domain (link .b4a .app)
ET MALWARE DNS Query to RokRat Domain (daum-store .com)
ET MALWARE DNS Query to RokRat Domain (docx1 .b4a .app)

ET MALWARE DNS Query to RokRat Domain (nate-download .com)
ET MALWARE DNS Query to RokRat Domain (naver-file .com)
ET MALWARE DNS Query to RokRat Domain (naver-storage .com)
ET MALWARE Win32/RokRat CnC Activity (GET)
ET MALWARE Win32/RokRat CnC Activity (POST)
ET MALWARE CMDASP Webshell Command Request
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .score .symposiumhaiti .com)
ET MALWARE CMDASP Webshell Default Title in HTTP Response
ET MALWARE Win32/WarHawk/Spyder Sending Windows System Information (POST) M2
ET MALWARE CloudAtlas APT Related Domain in DNS Lookup
ET MALWARE Truebot/Silence.Downloader No Tasking Response from Server
ET MALWARE WarHawk/Spyder Activity (Deploy)
ET MALWARE DarkCloud Stealer Key Logger Function Exfiltrating Data via Telegram
ET MALWARE TrueBot/Silence.Downloader CnC Checkin 4
ET MALWARE Suspected CloudAtlas APT Related Activity (GET)
ET MALWARE Donot Group Pult Downloader Activity (POST) M6
ET MALWARE Win32/80mb3rm4n Grabber CnC Exfil via Discord (POST)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE SocGholish Domain in DNS Lookup (promo .kingdombusinessconnections .com)
ET MALWARE Win32/BlackSun.B Retrieving Payload
ET MALWARE Possible Lockbit CnC Checkin
ET MALWARE DNS Query to Raspberry Robin Domain (2t .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (z7s .org)
ET MALWARE DNS Query to Raspberry Robin Domain (6uy .at)
ET MALWARE DNS Query to Raspberry Robin Domain (d0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (trzx .eu)
ET MALWARE DNS Query to Raspberry Robin Domain (w0iq .com)
ET MALWARE DNS Query to Raspberry Robin Domain (2yd .eu)
ET MALWARE DNS Query to Raspberry Robin Domain (c0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (yuiw .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (5v0 .nl)
ET MALWARE DNS Query to Raspberry Robin Domain (lwxa .eu)
ET MALWARE DNS Query to Raspberry Robin Domain (s8 .cx)
ET MALWARE DNS Query to Raspberry Robin Domain (r6 .nz)
ET MALWARE DNS Query to Raspberry Robin Domain (b9 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (c4z .pl)
ET MALWARE DNS Query to Raspberry Robin Domain (6w .re)
ET MALWARE DNS Query to Raspberry Robin Domain (y3x .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (3y .nu)
ET MALWARE DNS Query to Raspberry Robin Domain (xz4 .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (5g7 .at)
ET MALWARE DNS Query to Raspberry Robin Domain (3e .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (1u .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (3h1 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (4j .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (21k .website)
ET MALWARE DNS Query to Raspberry Robin Domain (g4 .nu)
ET MALWARE DNS Query to Raspberry Robin Domain (h6 .re)
ET MALWARE DNS Query to Raspberry Robin Domain (6t .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (xtabr .com)
ET MALWARE DNS Query to Raspberry Robin Domain (u8wp .com)
ET MALWARE DNS Query to Raspberry Robin Domain (fgcz .net)
ET MALWARE DNS Query to Raspberry Robin Domain (9r .re)
ET MALWARE DNS Query to Raspberry Robin Domain (2j4 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (5jb .me)
ET MALWARE DNS Query to Raspberry Robin Domain (kr4 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (n5k .me)
ET MALWARE DNS Query to Raspberry Robin Domain (l5k .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (7yfb .com)
ET MALWARE DNS Query to Raspberry Robin Domain (rx3 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (t7 .nz)
ET MALWARE DNS Query to Raspberry Robin Domain (d4j .club)
ET MALWARE DNS Query to Raspberry Robin Domain (w0 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (zf0 .ro)
ET MALWARE DNS Query to Raspberry Robin Domain (mz3 .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (3h .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (fnx .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (xjam .hk)
ET MALWARE DNS Query to Raspberry Robin Domain (mirw .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (7d .rs)
ET MALWARE DNS Query to Raspberry Robin Domain (4n .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (s0 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (0p .rs)
ET MALWARE DNS Query to Raspberry Robin Domain (4w .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (4xq .nl)
ET MALWARE DNS Query to Raspberry Robin Domain (6y .re)
ET MALWARE DNS Query to Raspberry Robin Domain (k5m .co)
ET MALWARE DNS Query to Raspberry Robin Domain (n51 .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (4w .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (0j .re)
ET MALWARE DNS Query to Raspberry Robin Domain (bcomb .net)
ET MALWARE DNS Query to Raspberry Robin Domain (fz .ms)
ET MALWARE DNS Query to Raspberry Robin Domain (e9 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (1j4 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (5qe8 .com)
ET MALWARE DNS Query to Raspberry Robin Domain (oj8 .eu)
ET MALWARE DNS Query to Raspberry Robin Domain (6xj .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (cb3u .com)
ET MALWARE DNS Query to Raspberry Robin Domain (nk0 .club)
ET MALWARE DNS Query to Raspberry Robin Domain (q0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (k5j .one)
ET MALWARE DNS Query to Raspberry Robin Domain (7r6 .nl)
ET MALWARE DNS Query to Raspberry Robin Domain (1u .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (4k1 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (w4 .rs)
ET MALWARE DNS Query to Raspberry Robin Domain (6c .nz)
ET MALWARE DNS Query to Raspberry Robin Domain (euya .cn)
ET MALWARE DNS Query to Raspberry Robin Domain (ej3 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (2t .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (0j .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (nzm .one)
ET MALWARE DNS Query to Raspberry Robin Domain (j5m .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (0i .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (60i .nl)
ET MALWARE DNS Query to Raspberry Robin Domain (1i .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (gz3 .nl)
ET MALWARE DNS Query to Raspberry Robin Domain (q2 .rs)
ET MALWARE DNS Query to Raspberry Robin Domain (w4 .nz)
ET MALWARE DNS Query to Raspberry Robin Domain (2jks .com)
ET MALWARE DNS Query to Raspberry Robin Domain (w6 .nz)
ET MALWARE DNS Query to Raspberry Robin Domain (l0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (omzk .org)
ET MALWARE DNS Query to Raspberry Robin Domain (4j1 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (jrtz .re)
ET MALWARE DNS Query to Raspberry Robin Domain (k0 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (8t .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (ubv5 .com)
ET MALWARE DNS Query to Raspberry Robin Domain (5j8 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (2kbq .com)
ET MALWARE DNS Query to Raspberry Robin Domain (u0 .nz)

273 of 382 2024-03-01, 14:05
ET MALWARE DNS Query to Raspberry Robin Domain (g0 .pm) ET MALWARE DNS Query to Raspberry Robin Domain (03s30 .com)
ET MALWARE DNS Query to Raspberry Robin Domain (4w .rs) ET MALWARE DNS Query to Raspberry Robin Domain (qmpo .art)
ET MALWARE DNS Query to Raspberry Robin Domain (j1n .me) ET MALWARE DNS Query to Raspberry Robin Domain (4j5 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (6ax .nl) ET MALWARE DNS Query to Raspberry Robin Domain (q0 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (ri7 .biz) ET MALWARE DNS Query to Raspberry Robin Domain (g3 .rs)
ET MALWARE DNS Query to Raspberry Robin Domain (66j .me) ET MALWARE DNS Query to Raspberry Robin Domain (p9 .tel)
ET MALWARE DNS Query to Raspberry Robin Domain (1h3 .me) ET MALWARE DNS Query to Raspberry Robin Domain (dsi .mk)
ET MALWARE DNS Query to Raspberry Robin Domain (lwip .re) ET MALWARE DNS Query to Raspberry Robin Domain (y0 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (zxn .fyi) ET MALWARE DNS Query to Raspberry Robin Domain (j8 .si)
ET MALWARE DNS Query to Raspberry Robin Domain (uqw .futbol) ET MALWARE DNS Query to Raspberry Robin Domain (jjl .one)
ET MALWARE DNS Query to Raspberry Robin Domain (6gcr .com) ET MALWARE DNS Query to Raspberry Robin Domain (tz6 .org)
ET MALWARE DNS Query to Raspberry Robin Domain (0v .wf) ET MALWARE DNS Query to Raspberry Robin Domain (tiua .uk)
ET MALWARE DNS Query to Raspberry Robin Domain (5z .wf) ET MALWARE DNS Query to Raspberry Robin Domain (5qw .pw)
ET MALWARE DNS Query to Raspberry Robin Domain (3z .nu) ET MALWARE DNS Query to Raspberry Robin Domain (y0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (zie5 .com) ET MALWARE DNS Query to Raspberry Robin Domain (t0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (fxb .tw) ET MALWARE DNS Query to Raspberry Robin Domain (f0 .tel)
ET MALWARE DNS Query to Raspberry Robin Domain (vs .gy) ET MALWARE DNS Query to Raspberry Robin Domain (6t4 .nl)
ET MALWARE DNS Query to Raspberry Robin Domain (0w .pm) ET MALWARE DNS Query to Raspberry Robin Domain (r4e .pl)
ET MALWARE DNS Query to Raspberry Robin Domain (m0 .nu) ET MALWARE DNS Query to Raspberry Robin Domain (j4z .co)
ET MALWARE DNS Query to Raspberry Robin Domain (j2 .gy) ET MALWARE DNS Query to Raspberry Robin Domain (i6n .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (msix .pm) ET MALWARE DNS Query to Raspberry Robin Domain (kj1 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (k5x .xyz) ET MALWARE DNS Query to Raspberry Robin Domain (jzm .pw)
ET MALWARE DNS Query to Raspberry Robin Domain (2i .wf) ET MALWARE DNS Query to Raspberry Robin Domain (lgf .pw)
ET MALWARE DNS Query to Raspberry Robin Domain (0dz .me) ET MALWARE DNS Query to Raspberry Robin Domain (6t .nz)
ET MALWARE DNS Query to Raspberry Robin Domain (ejk .bz) ET MALWARE DNS Query to Raspberry Robin Domain (j0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (j4z .xyz) ET MALWARE DNS Query to Raspberry Robin Domain (jrx .fr)
ET MALWARE DNS Query to Raspberry Robin Domain (k6c .org) ET MALWARE DNS Query to Raspberry Robin Domain (p3 .ms)
ET MALWARE DNS Query to Raspberry Robin Domain (ynns .uk) ET MALWARE DNS Query to Raspberry Robin Domain (u7u .ro)
ET MALWARE DNS Query to Raspberry Robin Domain (r0 .wf) ET MALWARE DNS Query to Raspberry Robin Domain (zbs .is)
ET MALWARE DNS Query to Raspberry Robin Domain (bo2sv .com) ET MALWARE DNS Query to Raspberry Robin Domain (mwgq .net)
ET MALWARE DNS Query to Raspberry Robin Domain (b3vv .com) ET MALWARE DNS Query to Raspberry Robin Domain (aij .hk)
ET MALWARE DNS Query to Raspberry Robin Domain (iyw5 .com) ET MALWARE DNS Query to Raspberry Robin Domain (0i .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (l6nk .com) ET MALWARE DNS Query to Raspberry Robin Domain (0x9 .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (2i .nu) ET MALWARE DNS Query to Raspberry Robin Domain (0e .si)
ET MALWARE DNS Query to Raspberry Robin Domain (6t .re) ET MALWARE DNS Query to Raspberry Robin Domain (6wr9 .com)
ET MALWARE DNS Query to Raspberry Robin Domain (uz3 .me) ET MALWARE DNS Query to Raspberry Robin Domain (o7car .com)
ET MALWARE DNS Query to Raspberry Robin Domain (uoej .net) ET MALWARE DNS Query to Raspberry Robin Domain (5jk .club)
ET MALWARE DNS Query to Raspberry Robin Domain (4q .pm) ET MALWARE DNS Query to Raspberry Robin Domain (j4r .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (c7 .lc) ET MALWARE DNS Query to Raspberry Robin Domain (i0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (i1 .pm) ET MALWARE DNS Query to Raspberry Robin Domain (4aw .ro)
ET MALWARE DNS Query to Raspberry Robin Domain (27o .nl) ET MALWARE DNS Query to Raspberry Robin Domain (j5n .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (zk5 .co) ET MALWARE DNS Query to Raspberry Robin Domain (as3 .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (v0 .cx) ET MALWARE DNS Query to Raspberry Robin Domain (rn9v .com)
ET MALWARE DNS Query to Raspberry Robin Domain (1n4 .xyz) ET MALWARE DNS Query to Raspberry Robin Domain (a0 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (bpyo .in) ET MALWARE DNS Query to Raspberry Robin Domain (7d .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (r0 .pm) ET MALWARE DNS Query to Raspberry Robin Domain (h0 .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (j3n .xyz) ET MALWARE DNS Query to Raspberry Robin Domain (vn6 .co)
ET MALWARE DNS Query to Raspberry Robin Domain (2i .pm) ET MALWARE DNS Query to Raspberry Robin Domain (m5n .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (5kx .me) ET MALWARE DNS Query to Raspberry Robin Domain (5z .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (nt3 .xyz) ET MALWARE DNS Query to Raspberry Robin Domain (dj2 .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (kglo .link) ET MALWARE DNS Query to Raspberry Robin Domain (u0 .rs)
ET MALWARE DNS Query to Raspberry Robin Domain (kjaj .top) ET MALWARE DNS Query to Raspberry Robin Domain (mnem .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (z19 .ro) ET MALWARE DNS Query to Raspberry Robin Domain (i4x .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (n5 .ms) ET MALWARE DNS Query to Raspberry Robin Domain (4m .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (gloa .in) ET MALWARE DNS Query to Raspberry Robin Domain (5qy .ro)
ET MALWARE DNS Query to Raspberry Robin Domain (zi9f .com) ET MALWARE DNS Query to Raspberry Robin Domain (ldnr .net)
ET MALWARE DNS Query to Raspberry Robin Domain (8t .wf) ET MALWARE DNS Query to Raspberry Robin Domain (1j .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (g4 .tel) ET MALWARE DNS Query to Raspberry Robin Domain (tu6p .com)
ET MALWARE DNS Query to Raspberry Robin Domain (p0 .wf) ET MALWARE DNS Query to Raspberry Robin Domain (4s3 .me)
ET MALWARE DNS Query to Raspberry Robin Domain (7k .rs) ET MALWARE DNS Query to Raspberry Robin Domain (3p .ms)
ET MALWARE DNS Query to Raspberry Robin Domain (u0 .pm) ET MALWARE DNS Query to Raspberry Robin Domain (6id .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (l9b .org) ET MALWARE DNS Query to Raspberry Robin Domain (4kx .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (i49 .xyz) ET MALWARE DNS Query to Raspberry Robin Domain (k6j .pw)
ET MALWARE DNS Query to Raspberry Robin Domain (5ap .nl) ET MALWARE DNS Query to Raspberry Robin Domain (m0 .yt)
ET MALWARE DNS Query to Raspberry Robin Domain (glnj .nl) ET MALWARE DNS Query to Raspberry Robin Domain (doem .re)
ET MALWARE DNS Query to Raspberry Robin Domain (ejk .li) ET MALWARE DNS Query to Raspberry Robin Domain (li1iv .com)
ET MALWARE DNS Query to Raspberry Robin Domain (wak .rocks) ET MALWARE DNS Query to Raspberry Robin Domain (13j .me)
ET MALWARE DNS Query to Raspberry Robin Domain (ue2 .eu) ET MALWARE DNS Query to Raspberry Robin Domain (k6j .me)
ET MALWARE DNS Query to Raspberry Robin Domain (b8x .org) ET MALWARE DNS Query to Raspberry Robin Domain (1k4 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (jrx .tw) ET MALWARE DNS Query to Raspberry Robin Domain (i0up .com)
ET MALWARE DNS Query to Raspberry Robin Domain (vqdn .net) ET MALWARE DNS Query to Raspberry Robin Domain (zk4 .me)
ET MALWARE DNS Query to Raspberry Robin Domain (gz .qa) ET MALWARE DNS Query to Raspberry Robin Domain (2um .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (k1n .club) ET MALWARE DNS Query to Raspberry Robin Domain (m0 .wf)
ET MALWARE DNS Query to Raspberry Robin Domain (h0 .wf) ET MALWARE DNS Query to Raspberry Robin Domain (mzjc .is)
ET MALWARE DNS Query to Raspberry Robin Domain (egso .net) ET MALWARE DNS Query to Raspberry Robin Domain (5kj .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (79r .nl) ET MALWARE DNS Query to Raspberry Robin Domain (6j2 .xyz)
ET MALWARE DNS Query to Raspberry Robin Domain (nwz .li) ET MALWARE DNS Query to Raspberry Robin Domain (iz .gy)
ET MALWARE DNS Query to Raspberry Robin Domain (w4 .wf) ET MALWARE DNS Query to Raspberry Robin Domain (5s .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (pjz .one) ET MALWARE DNS Query to Raspberry Robin Domain (0t .yt)
ET MALWARE DNS Query to Raspberry Robin Domain (eznb .net) ET MALWARE DNS Query to Raspberry Robin Domain (skqv .eu)
ET MALWARE DNS Query to Raspberry Robin Domain (e0 .wf) ET MALWARE DNS Query to Raspberry Robin Domain (mn1 .biz)
ET MALWARE DNS Query to Raspberry Robin Domain (n3 .wf) ET MALWARE DNS Query to Raspberry Robin Domain (zk .qa)
ET MALWARE DNS Query to Raspberry Robin Domain (9r .sk) ET MALWARE DNS Query to Raspberry Robin Domain (zjc .bz)
ET MALWARE DNS Query to Raspberry Robin Domain (krrz .pm) ET MALWARE DNS Query to Raspberry Robin Domain (qji6 .com)
ET MALWARE DNS Query to Raspberry Robin Domain (g4 .wf) ET MALWARE DNS Query to Raspberry Robin Domain (3lzj .com)
ET MALWARE DNS Query to Raspberry Robin Domain (n9fz .com) ET MALWARE DNS Query to Raspberry Robin Domain (4c .pm)
ET MALWARE DNS Query to Raspberry Robin Domain (nz4 .xyz) ET MALWARE DNS Query to Raspberry Robin Domain (6qo .at)
ET MALWARE DNS Query to Raspberry Robin Domain (j68 .info) ET MALWARE DNS Query to Raspberry Robin Domain (n54 .me)
ET MALWARE DNS Query to Raspberry Robin Domain (4s .pm) ET MALWARE Win32/Umbral-Stealer CnC Exfil via Discord (POST)
ET MALWARE IcedID CnC Domain in DNS Lookup (joysaketshops .com)
ET MALWARE W32/Snojan.BNQKZQH Payload Inbound
ET MALWARE DNS Query to KEKW Variant Domain (blackcap .ru)
ET MALWARE DNS Query to KEKW Variant Domain (kekwltd .ru)
ET MALWARE Papercut MF/NG User/Group Sync Python Backdoor Trigger
ET MALWARE Papercut MF/NG User/Group Sync FTP Backdoor trigger
ET MALWARE Win32/KLBanker Activity (GET)
ET MALWARE MSIL/Spyware Activity via Telegram (Response)
ET MALWARE Win32/Ducktail Exfil Via Telegram (POST)
ET MALWARE Win32/Ducktail Exfil Via Telegram CnC Response
ET MALWARE Win32/DarkVision RAT CnC Checkin M1
ET MALWARE Win32/DarkVision RAT CnC Checkin M3
ET MALWARE SocGholish Domain in DNS Lookup (backroom .tauetaepsilon .org)
ET MALWARE Win32/DarkVision RAT CnC Checkin M2
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (files-dwn .shop)
ET MALWARE MrRobot LYON Phish Kit Exfil (POST) M1
ET MALWARE SocGholish Domain in DNS Lookup (framework .rankinfiles .com)
ET MALWARE MrRobot LYON Phish Kit Exfil (POST) M2
ET MALWARE SocGholish Domain in DNS Lookup (prototype .siliconvalleyga .com)
ET MALWARE Globe Imposter Ransomware Activity (GET)
ET MALWARE FSB Snake CnC Activity Outbound via TCP (AA23-129A) M1
ET MALWARE MalDoc/TA427 Payload Request (GET)
ET MALWARE FSB Snake CnC Activity Outbound via TCP (AA23-129A) M2
ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M1
ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M2
ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M3
ET MALWARE FSB Snake CnC Activity Inbound via TCP (AA23-129A) M4
ET MALWARE DNS Query to TA444 Domain (parallaxdigital .online)
ET MALWARE DNS Query to TA444 Domain (morganstanleycorp .co .uk)
ET MALWARE DNS Query to TA444 Domain (myfirmdocument .online)
ET MALWARE DNS Query to TA444 Domain (cyberwalletsecurity .online)
ET MALWARE DNS Query to TA444 Domain (docs-send .online)
ET MALWARE DNS Query to TA444 Domain (drop-box .cloud)
ET MALWARE DNS Query to TA444 Domain (gunosis .global)
ET MALWARE DNS Query to TA444 Domain (cryptyk .webredirect .org)
ET MALWARE DNS Query to TA444 Domain (altair-vc .info)
ET MALWARE DNS Query to TA444 Domain (acuitykp .co)
ET MALWARE DNS Query to TA444 Domain (doc .linkpc .net)
ET MALWARE DNS Query to TA444 Domain (docsend .business)
ET MALWARE DNS Query to TA444 Domain (werfaultserver .com)
ET MALWARE DNS Query to TA444 Domain (nextera .capital)
ET MALWARE DNS Query to TA444 Domain (companydeck .cloud)
ET MALWARE DNS Query to TA444 Domain (docs-send .cloud)
ET MALWARE DNS Query to TA444 Domain (docs-send .com)
ET MALWARE DNS Query to TA444 Domain (sabrpatners .com)
ET MALWARE DNS Query to TA444 Domain (cryptyk .online)
ET MALWARE DNS Query to TA444 Domain (autoupdatecheck .work .gd)
ET MALWARE DNS Query to TA444 Domain (forumpatners .com)
ET MALWARE DNS Query to TA444 Domain (docsend-host .cloud)
ET MALWARE DNS Query to TA444 Domain (hyperchaincapital .online)
ET MALWARE DNS Query to TA444 Domain (j-ic .co .in)
ET MALWARE DNS Query to TA444 Domain (docupload .site)
ET MALWARE DNS Query to TA444 Domain (cryptyk .sytes .net)
ET MALWARE DNS Query to TA444 Domain (companydeck .online)
ET MALWARE DNS Query to TA444 Domain (cryptyk .cloud)
ET MALWARE BPFDoor V2 TCP Magic Packet Inbound
ET MALWARE BPFDoor V2 UDP Magic Packet Inbound
ET MALWARE BPFDoor V2 SCTP Magic Packet Inbound
ET MALWARE SocGholish Domain in DNS Lookup (product .sammyhallam .com)
ET MALWARE SocGholish Domain in DNS Lookup (games .iglesiaelarca .org)
ET MALWARE SocGholish Domain in DNS Lookup (support .newshoop .com)
ET MALWARE SocGholish Domain in DNS Lookup (achievements .ritagamer .com)
ET MALWARE SocGholish Domain in DNS Lookup (books .friendsofthefolsomlibrary .org)
ET MALWARE TA444 Related Domain in DNS Lookup (cryptofundsresearch .com)
ET MALWARE TA444 Related Domain in DNS Lookup (jobdescription .us .com)
ET MALWARE TA444 Related Domain in DNS Lookup (cryptyk .info)
ET MALWARE TA444 Related Domain in DNS Lookup (doc-send .online)
ET MALWARE TA444 Related Domain in DNS Lookup (bdcc .bio)
ET MALWARE TA444 Related Domain in DNS Lookup (contractresearch .blog)
ET MALWARE TA444 Related Domain in DNS Lookup (espcapital .co .in)
ET MALWARE TA444 Related Domain in DNS Lookup (shared-document .cloud)
ET MALWARE TA444 Related Domain in DNS Lookup (javarepo .net)
ET MALWARE TA444 Related Domain in DNS Lookup (contract-research .blog)
ET MALWARE TA444 Related Domain in DNS Lookup (gumi-cryptos .loan)
ET MALWARE TA444 Related Domain in DNS Lookup (smart-contracts .blog)
ET MALWARE TA444 Related Domain in DNS Lookup (doc-send .com)
ET MALWARE TA444 Related Domain in DNS Lookup (verifydocument .online)
ET MALWARE DNS Query to SmokeLoader Domain (potunulit .org)
ET MALWARE DNS Query to Glupteba Domain (geofaps .com)
ET MALWARE DNS Query to Glupteba Domain (twopixis .com)
ET MALWARE DNS Query to Glupteba Domain (cdneurops .health)
ET MALWARE DNS Query to Glupteba Domain (beegolang .com)
ET MALWARE Win32/Arid Gopher CnC Exfil (POST)
ET MALWARE DNS Query to Gamaredon Domain (kahotepa .ru)
ET MALWARE DNS Query to Gamaredon Domain (OpenAsTextStream .zuberipa .ru)
ET MALWARE DNS Query to Gamaredon Domain (kaziyapa .ru)
ET MALWARE DNS Query to Gamaredon Domain (80delay .dzhabaripa .ru)
ET MALWARE DNS Query to Gamaredon Domain (71delay .dzhahipa .ru)
ET MALWARE DNS Query to Gamaredon Domain (zaherpa .ru)
ET MALWARE DNS Query to Gamaredon Domain (goruspa .ru)
ET MALWARE DNS Query to Gamaredon Domain (iknatonpa .ru)
ET MALWARE DNS Query to Gamaredon Domain (dzhahipa .ru)
ET MALWARE DNS Query to Gamaredon Domain (dzhabaripa .ru)
ET MALWARE DNS Query to Gamaredon Domain (zuberipa .ru)
ET MALWARE Fake Quickbooks Domain in DNS Lookup (quickbooks12 .hopto .org)
ET MALWARE Fake Quickbooks Domain in DNS Lookup (findproadvisors .com)
ET MALWARE Fake Quickbooks Domain in DNS Lookup (quickbooks149 .hopto .org)
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Payload Request (GET)
ET MALWARE Camaro Dragon APT - Horse Shell CnC Checkin
ET MALWARE Win32/Packed.BlackMoon.A Variant Checkin
ET MALWARE Stellar Stealer Data Exfiltration Attempt M1
ET MALWARE Stellar Stealer Data Exfiltration Attempt M2
ET MALWARE Stellar Stealer Data Exfiltration Attempt M3
ET MALWARE Stellar Stealer Data Exfiltration Attempt M4
ET MALWARE Stellar Stealer Data Exfiltration Attempt M5
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .accounting .bridgemastersllc .com)
ET MALWARE DonotGroup Related Domain in DNS Lookup (lovebirdsshop .club)
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE Gamaredon APT Related Activity (GET)
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE DonotGroup Maldoc Activity (GET)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET MALWARE BotLoader Retrieving Additional Payloads
ET MALWARE DeltaStealer CnC Domain (deltaproject .us) in DNS Lookup
ET MALWARE BotLoader CnC Checkin
ET MALWARE DeltaStealer CnC Domain (deltastealer .xyz) in DNS Lookup
ET MALWARE DeltaStealer CnC Domain (deltastealer .gq) in DNS Lookup
ET MALWARE Observed DeltaStealer Domain (deltaproject .us) in TLS SNI
ET MALWARE Observed DeltaStealer Domain (deltastealer .xyz) in TLS SNI
ET MALWARE Observed DeltaStealer Domain (deltastealer .gq) in TLS SNI
ET MALWARE DeltaStealer Exfiltrating Data to gofile .io
ET MALWARE SparkRAT Related Domain in DNS Lookup (gwekekccef .webull .day)
ET MALWARE DeltaStealer CnC Checkin
ET MALWARE TA427 Related Domain in DNS Lookup (com-people .click)
ET MALWARE TA427 Related Domain in DNS Lookup (com-price .space)
ET MALWARE TA427 Related Domain in DNS Lookup (com-www .click)
ET MALWARE TA427 Related Domain in DNS Lookup (com-def .asia)
ET MALWARE TA427 Related Domain in DNS Lookup (com-otp .click)
ET MALWARE TA427 Related Domain in DNS Lookup (de-file .online)
ET MALWARE TA427 Related Domain in DNS Lookup (com-port .space)
ET MALWARE TA427 Related Domain in DNS Lookup (kr-me .click)
ET MALWARE TA427 Related Domain in DNS Lookup (cf-health .click)
ET MALWARE TA427 Related Domain in DNS Lookup (kr-angry .click)
ET MALWARE Suspected Kimsuky Related Actvity (GET)
ET MALWARE Suspected Gamaredon Related Maldoc Activity M1
ET MALWARE Suspected Gamaredon Related Maldoc Activity M2
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE SocGholish Domain in DNS Lookup (tube .saltminecomics .com)
ET MALWARE SocGholish Domain in DNS Lookup (vip .dueprocess .us)
ET MALWARE SocGholish Domain in DNS Lookup (broadcast .ninemuses .io)
ET MALWARE SocGholish Domain in DNS Lookup (commercial .tedgorka .com)
ET MALWARE SocGholish Domain in DNS Lookup (forum .leewhitman-raymond .com)
ET MALWARE SocGholish Domain in DNS Lookup (teaching .eduvisuo .com)
ET MALWARE SocGholish Domain in DNS Lookup (round .macayafoundation .org)
ET MALWARE SocGholish Domain in DNS Lookup (trademark .iglesiaelarca .com)
ET MALWARE SocGholish Domain in DNS Lookup (training .defcon1 .us)
ET MALWARE SocGholish Domain in DNS Lookup (friends .foflib .org)
ET MALWARE SocGholish Domain in DNS Lookup (assist .cabinetelcea .com)
ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity
ET MALWARE UAC-0063 Domain in DNS Lookup (net-certificate .services)
ET MALWARE Win64/Rozena.TD Variant CnC Activity (GET)
ET MALWARE UAC-0063 Domain in DNS Lookup (diagnostic-resolver .com)
ET MALWARE UAC-0063 Domain in DNS Lookup (ms-webdav-miniredir .com)
ET MALWARE Observed DNS Query to Gamaredon Domain (mbiziso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (kontarso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (koseyso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (menesso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (kuaashiso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (lizimbaso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (maatso .ru)
ET MALWARE Kraken Stealer SMTP Data Exfiltration Attempt
ET MALWARE CloudWizard APT Related Domain in DNS Lookup (curveroad .com)
ET MALWARE SocGholish Domain in DNS Lookup (booty .midatlanticlaw .org)
ET MALWARE SocGholish Domain in DNS Lookup (internal .metro1properties .us)
ET MALWARE DNS Query to Cobalt Strike Domain (iconnectgs .com)
ET MALWARE DNS Query to Cobalt Strike Domain (aicsoftware .com)
ET MALWARE DNS Query to IcedID Domain (kicknocisd .com)
ET MALWARE DNS Query to IcedID Domain (guaracheza .pics)
ET MALWARE DNS Query to IcedID Domain (curabiebarristie .com)
ET MALWARE DNS Query to IcedID Domain (simipimi .com)
ET MALWARE DNS Query to IcedID Domain (belliecow .wiki)
ET MALWARE DNS Query to IcedID Domain (stayersa .art)
ET MALWARE Cobalt Strike CnC Beacon (POST)
ET MALWARE SocGholish Domain in DNS Lookup (initiatives .ayitiexpo .com)
ET MALWARE SocGholish Domain in DNS Lookup (reporting .theamericasfashionfest .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .offer .rpacxtaxappeal .com)
ET MALWARE Bandit Stealer Data Exfiltration Attempt
ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)
ET MALWARE Win32/RootTeam Stealer CnC Exfil M1
ET MALWARE SocGholish Domain in DNS Lookup (strategy .transversalgroup .co)
ET MALWARE WhiteSnake Stealer Telegram Checkin
ET MALWARE Suspected Gamaredon APT Related Activity
ET MALWARE pswshopro_bot Stealer CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (enterprise .alliantlaw .us)
ET MALWARE pswshopro_bot Stealer data exfiltration attempt
ET MALWARE SocGholish Domain in DNS Lookup (sapphire .abogados .services)
ET MALWARE SocGholish Domain in DNS Lookup (exclusive .transversalbranding .com)
ET MALWARE SocGholish Domain in DNS Lookup (archives .finanpress .com)
ET MALWARE SocGholish Domain in DNS Lookup (deploy .vanquicktech .com)
ET MALWARE SocGholish Domain in DNS Lookup (practices .bodyandsoulmassage .com)
ET MALWARE SocGholish Domain in DNS Lookup (old .onepercentage .org)
ET MALWARE [ANY.RUN] LgoogLoader Retrieving Config File
ET MALWARE BellaCiao ASPX Backdoor Response
ET MALWARE SocGholish Domain in DNS Lookup (background .bodyguardchicago .com)
ET MALWARE SocGholish Domain in DNS Lookup (hardware .deltavis .com)
ET MALWARE SocGholish Domain in DNS Lookup (masterclass .teamupnetwork .org)
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE [ANY.RUN] Observed Malicious Powershell Related Activity (GET)
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET MALWARE Observed DNS Query to Gamaredon Domain (rashidiso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (mhotepzi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (neferzi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (naborzi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (minkazi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (nahtizi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (panahaziso .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (nebtoizi .ru)
ET MALWARE Observed DNS Query to Gamaredon Domain (nebibizi .ru)
ET MALWARE SocGholish Domain in DNS Lookup (failure .mathgeniusa .com)
ET MALWARE SocGholish Domain in DNS Lookup (static .laytonroadconstruction .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .nodes .gammalambdalambda .org)
ET MALWARE Win32/DarkPink KamiKakaBot CnC Exfil (POST)
ET MALWARE [DCSO] Andariel Exfil Activity
ET MALWARE [DCSO] Possible Andariel Exfil Activity
ET MALWARE [DCSO] Andariel CnC Activity, Check String
ET MALWARE Gamaredon Domain in DNS Lookup (havxcq .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (ozaharso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (okparaso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (omariso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (ozirisso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (remmaoso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (oddzhiso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (itoram .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (rvawc .ru) ET MALWARE Gamaredon Domain in DNS Lookup (gajasx .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (xopekar .ru) ET MALWARE Gamaredon Domain in DNS Lookup (nalfas .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (blootundicht .ru) ET MALWARE Gamaredon Domain in DNS Lookup (tulocal .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (boptizol .ru) ET MALWARE Gamaredon Domain in DNS Lookup (yorisant .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (viratuk .ru) ET MALWARE Gamaredon Domain in DNS Lookup (reposant .ru)
ET MALWARE SocGholish Domain in DNS Lookup (stockroom .baybeboutiquellc .com)
ET MALWARE SocGholish Domain in DNS Lookup (collaboration .porchlightcs .org)
ET MALWARE SocGholish Domain in DNS Lookup (prepare .dawarel3mda .com)
ET MALWARE SocGholish Domain in DNS Lookup (dashboard .smartmetereducationnetwork .com)
ET MALWARE SocGholish Domain in DNS Lookup (reception .q-dent .com)
ET MALWARE Redline Stealer Stager WebPage Inbound
ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer/MetaStealer Family TCP CnC Activity - MSValue (Response)
ET MALWARE Gamaredon Domain in DNS Lookup (kafiripa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (donkorpa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (badarus .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (neythzi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (mudadazi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (dakareypa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (ishakpa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (muhvanazi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (kemoziripa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (keymnvatipa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (butiram .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (luzidzhso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (karoanpa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (trulazek .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (idogbpa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (porotad .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (dzhibeydpa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (galofad .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (dzhumoukpa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (mensaso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (knemuso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (kemnebipa .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (imenandpa .ru)
ET MALWARE SocGholish Domain in DNS Lookup (templates .jdlaytongrademaker .com)
ET MALWARE Sharp Panda APT Style RTF Request (GET)
ET MALWARE Sharp Panda APT RTF Retrieval (Response)
ET MALWARE Observed Sharp Panda APT Related Activity M2
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Screenshot)
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (System Information)
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Check-in)
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Activity)
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (END)
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Response
ET MALWARE Possible MEME#4CHAN Exfil Activity
ET MALWARE MEME#4CHAN Redirect Activity to Payload
ET MALWARE SocGholish Domain in DNS Lookup (illustrations .ipocla .org)
ET MALWARE SocGholish Domain in DNS Lookup (wholesale .surewareusa .com)
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Loading) M1
ET MALWARE CMDEmber Backdoor Style Request
ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Loading) M2
ET MALWARE Cobalt Strike Domain in DNS Lookup
ET MALWARE SocGholish Domain in DNS Lookup (cosplay .univisuo .com)
ET MALWARE SocGholish Domain in DNS Lookup (portable .nodirtyelectricity .com)
ET MALWARE IIS-Raid Module Backdoor - Successful PING in HTTP Response (PONG)
ET MALWARE SocGholish Domain in DNS Lookup (roadmap .jufp .com)
ET MALWARE IIS-Raid Module Backdoor - INJ Command in HTTP Request
ET MALWARE IIS-Raid Module Backdoor - Successful INJ Command in HTTP Response
ET MALWARE Win32/0xtaRAT CnC Activity M3 (GET)
ET MALWARE Win32/0xtaRAT CnC Activity M4 (GET)
ET MALWARE Win32/0xtaRAT CnC Activity M5 (POST)
ET MALWARE [ANY.RUN] Win32/DynamicRAT CnC Activity
ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M1 (GET)
ET MALWARE Observed Maldoc Macro Request (GET)
ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M2 (GET)
ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M3 (GET)
ET MALWARE Suspected Stealth Soldier Backdoor Related Activity M4 (GET)
ET MALWARE Stealth Soldier Backdoor Related Activity M1 (POST)
ET MALWARE Stealth Soldier Backdoor Related Domain in DNS Lookup (filestoragehub .live)
ET MALWARE Gamaredon Domain in DNS Lookup (gawsxc .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (perccottuspi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (razuiso .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (dzhabrailho .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (tispai .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (reyyfadsf .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (dumerilipi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (bladefishpi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (spatulapi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (gawcq .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (agonepi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (albacorepi .ru)
ET MALWARE Trojan.PSW.Autoit Data Exfiltration Attempt
ET MALWARE SocGholish Domain in DNS Lookup (specific .autonerdmobilerepairs .com)
ET MALWARE SocGholish Domain in DNS Lookup (mentoring .yogayield .net)
ET MALWARE SocGholish Domain in DNS Lookup (forbes .firstmillionaires .com)
ET MALWARE SocGholish Domain in DNS Lookup (form .haysllc .net)

ET MALWARE SocGholish Domain in DNS Lookup (names .expressyourselfesthetics .com)
ET MALWARE SocGholish Domain in DNS Lookup (superposition .mathgeniusacademy .com)
ET MALWARE Asylum Ambuscade Related CnC Activity (GET) M1
ET MALWARE Asylum Ambuscade Related CnC Activity (GET) M2
ET MALWARE Asylum Ambuscade Related CnC Activity (GET) M3
ET MALWARE Asylum Ambuscade Related CnC Activity (SendLog)
ET MALWARE Successful Win32/TrojanDownloader.VB.RUI Exfil Activity M1
ET MALWARE Asylum Ambuscade Related CnC Activity (install)
ET MALWARE Successful Win32/TrojanDownloader.VB.RUI Exfil Activity M2
ET MALWARE Win32/TrojanDownloader.VB.RUI Checkin
ET MALWARE Kimsuky ReconShark Payload Retrieval Request M1
ET MALWARE Kimsuky ReconShark Payload Retrieval Request M2
ET MALWARE Kimsuky ReconShark Related APT Activity
ET MALWARE Kimsuky HTA Payload Retrieval Attempt
ET MALWARE APT-C-36 Related Domain in DNS Lookup (travel-ag .com)
ET MALWARE SocGholish Domain in DNS Lookup (ibm .deltavis .net)
ET MALWARE GreetingGhoul Stealer Domain in DNS Lookup (cryptohedgefund .us)
ET MALWARE [ANY.RUN] RisePro TCP (Token)
ET MALWARE [ANY.RUN] RisePro TCP (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)
ET MALWARE SocGholish Domain in DNS Lookup (toolkit .mobileautorepairmechanic .com)
ET MALWARE SocGholish Domain in DNS Lookup (webdog .ilinkads .com)
ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M1
ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M2
ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M3
ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M4
ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M5
ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M6
ET MALWARE UNC4841 Related Domain in DNS Lookup (togetheroffway .com)
ET MALWARE [Mandiant] UNC4841 SEASPY Backdoor Activity M7
ET MALWARE UNC4841 Related Domain in DNS Lookup (goldenunder .com)
ET MALWARE UNC4841 Related Domain in DNS Lookup (fessionalwork .com)
ET MALWARE UNC4841 Related Domain in DNS Lookup (singamofing .com)
ET MALWARE UNC4841 Related Domain in DNS Lookup (bestfindthetruth .com)
ET MALWARE UNC4841 Related Domain in DNS Lookup (troublendsef .com)
ET MALWARE UNC4841 Related Domain in DNS Lookup (singnode .com)
ET MALWARE UNC4841 Related Domain in DNS Lookup (gesturefavour .com)
ET MALWARE SocGholish Domain in DNS Lookup (subscription .provijuns .com)
ET MALWARE GreetingGhoul Stealer CnC Exfil (POST)
ET MALWARE Mystic Stealer Admin Panel 2023-06-16
ET MALWARE Mystic Stealer C2 Client Hello Packet
ET MALWARE Mystic Stealer C2 Session Key Response Packet
ET MALWARE Observed LegionLoader Domain in TLS SNI (legions .win)
ET MALWARE LegionLoader CnC Domain (legions .win) in DNS Lookup
ET MALWARE LegionLoader Activity Observed (LegionClient)
ET MALWARE Zenlod System Information Retrieval
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .rfc .zitoprohealth .com)
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M1
ET MALWARE IcedID CnC Domain in DNS Lookup (nerfgamesarche .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (kojgimagi .com)
ET MALWARE Observed Glupteba CnC Domain (deepsound .live in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (biggames .online in TLS SNI)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)
ET MALWARE Suspected Kimsuky Activity (POST)
ET MALWARE Suspected Kimsuky Related Activity (set)
ET MALWARE Suspected Kimsuky Related Activity (Response)
ET MALWARE Possible DarkFinger Payload Retrieval Attempt - nc10
ET MALWARE Possible DarkFinger Payload Retrieval Attempt - ps10
ET MALWARE Possible DarkFinger ipconfig Retrieval Attempt
ET MALWARE Possible DarkFinger tasklist Retrieval attempt
ET MALWARE Win32/RedEnergy System Information Retrieval Attempt
ET MALWARE SocGholish Domain in DNS Lookup (described .moraver .com)
ET MALWARE SocGholish Domain in DNS Lookup (inside .awesomepotions .com)
ET MALWARE SocGholish Domain in DNS Lookup (artwork .siddavisart .com)
ET MALWARE SocGholish Domain in DNS Lookup (brands .shopperstreets .com)
ET MALWARE SocGholish Domain in DNS Lookup (career .humandesigns .com)
ET MALWARE Suspected Blackmoon Related Domain in DNS Lookup
ET MALWARE Suspected Blackmoon Related Activity (GET)
ET MALWARE Suspected Blackmoon Related Activity (Response)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
ET MALWARE SocGholish Domain in DNS Lookup (devops .livinginthenowbook .info)
ET MALWARE DNS Query to SupremeBot Domain (shadowlegion .duckdns .org)
ET MALWARE DNS Query to SupremeBot Domain (silentlegion .duckdns .org)
ET MALWARE Win32/SupremeBot CnC Checkin (POST) M1
ET MALWARE Win32/SupremeBot CnC Checkin (POST) M2
ET MALWARE Gamaredon Domain in DNS Lookup (namibbo .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (kyzylkumbo .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (bukatam .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (negevbo .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (totalav .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (durakam .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (gutarax .ru)
ET MALWARE [ANY.RUN] Gh0stBins Checkin
ET MALWARE [ANY.RUN] Possible Gh0stRat Checkin
ET MALWARE [ANY.RUN] Gh0stBins Kernel Download Request
ET MALWARE SocGholish Domain in DNS Lookup (marathon .teachmemoney .net)
ET MALWARE [ANY.RUN] Gh0stBins RDP Remote Connection

ET MALWARE SocGholish Domain in DNS Lookup (therapy .rationallifestyleconsulting .org)
ET MALWARE [ANY.RUN] StatusRecorder Stealer Sending System Information
ET MALWARE SocGholish Domain in DNS Lookup (sandwiches .tropipackfood .com)
ET MALWARE Win32/SparkRAT CnC Checkin (GET)
ET MALWARE Golang Easy Stealer Exfil (POST)
ET MALWARE Golang Easy Stealer CnC Response
ET MALWARE JokerSpy Domain in DNS Lookup (app .influmarket .org)
ET MALWARE ThirdEye Stealer System Information Gathering Attempt
ET MALWARE ThirdEye Stealer CnC Checkin
ET MALWARE DDoSia Client CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (editions .seattlemysterylovers .com)
ET MALWARE DDoSia Client Target Retrieval
ET MALWARE Observed Trojan.Boxter/winlnk Domain (arm .texchi .xyz in TLS SNI)
ET MALWARE Gamaredon APT Related CnC Activity (POST) M3
ET MALWARE TA444 Domain in DNS Lookup (docsend .linkpc .net)
ET MALWARE TA444 Domain in DNS Lookup (jaicvc .com)
ET MALWARE Observed TA444 Domain in TLS SNI (docsend .linkpc .net)
ET MALWARE Observed TA444 Domain in TLS SNI (jaicvc .com)
ET MALWARE JokerSpy Domain in DNS Lookup (git-hub .me)
ET MALWARE Observed JokerSpy Domain (git-hub .me in TLS SNI)
ET MALWARE RedLine Stealer Domain in DNS Lookup (nordvpn-media .com)
ET MALWARE TA444 Related Domain in DNS Lookup (crypto .hondchain .com)
ET MALWARE TA444 Related Domain in DNS Lookup (starbucls .xyz)
ET MALWARE Win32/Sinresby.B Checkin
ET MALWARE TA444 Related Domain in DNS Lookup
ET MALWARE Observed DuckTail Domain (techvibeo .com in TLS SNI)
ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy M1
ET MALWARE Gamaredon Domain in DNS Lookup (hanotip .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (ideolot .ru)
ET MALWARE [ANY.RUN] Remcos RAT Checkin 861
ET MALWARE GobRAT CnC Domain in DNS Lookup (ktlvz .dnsfailover .net)
ET MALWARE GobRAT CnC Domain in DNS Lookup (wpksi .mefound .com)
ET MALWARE Observed GobRAT Domain (ktlvz .dnsfailover .net) in TLS SNI
ET MALWARE GobRAT CnC Domain in DNS Lookup (su .vealcat .com)
ET MALWARE Observed GobRAT Domain (wpksi .mefound .com) in TLS SNI
ET MALWARE Observed GobRAT Domain (su .vealcat .com) in TLS SNI
ET MALWARE TA444 Domain in DNS Lookup (cloud .dnx .capital)
ET MALWARE TA444 Domain in DNS Lookup (crypto .hondchain .com)
ET MALWARE Cinoshi Clipper Related Domain in DNS Lookup (tryno .ru)
ET MALWARE Win32/Ramgex.D Checkin
ET MALWARE SmugX Domain in DNS Lookup (newsmailnet .com)
ET MALWARE SmugX Domain in DNS Lookup (jcswcd .com)
ET MALWARE SocGholish Domain in DNS Lookup (launch .viewthesteps .com)
ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy M2
ET MALWARE TA444 Domain in DNS Lookup
ET MALWARE Playful Taurus Domain in TLS SNI (scm .oracleapps .org)
ET MALWARE Playful Taurus Domain in TLS SNI (update .delldrivers .in)
ET MALWARE Playful Taurus Domain in TLS SNI (vpnkerio .com)
ET MALWARE Playful Taurus Domain in TLS SNI (update .adboeonline .net)
ET MALWARE Playful Taurus Domain in TLS SNI (mail .indiarailways .net)
ET MALWARE Observed Turla/Crutch Domain (hotspot .accesscam .org in TLS SNI)
ET MALWARE Win32/zgRAT CnC Activity (GET)
ET MALWARE Gamaredon Domain in DNS Lookup (orientalebi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (iraty .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (for30 .procellarumbi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (for71 .procellarumbi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (loop71 .procellarumbi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (procellarumbi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (to30 .procellarumbi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (marginisbi .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (opela .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (uteroma .ru)
ET MALWARE Gamaredon Domain in DNS Lookup (len61 .procellarumbi .ru)
ET MALWARE Observed Gamaredon Domain (orientalebi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (for30 .procellarumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (iraty .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (for71 .procellarumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (loop71 .procellarumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (procellarumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (to30 .procellarumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (marginisbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (opela .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (len61 .procellarumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (uteroma .ru in TLS SNI)
ET MALWARE SocGholish Domain in DNS Lookup (content .garretttrails .org)
ET MALWARE SocGholish Domain in DNS Lookup (creativity .kinchcorp .com)
ET MALWARE Playful Taurus Domain in TLS SNI (proxy .oracleapps .org)
ET MALWARE DNS Query to UNK_BisonBooster Domain (booster724 .online)
ET MALWARE DNS Query to UNK_BisonBooster Domain (forsports .xyz)
ET MALWARE DNS Query to UNK_BisonBooster Domain (speedup-pc .online)
ET MALWARE Cinoshi Clipper Domain (tryno .ru) in TLS SNI
ET MALWARE SmugX Domain (jcswcd .com) in TLS SNI
ET MALWARE SmugX Domain (newsmailnet .com) in TLS SNI
ET MALWARE Win32/RootTeam Stealer CnC Exfil M2
ET MALWARE Win32/RootTeam Stealer CnC Response
ET MALWARE Storm-0978 RomCom RAT CnC Checkin

ET MALWARE RomCom CnC Domain in DNS Lookup (finformservice .com)
ET MALWARE RomCom CnC Domain in DNS Lookup (penofach .com)
ET MALWARE RomCom CnC Domain in DNS Lookup (bentaxworld .com)
ET MALWARE RomCom CnC Domain in DNS Lookup (altimata .org)
ET MALWARE [ANY.RUN] Konni.APT Exfiltration
ET MALWARE [ANY.RUN] Konni.APT Keep-Alive
ET MALWARE [ANY.RUN] DNS Query to Konni APT Domain (cachecast001 .com)
ET MALWARE [ANY.RUN] DNS Query to Konni APT Domain (elinline .com)
ET MALWARE Mallox Ransomware CnC Domain (whyers .io) in DNS Lookup
ET MALWARE MalDoc/Konni APT CnC Activity (GET)
ET MALWARE Observed Mallox Ransomware Domain (whyers .io) in TLS SNI
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .plan .gemmadeealexander .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (skofilldrom .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (anscowerbrut .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (wiraofise .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (illboardinj .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (hloyagorepa .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (newwildtuna .top)
ET MALWARE IcedID CnC Domain in DNS Lookup (appkasnofert .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (firestansinbox .com)
ET MALWARE Observed Glupteba CnC Domain (robloxcdneu .net in TLS SNI)
ET MALWARE IcedID CnC Domain in DNS Lookup (fishofgloster .pw)
ET MALWARE Golang/Bandit Stealer Telegram Exfil Activity (POST)
ET MALWARE Kaiten User Agent
ET MALWARE SocGholish CnC Domain in TLS SNI (* .plan .gemmadeealexander .com)
ET MALWARE SocGholish Domain in DNS Lookup (x64 .nvize .com)
ET MALWARE SocGholish Domain in TLS SNI (x64 .nvize .com)
ET MALWARE CHAOS RAT/AlfaC2 Client Checkin
ET MALWARE CHAOS RAT/AlfaC2 CnC Server Status Check
ET MALWARE Suspected Andariel RexPot CnC Checkin M1
ET MALWARE Suspected Andariel RexPot CnC Checkin M2
ET MALWARE Win32/Cryptbot CnC Activity (POST)
ET MALWARE Observed Glupteba CnC Domain (ggjump .ru in TLS SNI)
ET MALWARE PS1/Kimsuky CnC Exfil (POST)
ET MALWARE DNS Query for IcedID Domain (filtaferamoza .com)
ET MALWARE DNS Query for IcedID Domain (autokamertos .com)
ET MALWARE DNS Query for IcedID Domain (magiketchinn .com)
ET MALWARE DNS Query for IcedID Domain (flarkonafaero .com)
ET MALWARE DNS Query for IcedID Domain (lohmotarufos .com)
ET MALWARE DNS Query for IcedID Domain (magizanqomo .com)
ET MALWARE Win32/Rage Stealer CnC Exfil via Telegram (POST)
ET MALWARE Observed IcedID Domain (flarkonafaero .com in TLS SNI)
ET MALWARE Observed IcedID Domain (autokamertos .com in TLS SNI)
ET MALWARE Observed IcedID Domain (lohmotarufos .com in TLS SNI)
ET MALWARE Observed IcedID Domain (magizanqomo .com in TLS SNI)
ET MALWARE Observed IcedID Domain (filtaferamoza .com in TLS SNI)
ET MALWARE Observed IcedID Domain (magiketchinn .com in TLS SNI)
ET MALWARE NanoCore RAT Keepalive 1
ET MALWARE NanoCore RAT Keepalive 2
ET MALWARE NanoCore RAT Keepalive Response 1
ET MALWARE NanoCore RAT Keepalive Response 2
ET MALWARE NanoCore RAT Keepalive Response 3
ET MALWARE NanoCore RAT Keepalive 3
ET MALWARE NanoCore RAT Keepalive 4
ET MALWARE NanoCore RAT CnC 7
ET MALWARE NanoCore RAT CnC 24
ET MALWARE NanoCore RAT CnC 26
ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
ET MALWARE NanoCore RAT CnC 28
ET MALWARE NanoCore RAT CnC 23
ET MALWARE NanoCore RAT Keepalive Response 4
ET MALWARE NanoCore RAT Keepalive Response 5
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (launchruse .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (datadog-graph .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (alwaysckain .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (centos-pkg .org)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (canolagroove .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (reggedrobin .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (nomadpkgs .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (primerosauxiliosperu .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (toyourownbeat .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (datadog-cloud .com)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (centos-repos .org)
ET MALWARE TraderTraitor CnC Domain in DNS Lookup (nomadpkg .com)
ET MALWARE Observed TraderTraitor Domain (launchruse .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (datadog-graph .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (alwaysckain .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (centos-pkg .org in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (canolagroove .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (reggedrobin .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (nomadpkgs .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (primerosauxiliosperu .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (toyourownbeat .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (datadog-cloud .com in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (centos-repos .org in TLS SNI)
ET MALWARE Observed TraderTraitor Domain (nomadpkg .com in TLS SNI)
ET MALWARE SocGholish Domain in TLS SNI (content .garretttrails .org)
ET MALWARE SocGholish Domain in TLS SNI (creativity .kinchcorp .com)

ET MALWARE Pupy RAT Default TLS Proxy Certificate
ET MALWARE MalDoc/Gamaredon CnC Activity M4
ET MALWARE [ANY.RUN] Hydrochasma Fast Reverse Proxy M3
ET MALWARE IcedID CnC Domain in DNS Lookup (vrondafarih .com)
ET MALWARE Observed IcedID Domain (vrondafarih .com in TLS SNI)
ET MALWARE PennyWise Stealer Data Exfil M4
ET MALWARE Pupy DNS Request with SPI M1
ET MALWARE Pupy DNS Request with SPI M2
ET MALWARE Pupy DNS Request with SPI M3
ET MALWARE Pupy DNS Request with SPI M4
ET MALWARE Pupy DNS Request without SPI M1
ET MALWARE Pupy DNS Request without SPI M2
ET MALWARE Pupy DNS Request without SPI M3
ET MALWARE Pupy DNS Request without SPI M4
ET MALWARE WikiLoader Activity M1 (GET)
ET MALWARE WikilLoader Activity M1 (Response)
ET MALWARE WikilLoader Activity M2 (Response)
ET MALWARE WikiLoader Activity M3 (Response)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (polaris-bios-editor .ru)
ET MALWARE WikiLoader Activity M2 (GET)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (overdriventool .ru)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (atiflash .ru)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (balena-etcher .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (evga-precision .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (nvidiainspector .ru)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (ryzen-master .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (btc-tools .ru)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (more-power-tool .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (sapphiretrixx .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (clockgen64 .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (srbpolaris .ru)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (nvflash .ru)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (techpowerup-gpu-z .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (riva-tuner .com)
ET MALWARE Win32/Trojan.Fruity Domain in DNS Lookup (atikmdagpatcher .com)
ET MALWARE Win32/Trojan.Fruity Domain (polaris-bios-editor .ru) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (overdriventool .ru) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (atiflash .ru) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (balena-etcher .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (evga-precision .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (nvidiainspector .ru) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (ryzen-master .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (more-power-tool .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (btc-tools .ru) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (sapphiretrixx .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (clockgen64 .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (nvflash .ru) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (srbpolaris .ru) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (techpowerup-gpu-z .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (riva-tuner .com) in TLS SNI
ET MALWARE Win32/Trojan.Fruity Domain (atikmdagpatcher .com) in TLS SNI
ET MALWARE Win32/OriginLoader CnC Checkin
ET MALWARE MacOS/Realst CnC Checkin
ET MALWARE IcedID CnC Domain in DNS Lookup (mineskateroff .com)
ET MALWARE Observed IcedID Domain (mineskateroff .com in TLS SNI)
ET MALWARE Possible Raspberry Robin Activity (GET) M3
ET MALWARE Bahamut APT Group CnC Domain in DNS Lookup (laborer-posted .nl)
ET MALWARE abubasbanditbot CnC Checkin
ET MALWARE Observed Bahamut APT Group Domain (laborer-posted .nl) in TLS SNI
ET MALWARE Earth Preta PUBLOAD Activity M1
ET MALWARE Bitter APT CHM CnC Activity (GET) M4
ET MALWARE IcedID CnC Domain in DNS Lookup (ultrafoks .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (pireltotus .com)
ET MALWARE Observed IcedID Domain (ultrafoks .com in TLS SNI)
ET MALWARE Observed IcedID Domain (pireltotus .com in TLS SNI)
ET MALWARE Suspected Donot Group Related Activity (POST)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .excluded .everyadpaysmefirst .com)
ET MALWARE Donot Group Related Activity (Response)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .excluded .everyadpaysmefirst .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (pireltotus .com)
ET MALWARE [ANY.RUN] PovertyStealer Check-In via TCP
ET MALWARE [ANY.RUN] PovertyStealer Exfiltration M1
ET MALWARE Redis-p2pinfect TLS Certificate Serial Number Observed in SSL Certificate
ET MALWARE [ANY.RUN] Phemedrone Stealer Exfiltration via Telegram
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (humorumbi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (aethionemaso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (bulot .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (alliumso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (baruta .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (nicsan .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (mojavebo .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (imbriumbi .ru)

ET MALWARE Gamaredon APT Related Domain in DNS Lookup (acaenaso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (bolonna .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (alceaso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (acanthusso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (butoza .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (patrios .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (acorusso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (buritoc .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (achilleaso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (wadibo .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (anguisbi .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (saharabo .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (cresozoq .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (alismaso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (wahibabo .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (adiantumso .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (tolofa .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (rogac .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (cupata .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (macda .ru)
ET MALWARE Gamaredon APT Related Domain in DNS Lookup (aconitumso .ru)
ET MALWARE 8Base Ransomware Domain in DNS Lookup (dexblog45 .xyz)
ET MALWARE 8Base Ransomware Domain in DNS Lookup (sentrex219 .xyz)
ET MALWARE DNS Query for TA401 Controlled Domain (cryptoanalyzetech .com)
ET MALWARE Win32/Agniane Stealer CnC Exfil (POST)
ET MALWARE Observed TA401 Related Domain in TLS SNI
ET MALWARE Observed Gamaredon APT Related Domain (achilleaso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (wadibo .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (wahibabo .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (anguisbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (adiantumso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (bolonna .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (acaenaso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (cresozoq .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (butoza .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (acanthusso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (alceaso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (macda .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (saharabo .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (nicsan .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (mojavebo .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (alliumso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (aethionemaso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (buritoc .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (rogac .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (cupata .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (patrios .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (acorusso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (alismaso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (humorumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (baruta .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (imbriumbi .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (tolofa .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (aconitumso .ru in TLS SNI)
ET MALWARE Observed Gamaredon APT Related Domain (bulot .ru in TLS SNI)
ET MALWARE [ANY.RUN] Parallax RAT Check-In
ET MALWARE Reptile Rootkit Default TCP Magic Packet Trigger
ET MALWARE Reptile Rootkit Default UDP Magic Packet Trigger
ET MALWARE TA446 Domain in DNS Lookup (directdocumentgate .com)
ET MALWARE Reptile Rootkit Default ICMP Magic Packet Trigger
ET MALWARE TA446 Domain in DNS Lookup (storagewarden .com)
ET MALWARE TA446 Domain in DNS Lookup (commandentrance .com)
ET MALWARE TA446 Domain in DNS Lookup (clouddefsystems .com)
ET MALWARE TA446 Domain in DNS Lookup (sourcedoorway .com)
ET MALWARE TA446 Domain in DNS Lookup (controlgatestorage .com)
ET MALWARE TA446 Domain in DNS Lookup (pdfdirectglobal .com)
ET MALWARE TA446 Domain in DNS Lookup (configuregatewayglobal .com)
ET MALWARE TA446 Domain in DNS Lookup (storageinfogate .com)
ET MALWARE TA446 Domain in DNS Lookup (yourdirectinfospace .com)
ET MALWARE TA446 Domain in DNS Lookup (shortinfoonline .com)
ET MALWARE TA446 Domain in DNS Lookup (gawecryptoinfosolutions .com)
ET MALWARE TA446 Domain in DNS Lookup (sourcedoorways .com)

ET MALWARE TA446 Domain in DNS Lookup (bittechllc .net)
ET MALWARE TA446 Domain in DNS Lookup (entrywaycenter .com)
ET MALWARE TA446 Domain in DNS Lookup (shielditlabel .com)
ET MALWARE TA446 Domain in DNS Lookup (storagecryptogate .com)
ET MALWARE TA446 Domain in DNS Lookup (itgatestorage .com)
ET MALWARE TA446 Domain in DNS Lookup (managercodepro .com)
ET MALWARE TA446 Domain in DNS Lookup (realeasyconfiguregateway .com)
ET MALWARE TA446 Domain in DNS Lookup (intelligencerepository .com)
ET MALWARE TA446 Domain in DNS Lookup (safetydocsgateway .com)
ET MALWARE TA446 Domain in DNS Lookup (stateinfospace .com)
ET MALWARE TA446 Domain in DNS Lookup (gateinfosecure .com)
ET MALWARE TA446 Domain in DNS Lookup (transfer-dns .com)
ET MALWARE TA446 Domain in DNS Lookup (secureglobaltele .com)
ET MALWARE TA446 Domain in DNS Lookup (truncstorage .com)
ET MALWARE TA446 Domain in DNS Lookup (yourspaceprotector .com)
ET MALWARE TA446 Domain in DNS Lookup (prodefendme .com)
ET MALWARE TA446 Domain in DNS Lookup (infostorageroute .com)
ET MALWARE TA446 Domain in DNS Lookup (documentdirectllc .com)
ET MALWARE TA446 Domain in DNS Lookup (prokeeperit .com)
ET MALWARE TA446 Domain in DNS Lookup (itinfogate .com)
ET MALWARE TA446 Domain in DNS Lookup (webgateway .ru)
ET MALWARE TA446 Domain in DNS Lookup (datastoragecrypto .com)
ET MALWARE TA446 Domain in DNS Lookup (directexpressgateway .com)
ET MALWARE TA446 Domain in DNS Lookup (cloudcpanelhost .com)
ET MALWARE TA446 Domain in DNS Lookup (myittechnext .com)
ET MALWARE TA446 Domain in DNS Lookup (skycithereforeit .com)
ET MALWARE TA446 Domain in DNS Lookup (definform .com)
ET MALWARE TA446 Domain in DNS Lookup (myitappnext .com)
ET MALWARE TA446 Domain in DNS Lookup (oneinformationcrypto .com)
ET MALWARE TA446 Domain in DNS Lookup (webgatewayenter .com)
ET MALWARE TA446 Domain in DNS Lookup (computingtechstudio .com)
ET MALWARE TA446 Domain in DNS Lookup (solutionsseccloud .com)
ET MALWARE TA446 Domain in DNS Lookup (meshgoin .com)
ET MALWARE TA446 Domain in DNS Lookup (gatewayitsol .com)
ET MALWARE TA446 Domain in DNS Lookup (controlstoragesolutions .com)
ET MALWARE TA446 Domain in DNS Lookup (cryptdatagate .com)
ET MALWARE TA446 Domain in DNS Lookup (storagekeeperinfopro .com)
ET MALWARE TA446 Domain in DNS Lookup (incappcloud .com)
ET MALWARE TA446 Domain in DNS Lookup (directdocumentgateway .com)
ET MALWARE TA446 Domain in DNS Lookup (gatestoragetech .com)
ET MALWARE TA446 Domain in DNS Lookup (storagecryptoweb .com)
ET MALWARE TA446 Domain in DNS Lookup (cryptothistech .com)
ET MALWARE TA446 Domain in DNS Lookup (controlsstoragedirect .com)
ET MALWARE TA446 Domain in DNS Lookup (pdfsecxcloudroute .com)
ET MALWARE TA446 Domain in DNS Lookup (serverguarditweb .com)
ET MALWARE TA446 Domain in DNS Lookup (gatewaydocsint .com)
ET MALWARE TA446 Domain in DNS Lookup (storagetruncservices .com)
ET MALWARE TA446 Domain in DNS Lookup (gatecryptospace .com)
ET MALWARE TA446 Domain in DNS Lookup (infogatestorage .com)
ET MALWARE TA446 Domain in DNS Lookup (cloudrootstorage .com)
ET MALWARE TA446 Domain in DNS Lookup (informationswitchsystems .com)
ET MALWARE TA446 Domain in DNS Lookup (computertechdirectsystems .com)
ET MALWARE TA446 Domain in DNS Lookup (threatcenterofreaserch .com)
ET MALWARE TA446 Domain in DNS Lookup (po .vatangate .com)
ET MALWARE TA446 Domain in DNS Lookup (suppdatacent .com)
ET MALWARE TA446 Domain in DNS Lookup (directstoragegate .com)
ET MALWARE TA446 Domain in DNS Lookup (protectordocumentcenter .com)
ET MALWARE TA446 Domain in DNS Lookup (datagatellc .com)
ET MALWARE TA446 Domain in DNS Lookup (getinfostarter .com)
ET MALWARE TA446 Domain in DNS Lookup (cryptotechdirect .com)
ET MALWARE TA446 Domain in DNS Lookup (storagerootconnect .com)
ET MALWARE TA446 Domain in DNS Lookup (gatewayrecord .com)
ET MALWARE TA446 Domain in DNS Lookup (documentdirectto .com)
ET MALWARE TA446 Domain in DNS Lookup (keepitlabgroup .com)
ET MALWARE TA446 Domain in DNS Lookup (infocryptogate .com)
ET MALWARE TA446 Domain in DNS Lookup (docsinfogate .com)
ET MALWARE TA446 Domain in DNS Lookup (networkgoin .com)
ET MALWARE TA446 Domain in DNS Lookup (deskactivitygm .com)
ET MALWARE TA446 Domain in DNS Lookup (storagekeeperinfotech .com)
ET MALWARE TA446 Domain in DNS Lookup (checkscreenit .com)
ET MALWARE TA446 Domain in DNS Lookup (datagatewayglobal .com)
ET MALWARE TA446 Domain in DNS Lookup (webinterstellar .com)
ET MALWARE TA446 Domain in DNS Lookup (informationcoindata .com)
ET MALWARE TA446 Domain in DNS Lookup (protectedviews .com)
ET MALWARE TA446 Domain in DNS Lookup (realitsolutionprimary .com)
ET MALWARE TA446 Domain in DNS Lookup (gateblurbrepository .com)
ET MALWARE TA446 Domain in DNS Lookup (centeritdefcity .com)
ET MALWARE TA446 Domain in TLS SNI (directdocumentgate .com)
ET MALWARE TA446 Domain in TLS SNI (storagewarden .com)
ET MALWARE TA446 Domain in TLS SNI (commandentrance .com)
ET MALWARE TA446 Domain in TLS SNI (clouddefsystems .com)
ET MALWARE TA446 Domain in TLS SNI (sourcedoorway .com)
ET MALWARE TA446 Domain in TLS SNI (pdfdirectglobal .com)
ET MALWARE TA446 Domain in TLS SNI (controlgatestorage .com)
ET MALWARE TA446 Domain in TLS SNI (configuregatewayglobal .com)
ET MALWARE TA446 Domain in TLS SNI (storageinfogate .com)
ET MALWARE TA446 Domain in TLS SNI (yourdirectinfospace .com)
ET MALWARE TA446 Domain in TLS SNI (shortinfoonline .com)
ET MALWARE TA446 Domain in TLS SNI (gawecryptoinfosolutions .com)
ET MALWARE TA446 Domain in TLS SNI (sourcedoorways .com)
ET MALWARE TA446 Domain in TLS SNI (bittechllc .net)
ET MALWARE TA446 Domain in TLS SNI (entrywaycenter .com)
ET MALWARE TA446 Domain in TLS SNI (shielditlabel .com)
ET MALWARE TA446 Domain in TLS SNI (storagecryptogate .com)

284 of 382 2024-03-01, 14:05
ET MALWARE TA446 Domain in TLS SNI (itgatestorage .com)
ET MALWARE TA446 Domain in TLS SNI (managercodepro .com)
ET MALWARE TA446 Domain in TLS SNI (realeasyconfiguregateway .com)
ET MALWARE TA446 Domain in TLS SNI (intelligencerepository .com)
ET MALWARE TA446 Domain in TLS SNI (stateinfospace .com)
ET MALWARE TA446 Domain in TLS SNI (safetydocsgateway .com)
ET MALWARE TA446 Domain in TLS SNI (gateinfosecure .com)
ET MALWARE TA446 Domain in TLS SNI (transfer-dns .com)
ET MALWARE TA446 Domain in TLS SNI (secureglobaltele .com)
ET MALWARE TA446 Domain in TLS SNI (truncstorage .com)
ET MALWARE TA446 Domain in TLS SNI (yourspaceprotector .com)
ET MALWARE TA446 Domain in TLS SNI (prodefendme .com)
ET MALWARE TA446 Domain in TLS SNI (infostorageroute .com)
ET MALWARE TA446 Domain in TLS SNI (documentdirectllc .com)
ET MALWARE TA446 Domain in TLS SNI (prokeeperit .com)
ET MALWARE TA446 Domain in TLS SNI (itinfogate .com)
ET MALWARE TA446 Domain in TLS SNI (webgateway .ru)
ET MALWARE TA446 Domain in TLS SNI (datastoragecrypto .com)
ET MALWARE TA446 Domain in TLS SNI (directexpressgateway .com)
ET MALWARE TA446 Domain in TLS SNI (cloudcpanelhost .com)
ET MALWARE TA446 Domain in TLS SNI (myittechnext .com)
ET MALWARE TA446 Domain in TLS SNI (skycithereforeit .com)
ET MALWARE TA446 Domain in TLS SNI (definform .com)
ET MALWARE TA446 Domain in TLS SNI (myitappnext .com)
ET MALWARE TA446 Domain in TLS SNI (oneinformationcrypto .com)
ET MALWARE TA446 Domain in TLS SNI (webgatewayenter .com)
ET MALWARE TA446 Domain in TLS SNI (solutionsseccloud .com)
ET MALWARE TA446 Domain in TLS SNI (computingtechstudio .com)
ET MALWARE TA446 Domain in TLS SNI (meshgoin .com)
ET MALWARE TA446 Domain in TLS SNI (gatewayitsol .com)
ET MALWARE TA446 Domain in TLS SNI (controlstoragesolutions .com)
ET MALWARE TA446 Domain in TLS SNI (cryptdatagate .com)
ET MALWARE TA446 Domain in TLS SNI (storagekeeperinfopro .com)
ET MALWARE TA446 Domain in TLS SNI (incappcloud .com)
ET MALWARE TA446 Domain in TLS SNI (directdocumentgateway .com)
ET MALWARE TA446 Domain in TLS SNI (gatestoragetech .com)
ET MALWARE TA446 Domain in TLS SNI (storagecryptoweb .com)
ET MALWARE TA446 Domain in TLS SNI (cryptothistech .com)
ET MALWARE TA446 Domain in TLS SNI (pdfsecxcloudroute .com)
ET MALWARE TA446 Domain in TLS SNI (controlsstoragedirect .com)
ET MALWARE TA446 Domain in TLS SNI (serverguarditweb .com)
ET MALWARE TA446 Domain in TLS SNI (gatewaydocsint .com)
ET MALWARE TA446 Domain in TLS SNI (gatecryptospace .com)
ET MALWARE TA446 Domain in TLS SNI (storagetruncservices .com)
ET MALWARE TA446 Domain in TLS SNI (infogatestorage .com)
ET MALWARE TA446 Domain in TLS SNI (cloudrootstorage .com)
ET MALWARE TA446 Domain in TLS SNI (informationswitchsystems .com)
ET MALWARE TA446 Domain in TLS SNI (computertechdirectsystems .com)
ET MALWARE TA446 Domain in TLS SNI (threatcenterofreaserch .com)
ET MALWARE TA446 Domain in TLS SNI (po .vatangate .com)
ET MALWARE TA446 Domain in TLS SNI (suppdatacent .com)
ET MALWARE TA446 Domain in TLS SNI (directstoragegate .com)
ET MALWARE TA446 Domain in TLS SNI (protectordocumentcenter .com)
ET MALWARE TA446 Domain in TLS SNI (datagatellc .com)
ET MALWARE TA446 Domain in TLS SNI (getinfostarter .com)
ET MALWARE TA446 Domain in TLS SNI (cryptotechdirect .com)
ET MALWARE TA446 Domain in TLS SNI (gatewayrecord .com)
ET MALWARE TA446 Domain in TLS SNI (storagerootconnect .com)
ET MALWARE TA446 Domain in TLS SNI (documentdirectto .com)
ET MALWARE TA446 Domain in TLS SNI (keepitlabgroup .com)
ET MALWARE TA446 Domain in TLS SNI (infocryptogate .com)
ET MALWARE TA446 Domain in TLS SNI (docsinfogate .com)
ET MALWARE TA446 Domain in TLS SNI (networkgoin .com)
ET MALWARE TA446 Domain in TLS SNI (deskactivitygm .com)
ET MALWARE TA446 Domain in TLS SNI (checkscreenit .com)
ET MALWARE TA446 Domain in TLS SNI (storagekeeperinfotech .com)
ET MALWARE TA446 Domain in TLS SNI (datagatewayglobal .com)
ET MALWARE TA446 Domain in TLS SNI (webinterstellar .com)
ET MALWARE TA446 Domain in TLS SNI (informationcoindata .com)
ET MALWARE TA446 Domain in TLS SNI (protectedviews .com)
ET MALWARE TA446 Domain in TLS SNI (realitsolutionprimary .com)
ET MALWARE TA446 Domain in TLS SNI (gateblurbrepository .com)
ET MALWARE TA446 Domain in TLS SNI (centeritdefcity .com)
ET MALWARE Win32/Agniane Stealer CnC Exfil (POST) M2
ET MALWARE MacOS/RustBucket System Information Exfiltration Attempt
ET MALWARE Win32/Unknown Stealer CnC Exfil (POST)
ET MALWARE MacOS/RustBucket CnC Domain in DNS Lookup (autodynamics .work .gd)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .timeline .transversallearning .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .timeline .transversallearning .com)
ET MALWARE Filez Downloader Checkin
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET MALWARE Win32/Amadey Payload Request (GET) M1
ET MALWARE Win32/Amadey Payload Request (GET) M2
ET MALWARE MacOS/Adload CnC Beacon
ET MALWARE MacOS/Adload Proxy Node Beacon
ET MALWARE MacOS/Adload Proxy Node Response
ET MALWARE Suspected Bitter Elephant APT Related Activity (GET)
ET MALWARE APT29 CnC Domain in DNS Lookup (sgrhf .org .pk)
ET MALWARE APT29 CnC Domain in DNS Lookup (toyy .zulipchat .com)
ET MALWARE APT29 CnC Domain in DNS Lookup (edenparkweddings .com)
ET MALWARE Observed APT29 Domain (sgrhf .org .pk) in TLS SNI
ET MALWARE Observed APT29 Domain (toyy .zulipchat .com) in TLS SNI
ET MALWARE Observed APT29 Domain (edenparkweddings .com) in TLS SNI
ET MALWARE APT29 Duke Variant Malware CnC Checkin Observed
ET MALWARE APT29 HTA Dropper Checkin Observed
ET MALWARE JanelaRAT CnC Checkin Observed
ET MALWARE QwixxRAT - Telegram CnC Checkin
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .photo .beyoudcor .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .photo .beyoudcor .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .workout .oystergardener .net)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .workout .oystergardener .net)
ET MALWARE [ANY.RUN] Win32/RootTeam Stealer Related User-Agent
ET MALWARE [ANY.RUN] Win32/RootTeam Stealer CnC Exfil M3
ET MALWARE Malicious Powershell Activity (GET)
ET MALWARE Python Stealer/Clipper Related Domain in DNS Lookup (kekwltd .ru)
ET MALWARE Observed Python Stealer/Clipper Related Domain (kekwltd .ru in TLS SNI)
ET MALWARE Spark RAT CnC Checkin (POST)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .brioche-amsterdam .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .qhsbobfv .top)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .mommachic .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .hatch .computer)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .nationalrecoveryllc .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .spv88 .online)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .raveready .shop)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .activ-ketodietakjsy620 .cloud)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .lushespets .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .qq9122 .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .corkagenexus .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .growind .info)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .kiavisa .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .akrsnamchi .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .pinksugarpopmontana .com)
ET MALWARE MacOS/XLOADER Domain in DNS Lookup (www .switchmerge .com)
ET MALWARE Carderbee APT Related Activity
ET MALWARE Win32/NewsRat CnC Exfil via Telegram (POST)
ET MALWARE LNK/Unknown Downloader CnC Checkin (POST)
ET MALWARE Commonly Abused Domain in DNS Lookup (gk-stst .ru)
ET MALWARE [ANY.RUN] Mekotio Banking Trojan TCP Request
ET MALWARE Suspected TA430/Andariel CollectionRAT Related Activity (GET)
ET MALWARE Observed DNS Query to TA444 Domain
ET MALWARE Observed DNS Query to TA444 Domain
ET MALWARE Observed TA444 Domain in TLS SNI
ET MALWARE Observed TA444 Domain in TLS SNI
ET MALWARE Win32/CosmicRust TA444 CnC Activity (GET)
ET MALWARE Agent Tesla Reverse Base64 Encoded MZ In Image
ET MALWARE Base64 Encoded MZ In Image
ET MALWARE ZenRAT Ping Command
ET MALWARE ZenRAT CnC OK Response
ET MALWARE ZenRAT Get Status Command
ET MALWARE ZenRAT Status Response
ET MALWARE ZenRAT Change Status Command
ET MALWARE ZenRAT Request Module Command
ET MALWARE ZenRAT Request Module CnC Response
ET MALWARE ZenRAT Update Command
ET MALWARE ZenRAT Update CnC Response (Already Actual)
ET MALWARE ZenRAT Tasking Command
ET MALWARE ZenRAT Tasking CnC Response M1
ET MALWARE ZenRAT Tasking CnC Response M2
ET MALWARE IcedID CnC Domain in DNS Lookup (manderatapple .com)
ET MALWARE Observed IcedID Domain (manderatapple .com in TLS SNI)
ET MALWARE Glupteba CnC Domain in DNS Lookup (dazhiruoyu .org)
ET MALWARE Observed Glupteba Domain (dazhiruoyu .org in TLS SNI)
ET MALWARE Win32/Steallerium Stealer Data Exfil via Telegram (POST)
ET MALWARE [ANY.RUN] TheBoxClipper (addbild)
ET MALWARE [ANY.RUN] TheBoxClipper CnC Activity (getkeys)
ET MALWARE [ANY.RUN] TheBoxClipper (updatebildchange)
ET MALWARE SocGholish Domain in DNS Lookup (assay .porchlightcommunity .org)
ET MALWARE SocGholish Domain in TLS SNI (assay .porchlightcommunity .org)
ET MALWARE IcedID CnC Domain in DNS Lookup (ewacootili .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (oopscokir .com)
ET MALWARE Observed IcedID Domain (ewacootili .com in TLS SNI)
ET MALWARE Observed IcedID Domain (oopscokir .com in TLS SNI)
ET MALWARE TA409 Related DNS Lookup (navercorp .ru)
ET MALWARE Observed TA409 Related Domain (navercorp .ru in TLS SNI)
ET MALWARE LNK/Konni APT CnC Checkin (GET)
ET MALWARE Raspberry Robin CnC Domain in DNS Lookup (w0 .pm)
ET MALWARE Observed Raspberry Robin Domain (w0 .pm in TLS SNI)
ET MALWARE SocGholish Domain in DNS Lookup (standard .architech3 .com)
ET MALWARE SocGholish Domain in TLS SNI (standard .architech3 .com)
ET MALWARE UAC-0173 Related Domain in DNS Lookup (filetransrediremin .com)
ET MALWARE UAC-0173 Related Domain in DNS Lookup (minijusfil .com)
ET MALWARE Observed UAC-0173 Related Domain (minijusfil .com in TLS SNI)
ET MALWARE Observed UAC-0173 Related Domain (filetransrediremin .com in TLS SNI)
ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)
ET MALWARE TA444 CnC Domain in DNS Lookup (datasend .fun)
ET MALWARE TA444 CnC Domain in DNS Lookup (cryptowave .capital)
ET MALWARE TA444 CnC Domain in DNS Lookup (trustmeeting .online)
ET MALWARE TA444 CnC Domain in DNS Lookup (ubi-safemeeting .online)
ET MALWARE TA444 CnC Domain in DNS Lookup (ubi-safemeeting .live)
ET MALWARE TA444 CnC Domain in DNS Lookup (video-meet .xyz)
ET MALWARE TA444 CnC Domain in DNS Lookup (internal-meeting .online)
ET MALWARE Observed TA444 Domain (trustmeeting .online in TLS SNI)
ET MALWARE Observed TA444 Domain (ubi-safemeeting .live in TLS SNI)
ET MALWARE Observed TA444 Domain (video-meet .xyz in TLS SNI)
ET MALWARE Observed TA444 Domain (internal-meeting .online in TLS SNI)
ET MALWARE Observed TA444 Domain (ubi-safemeeting .online in TLS SNI)
ET MALWARE Observed TA444 Domain (cryptowave .capital in TLS SNI)
ET MALWARE Observed TA444 Domain (datasend .fun in TLS SNI)
ET MALWARE [ANY.RUN] Echida Botnet Check-In M1
ET MALWARE [ANY.RUN] Echida Botnet Check-In M2
ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com)
ET MALWARE Observed CoinMiner Domain (pool .supportxmr .com in TLS SNI)
ET MALWARE Epsilon Stealer CnC Domain in DNS Lookup (epsilon1337 .com)
ET MALWARE Observed Epsilon Stealer Domain (epsilon1337 .com) in TLS SNI
ET MALWARE Win32/Bumblebee Loader Checkin Activity (set)
ET MALWARE Win32/Bumblebee Loader Checkin Activity
ET MALWARE Malicious Debugging Application Related Domain in DNS Lookup (dbgsymbol .com)
ET MALWARE Observed Malicious Debugging Application Related Domain (dbgsymbol .com in TLS SNI)
ET MALWARE Malicious Debugging Application Related Domain in DNS Lookup (blgbeach .com)
ET MALWARE Observed Malicious Debugging Application Related Domain (blgbeach .com in TLS SNI)
ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M1
ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M2
ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M3
ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M4
ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M5
ET MALWARE Red Wolf/RedCurl Payload Retrieval Attempt M6
ET MALWARE Red Wolf/RedCurl Implant Checkin
ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (msftcloud .click)
ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (servicehost .click)
ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (amscloudhost .com)
ET MALWARE Red Wolf/RedCurl Domain (servicehost .click) in TLS SNI
ET MALWARE Red Wolf/RedCurl Domain (amscloudhost .com) in TLS SNI
ET MALWARE Red Wolf/RedCurl Domain (msftcloud .click) in TLS SNI
ET MALWARE Atomic macOS (AMOS) Stealer Payload Delivery Domain in DNS Lookup (trabingviews .com)
ET MALWARE Atomic macOS (AMOS) Stealer Payload Delivery Domain in DNS Lookup (xn--tradgsvews-0ubd3y .com)
ET MALWARE Atomic macOS (AMOS) Stealer Payload Delivery Domain in DNS Lookup (app-downloads .org)
ET MALWARE Observed Atomic macOS (AMOS) Stealer Payload Deliver Domain (trabingviews .com) in TLS SNI
ET MALWARE Observed Atomic macOS (AMOS) Stealer Payload Deliver Domain (xn--tradgsvews-0ubd3y .com) in TLS SNI
ET MALWARE Observed Atomic macOS (AMOS) Stealer Payload Deliver Domain (app-downloads .org) in TLS SNI
ET MALWARE SocGholish Domain in DNS Lookup (ghost .blueecho88 .com)
ET MALWARE SocGholish Domain in TLS SNI (ghost .blueecho88 .com)
ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (eap .byethost10 .com)
ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (tdnmouse .atspace .eu)
ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (buyhighroad .scienceontheweb .net)
ET MALWARE Red Wolf/RedCurl Domain in DNS Lookup (earthmart .c1 .biz)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .2023 .ebeenj .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .2023 .ebeenj .com)
ET MALWARE DNS Query to TA444 Domain (updatecheck .store)
ET MALWARE DNS Query to TA444 Domain (updatecheck .site)
ET MALWARE DNS Query to TA444 Domain (antiviruscheck .store)
ET MALWARE DNS Query to TA444 Domain (waitingfor .cfd)
ET MALWARE DNS Query to TA444 Domain (antifirmware .store)
ET MALWARE DNS Query to TA444 Domain (alwayswait .site)
ET MALWARE DNS Query to TA444 Domain (unbelievableresult .site)
ET MALWARE DNS Query to TA444 Domain (antiviruscheck .site)
ET MALWARE DNS Query to TA444 Domain (remoteproweb .cfd)
ET MALWARE DNS Query to TA444 Domain (auditprovidre .store)
ET MALWARE DNS Query to TA444 Domain (alwayswait .online)
ET MALWARE DNS Query to TA444 Domain (auditprovidre .site)
ET MALWARE DNS Query to TA444 Domain (antifirmware .site)
ET MALWARE DNS Query to TA444 Domain (auditprovidre .online)
ET MALWARE DNS Query to TA444 Domain (unbelievableresult .store)
ET MALWARE DNS Query to TA444 Domain (systemupdate .site)
ET MALWARE DNS Query to TA444 Domain (newcoming .cfd)
ET MALWARE DNS Query to TA444 Domain (systemupdate .store)
ET MALWARE DNS Query to TA444 Domain (antifirmware .online)
ET MALWARE Observed TA444 Domain (updatecheck .store in TLS SNI)
ET MALWARE Observed TA444 Domain (updatecheck .site in TLS SNI)
ET MALWARE Observed TA444 Domain (antiviruscheck .store in TLS SNI)
ET MALWARE Observed TA444 Domain (waitingfor .cfd in TLS SNI)
ET MALWARE Observed TA444 Domain (antifirmware .store in TLS SNI)
ET MALWARE Observed TA444 Domain (alwayswait .site in TLS SNI)
ET MALWARE Observed TA444 Domain (unbelievableresult .site in TLS SNI)
ET MALWARE Observed TA444 Domain (antiviruscheck .site in TLS SNI)
ET MALWARE Observed TA444 Domain (remoteproweb .cfd in TLS SNI)
ET MALWARE Observed TA444 Domain (auditprovidre .store in TLS SNI)
ET MALWARE Observed TA444 Domain (alwayswait .online in TLS SNI)
ET MALWARE Observed TA444 Domain (auditprovidre .site in TLS SNI)
ET MALWARE Observed TA444 Domain (auditprovidre .online in TLS SNI)
ET MALWARE Observed TA444 Domain (antifirmware .site in TLS SNI)
ET MALWARE Observed TA444 Domain (unbelievableresult .store in TLS SNI)
ET MALWARE Observed TA444 Domain (systemupdate .site in TLS SNI)
ET MALWARE Observed TA444 Domain (systemupdate .store in TLS SNI)
ET MALWARE Observed TA444 Domain (newcoming .cfd in TLS SNI)
ET MALWARE Observed TA444 Domain (antifirmware .online in TLS SNI)
ET MALWARE TA406 Related Domain in DNS Lookup
ET MALWARE Observed TA406 Related Domain in TLS SNI
ET MALWARE TA406 Related Activity (GET)
ET MALWARE Reptile Linux LKM Rootkit Backdoor Activity
ET MALWARE Win32/Chifrax.a CnC Exfil via TCP
ET MALWARE Free Download Manager Backdoor Domain in DNS Lookup (fdmpkg .org)
ET MALWARE Redfly APT Shadowpad Backdoor Domain in DNS Lookup (websencl .com)
ET MALWARE Darkgate Stealer CnC Checkin
ET MALWARE Invoke-Phant0m Payload Request (GET)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Check-In
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
ET MALWARE DarkGate CnC Domain in DNS Lookup (zochao .com)
ET MALWARE Observed DarkGate Domain (zochao .com in TLS SNI)
ET MALWARE DarkGate AutoIt Downloader
ET MALWARE DCRAT CnC Domain in DNS Lookup (akamaitechcdns .com)
ET MALWARE Atomic MacOS Stealer CnC Domain in DNS Lookup (maybe .host)
ET MALWARE Observed Atomic MacOS Stealer Domain (maybe .host in TLS SNI)
ET MALWARE Atomic MacOS Stealer CnC Exfil (POST)
ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup
ET MALWARE Earth Lusca/SprySOCKS CnC Domain in DNS Lookup
ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup
ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup
ET MALWARE Transparent Tribe/CapraRAT CnC Domain in DNS Lookup
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .layout .oystergardens .us)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .layout .oystergardens .us)
ET MALWARE Suspected Periscope Framework Agent Related Activity
ET MALWARE TA427 Suspected ReconShark Related Response (Inbound)
ET MALWARE Earth Lusca/SprySOCKS CnC Checkin
ET MALWARE Win32/Gh0stRat C2 Checkin
ET MALWARE Win32/Gh0stRat C2 Response (X11 SelectionNotify)
ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)
ET MALWARE DNS Query to TA444 Domain (swissborg .blog)
ET MALWARE DNS Query to TA444 Domain (doc .apple .com .premienoe .aidl .eonw .line .pm)
ET MALWARE DNS Query to TA444 Domain (pre .alwayswait .site)
ET MALWARE DNS Query to TA444 Domain (tp-globa .xyz)
ET MALWARE Observed TA444 Domain (swissborg .blog) in TLS SNI
ET MALWARE Observed TA444 Domain (doc .apple .com .premienoe .aidl .eonw .line .pm) in TLS SNI
ET MALWARE Observed TA444 Domain (pre .alwayswait .site) in TLS SNI
ET MALWARE Observed TA444 Domain (tp-globa .xyz) in TLS SNI
ET MALWARE SocGholish Domain in DNS Lookup (cpanel .gtiyeshua .com)
ET MALWARE SocGholish Domain in TLS SNI (cpanel .gtiyeshua .com)
ET MALWARE Sandman APT LuaDream Backdoor Domain in DNS Lookup (ssl .explorecell .com)
ET MALWARE Sandman APT LuaDream Backdoor Domain in DNS Lookup (mode .encagil .com)
ET MALWARE Observed Sandman APT LuaDream Backdoor Domain (ssl .explorecell .com) in TLS SNI
ET MALWARE Observed Sandman APT LuaDream Backdoor Domain (mode .encagil .com) in TLS SNI
ET MALWARE Stately Taurus APT Toneshell Backdoor Domain in DNS Lookup (www .uvfr43p .com)
ET MALWARE Stately Taurus APT Related Domain in DNS Lookup (Feed-5613 .coderformylife .info)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Response (2023-05-15)
ET MALWARE Win32/nstealer CnC Exfiltration (POST) M1
ET MALWARE Win32/nstealer CnC Exfiltration (POST) M2
ET MALWARE Possible OwlProxy activity M1
ET MALWARE Possible OwlProxy activity M2
ET MALWARE Possible OwlProxy activity M3
ET MALWARE Possible OwlProxy activity M4
ET MALWARE Possible OwlProxy activity M5
ET MALWARE Possible OwlProxy activity M6
ET MALWARE Possible ToneShell CnC Checkin M1
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE TA577 Style Request (2023-05-15)
ET MALWARE Ducktail Malware Related Domain in DNS Lookup (ductai .xyz)
ET MALWARE Observed Ducktail Malware Related Domain in TLS SNI (ductai .xyz)
ET MALWARE [ANY.RUN] Win32/EternityClipper CnC Activity (Successful Installation) (POST)
ET MALWARE [ANY.RUN] Win32/EternityClipper CnC Activity (Address Change) (POST)
ET MALWARE Possible ToneShell CnC Checkin M2
ET MALWARE Possible ToneShell CnC Checkin M3
ET MALWARE Alloy Taurus APT Zapoa Backdoor Activity
ET MALWARE Alloy Taurus Reshell Backdoor URI pattern Observed M1
ET MALWARE Alloy Taurus Reshell Backdoor URI pattern Observed M2
ET MALWARE IcedID CnC Domain in DNS Lookup (skrgerona .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (restohalto .site)
ET MALWARE IcedID CnC Domain in DNS Lookup (majzolimka .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (minutozhart .online)
ET MALWARE IcedID CnC Domain in DNS Lookup (awindakizend .com)
ET MALWARE Observed Malicious SSL Cert (Cobalt Strike)
ET MALWARE PeepingTitle Backdoor Related Activity
ET MALWARE TA444 MacOS/ProcessRequest CnC Checkin
ET MALWARE TA444 MacOS/ProcessRequest CnC Domain in DNS Lookup (swissborg .blog)
ET MALWARE Maldoc Sending Windows System Information (POST)
ET MALWARE Maldoc Sending Registration Information (GET)
ET MALWARE Lu0bot CnC Domain in DNS Lookup (hsh .juz09 .cfd)
ET MALWARE Lu0bot CnC Domain in DNS Lookup (apo .eus80 .fun)
ET MALWARE Lu0bot CnC Domain in DNS Lookup (bic .xdk03 .fun)
ET MALWARE Lu0bot CnC Domain in DNS Lookup (mko .tinh73 .shop)
ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M1
ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M2
ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M3
ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M4
ET MALWARE [ANY.RUN] Lu0bot-Style DNS Query in DNS Lookup M5
ET MALWARE AtlasAgent Activity (POST)
ET MALWARE AtlasAgent Activity (GET)
ET MALWARE IcedID CnC Domain in DNS Lookup (carsfootyelo .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (mestorycallin .com)
ET MALWARE Observed Glupteba Domain (ramboclub .net in TLS SNI)
ET MALWARE Win32/Agniane Stealer CnC Activity (GET) M1
ET MALWARE Win32/Agniane Stealer CnC Activity (GET) M2
ET MALWARE Win32/Agniane Stealer CnC Activity (GET) M3
ET MALWARE Akira Stealer CnC Domain in DNS Lookup (akira .red)
ET MALWARE Observed Akira Stealer Domain (akira .red) in TLS SNI
ET MALWARE Win32/Lumma Stealer Data Exfiltration in URI (GET)
ET MALWARE Observed BlackDolphin Ransomware Builder Cookie
ET MALWARE BlackDolphin Ransomware Builder Landing Page M2
ET MALWARE BlackDolphin Ransomware Builder Landing Page M3
ET MALWARE BlackDolphin Ransomware Builder Landing Page M4
ET MALWARE BlackDolphin Ransomware Builder Landing Page M1
ET MALWARE BunnyLoader - Initial CnC Checkin
ET MALWARE BunnyLoader Initial CnC Checkin Response
ET MALWARE BunnyLoader CnC Checkin - Retrieve Tasking
ET MALWARE BunnyLoader CnC Tasking Response
ET MALWARE BunnyLoader CnC Checkin - Echoer
ET MALWARE BunnyLoader CnC Checkin - Heartbeat
ET MALWARE BunnyLoader Heartbeat Acknowledgement
ET MALWARE BunnyLoader CnC Checkin - ResultCMD
ET MALWARE BunnyLoader Data Exfiltration Attempt
ET MALWARE LNK/Sherlock Stealer Host Process List Exfil (POST)
ET MALWARE LNK/Sherlock Stealer Payload Inbound
ET MALWARE Malicious Domain in DNS Lookup (jscloud .live)
ET MALWARE Malicious Domain in DNS Lookup (cloudjs .live)
ET MALWARE Malicious Domain in DNS Lookup (jscloud .ink)
ET MALWARE Malicious Domain in DNS Lookup (jscloud .biz)
ET MALWARE Malicious Domain in DNS Lookup (jscdn .biz)
ET MALWARE [ANY.RUN] Win32/Gh0stRat Activity
ET MALWARE [ANY.RUN] Win32/Gh0stRat Keep-Alive
ET MALWARE Observed Malicious Domain (jscloud .live in TLS SNI)
ET MALWARE Observed Malicious Domain (cloudjs .live in TLS SNI)
ET MALWARE Observed Malicious Domain (jscloud .ink in TLS SNI)
ET MALWARE Observed Malicious Domain (jscloud .biz in TLS SNI)
ET MALWARE Observed Malicious Domain (jscdn .biz in TLS SNI)
ET MALWARE DNS Query to Ursnif Domain (communicalink .com)
ET MALWARE Ursnif Payload Downloader Inbound
ET MALWARE DNS Query to Ursnif Domain (mifrutty .com)
ET MALWARE Observed Ursnif Domain (mifrutty .com in TLS SNI)
ET MALWARE Observed IcedID CnC Domain (mestorycallin .com in TLS SNI)
ET MALWARE Observed IcedID CnC Domain (carsfootyelo .com in TLS SNI)
ET MALWARE UAC-006 Domain in DNS Lookup (ukr-net-download-files-php-name .ru)
ET MALWARE UAC-006 Domain in TLS SNI (ukr-net-download-files-php-name .ru)
ET MALWARE SocGholish Domain in DNS Lookup (sommelier .peppertreecanyon .com)
ET MALWARE SocGholish Domain in TLS SNI (sommelier .peppertreecanyon .com)
ET MALWARE Darkgate Stealer CnC Checkin (POST)
ET MALWARE Cytrox Predator Spyware Related Domain in DNS Lookup
ET MALWARE Observed Cytrox Predator Spyware Related Domain (southchinapost .net in TLS SNI)
ET MALWARE Win32/MataDoor CnC Beacon Over UDP
ET MALWARE [ANY.RUN] DarkGate Check-In HTTP Header (POST)
ET MALWARE Win32/DarkWatchMan Checkin Activity (POST) M2
ET MALWARE Possible Win32/DarkWatchMan User Agent M2
ET MALWARE Possible Win32/DarkWatchMan User Agent M1
ET MALWARE DNS Query to Fake Chrome Landing Page (chromiumbase .site)
ET MALWARE DNS Query to Fake Chrome Landing Page (chromiumtxt .space)
ET MALWARE DNS Query to Fake Chrome Landing Page (chromiumlink .site)
ET MALWARE Observed Fake Chrome Landing Domain (chromiumbase .site in TLS SNI)
ET MALWARE Observed Fake Chrome Landing Domain (chromiumtxt .space in TLS SNI)
ET MALWARE Observed Fake Chrome Landing Domain (chromiumlink .site in TLS SNI)
ET MALWARE IcedID CnC Domain in DNS Lookup (abegelkunic .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (seedkraproboy .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (maufusjiop .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (joekairbos .com)
ET MALWARE IcedID CnC Domain in DNS Lookup (aptekoagraliy .com)
ET MALWARE Observed IcedID Domain (abegelkunic .com in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (statsexplorer .org in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (filesdumpplace .org in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (dumperstats .org in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (thestatsfiles .ru in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (realupdate .ru in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (parrotcare .net in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (mypushtimes .net in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (safarimexican .net in TLS SNI)
ET MALWARE Observed Glupteba CnC Domain (rentalhousezz .net in TLS SNI)
ET MALWARE Win32/Common RAT CnC Activity (GET)
ET MALWARE Win32/Common RAT Host Checkin (GET)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .result .garrettcountygranfondo .org)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .result .garrettcountygranfondo .org)
ET MALWARE TA401 Domain in DNS Lookup (isabeljwade .icu)
ET MALWARE TA401 Domain in DNS Lookup (francescatmorrison .icu)
ET MALWARE TA401 Domain in DNS Lookup (jayyburrows .icu)
ET MALWARE TA401 Domain in DNS Lookup (jessicakphillips .icu)
ET MALWARE TA401 Domain in TLS SNI (isabeljwade .icu)
ET MALWARE TA401 Domain in TLS SNI (francescatmorrison .icu)
ET MALWARE TA401 Domain in TLS SNI (jayyburrows .icu)
ET MALWARE TA401 Domain in TLS SNI (jessicakphillips .icu)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (alqassam .ps)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanps .top)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (hamrah .nikanps .top)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (modir .nikanps .top)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (admin .nikanps .top)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (user .nikanps .top)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .top)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (hz .nikanpsx .top)
ET MALWARE HAMAS affiliated Domain in DNS Lookup (nikanpsx .hopto .org)
ET MALWARE HAMAS affiliated Domain in TLS SNI (alqassam .ps)
ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanps .top)
ET MALWARE HAMAS affiliated Domain in TLS SNI (hamrah .nikanps .top)
ET MALWARE HAMAS affiliated Domain in TLS SNI (modir .nikanps .top)
ET MALWARE HAMAS affiliated Domain in TLS SNI (admin .nikanps .top)
ET MALWARE HAMAS affiliated Domain in TLS SNI (user .nikanps .top)
ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .top)
ET MALWARE HAMAS affiliated Domain in TLS SNI (nikanpsx .hopto .org)
ET MALWARE HAMAS affiliated Domain in TLS SNI (hz .nikanpsx .top)
ET MALWARE Fake Chrome Landing Domain Activity (chromiumbase .site)
ET MALWARE Fake Chrome Landing Domain Activity (chromiumtxt .space)
ET MALWARE Fake Chrome Landing Domain Activity (chromiumlink .site)
ET MALWARE IcedID Related Loader Domain in DNS Lookup
ET MALWARE Observed IcedID Loader Related Domain in TLS SNI
ET MALWARE IcedID Loader Related Domain in DNS Lookup
ET MALWARE Observed IcedID Related Loader Domain in TLS SNI
ET MALWARE IcedID Loader Related Domain in DNS Lookup
ET MALWARE Observed IcedID Loader Related Domain in TLS SNI
ET MALWARE IcedID Loader Related Domain in DNS Lookup
ET MALWARE Observed IcedID Loader Related Domain in TLS SNI
ET MALWARE Latrodectus Loader Related Activity (POST)
ET MALWARE PovertyStealer Exfiltration M3
ET MALWARE Golang Easy Stealer Activiy (POST)
ET MALWARE Golang Easy Stealer Activiy M2 (POST)
ET MALWARE Volt Typhoon User-Agent
ET MALWARE [ANY.RUN] PureLogs Stealer Data Exfiltration Attempt M1
ET MALWARE [ANY.RUN] PureLogs Stealer C2 Connection M2
ET MALWARE [ANY.RUN] PureLogs Stealer C2 Connection M1
ET MALWARE Win32/NewsRat CnC Response
ET MALWARE Suspected Bumblebee Loader Activity
ET MALWARE Possible Konni RAT Related Activity Observed
ET MALWARE Possible Konni RAT Domain in DNS Lookup (documentoffice .club)
ET MALWARE TA444 Domain in DNS Lookup (cisco-webex .online)
ET MALWARE TA444 Domain in DNS Lookup (internal .group .link-net .publicvm .com)
ET MALWARE TA444 Domain in DNS Lookup (video-meet .team)
ET MALWARE TA444 Domain in DNS Lookup (docshared .col-link .linkpc .net)
ET MALWARE TA444 Domain in DNS Lookup (on-global .xyz)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .pd .linkpc .net)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .ddns .net)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .deck .linkpc .net)
ET MALWARE TA444 Domain in DNS Lookup (indaddy .xyz)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .tech .linkpc .net)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .presentations .life)
ET MALWARE TA444 Domain in DNS Lookup (doc .global-link .run .place)
ET MALWARE TA444 Domain in DNS Lookup (internalpdfviewer .ddns .net)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .serveirc .com)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .zapto .org)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunch .im .linkpc .net)
ET MALWARE TA444 Domain in DNS Lookup (www .bitscrunch .co)
ET MALWARE TA444 Domain in DNS Lookup (bitscrunchtech .linkpc .net)
ET MALWARE TA444 Domain in DNS Lookup (voldemort .myvnc .com)
ET MALWARE TA444 Domain in DNS Lookup (document .shared-link .line .pm)
ET MALWARE TA444 Domain in DNS Lookup (nor-health .xyz)
ET MALWARE TA444 Domain in TLS SNI (cisco-webex .online)
ET MALWARE TA444 Domain in TLS SNI (video-meet .team)
ET MALWARE TA444 Domain in TLS SNI (internal .group .link-net .publicvm .com)
ET MALWARE TA444 Domain in TLS SNI (docshared .col-link .linkpc .net)
ET MALWARE TA444 Domain in TLS SNI (on-global .xyz)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .pd .linkpc .net)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .ddns .net)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .deck .linkpc .net)
ET MALWARE TA444 Domain in TLS SNI (indaddy .xyz)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .tech .linkpc .net)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .presentations .life)
ET MALWARE TA444 Domain in TLS SNI (doc .global-link .run .place)
ET MALWARE TA444 Domain in TLS SNI (internalpdfviewer .ddns .net)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .zapto .org)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .serveirc .com)
ET MALWARE TA444 Domain in TLS SNI (www .bitscrunch .co)
ET MALWARE TA444 Domain in TLS SNI (bitscrunch .im .linkpc .net)
ET MALWARE TA444 Domain in TLS SNI (voldemort .myvnc .com)
ET MALWARE TA444 Domain in TLS SNI (bitscrunchtech .linkpc .net)
ET MALWARE TA444 Domain in TLS SNI (nor-health .xyz)
ET MALWARE TA444 Domain in TLS SNI (document .shared-link .line .pm)
ET MALWARE Suspected TA404 SIGNBT Backdoor Activity (POST)
ET MALWARE Generic VBS Backdoor Sending Windows Information (POST)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (tp-globa .xyz)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (bitscrunnch .linkpc .net)
ET MALWARE Observed SockRacket/KANDYKORN Domain (tp-globa .xyz in TLS SNI)
ET MALWARE Observed SockRacket/KANDYKORN Domain (bitscrunnch .linkpc .net in TLS SNI)
ET MALWARE Malicious SockRacket/KANDYKORN SSL Certificate Detected
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (datasend .linkpc .net)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (coupang-networks .pics)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (docsendinfo .linkpc .net)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (exodus .linkpc .net)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (jobintro .linkpc .net)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (docsenddata .linkpc .net)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (bitscrunnch .run .place)
ET MALWARE DNS Query to SockRacket/KANDYKORN Domain (jobdescription .linkpc .net)
ET MALWARE Observed SockRacket/KANDYKORN Domain (datasend .linkpc .net in TLS SNI)
ET MALWARE Observed SockRacket/KANDYKORN Domain (coupang-networks .pics in TLS SNI)

ET MALWARE Observed SockRacket/KANDYKORN Domain (docsendinfo .linkpc .net in TLS SNI)
ET MALWARE Observed SockRacket/KANDYKORN Domain (exodus .linkpc .net in TLS SNI)
ET MALWARE Observed SockRacket/KANDYKORN Domain (jobintro .linkpc .net in TLS SNI)
ET MALWARE Observed SockRacket/KANDYKORN Domain (docsenddata .linkpc .net in TLS SNI)
ET MALWARE Observed SockRacket/KANDYKORN Domain (bitscrunnch .run .place in TLS SNI)
ET MALWARE Observed SockRacket/KANDYKORN Domain (jobdescription .linkpc .net in TLS SNI)
ET MALWARE SockRacket/KANDYKORN Client Connect (Random Number)
ET MALWARE SockRacket/KANDYKORN CnC Response (Nonce)
ET MALWARE SockRacket/KANDYKORN Client Challenge
ET MALWARE SockRacket/KANDYKORN CnC Response
ET MALWARE Malicious Base64 Encoded Payload In Image
ET MALWARE GCleaner Downloader IP Address Retrieval Attempt M2
ET MALWARE Win32/Unknown CnC Domain in DNS Lookup (hackermania .org)
ET MALWARE GCleaner Downloader Activity M11
ET MALWARE Win32/Unknown Domain (hackermania .org) in TLS SNI
ET MALWARE Suspected APT34 Related SSD Backdoor Activity (POST)
ET MALWARE Suspected APT34 Related SSD Backdoor Response
ET MALWARE RisePro TCP Heartbeat Packet
ET MALWARE Suspected Higaisa APT Related Domain in DNS Lookup (insightinteriors .im)
ET MALWARE DNS Query to IcedID Domain (asleytomafa .com)
ET MALWARE DNS Query to IcedID Domain (manjuskploman .com)
ET MALWARE DNS Query to IcedID Domain (brojizuza .com)
ET MALWARE DNS Query to IcedID Domain (grafielucho .com)
ET MALWARE DNS Query to IcedID Domain (qousahaff .com)
ET MALWARE Observed IcedID Domain (manjuskploman .com in TLS SNI)
ET MALWARE Observed IcedID Domain (asleytomafa .com in TLS SNI)
ET MALWARE Observed IcedID Domain (brojizuza .com in TLS SNI)
ET MALWARE Observed IcedID Domain (grafielucho .com in TLS SNI)
ET MALWARE NodeStealer CnC Activity from Downloaded Archive (GET)
ET MALWARE Observed IcedID Domain (qousahaff .com in TLS SNI)
ET MALWARE JS/Z1_Loader Activity (POST)
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST
ET MALWARE Bitter APT Related Domain in DNS Lookup
ET MALWARE Observed Bitter APT Related Domain in TLS SNI
ET MALWARE Lazarus CnC Domain in DNS Lookup (online-meeting .team)
ET MALWARE Lazarus CnC Domain in DNS Lookup (team-meet .online)
ET MALWARE Lazarus CnC Domain in DNS Lookup (safemeeting .online)
ET MALWARE Lazarus CnC Domain in DNS Lookup (videomeethub .online)
ET MALWARE Observed Lazarus Domain (team-meet .online in TLS SNI)
ET MALWARE Observed Lazarus Domain (videomeethub .online in TLS SNI)
ET MALWARE Observed Lazarus Domain (online-meeting .team in TLS SNI)
ET MALWARE Observed Lazarus Domain (safemeeting .online in TLS SNI)
ET MALWARE Socks5Systemz CnC Checkin M2
ET MALWARE Socks5SystemZ CnC Checkin Response M1
ET MALWARE Socks5SystemZ CnC Checkin Response M2
ET MALWARE Bandit Stealer Config Inbound
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .caching .oysterfloats .com)
ET MALWARE Bandit Stealer Host Details Exfil
ET MALWARE SocGholish CnC Domain in TLS SNI (* .caching .oysterfloats .com)
ET MALWARE MACE C2 Framework Activity (GET)
ET MALWARE MACE C2 Framework Response M1
ET MALWARE MACE C2 Framework Response M2
ET MALWARE SocGholish Domain in DNS Lookup (modification .grebcocontractors .com)
ET MALWARE Win32/Fewin Stealer Data Exfiltration Attempt
ET MALWARE SocGholish Domain in DNS Lookup (sermon .pastorbriantubbs .com)
ET MALWARE SocGholish Domain in TLS SNI (modification .grebcocontractors .com)
ET MALWARE SocGholish Domain in TLS SNI (sermon .pastorbriantubbs .com)
ET MALWARE Win32/Unknown RAT CnC Server Acknowledgement
ET MALWARE Win32/Unknown RAT CnC Checkin
ET MALWARE Win32/TA402 CnC User-Agent
ET MALWARE Win32/TA402 CnC Response M1
ET MALWARE Win32/TA402 CnC Response M2
ET MALWARE Win32/TA402 Checkin
ET MALWARE Win32/TA402 Checkin M2
ET MALWARE TA402 CnC Domain in DNS Lookup
ET MALWARE Observed TA402 Domain in TLS SNI
ET MALWARE TA402 CnC Domain in DNS Lookup
ET MALWARE Observed TA402 Domain in TLS SNI
ET MALWARE Win32/TA402 CnC Activity (POST)
ET MALWARE Win32/TA402 CnC Activity (GET)
ET MALWARE DNS Query to Remcos Domain (retghrtgwtrgtg .bounceme .net)
ET MALWARE DNS Query to Remcos Domain (listpoints .online)
ET MALWARE Observed Remcos Domain (retghrtgwtrgtg .bounceme .net in TLS SNI)
ET MALWARE DNS Query to Remcos Domain (listpoints .click)
ET MALWARE Observed Remcos Domain (listpoints .online in TLS SNI)
ET MALWARE Observed Remcos Domain (listpoints .click in TLS SNI)
ET MALWARE QuickBooks Pop-Up Scam - Request for QB Download Locations
ET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request M2
ET MALWARE QuickBooks Pop-Up Scam - Download Locations Response
ET MALWARE QuickBooks Pop-Up Scam - Checkin Response
ET MALWARE QuickBooks Pop-Up Scam - Pop-Up Details Request
ET MALWARE QuickBooks Pop-Up Scam - Pop-Up Details Response
ET MALWARE QuickBooks Pop-Up Scam - Checkin
ET MALWARE Latrodectus Alive Request (GET)
ET MALWARE Latrodectus Alive Response M1
ET MALWARE Latrodectus 404 Response
ET MALWARE DNS Query to Scattered Spider Domain (victimname-sso .com
ET MALWARE DNS Query to Scattered Spider Domain (victimname-servicedesk .com

ET MALWARE DNS Query to Scattered Spider Domain (victimname-okta .com
ET MALWARE Observed Scattered Spider Domain (victimname-sso .com in TLS SNI)
ET MALWARE Observed Scattered Spider Domain (victimname-servicedesk .com in TLS SNI)
ET MALWARE Observed Scattered Spider Domain (victimname-okta .com in TLS SNI)
ET MALWARE Observed Malicious Domain (drive-google-com .tk in TLS SNI)
ET MALWARE DNS Query to Malicious Domain (drive-google-com .tk)
ET MALWARE [ANY.RUN] Stealc/Vidar Stealer TLS Certificate
ET MALWARE Suspected Malicious JS Loader Activity (GET)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .novelty .akibacreative .com)
ET MALWARE Turla APT/Kazuar Backdoor CnC Activity (POST)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .novelty .akibacreative .com)
ET MALWARE WikiLoader Activity M3 (GET)
ET MALWARE WikiLoader Activity M4 (Response)
ET MALWARE TA404 Comebacker Related Activity (POST)
ET MALWARE TA444 Related JS Activity Sending Windows System Process Information (POST)
ET MALWARE MetaStealer Activity (Response)
ET MALWARE DNS Query to Malicious Domain (flyfggfdbvcbvcbc .online)
ET MALWARE DNS Query to Malicious Domain (mydatayxnhzcs .tech)
ET MALWARE LNK/imageres CnC Payload Request (GET)
ET MALWARE TA422 Related Activity M3
ET MALWARE TA422 Related Activity M4
ET MALWARE TA422 Related Activity M5
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .sync .oystergardens .club)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .sync .oystergardens .club)
ET MALWARE DNS Query to SysJoker Domain (sharing-u-file .com)
ET MALWARE DNS Query to SysJoker Domain (filestorage-short .org)
ET MALWARE DNS Query to SysJoker Domain (audiosound-visual .com)
ET MALWARE SysJoker Host Details Exfil (POST)
ET MALWARE SysJoker Successful Command Execution (POST)
ET MALWARE SysJoker Bot Configuration Request (POST)
ET MALWARE SysJoker Bot Registration (POST)
ET MALWARE SysJoker User-Agent Observed
ET MALWARE SysJoker User-Agent Observed
ET MALWARE SysJoker CnC Checkin (POST)
ET MALWARE TA406 Win32/Updog Backdoor Data Exfiltration Attempt
ET MALWARE TA406 Win32/Updog CnC Checkin
ET MALWARE WebDAV Retrieving .exe from .url M1 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .zip from .url M1 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .zip from .url M2 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .exe from .url M2 (CVE-2023-36025)
ET MALWARE Andariel Group Nukesped Variant CnC Checkin
ET MALWARE Marai Variant Activity (Inbound)
ET MALWARE [ANY.RUN] Socks5Systemz TCP Backconnect Client Traffic
ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .vbs from .url M2 (CVE-2023-36025)
ET MALWARE ToddyCat APT Related CurCore Activity (POST)
ET MALWARE JynxLoaderV2 CnC Checkin
ET MALWARE SugarGh0st RAT CnC Checkin
ET MALWARE SugarGh0st RAT Domain in DNS Lookup (login .drive-google-com .tk)
ET MALWARE SugarGh0st RAT Domain in DNS Lookup (account .drive-google-com .tk)
ET MALWARE SocGholish Domain in DNS Lookup (dashboard .renovationsruth .com)
ET MALWARE SocGholish Domain in TLS SNI (dashboard .renovationsruth .com)
ET MALWARE Suspected ToddyCat APT Curlu Related Activity M1
ET MALWARE Suspected ToddyCat APT Curlu Related Activity M2
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tirechinecarpett .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (hemispheredonkkl .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (musclefarelongea .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ownerbuffersuperw .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (freckletropsao .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fanlumpactiras .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (medicinebuckerrysa .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (helpfulsteepyi .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (definefolkeloi .pw)
ET MALWARE PS1/Unknown Payload C2 Downloader (GET)
ET MALWARE DNS Query to Malicious Domain (2311forget .online)
ET MALWARE DNS Query to Malicious Domain (hijackson .org)
ET MALWARE Observed Malicious Domain in TLS SNI (2311forget .online)
ET MALWARE Observed Malicious Domain in TLS SNI (hijackson .org)
ET MALWARE Darkgate Stealer CnC Checkin (POST) M2
ET MALWARE DNS Query to Darkgate Domain (saintelzearlava .com)
ET MALWARE DNS Query to Darkgate Domain (trans1ategooglecom .com)
ET MALWARE Observed Darkgate Domain (saintelzearlava .com in TLS SNI)
ET MALWARE Observed Darkgate Domain (trans1ategooglecom .com in TLS SNI)
ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metahelpservice .net)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (xn--metaspport-v43e .com)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metaemailsecurity .net)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupportmail .co)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasecurityemail .org)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metaemailsecurity .com)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupportmail .com)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (igsecurity .email)
ET MALWARE Observed Suspected TA453 Related Domain (metahelpservice .net in TLS SNI)
ET MALWARE Observed Suspected TA453 Related Domain (xn--metaspport-v43e .com in TLS SNI)

ET MALWARE Observed Suspected TA453 Related Domain (metaemailsecurity .net in TLS SNI)
ET MALWARE Observed Suspected TA453 Related Domain (metasupportmail .co in TLS SNI)
ET MALWARE Observed Suspected TA453 Related Domain (metasecurityemail .org in TLS SNI)
ET MALWARE Observed Suspected TA453 Related Domain (metaemailsecurity .com in TLS SNI)
ET MALWARE Observed Suspected TA453 Related Domain (metasupportmail .com in TLS SNI)
ET MALWARE Observed Suspected TA453 Related Domain (igsecurity .email in TLS SNI)
ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupport .com)
ET MALWARE Observed Suspected TA453 Related Domain (metasupport .com in TLS SNI)
ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1
ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2
ET MALWARE SocGholish Domain in DNS Lookup (pluralism .themancav .com)
ET MALWARE SocGholish Domain in TLS SNI (pluralism .themancav .com)
ET MALWARE DNS Query to Teal Kurma Domain (anfturkce .news)
ET MALWARE DNS Query to Teal Kurma Domain (al-marsad .co)
ET MALWARE DNS Query to Teal Kurma Domain (aws .systemctl .network)
ET MALWARE DNS Query to Teal Kurma Domain (nmcbcd .live)
ET MALWARE DNS Query to Teal Kurma Domain (querryfiles .com)
ET MALWARE DNS Query to Teal Kurma Domain (ybcd .tech)
ET MALWARE DNS Query to Teal Kurma Domain (ud .ybcd .tech)
ET MALWARE DNS Query to Teal Kurma Domain (systemctl .network)
ET MALWARE DNS Query to Teal Kurma Domain (alhurra .online)
ET MALWARE DNS Query to Teal Kurma Domain (upt .mcsoft .org)
ET MALWARE DNS Query to Teal Kurma Domain (lo0 .systemctl .network)
ET MALWARE DNS Query to Teal Kurma Domain (eth0 .secrsys .net)
ET MALWARE DNS Query to Teal Kurma Domain (dhcp .systemctl .network)
ET MALWARE Observed Teal Kurma Domain (anfturkce .news in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (ud .ybcd .tech in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (al-marsad .co in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (alhurra .online in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (systemctl .network in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (querryfiles .com in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (ybcd .tech in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (lo0 .systemctl .network in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (upt .mcsoft .org in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (aws .systemctl .network in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (dhcp .systemctl .network in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (eth0 .secrsys .net in TLS SNI)
ET MALWARE Observed Teal Kurma Domain (nmcbcd .live in TLS SNI)
ET MALWARE SnappyTCP Reverse Shell Header Value Observed
ET MALWARE SnappyTCP Reverse Shell Client Checkin M1
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .cloudid .coffeeonboard .com)
ET MALWARE SnappyTCP Reverse Shell Client Checkin M2
ET MALWARE SocGholish CnC Domain in TLS SNI (* .cloudid .coffeeonboard .com)
ET MALWARE Observed Malicious SSL Cert (Silver Keylogger)
ET MALWARE Observed Malicious SSL Cert (Brushaloader CnC) 2023-12-4
ET MALWARE Win32/Asmodeasmo Bot CnC Checkin
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .settings .oysterfloats .org)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .settings .oysterfloats .org)
ET MALWARE TA430/Andariel APT Related CnC Domain in DNS Lookup (tech .micrsofts .com)
ET MALWARE Void Rabisu Related Loader Activity (GET)
ET MALWARE Observed TA430/Andariel APT Related Domain (tech .micrsofts .com in TLS SNI)
ET MALWARE TA430/Andariel APT Related CnC Domain in DNS Lookup (tech .micrsofts .tech)
ET MALWARE Observed TA430/Andariel APT Related Domain (tech .micrsofts .tech in TLS SNI)
ET MALWARE TA430/Andariel APT Related DLRAT Activity (POST)
ET MALWARE JynxLoaderV2 CnC Server Command (NOTASK)
ET MALWARE JynxLoaderV2 CnC Command (INSTALL)
ET MALWARE Encoded JinxV2DEV User-Agent Observed (4a696e785632444556)
ET MALWARE RisePro CnC Activity (Outbound)
ET MALWARE RisePro CnC Activity (Inbound)
ET MALWARE TA430/Andariel APT BottomLoader Activity (GET)
ET MALWARE TA430/Andariel APT HazyLoad Proxy Related Activity (POST)
ET MALWARE Suspected Kimsuky APT RevClient Related Activity
ET MALWARE DNS Query to Axile Stealer Domain (axile .su)
ET MALWARE Observed Axile Stealer Domain (axile .su in TLS SNI)
ET MALWARE Suspected Lazarus APT Validator Related Activity (POST)
ET MALWARE Axile Stealer CnC Activity (POST)
ET MALWARE Lazarus APT Related Loader Activity (GET)
ET MALWARE Win32/Spyder Sending Info to CnC
ET MALWARE Win32/Spyder CnC Checkin
ET MALWARE Win32/Spyder Successful CnC Checkin
ET MALWARE Latrodectus Alive Response M2
ET MALWARE Latrodectus Alive Response M3
ET MALWARE Latrodectus Alive Response M4
ET MALWARE Latrodectus Alive Response M5
ET MALWARE Latrodectus Alive Response M6
ET MALWARE Latrodectus Alive Response M7
ET MALWARE Latrodectus Alive Response M8
ET MALWARE IcedID CnC Domain in DNS Lookup
ET MALWARE Observed Malicious SSL Cert (TA577)
ET MALWARE Observed Malicious SSL Cert (TA577)
ET MALWARE Observed Malicious SSL Cert (TA577)
ET MALWARE Observed Malicious SSL Cert (TA577)
ET MALWARE Observed Malicious SSL Cert (TA577)
ET MALWARE Observed Malicious SSL Cert (TA577)
ET MALWARE Win32/GoPix Stealer Activity (POST)
ET MALWARE Qbot Related Activity (POST)
ET MALWARE Win32/Blacklegion Ransomware CnC Checkin
ET MALWARE Win32/Blacklegion Ransomware CnC Response

ET MALWARE SocGholish CnC Domain in DNS Lookup (* .scheme .corycabana .net)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .scheme .corycabana .net)
ET MALWARE Observed CloudAtlas APT Related Domain (avito-service .net in TLS SNI)
ET MALWARE CloudAtlas APT Related DNS Lookup (avito-service .net)
ET MALWARE CloudAtlas APT Related Domain in DNS Lookup (network-list .com)
ET MALWARE CloudAtlas APT Related Maldoc Activity M1 (GET)
ET MALWARE Observed CloudAtlas APT Related Domain (network-list .com in TLS SNI)
ET MALWARE CloudAtlas APT Related Maldoc Activity M3 (GET)
ET MALWARE CloudAtlas APT Related Maldoc Activity M4 (GET)
ET MALWARE CloudAtlas APT Related Maldoc Activity M5 (GET)
ET MALWARE CloudAtlas APT Related Maldoc Activity M6 (GET)
ET MALWARE DNS Query to Suspected APT Domain (idfleaks .info)
ET MALWARE DNS Query to Suspected APT Domain (idf .pics)
ET MALWARE DNS Query to Suspected APT Domain (idfinfo .pw)
ET MALWARE Observed Suspected APT Domain (idfleaks .info in TLS SNI)
ET MALWARE Observed Suspected APT Domain (idf .pics in TLS SNI)
ET MALWARE Observed Suspected APT Domain (idfinfo .pw in TLS SNI)
ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .in)
ET MALWARE DNS Query to UAC-0177 Domain (ssl4 .site)
ET MALWARE DNS Query to UAC-0177 Domain (getssl .ink)
ET MALWARE DNS Query to UAC-0177 Domain (personlog .in)
ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .link)
ET MALWARE DNS Query to UAC-0177 Domain (authssl .online)
ET MALWARE DNS Query to UAC-0177 Domain (ssl1 .site)
ET MALWARE DNS Query to UAC-0177 Domain (hsts .online)
ET MALWARE DNS Query to UAC-0177 Domain (authssl .in)
ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .online)
ET MALWARE DNS Query to UAC-0177 Domain (authssl .site)
ET MALWARE DNS Query to UAC-0177 Domain (goaccount .link)
ET MALWARE DNS Query to UAC-0177 Domain (ssl2 .site)
ET MALWARE DNS Query to UAC-0177 Domain (ssl1 .online)
ET MALWARE DNS Query to UAC-0177 Domain (passport2 .zip)
ET MALWARE DNS Query to UAC-0177 Domain (certifiedauth .in)
ET MALWARE DNS Query to UAC-0177 Domain (authssl .link)
ET MALWARE DNS Query to UAC-0177 Domain (connectssl .in)
ET MALWARE DNS Query to UAC-0177 Domain (getssl .click)
ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .site)
ET MALWARE DNS Query to UAC-0177 Domain (ssl3 .online)
ET MALWARE DNS Query to UAC-0177 Domain (exmo .day)
ET MALWARE DNS Query to UAC-0177 Domain (authcheck .in)
ET MALWARE DNS Query to UAC-0177 Domain (ssl4 .online)
ET MALWARE DNS Query to UAC-0177 Domain (authssl .org)
ET MALWARE Observed UAC-0177 Domain (ssl2 .in in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl4 .site in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (getssl .ink in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (personlog .in in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl2 .link in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (authssl .online in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl1 .site in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (hsts .online in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (authssl .in in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl2 .online in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (authssl .site in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (goaccount .link in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl2 .site in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl1 .online in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (certifiedauth .in in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (passport2 .zip in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (authssl .link in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (connectssl .in in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (getssl .click in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl3 .site in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl3 .online in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (exmo .day in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (authcheck .in in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (ssl4 .online in TLS SNI)
ET MALWARE Observed UAC-0177 Domain (authssl .org in TLS SNI)
ET MALWARE Possible W4SP Stealer CnC Checkin
ET MALWARE Possible KV Botnet CnC Checkin
ET MALWARE CloudAtlas APT Related Maldoc Activity M2 (GET)
ET MALWARE CloudAtlas APT Related Maldoc Activity M7 (GET)
ET MALWARE Malicious Loader Related Activity (GET)
ET MALWARE Malicious Loader Related Activity Response
ET MALWARE JaskaGO CnC Host Profile Exfil
ET MALWARE Win32/BlackRain CnC Activity
ET MALWARE BlackRain User-Agent Observed
ET MALWARE Brute Ratel Framework Related Domain in DNS Lookup (azureclouder .com)
ET MALWARE Observed Brute Ratel Framework Related Domain (azureclouder .com in TLS SNI)
ET MALWARE YoroTrooper APT Related Activty (GET)
ET MALWARE Lumma Stealer Related Activity M2
ET MALWARE Win32/Koi Loader CnC Checkin M1
ET MALWARE Win32/Koi Loader CnC Checkin M2
ET MALWARE Win32/Koi Loader CnC Checkin M3
ET MALWARE Win32/Koi Stealer CnC Checkin
ET MALWARE Win32/Unknown Stealer CnC Domain in DNS Lookup (webvideoshareonline .com)
ET MALWARE Win32/Unknown Stealer Data Exfiltration Attempt
ET MALWARE Suspicious Domain (webvideoshareonline .com) in TLS SNI
ET MALWARE Win32/Koi Loader/Stealer CnC Domain in DNS Lookup (podologie-werne .de)
ET MALWARE Observed Win32/Koi Loader/Stealer Domain (podologie-werne .de) in TLS SNI
ET MALWARE Lumma Stealer Related Activity
ET MALWARE Observed Lumma Stealer Related Domain (agedelayglacierwe .pw in TLS SNI)
ET MALWARE Suspected PrivateLoader Activity (POST)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (agedelayglacierwe .pw)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (chincenterblandwka .pw)
ET MALWARE Observed Lumma Stealer Related Domain (chincenterblandwka .pw in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (neighborhoodfeelsa .fun)
ET MALWARE Observed Lumma Stealer Related Domain (neighborhoodfeelsa .fun in TLS SNI)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .places .creeksidehuntingpreserve .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .places .creeksidehuntingpreserve .com)
ET MALWARE TA451 FalseFont Backdoor Related Domain in DNS Lookup (digitalcodecrafters .com)

ET MALWARE Observed TA451 FalseFont Backdoor Related Domain (digitalcodecrafters .com in TLS SNI)
ET MALWARE Turla APT Kazuar Backdoor Related Activity
ET MALWARE Suspected Turla APT Kazuar Backdoor Related Activity
ET MALWARE Generic Stealer Checkin
ET MALWARE Observed DNS Query to FIN7/Carbanak Related Domain (sun876954 .space)
ET MALWARE Observed FIN7/Carbanak Related Domain (sun876954 .space in TLS SNI)
ET MALWARE Suspected FIN7/Carbanak Related Payload C2 Downloader (GET)
ET MALWARE Snake Keylogger HTTP Exfil
ET MALWARE Rezlt RDP Grabber - This is Not RDP
ET MALWARE Kimsuky APT Related Win32/RftRAT Activity
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (politefrightenpowoa .pw)
ET MALWARE Observed Lumma Stealer Related Domain (politefrightenpowoa .pw in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (carstirgapcheatdeposwte .pw)
ET MALWARE Observed Lumma Stealer Related Domain (carstirgapcheatdeposwte .pw in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pw)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (opposesicknessopw .pw)
ET MALWARE Observed Lumma Stealer Related Domain (recessionconceptjetwe .pw in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (opposesicknessopw .pw in TLS SNI)
ET MALWARE BlueNoroff APT Related Activity M1 (POST)
ET MALWARE BlueNoroff APT Related Activity M2 (POST)
ET MALWARE DNS Query to Malicious Domain (steam-install .run)
ET MALWARE Win32/Sfuzuan Variant Payload Fetch
ET MALWARE SocGholish Domain in DNS Lookup (ebooks .ferrelljoe .com)
ET MALWARE Win32/Sfuzuan Variant Payload Fetch
ET MALWARE SocGholish Domain in TLS SNI (ebooks .ferrelljoe .com)
ET MALWARE Suspected Generic PHP Backdoor Activity M1
ET MALWARE Suspected Generic PHP Backdoor Activity M2
ET MALWARE Generic PHP Backdoor CnC Response
ET MALWARE Agrius Group ASPXSpy Webshell Connection Inbound M1
ET MALWARE Ducktail APT Style Payload Request
ET MALWARE Agrius Group ASPXSpy Webshell Connection Inbound M2
ET MALWARE Agrius Group Webshell File Upload Attempt
ET MALWARE Agrius Group Webshell Command Execution Attempt
ET MALWARE DNS Query to Gamaredon Domain (plutoniumo .ru)
ET MALWARE DNS Query to Gamaredon Domain (koroglugo .shop)
ET MALWARE DNS Query to Gamaredon Domain (raidla .ru)
ET MALWARE Observed Gamaredon Domain (plutoniumo .ru in TLS SNI)
ET MALWARE Observed Gamaredon Domain (koroglugo .shop in TLS SNI)
ET MALWARE Observed Gamaredon Domain (raidla .ru in TLS SNI)
ET MALWARE Gamaredon APT Related Maldoc Activity (POST)
ET MALWARE Observed Lumma Stealer Related Domain in TLS SNI (referralpublicationjk .pw)
ET MALWARE Gamaredon APT Related Maldoc Activity (GET)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (referralpublicationjk .pw)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (playerweighmailydailew .pw)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (latetemporarynuance .pw)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (blastechohackopeower .pw)
ET MALWARE Observed Lumma Stealer Related Domain (latetemporarynuance .pw in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (playerweighmailydailew .pw in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (blastechohackopeower .pw in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (reviveincapablewew .pw)
ET MALWARE Observed Lumma Stealer Related Domain (reviveincapablewew .pw in TLS SNI)
ET MALWARE Sharp Panda APT Related Activity M3
ET MALWARE Sharp Panda APT Related Domain in DNS Lookup (openxmlformats .shop)
ET MALWARE SocGholish Domain in DNS Lookup (retraining .allstardriving .org)
ET MALWARE SocGholish Domain in TLS SNI (retraining .allstardriving .org)
ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M1
ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M2
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (evokenumberpottruckere .fun)
ET MALWARE Observed Lumma Stealer Related Domain (evokenumberpottruckere .fun in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (goddirtybrilliancece .fun)
ET MALWARE Observed Lumma Stealer Related Domain (goddirtybrilliancece .fun in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (maskmusicalproplemanw .pw)
ET MALWARE Observed Lumma Stealer Related Domain (maskmusicalproplemanw .pw in TLS SNI)
ET MALWARE TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr)
ET MALWARE Test CnC Domain in DNS Lookup (test .com)
ET MALWARE X CnC Domain in DNS Lookup (test .com)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (sideindexfollowragelrew .pw)
ET MALWARE Observed Lumma Stealer Related Domain (sideindexfollowragelrew .pw in TLS SNI)
ET MALWARE TrollAgent CnC Domain in DNS Lookup (ar .kostin .p-e .kr)
ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M3
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (ranchguarrelguidewa .pw)
ET MALWARE TrollAgent Checkin
ET MALWARE Observed Lumma Stealer Related Domain (ranchguarrelguidewa .pw in TLS SNI)
ET MALWARE TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr)
ET MALWARE TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr)
ET MALWARE TrollAgent CnC Domain in DNS Lookup (winters .r-e .kr)
ET MALWARE Observed TrollAgent Domain (winters .r-e .kr in TLS SNI)
ET MALWARE Observed TrollAgent Domain (ai .kostin .p-e .kr in TLS SNI)

ET MALWARE Observed TrollAgent Domain (ol .negapa .p-e .kr in TLS SNI)
ET MALWARE Observed TrollAgent Domain (ar .kostin .p-e .kr in TLS SNI)
ET MALWARE Sea Turtle APT Checkin
ET MALWARE Blister Loader Cobalt Strike C2 Profile M1
ET MALWARE Blister Loader Cobalt Strike C2 Profile M2
ET MALWARE Blister Loader Cobalt Strike C2 Profile M3
ET MALWARE Blister Loader Cobalt Strike C2 Profile M4
ET MALWARE Blister Loader Cobalt Strike C2 Profile M5
ET MALWARE Blister Loader Cobalt Strike C2 Profile M6
ET MALWARE Blister Loader Cobalt Strike C2 Profile M7
ET MALWARE Blister Loader Cobalt Strike C2 Profile M8
ET MALWARE Blister Loader Cobalt Strike C2 Profile M9
ET MALWARE Blister Loader Cobalt Strike C2 Profile M10
ET MALWARE Blister Loader Cobalt Strike C2 Profile M11
ET MALWARE Blister Loader Cobalt Strike C2 Profile M12
ET MALWARE Blister Loader Cobalt Strike C2 Profile M13
ET MALWARE Blister Loader Cobalt Strike C2 Profile M14
ET MALWARE Blister Loader Cobalt Strike C2 Profile M15
ET MALWARE Blister Loader Cobalt Strike C2 Profile M16
ET MALWARE Blister Loader Cobalt Strike C2 Profile M17
ET MALWARE Blister Loader Cobalt Strike C2 Profile M18
ET MALWARE Blister Loader Cobalt Strike C2 Profile M19
ET MALWARE Blister Loader Cobalt Strike C2 Profile M20
ET MALWARE Blister Loader Cobalt Strike C2 Profile M21
ET MALWARE Blister Loader Mythic C2 Profile M1
ET MALWARE Blister Loader Mythic C2 Profile M2
ET MALWARE Blister Loader Mythic C2 Profile M3
ET MALWARE Blister Loader Mythic C2 Profile M4
ET MALWARE Possible GIFTEDVISITOR Activity - Ivanti Connect Secure
ET MALWARE Suspected UTA0178 Domain in DNS Lookup
ET MALWARE Suspected UTA0178 Domain in DNS Lookup
ET MALWARE UTA0178 Domain in DNS Lookup
ET MALWARE Suspected UTA0178 Domain in TLS SNI
ET MALWARE Suspected UTA0178 Domain in TLS SNI
ET MALWARE UTA0178 Domain in TLS SNI
ET MALWARE OrbitalBeam CnC Token Request
ET MALWARE OrbitalBeam CnC Token Response
ET MALWARE OrbitalBeam CnC Activity (Info)
ET MALWARE OrbitalBeam CnC Response (Info)
ET MALWARE OrbitalBeam CnC Activity (Debug)
ET MALWARE Observed Epsilon Stealer Domain (3ps1l0n .life) in TLS SNI
ET MALWARE Epsilon Stealer Domain in DNS Lookup (3ps1l0n .life)
ET MALWARE SocGholish Domain in DNS Lookup (event .coachgreb
ET MALWARE SocGholish Domain in TLS SNI (event .coachgreb .com)
.com)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup ET MALWARE Observed Lumma Stealer Related Domain
(recessionconceptjetwe .pwc) (recessionconceptjetwe .pwc in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup ET MALWARE Observed Lumma Stealer Related Domain
(recessionconceptjetwe .pwc) (recessionconceptjetwe .pwc in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup ET MALWARE Observed Lumma Stealer Related Domain
(copyexpertisesausewaverw .site) (copyexpertisesausewaverw .site in TLS SNI)
ET MALWARE Jupyter Stealer CnC Checkin M2 ET MALWARE Win32/Rust Miner CnC Activity
ET MALWARE HailBot CnC Domain in DNS Lookup (asdsdfjsdfsd .indy) ET MALWARE HailBot CnC Domain in DNS Lookup (jiggaboo .oss)
ET MALWARE HailBot CnC Domain in DNS Lookup (sfdopospdofpsdo
ET MALWARE HailBot CnC Domain in DNS Lookup (pposdif .parody)
.dyn)
ET MALWARE HailBot CnC Domain in DNS Lookup (wendykortiz ET MALWARE HailBot CnC Domain in DNS Lookup (yoursocuteong
.gopher) .dyn)
ET MALWARE Observed HailBot Domain (asdsdfjsdfsd .indy in TLS
ET MALWARE Observed HailBot Domain (jiggaboo .oss in TLS SNI)
SNI)
ET MALWARE Observed HailBot Domain (sfdopospdofpsdo .dyn in
ET MALWARE Observed HailBot Domain (pposdif .parody in TLS SNI)
TLS SNI)
ET MALWARE Observed HailBot Domain (wendykortiz .gopher in TLS ET MALWARE Observed HailBot Domain (yoursocuteong .dyn in TLS
SNI) SNI)
ET MALWARE HailBot Server Response ET MALWARE Hailbot CnC Checkin
ET MALWARE SocGholish Domain in DNS Lookup (surprise ET MALWARE SocGholish Domain in TLS SNI (surprise .refillpantrysd
.refillpantrysd .com) .com)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup ET MALWARE Observed Lumma Stealer Related Domain
(contextsuffreintymore .fun) (contextsuffreintymore .fun in TLS SNI)
ET MALWARE BackConnect CnC Activity (Set Sleep Timer) ET MALWARE BackConnect CnC Activity (Bot Task Request) M1
ET MALWARE BackConnect CnC Activity (Bot Task Request) M2 ET MALWARE BackConnect CnC Activity (Bot Error) M1
ET MALWARE BackConnect CnC Activity (Bot Error) M2 ET MALWARE BackConnect CnC Activity (Bot Reconnect) M1
ET MALWARE BackConnect CnC Activity (Start SOCKS) M1 ET MALWARE BackConnect CnC Activity (Start SOCKS) M2
ET MALWARE BackConnect CnC Activity (Start VNC) M1 ET MALWARE BackConnect CnC Activity (Start VNC) M2
ET MALWARE BackConnect CnC Activity (Start VNC) M3 ET MALWARE BackConnect CnC Activity (Start VNC) M4
ET MALWARE BackConnect CnC Activity (Start File Manager) M1 ET MALWARE BackConnect CnC Activity (Start File Manager) M2
ET MALWARE BackConnect CnC Activity (Start Reverse Shell) M1 ET MALWARE BackConnect CnC Activity (Start Reverse Shell) M2
ET MALWARE BackConnect CnC Activity (Bot Reconnect) M2 ET MALWARE Win32/Neptune Loader Activity (GET)
ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive
ET MALWARE DNS Query to TA453 Domain (coral-polydactyl-
ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2
dragonfruit .glitch .me)
ET MALWARE DNS Query to TA453 Domain (kwhfibejjyxregxmnpcs ET MALWARE DNS Query to TA453 Domain (cloud-document-edit
.supabase .co) .onrender .com)
ET MALWARE DNS Query to TA453 Domain (ndrrftqrlblfecpupppp ET MALWARE DNS Query to TA453 Domain (east-healthy-dress .glitch
.supabase .co) .me)
ET MALWARE DNS Query to TA453 Domain (epibvgvoszemkwjnplyc ET MALWARE Observed TA453 Domain (coral-polydactyl-dragonfruit
.supabase .co) .glitch .me in TLS SNI)


ET MALWARE Observed TA453 Domain (kwhfibejjyxregxmnpcs .supabase .co in TLS SNI)
ET MALWARE Observed TA453 Domain (cloud-document-edit .onrender .com in TLS SNI)
ET MALWARE Observed TA453 Domain (ndrrftqrlblfecpupppp .supabase .co in TLS SNI)
ET MALWARE Observed TA453 Domain (east-healthy-dress .glitch .me in TLS SNI)
ET MALWARE Observed TA453 Domain (epibvgvoszemkwjnplyc .supabase .co in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (groannysoapblockedstiw .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (worrystitchsounddywuwp .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weedpairfolkloredheryw .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (copyrightspareddcitwew .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (qualifiedbehaviorrykej .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (combinethemepiggerygoj .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lendremindcenterpassew .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (expenditureddisumilarwo .site)
ET MALWARE Observed Lumma Stealer Related Domain (groannysoapblockedstiw .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (worrystitchsounddywuwp .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (paperambiguonusphoterew .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (weedpairfolkloredheryw .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (copyrightspareddcitwew .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (paperambiguonusphoterew .site)
ET MALWARE Observed Lumma Stealer Related Domain (expenditureddisumilarwo .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (combinethemepiggerygoj .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (qualifiedbehaviorrykej .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (lendremindcenterpassew .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (accouncementdivecane .site)
ET MALWARE Observed Lumma Stealer Related Domain (accouncementdivecane .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fleetconsciousnessjuiw .site)
ET MALWARE Observed Lumma Stealer Related Domain (fleetconsciousnessjuiw .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carpetcupboardtejjerew .site)
ET MALWARE Observed Lumma Stealer Related Domain (carpetcupboardtejjerew .site in TLS SNI)
ET MALWARE Win32/AdAptertrAin CnC Server Response
ET MALWARE Win32/AdAptertrAin CnC Server Checkin
ET MALWARE Trojanized Software Download Domain in DNS Lookup (macyy .cn)
ET MALWARE Khepri CnC Domain in DNS Lookup (securecrt .cc)
ET MALWARE Khepri CnC Domain in DNS Lookup (ultraedit .info)
ET MALWARE Khepri CnC Domain in DNS Lookup (securecrt .vip)
ET MALWARE Khepri CnC Domain in DNS Lookup (rdesktophub .com)
ET MALWARE Khepri CnC Domain in DNS Lookup (macnavicat .com)
ET MALWARE Khepri CnC Domain in DNS Lookup (vscode .digital)
ET MALWARE Khepri CnC Domain in DNS Lookup (ultraedit .vip)
ET MALWARE Khepri CnC Domain in DNS Lookup (finallshell .cc)
ET MALWARE Khepri CnC Domain in DNS Lookup (rdesktopconnect .com)
ET MALWARE Khepri CnC Domain in DNS Lookup (finalshell .me)
ET MALWARE Khepri CnC Domain in DNS Lookup (xmindcn .cc)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (benddiscoleideasbridrew .site)
ET MALWARE Observed Lumma Stealer Related Domain (benddiscoleideasbridrew .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lastbishopmultiplyeow .site)
ET MALWARE Observed Lumma Stealer Related Domain (lastbishopmultiplyeow .site in TLS SNI)
ET MALWARE Atomic Stealer Related Activity (POST)
ET MALWARE [ANY.RUN] ZharkBOT HTTP CnC Checkin
ET MALWARE Brosql Stealer Screenshot Exfil
ET MALWARE Brosql Stealer Browser Login Exfil
ET MALWARE Brosql Stealer Browser Cookie Exfil
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (app .documentoffice .club)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .live)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefitinfo .pro)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (benefiturl .pro)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (careagency .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (cra-receivenow .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (crareceive .site)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .co)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (depositurl .lat)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (direct .traderfree .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (forex .traderfree .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (groceryrebate .site)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (gstcreceive .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (instantreceive .org)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (nav .offlinedocument .site)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receive .bio)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (receiveinstant .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .help)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (rentsubsidy .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (tinyurlinstant .co)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (urldepost .co)


ET MALWARE ScarCruft TA409 Domain in DNS Lookup (verifyca .online)
ET MALWARE ScarCruft TA409 Domain in DNS Lookup (visiononline .store)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (app .documentoffice .club)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .live)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefitinfo .pro)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (benefiturl .pro)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (careagency .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (cra-receivenow .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (crareceive .site)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .co)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (depositurl .lat)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (direct .traderfree .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (forex .traderfree .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (groceryrebate .site)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (gstcreceive .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (instantreceive .org)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (nav .offlinedocument .site)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (receive .bio)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (receiveinstant .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .help)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (rentsubsidy .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (tinyurlinstant .co)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (urldepost .co)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (verifyca .online)
ET MALWARE ScarCruft TA409 Domain in TLS SNI (visiononline .store)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (demonstratorleasheropw .site)
ET MALWARE Observed Lumma Stealer Related Domain (demonstratorleasheropw .site in TLS SNI)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .colors .usajicgu .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .colors .usajicgu .com)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (racerecessionrestrai .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cooperatecliqueobstac .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (braidfadefriendklypk .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (vesselspeedcrosswakew .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (communicationinchoicer .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (carvewomanflavourwop .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (retainfactorypunishjkw .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (willpoweragreebokkskiew .site)
ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (brickabsorptiondullyi .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (retainfactorypunishjkw .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (communicationinchoicer .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (willpoweragreebokkskiew .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (carvewomanflavourwop .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (vesselspeedcrosswakew .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (cooperatecliqueobstac .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (racerecessionrestrai .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (braidfadefriendklypk .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gearboomchocolateowfs .site)
ET MALWARE Observed Lumma Stealer Related Domain (gearboomchocolateowfs .site in TLS SNI)
ET MALWARE [ANY.RUN] RadX RAT Check-In (POST)
ET MALWARE [ANY.RUN] RadX RAT Keep-Alive Activity (POST)
ET MALWARE Win32/Cobalt Strike CnC Activity M1
ET MALWARE Win32/Cobalt Strike CnC Activity M2
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (brickabsorptiondullyi .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (crisisestimatehealtwh .site)
ET MALWARE Observed Lumma Stealer Related Domain (crisisestimatehealtwh .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (consciouosoepewmausj .site)
ET MALWARE Observed Lumma Stealer Related Domain (consciouosoepewmausj .site in TLS SNI)
ET MALWARE nspx30 Backdoor Trigger Response Observed
ET MALWARE nspx30 Orchestrator CnC Checkin
ET MALWARE Earth Preta PUBLOAD Activity M2
ET MALWARE Earth Preta PUBLOAD Activity M3
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mealroomrallpassiveer .shop)
ET MALWARE Observed Lumma Stealer Related Domain (mealroomrallpassiveer .shop in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (tonguehypnothesislan .shop)
ET MALWARE Observed Lumma Stealer Related Domain (tonguehypnothesislan .shop in TLS SNI)
ET MALWARE Allakore RAT CnC Domain in DNS Lookup (hhplaytom .com)
ET MALWARE Allakore RAT CnC Domain in DNS Lookup (uperrunplay .com)
ET MALWARE Allakore RAT CnC Domain in DNS Lookup (uplayground .online)
ET MALWARE Allakore RAT CnC Domain in DNS Lookup (zulabra .com)
ET MALWARE Allakore RAT CnC Domain in DNS Lookup (flapawer .com)
ET MALWARE Allakore RAT CnC Domain in DNS Lookup (chaucheneguer .com)


ET MALWARE SocGholish Domain in DNS Lookup (miner .eastestsite .com)
ET MALWARE SocGholish Domain in TLS SNI (miner .eastestsite .com)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .honors .howamerica .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .honors .howamerica .com)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (culturesketchfinanciall .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (secretionsuitcasenioise .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (claimconcessionrebe .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (liabilityarrangemenyit .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (gemcreedarticulateod .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (modestessayevenmilwek .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sofahuntingslidedine .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (triangleseasonbenchwj .shop)
ET MALWARE Observed Lumma Stealer Related Domain (triangleseasonbenchwj .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (claimconcessionrebe .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (culturesketchfinanciall .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (gemcreedarticulateod .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (sofahuntingslidedine .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (modestessayevenmilwek .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (secretionsuitcasenioise .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (liabilityarrangemenyit .shop in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (nationalistvetecanve .shop)
ET MALWARE Observed Lumma Stealer Related Domain (nationalistvetecanve .shop in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cakecoldsplurgrewe .pw)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bombertublestylebanws .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (diagramfiremonkeyowwa .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (dayfarrichjwclik .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ratefacilityframw .fun)
ET MALWARE Observed Lumma Stealer Related Domain (cakecoldsplurgrewe .pw in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (bombertublestylebanws .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (diagramfiremonkeyowwa .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (dayfarrichjwclik .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (ratefacilityframw .fun in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthrankunderow .fun)
ET MALWARE Observed Lumma Stealer Related Domain (healthrankunderow .fun in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cakecoldsplurgrewe .pw)
ET MALWARE Observed Lumma Stealer Related Domain (cakecoldsplurgrewe .pw in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (offerimagefancine .shop)
ET MALWARE Observed Lumma Stealer Related Domain (offerimagefancine .shop in TLS SNI)
ET MALWARE [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M1
ET MALWARE [ANY.RUN] BACKDOOR [ANY.RUN] ToneShell FakeTLS Check-In (APT Mustang Panda / Earth Preta) M2
ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M1
ET MALWARE [ANY.RUN] ToneShell FakeTLS Response (APT Mustang Panda / Earth Preta) M2
ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration
ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request
ET MALWARE Allakore RAT CnC Checkin M2
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fantasticabnormally .shop)
ET MALWARE Observed Lumma Stealer Related Domain (fantasticabnormally .shop in TLS SNI)
ET MALWARE DNS Query to Malicious Domain (pdfmicrosoft .ddns .net)
ET MALWARE Observed Malicious Domain (pdfmicrosoft .ddns .net in TLS SNI)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (farstream .org)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (sysupdates .org)
ET MALWARE Observed KrustyLoader Domain (farstream .org) in TLS SNI
ET MALWARE Observed KrustyLoader Domain (sysupdates .org) in TLS SNI
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (be-at-home .s3 .ap-northeast-2 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bbr-promo .s3 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bigtimeassets .s3 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (acapros-app .s3-us-west-2 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (beansdeals-static .s3 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (bringthenoiseappnew .s3 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (2261992 .s3 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (ahha-asset .s3 .ap-northeast-2 .amazonaws .com)
ET MALWARE KrustyLoader CnC Domain in DNS Lookup (breaknlinks .s3 .amazonaws .com)
ET MALWARE HTTP POST with Suspicious User-Agent Observed - Possible ZLoader Activity M1
ET MALWARE HTTP POST with Suspicious User-Agent Observed - Possible ZLoader Activity M2
ET MALWARE LIGHTWIRE Web Shell Activity Observed
ET MALWARE CHAINLINE Web Shell Activity Observed
ET MALWARE FRAMEREST Web Shell Activity Observed
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (knonkcdalfyhitt .shop)
ET MALWARE Observed Lumma Stealer Related Domain (knonkcdalfyhitt .shop in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (birdvigorousedetertyw .shop)


ET MALWARE Observed Lumma Stealer Related Domain (birdvigorousedetertyw .shop in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telldruggcommitetter .shop)
ET MALWARE Observed Lumma Stealer Related Domain (telldruggcommitetter .shop in TLS SNI)
ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M4
ET MALWARE Suspected TA451 Related FalseFont Backdoor Activity M5
ET MALWARE Suspected TA451 Related FalseFont Backdoor Response
ET MALWARE RubySleet APT TrollAgent CnC Checkin
ET MALWARE RubySleet APT TrollAgent CnC Domain in DNS Lookup (ol .negapa .p-e .kr)
ET MALWARE RubySleet APT TrollAgent CnC Domain in DNS Lookup (ai .kostin .p-e .kr)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (feturepoudbicchteo .shop)
ET MALWARE Observed Lumma Stealer Related Domain (feturepoudbicchteo .shop in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (pavementpreferencewjiao .site)
ET MALWARE Observed Lumma Stealer Related Domain (pavementpreferencewjiao .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (despairphtsograpgp .shop)
ET MALWARE Observed Lumma Stealer Related Domain (despairphtsograpgp .shop in TLS SNI)
ET MALWARE Mispadu Stealer CnC Checkin M1
ET MALWARE Mispadu Stealer CnC Checkin M2
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .our .openarmscv .org)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .our .openarmscv .org)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (samplepoisonbarryntj .shop)
ET MALWARE Observed Lumma Stealer Related Domain (samplepoisonbarryntj .shop in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (decorousnumerousieo .shop)
ET MALWARE Observed Lumma Stealer Related Domain (decorousnumerousieo .shop in TLS SNI)
ET MALWARE DNS Query to Malware Delivery Domain (a0917004 .xsph .ru)
ET MALWARE DNS Query to XWORM Domain (sponsored-ate .gl .at .ply .gg)
ET MALWARE Observed Malware Delivery Domain (a0917004 .xsph .ru in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (resergvearyinitiani .shop)
ET MALWARE Observed Lumma Stealer Related Domain (resergvearyinitiani .shop in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (landgateindirectdangre .shop)
ET MALWARE Observed Lumma Stealer Related Domain (landgateindirectdangre .shop in TLS SNI)
ET MALWARE FormBook CnC Checkin (GET) M5
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (flexibleagttypoceo .shop)
ET MALWARE Observed Lumma Stealer Related Domain (flexibleagttypoceo .shop in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (exitassumebangpastcone .shop)
ET MALWARE Observed Lumma Stealer Related Domain (exitassumebangpastcone .shop in TLS SNI)
ET MALWARE Lumma Stealer Related Domain in DNS Lookup (vatleaflettrusteeooj .shop)
ET MALWARE Observed Lumma Stealer Related Domain (vatleaflettrusteeooj .shop in TLS SNI)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .day .50adayplan .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .day .50adayplan .com)
ET MALWARE MacOS RustDoor Related Activity M1 (POST)
ET MALWARE MacOS RustDoor Related Activity M2 (POST)
ET MALWARE MacOS RustDoor Related CnC Domain in DNS Lookup (serviceicloud .com)
ET MALWARE Observed MacOS RustDoor Related Domain (serviceicloud .com in TLS SNI)
ET MALWARE Observed Malicious Domain (ewbjr2h375tjz5fh3wvohsetk .com in TLS SNI)
ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2
ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)
ET MALWARE Synapse/Lambda Ransomware CnC Checkin
ET MALWARE PikaBot Java Loader CnC Checkin
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bicyclesunhygenico .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (reechoingkaolizationp .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (antiuncontemporary .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pielumchalotpostwo .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unexaminablespectrall .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (muggierdragstemmio .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fishboatnurrybeauti .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mazumaponyanthus .fun)
ET MALWARE Observed Lumma Stealer Related Domain (bicyclesunhygenico .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (reechoingkaolizationp .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (antiuncontemporary .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (pielumchalotpostwo .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (unexaminablespectrall .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (muggierdragstemmio .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (fishboatnurrybeauti .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (mazumaponyanthus .fun in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bleednumberrottern .home)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (brakesummitfiightre .pics)
ET MALWARE Observed Lumma Stealer Related Domain (bleednumberrottern .home in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (brakesummitfiightre .pics in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lawwormroleveinn .mom)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (baresoakopiniocowe .fun)


ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (baketransparentadw .pics)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (legislationdictater .mom)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (mercyaloofprincipleo .pics)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (developmentalveiop .home)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (hunterstrawmersp .home)
ET MALWARE Observed Lumma Stealer Related Domain (lawwormroleveinn .mom in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (baresoakopiniocowe .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (baketransparentadw .pics in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (legislationdictater .mom in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (mercyaloofprincipleo .pics in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (developmentalveiop .home in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (hunterstrawmersp .home in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ironshottallinko .funu)
ET MALWARE Observed Lumma Stealer Related Domain (ironshottallinko .funu in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lawwormroleveinn .momu)
ET MALWARE Observed Lumma Stealer Related Domain (lawwormroleveinn .momu in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (scshemevalleywelferw .site)
ET MALWARE Observed Lumma Stealer Related Domain (scshemevalleywelferw .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (snuggleapplicationswo .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (strainriskpropos .store)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telephoneverdictyow .site)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (punchtelephoneverdi .store)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (smallrabbitcrossing .site)
ET MALWARE Observed Lumma Stealer Related Domain (snuggleapplicationswo .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (strainriskpropos .store in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (telephoneverdictyow .site in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (punchtelephoneverdi .store in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (smallrabbitcrossing .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fossillandscapefewkew .site)
ET MALWARE Observed Lumma Stealer Related Domain (fossillandscapefewkew .site in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (townsfolkhiwoeko .fun)
ET MALWARE Observed Lumma Stealer Related Domain (townsfolkhiwoeko .fun in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colonmoonmushroo .mom)
ET MALWARE Observed Lumma Stealer Related Domain (colonmoonmushroo .mom in TLS SNI)
ET MALWARE Pikabot Related Activity M5 (POST)
ET MALWARE Possible PikaBot Java Loader CnC Checkin
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cattilecodereowop .pw)
ET MALWARE Observed Lumma Stealer Related Domain (cattilecodereowop .pw in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (thinrecordsunrjisow .pw)
ET MALWARE Observed Lumma Stealer Related Domain (thinrecordsunrjisow .pw in TLS SNI)
ET MALWARE BunnyLoader 3.0 Initial Checkin
ET MALWARE BunnyLoader 3.0 Initial Checkin Response
ET MALWARE BunnyLoader 3.0 Heartbeat Checkin
ET MALWARE BunnyLoader 3.0 Heartbeat Response
ET MALWARE BunnyLoader 3.0 Tasking Checkin
ET MALWARE BunnyLoader 3.0 Tasking Response
ET MALWARE BunnyLoader 3.0 Echo Checkin
ET MALWARE BunnyLoader 3.0 DBID Checkin
ET MALWARE BunnyLoader 3.0 CID Checkin
ET MALWARE DOILoader Activity M2 (GET)
ET MALWARE JS/GootLoader Activity M2 (GET)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthproline .pro)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funr)
ET MALWARE Observed Lumma Stealer Related Domain (healthproline .pro in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funr in TLS SNI)
ET MALWARE TinyTurlaNG Turla APT Initial Client Beacon
ET MALWARE TinyTurlaNG Turla APT GetTask Request
ET MALWARE DNS Query to TinyTurla Domain (caduff-sa .ch)
ET MALWARE DNS Query to TinyTurla Domain (jeepcarlease .com)
ET MALWARE DNS Query to TinyTurla Domain (carleasingguru .com)
ET MALWARE DNS Query to TinyTurla Domain (buy-new-car .com)
ET MALWARE DNS Query to TinyTurla Domain (thefinetreats .com)
ET MALWARE DNS Query to TinyTurla Domain (hanagram .jp)
ET MALWARE Observed TinyTurla Domain (caduff-sa .ch in TLS SNI)
ET MALWARE Observed TinyTurla Domain (jeepcarlease .com in TLS SNI)
ET MALWARE Observed TinyTurla Domain (carleasingguru .com in TLS SNI)
ET MALWARE Observed TinyTurla Domain (buy-new-car .com in TLS SNI)
ET MALWARE Observed TinyTurla Domain (thefinetreats .com in TLS SNI)
ET MALWARE Observed TinyTurla Domain (hanagram .jp in TLS SNI)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .members .openarmscv .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .members .openarmscv .com)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup
(pooreveningfuseor .pw) (chocolatedepressofw .fun)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup
(problemregardybuiwo .fun) (turkeyunlikelyofw .shop)
ET MALWARE Observed Lumma Stealer Related Domain (associationokeo .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pw in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (chocolatedepressofw .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (problemregardybuiwo .fun in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (turkeyunlikelyofw .shop in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funy)
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funy in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (greenbowelsustainny .fun)
ET MALWARE Observed Lumma Stealer Related Domain (greenbowelsustainny .fun in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .funl)
ET MALWARE Observed Lumma Stealer Related Domain (theoryapparatusjuko .funl in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fikkeropendorwiw .pw)
ET MALWARE Observed Lumma Stealer Related Domain (fikkeropendorwiw .pw in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (numberlesswortheiwol .shop)
ET MALWARE Observed Lumma Stealer Related Domain (numberlesswortheiwol .shop in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (superiorhardwaerw .pw)
ET MALWARE Observed Lumma Stealer Related Domain (superiorhardwaerw .pw in TLS SNI)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pwl)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (villagemagneticcsa .fun)
ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pwl in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (villagemagneticcsa .fun in TLS SNI)
ET MALWARE Win/Ghostlocker Ransomware Activity M1 (POST)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)
ET MALWARE Win/Ghostlocker Ransomware Activity M2 (POST)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (woodfeetumhblefepoj .shop)
ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (technologyenterdo .shop)
ET MALWARE Observed Lumma Stealer Related Domain (detectordiscusser .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (woodfeetumhblefepoj .shop in TLS SNI)
ET MALWARE Observed Lumma Stealer Related Domain (technologyenterdo .shop in TLS SNI)
ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
ET MALWARE Lazarus Group Backdoor CnC Checkin M1
ET MALWARE Lazarus Group Backdoor CnC Checkin M2
ET MALWARE Lazarus Group Domain in DNS Lookup (contact .rgssm .in)
ET MALWARE Lazarus Group Domain in DNS Lookup (sifucanva .com)
ET MALWARE Lazarus Group Domain in DNS Lookup (rginfotechnology .com)
ET MALWARE Lazarus Group Domain in DNS Lookup (chrysalisc .com)
ET MALWARE Lazarus Group Domain in DNS Lookup (thefrostery .co .uk)
ET MALWARE Lazarus Group Domain in DNS Lookup (job4writers .com)
ET MALWARE Observed Lazarus Group Domain (rginfotechnology .com) in TLS SNI
ET MALWARE Observed Lazarus Group Domain (sifucanva .com) in TLS SNI
ET MALWARE Observed Lazarus Group Domain (thefrostery .co .uk) in TLS SNI
ET MALWARE Observed Lazarus Group Domain (contact .rgssm .in) in TLS SNI
ET MALWARE Observed Lazarus Group Domain (chrysalisc .com) in TLS SNI
ET MALWARE Observed Lazarus Group Domain (job4writers .com) in TLS SNI
ET MALWARE Lazarus Group Domain in DNS Lookup (updating .dothome .co .kr)
ET MALWARE SocGholish Domain in DNS Lookup (stake .libertariancounterpoint .com)
ET MALWARE SocGholish Domain in TLS SNI (stake .libertariancounterpoint .com)
ET MALWARE DNS Query to Malicious Domain (countrysvc .pe .kr)
ET MALWARE DNS Query to Malicious Domain (kakaoteam .site)
ET MALWARE DNS Query to Malicious Domain (naverscorp .shop)
ET MALWARE DNS Query to Malicious Domain (ned .newnotification .server .korea)
ET MALWARE DNS Query to Malicious Domain (mofamail .shop)
ET MALWARE DNS Query to Malicious Domain (cloudown .store)
ET MALWARE DNS Query to Malicious Domain (navigation .cc)
ET MALWARE DNS Query to Malicious Domain (nmail .navermail .online .korea)
ET MALWARE DNS Query to Malicious Domain (nidnaver .info)
ET MALWARE DNS Query to Malicious Domain (naveralarm .com)
ET MALWARE DNS Query to Malicious Domain (navecorps .com)
ET MALWARE DNS Query to Malicious Domain (naveralert .com)
ET MALWARE DNS Query to Malicious Domain (nidnaver .help)
ET MALWARE DNS Query to Malicious Domain (navercafe .info)
ET MALWARE DNS Query to Malicious Domain (civilizations .store)
ET MALWARE DNS Query to Malicious Domain (upbit-service .pe .kr)
ET MALWARE DNS Query to Malicious Domain (akites .site)
ET MALWARE DNS Query to Malicious Domain (taxservice .pe .kr)
ET MALWARE DNS Query to Malicious Domain (mofamail .homes)
ET MALWARE DNS Query to Malicious Domain (kakaoaccouts .store)
ET MALWARE DNS Query to Malicious Domain (upbit2024 .re .kr)
ET MALWARE DNS Query to Malicious Domain (nsvc .mail .server .korea)
ET MALWARE Observed Malicious Domain (countrysvc .pe .kr in TLS SNI)
ET MALWARE Observed Malicious Domain (kakaoteam .site in TLS SNI)
ET MALWARE Observed Malicious Domain (naverscorp .shop in TLS SNI)
ET MALWARE Observed Malicious Domain (ned .newnotification .server .korea in TLS SNI)
ET MALWARE Observed Malicious Domain (mofamail .shop in TLS SNI)
ET MALWARE Observed Malicious Domain (cloudown .store in TLS SNI)
ET MALWARE Observed Malicious Domain (navigation .cc in TLS SNI)
ET MALWARE Observed Malicious Domain (nmail .navermail .online .korea in TLS SNI)
ET MALWARE Observed Malicious Domain (nidnaver .info in TLS SNI)
ET MALWARE Observed Malicious Domain (naveralarm .com in TLS SNI)
ET MALWARE Observed Malicious Domain (navecorps .com in TLS SNI)
ET MALWARE Observed Malicious Domain (naveralert .com in TLS SNI)
ET MALWARE Observed Malicious Domain (nidnaver .help in TLS SNI)
ET MALWARE Observed Malicious Domain (navercafe .info in TLS SNI)
ET MALWARE Observed Malicious Domain (civilizations .store in TLS SNI)
ET MALWARE Observed Malicious Domain (upbit-service .pe .kr in TLS SNI)
ET MALWARE Observed Malicious Domain (akites .site in TLS SNI)
ET MALWARE Observed Malicious Domain (taxservice .pe .kr in TLS SNI)
ET MALWARE Observed Malicious Domain (mofamail .homes in TLS SNI)
ET MALWARE Observed Malicious Domain (kakaoaccouts .store in TLS SNI)
ET MALWARE Observed Malicious Domain (upbit2024 .re .kr in TLS SNI)
ET MALWARE Observed Malicious Domain (nsvc .mail .server .korea in TLS SNI)
ET MALWARE Elusive Stealer CnC Exfil via Telegram
ET MALWARE Win32/AsyncRAT CnC Checkin (GET)
ET MALWARE PyRation Variant - Command Sent to Client
ET MALWARE PyRation Variant - Action Sent to Client
ET MALWARE PyRation Variant - Configuration Response
ET MALWARE PyRation Variant - Configuration Request
ET MALWARE DNS Query to Lactrodectus Domain
ET MALWARE DNS Query to Lactrodectus Domain
ET MALWARE Observed Lactrodectus Domain in TLS SNI
ET MALWARE Observed Lactrodectus Domain in TLS SNI
ET MALWARE Malvertising Domain in DNS Lookup (parsic .org)
ET MALWARE Malvertising Domain in DNS Lookup (reclaimmycredit .com)
ET MALWARE Observed Malvertising Domain (parsic .org) in TLS SNI
ET MALWARE Observed Malvertising Domain (reclaimmycredit .com) in TLS SNI
ET MALWARE Unknown Malvertising Payload CnC Checkin (PSecWin)
ET MALWARE SocGholish CnC Domain in DNS Lookup (* .collection .aixpirts .com)
ET MALWARE SocGholish CnC Domain in TLS SNI (* .collection .aixpirts .com)
ET MALWARE Win32/MarioLoader CnC Activity (POST) M1
ET MALWARE Win32/MarioLoader Payload Request (GET)
ET MALWARE Win32/MarioLoader CnC Activity (POST) M2
ET MALWARE Unknown Powershell Malvertising Payload CnC Checkin
ET MALWARE Malvertising Related Domain in DNS Lookup (hmgcyberschools .com)
ET MALWARE Malvertising Related Domain in DNS Lookup (darknetlinks .wiki)
ET MALWARE Malvertising Related Domain in DNS Lookup (legit .onelink .me)
ET MALWARE Malvertising Related Domain in DNS Lookup (healthbeautycosmetics .com)
ET MALWARE Observed Malvertising Related Domain (hmgcyberschools .com) in TLS SNI
ET MALWARE Observed Malvertising Related Domain (darknetlinks .wiki) in TLS SNI
ET MALWARE Observed Malvertising Related Domain (legit .onelink .me) in TLS SNI
ET MALWARE Observed Malvertising Related Domain (healthbeautycosmetics .com) in TLS SNI
ET MALWARE Suspected TA430/Andariel AndarLoader Related CnC Domain in DNS Lookup
ET MALWARE TA421 Wineloader CnC Checkin
ET MALWARE Suspected TA430/Andariel AndarLoader Related Domain in TLS SNI
ET MALWARE TA430/Andariel AndarLoader Related Activity M1
ET MALWARE TA430/Andariel Related Domain in DNS Lookup
ET MALWARE TA430/Andariel AndarLoader Related Activity M2
ET MALWARE TA430/Andariel AndarLoader Related Activity M3
ET MALWARE DuckTail APT CnC Activity (GET)
ET MALWARE DNS Query to Ducktail APT Domain (mountainseagroup3 .top)
ET MALWARE DNS Query to Ducktail APT Domain (123online .uk)
ET MALWARE DNS Query to Ducktail APT Domain (dailyfasterauto .info)
ET MALWARE DNS Query to Ducktail APT Domain (mafiakorea .com)
ET MALWARE Observed Ducktail Domain (mountainseagroup3 .top in TLS SNI)
ET MALWARE Observed Ducktail Domain (123online .uk in TLS SNI)
ET MALWARE Observed Ducktail Domain (dailyfasterauto .info in TLS SNI)
ET MALWARE Observed Ducktail Domain (mafiakorea .com in TLS SNI)
ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (blockchain-newtech .com)
ET MALWARE Lazarus Group Comebacker Backdoor CnC Checkin
ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (chaingrown .com)
ET MALWARE Lazarus Group Combacker CnC Domain in DNS Lookup (fasttet .com)
ET MALWARE TA430/Andariel NukeSped Backdoor Variant Activity M1
ET MALWARE TA430/Andariel NukeSped Backdoor Variant Activity M2
ET MALWARE TA430/Andariel NukeSped Backdoor Variant Server Response M1
ET MALWARE TA430/Andariel NukeSped Backdoor Variant Server Response M2
ET MALWARE DNS Query to TA455 Domain (xboxplayservice .com)
ET MALWARE Observed TA455 Domain in TLS SNI (vsliveagent .com)
ET MALWARE Observed TA455 Domain in TLS SNI (xboxplayservice .com)
ET MALWARE Observed TA455 Domain in TLS SNI (teledyneflir.com .de)
ET MALWARE Observed TA455 Domain in TLS SNI (1stemployer .com)
ET MALWARE Observed UNC1549/TA455 Domain (qaquestionsapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (vscodeupdater .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (helicoptersahtests .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (airconnectionsapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (regionuaequestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (testmanagementapisjson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (blognewsalphaapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeed .cloudapp .azure .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (notebooktextcheckings .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (apphrquizapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (onequestionsapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (notebooktextchecking .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (onequestionsapicheck .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (questionsapplicationbackup .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (arquestionsapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (customercareservice .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (uaeaircheckon .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (blogvolleyballstatus .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeed .centralus .cloudapp .azure .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (emiratescheckapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (notebooktexts .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (questionsurveyapp .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (quiztestapplication .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (manpowerfeedapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (engineeringrssfeed .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (airconnectionapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (javaruntime .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (coffeeonlineshop .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (onequestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (javaruntimestestapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (logupdatemanagementapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeedp .cloudapp .azure .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (qaquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (roadmapselector .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (homefurniture .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (engineeringssfeed .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (blogvolleyballstatusapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (technewsblogapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (airgadgetsolutions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (emiratescheckapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (qaquestionapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (airgadgetsolution .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (iaidevrssfeed .centrualus .cloudapp .azure .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (surveyappquery .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (boeisurveyapplications .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookcollection .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (helicopterahtest .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (hrapplicationtest .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (altnametestapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (identifycheckapplication .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (ilengineeringrssfeed .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (manpowerfeedapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (integratedblognewfeed .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (workersquestionsapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (javaruntimeversionchecking .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (optionalapplication .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (connectairapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (flighthelicopterahtest .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (customercareserviceapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (notebooktextcheckings .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (exchtestcheckingapihealth .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (surveyonlinetest .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (questionsdatabases .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (questionsapplicationapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (humanresourcesapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (openapplicationcheck .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (logsapimanagement .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (workersquestionsjson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (browsercheckap .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (checkapicountryquestionsjson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (integratedblognews .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (changequestionstypeapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (cashcloudservices .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (questionsurveyappserver .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (audiomanagerapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (coffeeonlineshoping .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (exchtestcheckingapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (surveyonlinetestapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (personalizationsurvey .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (questionsapplicationapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (turkairline .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (identifycheckingapplications .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (testquestionapplicationapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (tnlsowki .westus3 .cloudapp .azure .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (registerinsurance .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (hiringarabicregion .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (countrybasedquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (apphrquestion .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (javaruntimetestapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (browsercheckingapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (logupdatemanagementapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (qaquestionsapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (sportblogs .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (changequestiontypesapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (intergratedblognewsapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (queryfindquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (queryquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (checkapicountryquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (audioservicetestapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (workersquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (uaeairchecks .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookscollection .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (refaeldevrssfeed .centralus .cloudapp .azure .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (apphrquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (personalitytestquestionapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (tnlsowkis .westus3 .cloudapp .azure .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (humanresourcesapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (checkservicecustomerapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (testtesttes .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (humanresourcesapiquiz .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookcollections .com in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (jupyternotebookcollections .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (helicopterahtests .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (changequestiontypes .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (testmanagementapi1 .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (browsercheckjson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (answerssurveytest .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (airconnectionsapijson .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (changequestionstypejsonapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (marineblogapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (logsapimanagements .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (javaruntimeversioncheckingapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (identifycheckapplications .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (connectionhandlerapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (testmanagementapis .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (tiappschecktest .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (arquestions .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (roadmapselectorapi .azurewebsites .net in TLS SNI)
ET MALWARE Observed UNC1549/TA455 Domain (birngthemhomenow .co .il in TLS SNI)
GPL MALWARE BackOrifice access

emerging-misc.rules

ET MISC HP Web JetAdmin ExecuteFile admin access
GPL MISC Teardrop attack
GPL MISC Ascend Route
GPL MISC Finger remote command execution attempt
GPL MISC Finger remote command pipe execution attempt
GPL MISC Finger bomb attempt
GPL MISC Time-To-Live Exceeded in Transit
GPL MISC Connection Closed MSG from Port 80
GPL MISC source route ssrr
GPL MISC Source Port 20 to <1024
GPL MISC source port 53 to <1024
GPL MISC Invalid PCAnywhere Login
GPL MISC xdmcp query
GPL MISC ip reserved bit set
GPL MISC rlogin bin
GPL MISC rlogin echo++
GPL MISC rlogin root
GPL MISC rsh echo + +
GPL MISC rsh froot
GPL MISC rsh root
GPL MISC ident version request
GPL MISC 0 ttl
GPL MISC rwhoisd format string attempt
GPL MISC UPnP malformed advertisement
GPL MISC UPnP Location overflow
GPL MISC AUTHINFO USER overflow attempt
GPL MISC Unassigned/Reserved IP protocol
GPL MISC return code buffer overflow attempt
GPL MISC UPnP service discover attempt
GPL MISC bootp hardware address length overflow
GPL MISC bootp invalid hardware type
GPL MISC CVS invalid user authentication response
GPL MISC CVS invalid repository response
GPL MISC CVS double free exploit attempt response
GPL MISC CVS invalid directory response
GPL MISC CVS missing cvsroot response
GPL MISC CVS invalid module response
GPL MISC rsyncd overflow attempt
GPL MISC BGP invalid length
GPL MISC BGP invalid type 0
GPL MISC IP Proto 53 SWIPE
GPL MISC IP Proto 55 IP Mobility
GPL MISC IP Proto 77 Sun ND
GPL MISC IP Proto 103 PIM
GPL MISC CVS non-relative path error response
GPL MISC NNTP sendsys overflow attempt
GPL MISC NNTP senduuname overflow attempt
GPL MISC NNTP version overflow attempt
GPL MISC NNTP checkgroups overflow attempt
GPL MISC NNTP ihave overflow attempt
GPL MISC NNTP sendme overflow attempt
GPL MISC NNTP newgroup overflow attempt
GPL MISC Nntp rmgroup overflow attempt
GPL MISC NNTP article post without path attempt
GPL MISC HP Web JetAdmin remote file upload attempt
GPL MISC HP Web JetAdmin setinfo access
GPL MISC HP Web JetAdmin file write attempt
GPL MISC rsync backup-dir directory traversal attempt
GPL MISC NNTP XPAT pattern overflow attempt
GPL MISC nntp SEARCH pattern overflow attempt
GPL MISC squid WCCP I_SEE_YOU message overflow attempt

emerging-mobile_malware.rules

ET MOBILE_MALWARE Android Trojan Command and Control Communication
ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2
ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication
ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1
ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2
ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request
ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request
ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request
ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request
ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request
ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2
ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3
ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI
ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server
ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication
ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication
ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication
ET MOBILE_MALWARE SymbOS/Merogo User Agent
ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server
ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server
ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server
ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server
ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server
ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0
ET MOBILE_MALWARE SslCrypt Server Communication
ET MOBILE_MALWARE SslCrypt Server Communication
ET MOBILE_MALWARE SslCrypt Server Communication
ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server
ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt
ET MOBILE_MALWARE Iphone iKee.B Checkin
ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information
ET MOBILE_MALWARE DroidKungFu Checkin
ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server
ET MOBILE_MALWARE DroidKungFu Checkin 2
ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server (waplove .cn)
ET MOBILE_MALWARE Android.Tonclank JAR File Download
ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server (searchwebmobile .com)
ET MOBILE_MALWARE Android.Plankton/Tonclank Successful Installation Device Information POST
ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL
ET MOBILE_MALWARE DroidKungFu Checkin 3
ET MOBILE_MALWARE Android.HongTouTou Checkin
ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message
ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download
ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity
ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity
ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message
ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download
ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message
ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message
ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC
ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server
ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server
ET MOBILE_MALWARE Android/GoldDream Infected Device Registration
ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server
ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval
ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files
ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary
ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin
ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server
ET MOBILE_MALWARE Android/HippoSms Method Request to CnC
ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server
ET MOBILE_MALWARE Android.AdSms XML File From CnC Server
ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server
ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC
ET MOBILE_MALWARE Android/SndApp.B Sending Device Information
ET MOBILE_MALWARE Android/Ozotshielder.A Checkin
ET MOBILE_MALWARE Android/KungFu Package Delete Command
ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC
ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC
ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server
ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access
ET MOBILE_MALWARE Android/Updtkiller Sending Device Information
ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC
ET MOBILE_MALWARE Android/Ksapp.A Checkin
ET MOBILE_MALWARE Android TrojanFakeLookout.A
ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin
ET MOBILE_MALWARE DroidKungFu Variant
ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report
ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon
ET MOBILE_MALWARE DNS Query Targeted Tibetan Android Malware C2 Domain
ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass
ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon
ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon
ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon
ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access takeCameraPicture
ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access getGalleryImage
ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall
ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access postToSocial
ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendMail
ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendSMS
ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access registerMicListener
ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon
ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement
ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon
ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon
ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon
ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon
ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon
ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon
ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request
ET MOBILE_MALWARE Android/FakeKakao checkin 1
ET MOBILE_MALWARE Android/FakeKakao checkin 2
ET MOBILE_MALWARE Android/FakeKakao checkin 3
ET MOBILE_MALWARE SMSSend Fake flappy bird APK
ET MOBILE_MALWARE AndroidOS/Lotoor.Q
ET MOBILE_MALWARE Android.Adware.Wapsx.A
ET MOBILE_MALWARE Andr/com.sdwiurse
ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon
ET MOBILE_MALWARE Android Spyware Dowgin Checkin
ET MOBILE_MALWARE Android ScarePakage checkin
ET MOBILE_MALWARE Android ScarePakage checkin 2
ET MOBILE_MALWARE AndroidOS.Simplocker Checkin
ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP
ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin
ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin
ET MOBILE_MALWARE Android/Locker.B Checkin 1
ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon
ET MOBILE_MALWARE Android/Locker.B Checkin 2
ET MOBILE_MALWARE iOS/AppBuyer Checkin 1
ET MOBILE_MALWARE iOS/AppBuyer Checkin 2
ET MOBILE_MALWARE Possible Android CVE-2014-6041
ET MOBILE_MALWARE Android/Code4hk.A Checkin
ET MOBILE_MALWARE iOS/Xsser Checkin
ET MOBILE_MALWARE iOS/Xsser sending GPS info
ET MOBILE_MALWARE iOS/Xsser sending files
ET MOBILE_MALWARE iOS/Xsser checking library version
ET MOBILE_MALWARE Android/Koler.C Checkin
ET MOBILE_MALWARE Android.Stealthgenie Checkin
ET MOBILE_MALWARE CoolReaper CnC Beacon 1
ET MOBILE_MALWARE CoolReaper CnC Beacon 2
ET MOBILE_MALWARE CoolReaper User-Agent
ET MOBILE_MALWARE Android Syria-Twitter Checkin
ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon
ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin
ET MOBILE_MALWARE IOS_XAGENT UA
ET MOBILE_MALWARE Possible Android CVE-2014-6041
ET MOBILE_MALWARE Possible Android CVE-2014-6041
ET MOBILE_MALWARE Android.Trojan.SMSSend.Y
ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin

ET MOBILE_MALWARE Android BatteryBotPro Checkin
ET MOBILE_MALWARE Android BatteryBotPro Checkin 2
ET MOBILE_MALWARE Android Gunpoder Checkin
ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query
ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2
ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin
ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2
ET MOBILE_MALWARE YiSpecter Activity M1
ET MOBILE_MALWARE YiSpecter Activity M2
ET MOBILE_MALWARE Android/Kemoge DNS Lookup
ET MOBILE_MALWARE Android/Kemoge Checkin
ET MOBILE_MALWARE Android/Kemoge Checkin 2
ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c Checkin
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin
ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host
ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload
ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain
ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain
ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2
ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query
ET MOBILE_MALWARE iOS DualToy Checkin
ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)
ET MOBILE_MALWARE Adware.Adwo.A
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info
ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1
ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2
ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin
ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2
ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert
ET MOBILE_MALWARE Unknown Redirector Nov 17 2016
ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin
ET MOBILE_MALWARE Android Fancy Bear Checkin
ET MOBILE_MALWARE Android Fancy Bear Checkin 2
ET MOBILE_MALWARE Android Fancy Bear Checkin 3
ET MOBILE_MALWARE Android Fancy Bear Checkin 4
ET MOBILE_MALWARE Android Fancy Bear Checkin 5
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert
ET MOBILE_MALWARE Android Fancy Bear Checkin 6
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup
ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon
ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon
ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2
ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin
ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon
ET MOBILE_MALWARE Android.Dropper.Abd Checkin
ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup
ET MOBILE_MALWARE WireX Botnet DNS Lookup
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15
ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon
ET MOBILE_MALWARE Android JadeRAT CnC Beacon
ET MOBILE_MALWARE Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)
ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2
ET MOBILE_MALWARE Android Marcher Trojan Download - Sparkasse Bank Targeting (set)
ET MOBILE_MALWARE Android Marcher Trojan Download - BankAustria Targeting (set)
ET MOBILE_MALWARE Android Marcher Trojan Download - Austrian Bank Targeting
ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1
ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2
ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3
ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4
ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup
ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 1 (goldncup .com)
ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 2 (glancelove .com)
ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 3 (autoandroidup .website)
ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 4 (mobilestoreupdate .website)
ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 5 (updatemobapp .website)
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5
ET MOBILE_MALWARE Android Golden Rat Checkin
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 6
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 7
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 8
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 9
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 10
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 11
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 12
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 14

ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 15
ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16
ET MOBILE_MALWARE NSO Related Domain 1
ET MOBILE_MALWARE NSO Related Domain 2
ET MOBILE_MALWARE NSO Related Domain 3
ET MOBILE_MALWARE NSO Related Domain 4
ET MOBILE_MALWARE NSO Related Domain 5
ET MOBILE_MALWARE NSO Related Domain 6
ET MOBILE_MALWARE NSO Related Domain 7
ET MOBILE_MALWARE NSO Related Domain 8
ET MOBILE_MALWARE NSO Related Domain 9
ET MOBILE_MALWARE NSO Related Domain 10
ET MOBILE_MALWARE NSO Related Domain 11
ET MOBILE_MALWARE NSO Related Domain 12
ET MOBILE_MALWARE NSO Related Domain 13
ET MOBILE_MALWARE NSO Related Domain 14
ET MOBILE_MALWARE NSO Related Domain 15
ET MOBILE_MALWARE NSO Related Domain 16
ET MOBILE_MALWARE NSO Related Domain 17
ET MOBILE_MALWARE NSO Related Domain 18
ET MOBILE_MALWARE NSO Related Domain 19
ET MOBILE_MALWARE NSO Related Domain 20
ET MOBILE_MALWARE NSO Related Domain 21
ET MOBILE_MALWARE NSO Related Domain 22
ET MOBILE_MALWARE NSO Related Domain 24
ET MOBILE_MALWARE NSO Related Domain 25
ET MOBILE_MALWARE NSO Related Domain 26
ET MOBILE_MALWARE NSO Related Domain 27
ET MOBILE_MALWARE NSO Related Domain 28
ET MOBILE_MALWARE NSO Related Domain 29
ET MOBILE_MALWARE NSO Related Domain 30
ET MOBILE_MALWARE NSO Related Domain 31
ET MOBILE_MALWARE NSO Related Domain 32
ET MOBILE_MALWARE NSO Related Domain 33
ET MOBILE_MALWARE NSO Related Domain 34
ET MOBILE_MALWARE NSO Related Domain 35
ET MOBILE_MALWARE NSO Related Domain 36
ET MOBILE_MALWARE NSO Related Domain 37
ET MOBILE_MALWARE NSO Related Domain 38
ET MOBILE_MALWARE NSO Related Domain 39
ET MOBILE_MALWARE NSO Related Domain 40
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a CnC Beacon
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin 2
ET MOBILE_MALWARE [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in
ET MOBILE_MALWARE Android APT-C-23 (1jve .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (1jve .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (help-live .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (help-live .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (dardash .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (dardash .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in DNS Lookup)

ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (masuka .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (masuka .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (dardash .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (dardash .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (dardash .live in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (dardash .live in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (alain .ps in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (alain .ps in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in DNS Lookup)

ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (juana .fun in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (juana .fun in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (appuree .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (appuree .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (myboon .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (myboon .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mygift .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mygift .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (katie .party in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mygift .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (katie .party in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mygift .website in TLS SNI)

ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (firesky .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (firesky .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in TLS SNI)

ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (oriential .website in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (oriential .website in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in TLS SNI)
ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in TLS SNI)
ET MOBILE_MALWARE Android/GPlayed (sub1 .tdsworker .ru in DNS Lookup)
ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in TLS SNI)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (areadozemode .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (selectnew25mode .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (twethujsnu .cc in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (project2anub .xyz in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (taiprotectsq .xyz in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (uwannaplaygame .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (projectpredator .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (nihaobrazzzahit .top in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (aserogeege .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (hdfuckedin18 .top in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d
(dingpsounda .space in DNS Lookup) (wantddantiprot .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d
(privateanbshouse .space in DNS Lookup) (seconddoxed .space in DNS Lookup)

313 of 382 2024-03-01, 14:05


ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (firstdoxed .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (oauth3 .html5100 .com in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dosandiq .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (protect4juls .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wijariief .space in DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (scradm .in in DNS Lookup)
ET MOBILE_MALWARE Android/BasBanke CnC Checkin
ET MOBILE_MALWARE Android/Xnore Fake Facebook Login Credentials Collected
ET MOBILE_MALWARE Observed Malicious SSL Cert (DonotGroup Android CnC)
ET MOBILE_MALWARE Windows Phone PUA.Redpher (myservicessapps .com in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidsmedia .com in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidssystem .com in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.ANA (secandroid .com in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediadownload .space in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediamobilereg .com in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.ANA (sharpion .org in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.ANA (shileyfetwell .com in DNS Lookup)
ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor Module Download Request
ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .itraffic .click in DNS Lookup)
ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .m-ads .net in DNS Lookup)
ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (drproxy .pro in DNS Lookup)
ET MOBILE_MALWARE Android/Spy.Agent.AOX Checkin
ET MOBILE_MALWARE Apple iPhone Implant - Boundary Observed
ET MOBILE_MALWARE Apple iPhone Implant - Upload Files
ET MOBILE_MALWARE Apple iPhone Implant - Command Executed
ET MOBILE_MALWARE Evil Eye Android Malware Beacon
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Joker Checkin
ET MOBILE_MALWARE MOONSHINE payload C2 activity
ET MOBILE_MALWARE Android/Geost CnC Checkin
ET MOBILE_MALWARE Suspected SandCat Related CnC
ET MOBILE_MALWARE Suspected Android Youzicheng Proxy Activity
ET MOBILE_MALWARE Android Lightspy Implant CnC
ET MOBILE_MALWARE Android/TrojanDropper.Agent.EQO Variant CnC Activity
ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1
ET MOBILE_MALWARE Android PHONEMONITOR RAT CnC (getsettings)
ET MOBILE_MALWARE Suspected PROJECTSPY CnC (video)
ET MOBILE_MALWARE Suspected PROJECTSPY Cookie
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup
ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup
ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup
ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup
ET MOBILE_MALWARE SSL/TLS Certificate Observed (Betcity CnC)
ET MOBILE_MALWARE Android/xDrop Ransomware CnC Checkin
ET MOBILE_MALWARE Android Malvertising Communication
ET MOBILE_MALWARE ActionSpy CnC (POST)
ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (urlpush .net)
ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (free247downloads .com)
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (chretiendaujoudhui .com)
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (leprotestant .com)
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (vie-en-islam .com)
ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (viedechretien .org)
ET MOBILE_MALWARE Backdoor.AndroidOS.Ahmyth.f (DNS Lookup)
ET MOBILE_MALWARE Android Joker CnC Configuration Retrieval
ET MOBILE_MALWARE TransparentTribe AhMyth RAT Variant Activity (POST)
ET MOBILE_MALWARE Android.Trojan.Rana.A (wherisdomaintv .com in DNS Lookup)
ET MOBILE_MALWARE Android.Trojan.Rana.A (whoisdomainpc .com in DNS Lookup)
ET MOBILE_MALWARE Android.Trojan.Rana.A (fullplayersoftware .com in DNS Lookup)
ET MOBILE_MALWARE Android.Trojan.Rana.A (softwareplayertop .com in DNS Lookup)
ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com)
ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net)
ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net)
ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (bananakick .net)
ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (stilloak .net)
ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (flowersarrows .com)
ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST)
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (bald-panel .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (hawkshaw-cae48 .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (spitfirepanel .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (phoenix-panel .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Android GolfSpy (services4me .net in TLS SNI)
ET MOBILE_MALWARE ITW Android Post-Exploit Downloader CnC Activity
ET MOBILE_MALWARE Possible Phenakite User-Agent
ET MOBILE_MALWARE Phenakite Audio Upload CnC
ET MOBILE_MALWARE Phenakite Image Upload CnC activity
ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .appspot .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .firebaseio .com in DNS Lookup)


ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .appspot .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (calculator-1e016 .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (calculator-1e016 .appspot .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .appspot .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (play-store-51182 .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (play-store-51182 .appspot .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .appspot .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (es-last-telegram .firebaseio .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (es-last-telegram .appspot .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (margarita-smith .host in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasibauik .co in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebcak .co in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebcck .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebcoki .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebcak .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasbcaok .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebaak .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebaok .co in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebaook .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (fasebaok .com in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (log-yoahao .co in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (log-yoheo .info in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (kevin-good .top in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (marty-colvard .top in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (anna-sanchez .online in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (wendy-johnston .pw in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (jennifer-marler .pw in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (goerge-amper .website in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (joe-rumley .pw in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (stacks-zadar .website in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (richardbeman .info in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (vickeryduncan .site in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (moggfelicio .info in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (stevensmalley .pro in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (kentporter .site in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (chad-jessie .info in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (julie-parker .top in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (lordblackwood .club in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (tim-jordan .info in DNS Lookup)
ET MOBILE_MALWARE Arid Viper (hannah-parsons .info in DNS Lookup)
ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 2
ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 3
ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin
ET MOBILE_MALWARE PJobRat System Exfil to CnC
ET MOBILE_MALWARE PJobRat CnC Checkin
ET MOBILE_MALWARE NSO Pegasus iOS Activity (GET)
ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Activity (GET)
ET MOBILE_MALWARE NSO Pegasus iOS CnC Domain in DNS Lookup (opposedarrangement .net)
ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Gatekeeper Activity (GET)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)
ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (quantumbots .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (marcobrando .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (montanatony .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (smoothcbots .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (omegabots .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (gogleadser .xyz in TLS SNI)
ET MOBILE_MALWARE Oscorp/UBEL Activity
ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (callbinary .xyz in TLS SNI)
ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST)
ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M2
ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M3
ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M4
ET MOBILE_MALWARE Android Vultr Checkin
ET MOBILE_MALWARE Android/FlyTrap Activity (POST)
ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot update)
ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (number update)
ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (session cookie delete)
ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot registration)
ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (log post)
ET MOBILE_MALWARE Android/Spy.Agent.BEH Variant Activity (POST)


ET MOBILE_MALWARE Observed APT-C-23 Related Domain (linda-gaytan .website in TLS SNI)
ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (linda-gaytan .website)
ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (javan-demsky .website)
ET MOBILE_MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (google-play .serveftp .com)
ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin M2
ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup)
ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Anatsa Checkin
ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup) 2
ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in DNS Lookup)
ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in TLS SNI)
ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in DNS Lookup)
ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in TLS SNI)
ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in DNS Lookup)
ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in TLS SNI)
ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in DNS Lookup)
ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in DNS Lookup)
ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in TLS SNI)
ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in TLS SNI)
ET MOBILE_MALWARE Coper Banking Trojan Related Domain in DNS Lookup
ET MOBILE_MALWARE Android/FluBot Trojan Sending Information (POST)
ET MOBILE_MALWARE AndroidOS/Basbanke.A Activity (POST)
ET MOBILE_MALWARE Android.BankBot.11270 (DNS Lookup)
ET MOBILE_MALWARE Android.BankBot.11270 (TLS SNI)
ET MOBILE_MALWARE Android/TrojanDropper.Agent.GWO Checkin
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (DNS Lookup)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (TLS SNI)
ET MOBILE_MALWARE Android/SharkBot Related Domain in DNS Lookup
ET MOBILE_MALWARE Android.Trojan.AndroRAT.CE Checkin
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup)
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI)
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 2
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 2
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 3
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 3
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 4
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 4
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 5
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 5
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 6
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 6
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 7
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 7
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 8
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 8
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 9
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 9
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 10
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 10
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 11
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 11
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 12
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 12
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI)
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23
ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24
ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in DNS Lookup)
ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in TLS SNI)
ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in DNS Lookup)
ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in TLS SNI)
ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in DNS Lookup)
ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in TLS SNI)
ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in DNS Lookup)
ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in TLS SNI)
ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in DNS Lookup)
ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in TLS SNI)
ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in DNS Lookup)
ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in TLS SNI)
ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (ifn1h8ag1g .com in TLS SNI)
ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (s22231232fdnsjds .top in TLS SNI)
ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (equisdeperson .space in TLS SNI)
ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (xipxesip .design in TLS SNI)


ET MOBILE_MALWARE Observed Android/SpyLoan.9ef8bf95 Domain (api .dreamloan .cc in TLS SNI)
ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI
ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET)
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba Lure (Package Delivery)
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Origami.b / Donot DNS Lookup
ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Origami.b / Donot Domain in TLS SNI
ET MOBILE_MALWARE Android ERMAC Banker (PL) Related Domain in DNS Lookup (bolt-food .site)
ET MOBILE_MALWARE Observed Android ERMAC Banker (PL) Domain (bolt-food .site in TLS SNI)
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Revive Banking Trojan Initial Checkin Activity (POST)
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Dropper Checkin Activity (POST)
ET MOBILE_MALWARE Android.Trojan.Banker.XJ Activity
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Ermak.a Checkin
ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.hf Checkin
ET MOBILE_MALWARE Android/IRATA CnC Domain (rimotgozaran .tk) in DNS Lookup
ET MOBILE_MALWARE Android/IRATA CnC Domain (rimot-anitain .tk) in DNS Lookup
ET MOBILE_MALWARE Observed Android/IRATA Domain (rimotgozaran .tk) in TLS SNI
ET MOBILE_MALWARE Observed Android/IRATA Domain (rimot-anitain .tk) in TLS SNI
ET MOBILE_MALWARE Android/IRATA Data Exfiltration Attempt
ET MOBILE_MALWARE Android/Zanubis CnC Domain (fullcircleteam .com) in DNS Lookup
ET MOBILE_MALWARE XX-Net VPN Client CnC Checkin
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.aam CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Ransom.AndroidOS.Agent.bi CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Ransom.AndroidOS.Agent.bi CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Guerrilla.h CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Drinik Checkin Activity (POST)
ET MOBILE_MALWARE Android/Drinik Activity (POST)
ET MOBILE_MALWARE Android/Drinik Activity M2 (POST)
ET MOBILE_MALWARE Android/Drinik CnC Domain (gia .3utilities .com) in DNS Lookup
ET MOBILE_MALWARE Android/RatMilad CnC Checkin
ET MOBILE_MALWARE Android/RatMilad CnC Domain (api .numrent .shop) in DNS Lookup
ET MOBILE_MALWARE Android/ShartBot CNC Domain (cdopea .store) in DNS Lookup
ET MOBILE_MALWARE Bahamut Group Fake VPN Payload Delivery Domain (thesecurevpn .com) in DNS Lookup
ET MOBILE_MALWARE Bahamut Group Fake VPN CnC Domain (ft8hua063okwfdcu21pw .de) in DNS Lookup
ET MOBILE_MALWARE Android/LoanBee Data Stealer Data Exfiltration Domain (api .loanbee .tech) in DNS Lookup
ET MOBILE_MALWARE Android/Spy.Agent.AKS CnC Domain in DNS Lookup
ET MOBILE_MALWARE Backdoor.AndroidOS.Xhunter.a CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.ld CnC Domain in DNS Lookup


ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.ld CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Spy.Vultur.A CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ta CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Banbra.aa CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Spy.SmsSpy.XC CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Spy.Banker.BOF CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android.Backdoor.866.origin CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Rewardsteal.e CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Gigabud CnC Domain (lionaiothai .com) in DNS Lookup
ET MOBILE_MALWARE Android/Gigabud CnC Domain (cmnb9 .cc) in DNS Lookup
ET MOBILE_MALWARE Android/Gigabud CnC Domain (bweri6 .cc) in DNS Lookup
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M1
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M2
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M3
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M4
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M5
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M6
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M7
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M8
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M9
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M10
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M11
ET MOBILE_MALWARE Android/Gigabud CnC Check-in M12
ET MOBILE_MALWARE Android/FakeCalls CnC Server Response
ET MOBILE_MALWARE Android/Spy.Banker.BTO CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Harly.AO CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Banker.AndroidOS.GoatRat CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan-Ransom.AndroidOS.CryCrypt.c Checkin
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Trojan/iOS Operation Triangulation CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/Spy.Bahamut.I CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup


ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup

319 of 382 2024-03-01, 14:05


ipfire.localdomain - Intrusion Prevention System https://192.168.222.254:444/cgi-bin/ids.cgi

ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup

320 of 382 2024-03-01, 14:05


ipfire.localdomain - Intrusion Prevention System https://192.168.222.254:444/cgi-bin/ids.cgi

ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup

321 of 382 2024-03-01, 14:05


ipfire.localdomain - Intrusion Prevention System https://192.168.222.254:444/cgi-bin/ids.cgi

ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS
Lookup Lookup
ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup
ET MOBILE_MALWARE Android/InfamousChisel.InfoStealer APT28/SANDWORM Data Exfiltration
ET MOBILE_MALWARE Android/MMRAT Data Exfiltration Attempt
ET MOBILE_MALWARE Android/MMRAT CnC Checkin M1
ET MOBILE_MALWARE Android/MMRAT CnC Checkin M2
ET MOBILE_MALWARE Android Nexus Banking Botnet Activity (GET)
ET MOBILE_MALWARE Fake Rocket Alerts App Sending Phone Information (POST)
ET MOBILE_MALWARE Android FastViewer Variant Check-In (GET)
ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (ks8cb .cc)
ET MOBILE_MALWARE Observed GoldDigger Domain (ks8cb .cc in TLS SNI)
ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (bv8k .xyz)
ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (t8bc .xyz)
ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (hzc5 .xyz)
ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (ms2ve .cc)
ET MOBILE_MALWARE GoldDigger CnC Domain in DNS Lookup (zu7kt .cc)
ET MOBILE_MALWARE Observed GoldDigger Domain (bv8k .xyz in TLS SNI)
ET MOBILE_MALWARE Observed GoldDigger Domain (t8bc .xyz in TLS SNI)
ET MOBILE_MALWARE Observed GoldDigger Domain (hzc5 .xyz in TLS SNI)
ET MOBILE_MALWARE Observed GoldDigger Domain (ms2ve .cc in TLS SNI)
ET MOBILE_MALWARE Observed GoldDigger Domain (zu7kt .cc in TLS SNI)
ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (blsdk5 .cc)
ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (nnzf1 .cc)
ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (bweri6 .cc)
ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (bc2k .xyz)
ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (re6s .xyz)
ET MOBILE_MALWARE Gigabud CnC Domain in DNS Lookup (js6kk .xyz)
ET MOBILE_MALWARE Observed Gigabud Domain (re6s .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Gigabud Domain (js6kk .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Gigabud Domain (bc2k .xyz in TLS SNI)
ET MOBILE_MALWARE Observed Gigabud Domain (bweri6 .cc in TLS SNI)
ET MOBILE_MALWARE Observed Gigabud Domain (nnzf1 .cc in TLS SNI)
ET MOBILE_MALWARE Observed Gigabud Domain (blsdk5 .cc in TLS SNI)
ET MOBILE_MALWARE Android Kamran Malware Related CnC Domain in DNS Lookup
emerging-netbios.rules
ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit
ET NETBIOS LSA exploit
ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP)
ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k)
ET NETBIOS MS04-007 Kill-Bill ASN1 exploit attempt
ET NETBIOS ms05-011 exploit
ET NETBIOS SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability
ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt
ET NETBIOS SMB-DS DCERPC PnP bind attempt
ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt
ET NETBIOS SMB DCERPC PnP bind attempt
ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt
ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)
ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)
ET NETBIOS Remote SMB2.0 DoS Exploit
ET NETBIOS windows recycler request - suspicious
ET NETBIOS windows recycler .exe request - suspicious
ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution
ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow
ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt
ET NETBIOS Tree Connect AndX Request IPC$ Unicode
ET NETBIOS PolarisOffice Insecure Library Loading - SMB ASCII
ET NETBIOS PolarisOffice Insecure Library Loading - SMB Unicode
ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution
ET NETBIOS DCERPC WMI Remote Process Execution
ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement
ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement
GPL NETBIOS x86 Linux samba overflow
GPL NETBIOS DOS RFPoison
GPL NETBIOS NT NULL session
GPL NETBIOS SMB ADMIN$ share access
GPL NETBIOS SMB C$ share access
GPL NETBIOS SMB CD..
GPL NETBIOS SMB CD...
GPL NETBIOS SMB D$ share access
GPL NETBIOS SMB IPC$ share access
GPL NETBIOS SMB IPC$ unicode share access
GPL NETBIOS xp_reg* - registry access
GPL NETBIOS xp_reg* registry access
GPL NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt
GPL NETBIOS RFParalyze Attempt
GPL NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt
GPL NETBIOS SMB trans2open buffer overflow attempt
GPL NETBIOS SMB winreg create tree attempt
GPL NETBIOS SMB winreg unicode create tree attempt
GPL NETBIOS SMB startup folder access
GPL NETBIOS SMB startup folder unicode access
GPL NETBIOS DCERPC invalid bind attempt
GPL NETBIOS SMB DCERPC invalid bind attempt
GPL NETBIOS DCERPC ISystemActivator bind attempt
GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt
GPL NETBIOS DCERPC Remote Activation bind attempt
GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt
GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt
GPL NETBIOS DCERPC Messenger Service buffer overflow attempt
GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt
GPL NETBIOS SMB DCERPC Workstation Service bind attempt
GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt
GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt
GPL NETBIOS DCERPC Workstation Service direct service bind attempt
GPL NETBIOS DCERPC Workstation Service direct service access attempt
GPL NETBIOS SMB-DS DCERPC print spool bind attempt
GPL NETBIOS SMB-DS DCERPC enumerate printers request attempt
GPL NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt
GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt
GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt
GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt
GPL NETBIOS SMB Session Setup AndX request username overflow attempt
GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt
GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt
GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt
GPL NETBIOS SMB-DS IPC$ share access
GPL NETBIOS SMB-DS IPC$ unicode share access
GPL NETBIOS SMB D$ unicode share access
GPL NETBIOS SMB-DS D$ share access
GPL NETBIOS SMB-DS D$ unicode share access
GPL NETBIOS SMB C$ unicode share access
GPL NETBIOS SMB-DS C$ share access
GPL NETBIOS SMB-DS C$ unicode share access
GPL NETBIOS SMB ADMIN$ unicode share access
GPL NETBIOS SMB-DS ADMIN$ share access
GPL NETBIOS SMB-DS ADMIN$ unicode share access
GPL NETBIOS SMB-DS winreg create tree attempt
GPL NETBIOS SMB-DS winreg unicode create tree attempt
GPL NETBIOS SMB-DS winreg bind attempt
GPL NETBIOS SMB-DS winreg unicode bind attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt
GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt
GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt
GPL NETBIOS DCERPC LSASS bind attempt
GPL NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt
GPL NETBIOS SMB DCERPC LSASS unicode bind attempt
GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt
GPL NETBIOS SMB DCERPC LSASS bind attempt
GPL NETBIOS SMB-DS DCERPC LSASS bind attempt
GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt
GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt
GPL NETBIOS DCERPC LSASS direct bind attempt
GPL NETBIOS SMB DCERPC LSASS direct bind attempt
GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt
GPL NETBIOS NS lookup response name overflow attempt
GPL NETBIOS SMB repeated logon failure
GPL NETBIOS SMB-DS repeated logon failure
GPL NETBIOS SMB nddeapi create tree attempt
GPL NETBIOS SMB nddeapi unicode create tree attempt
GPL NETBIOS SMB-DS nddeapi create tree attempt
GPL NETBIOS SMB-DS nddeapi unicode create tree attempt
GPL NETBIOS SMB nddeapi bind attempt
GPL NETBIOS SMB nddeapi unicode bind attempt
GPL NETBIOS SMB-DS nddeapi bind attempt
GPL NETBIOS SMB-DS nddeapi unicode bind attempt
GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt
GPL NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt
GPL NETBIOS SMB winreg bind attempt
GPL NETBIOS SMB winreg unicode bind attempt
GPL NETBIOS SMB InitiateSystemShutdown attempt
GPL NETBIOS SMB InitiateSystemShutdown little endian attempt
GPL NETBIOS SMB InitiateSystemShutdown unicode attempt
GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt
GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt
GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt
GPL NETBIOS SMB too many stacked requests
GPL NETBIOS SMB-DS too many stacked requests
GPL NETBIOS SMB-DS IPC$ andx share access
GPL NETBIOS SMB-DS IPC$ unicode andx share access
GPL NETBIOS SMB nddeapi andx create tree attempt
GPL NETBIOS SMB nddeapi unicode andx create tree attempt
GPL NETBIOS SMB-DS nddeapi andx create tree attempt
GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt
GPL NETBIOS SMB nddeapi andx bind attempt
GPL NETBIOS SMB nddeapi unicode andx bind attempt
GPL NETBIOS SMB-DS nddeapi andx bind attempt
GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt
GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt
GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt
GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt
GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt
GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt
GPL NETBIOS SMB-DS D$ andx share access
GPL NETBIOS SMB-DS D$ unicode andx share access
GPL NETBIOS SMB-DS C$ andx share access
GPL NETBIOS SMB-DS C$ unicode andx share access
GPL NETBIOS SMB-DS ADMIN$ andx share access
GPL NETBIOS SMB-DS ADMIN$ unicode andx share access
GPL NETBIOS SMB winreg andx create tree attempt
GPL NETBIOS SMB winreg unicode andx create tree attempt
GPL NETBIOS SMB-DS winreg andx create tree attempt
GPL NETBIOS SMB-DS winreg unicode andx create tree attempt
GPL NETBIOS SMB winreg andx bind attempt
GPL NETBIOS SMB winreg unicode andx bind attempt
GPL NETBIOS SMB-DS winreg andx bind attempt
GPL NETBIOS SMB-DS winreg unicode andx bind attempt
GPL NETBIOS SMB InitiateSystemShutdown andx attempt
GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt
GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt
GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt
GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt
GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt
GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt
GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt
GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt
GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt
GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt
GPL NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt
GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE DACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt
GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt
GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt
GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
GPL NETBIOS SMB llsrpc create tree attempt
GPL NETBIOS SMB llsrpc unicode create tree attempt
GPL NETBIOS SMB llsrpc andx create tree attempt
GPL NETBIOS SMB llsrpc unicode andx create tree attempt
GPL NETBIOS SMB-DS llsrpc create tree attempt
GPL NETBIOS SMB-DS llsrpc unicode create tree attempt
GPL NETBIOS SMB-DS llsrpc andx create tree attempt
GPL NETBIOS SMB-DS llsrpc unicode andx create tree attempt
GPL NETBIOS SMB llsrpc bind attempt
GPL NETBIOS SMB llsrpc little endian bind attempt
GPL NETBIOS SMB llsrpc unicode bind attempt
GPL NETBIOS SMB llsrpc unicode little endian bind attempt
GPL NETBIOS SMB llsrpc andx bind attempt
GPL NETBIOS SMB llsrpc little endian andx bind attempt
GPL NETBIOS SMB llsrpc unicode andx bind attempt
GPL NETBIOS SMB llsrpc unicode little endian andx bind attempt
GPL NETBIOS SMB-DS llsrpc bind attempt
GPL NETBIOS SMB-DS llsrpc little endian bind attempt
GPL NETBIOS SMB-DS llsrpc unicode bind attempt
GPL NETBIOS SMB-DS llsrpc unicode little endian bind attempt
GPL NETBIOS SMB-DS llsrpc andx bind attempt
GPL NETBIOS SMB-DS llsrpc little endian andx bind attempt
GPL NETBIOS SMB-DS llsrpc unicode andx bind attempt
GPL NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt
GPL NETBIOS SMB llsrconnect overflow attempt
GPL NETBIOS SMB llsrconnect little endian overflow attempt
GPL NETBIOS SMB llsrconnect unicode overflow attempt
GPL NETBIOS SMB llsrconnect unicode little endian overflow attempt
GPL NETBIOS SMB llsrconnect andx overflow attempt
GPL NETBIOS SMB llsrconnect little endian andx overflow attempt
GPL NETBIOS SMB llsrconnect unicode andx overflow attempt
GPL NETBIOS SMB llsrconnect unicode little endian andx overflow attempt
GPL NETBIOS SMB-DS llsrconnect overflow attempt
GPL NETBIOS SMB-DS llsrconnect little endian overflow attempt
GPL NETBIOS SMB-DS llsrconnect unicode overflow attempt
GPL NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt
GPL NETBIOS SMB-DS llsrconnect andx overflow attempt
GPL NETBIOS SMB-DS llsrconnect little endian andx overflow attempt
GPL NETBIOS SMB-DS llsrconnect unicode andx overflow attempt
GPL NETBIOS SMB-DS llsrconnect unicode little endian andx overflow
GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt
attempt
GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt
GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt
GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt
GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt
GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow
GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt
attempt
GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow
GPL NETBIOS DCERPC msqueue bind attempt
attempt
GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow
GPL NETBIOS DCERPC msqueue little endian bind attempt
attempt
GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt GPL NETBIOS SMB msqueue bind attempt
GPL NETBIOS SMB msqueue little endian bind attempt GPL NETBIOS SMB msqueue unicode bind attempt
GPL NETBIOS SMB msqueue unicode little endian bind attempt GPL NETBIOS SMB msqueue andx bind attempt
GPL NETBIOS SMB msqueue little endian andx bind attempt GPL NETBIOS SMB msqueue unicode andx bind attempt
GPL NETBIOS SMB msqueue unicode little endian andx bind attempt GPL NETBIOS SMB-DS msqueue bind attempt
GPL NETBIOS SMB-DS msqueue little endian bind attempt GPL NETBIOS SMB-DS msqueue unicode bind attempt
GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt GPL NETBIOS SMB-DS msqueue andx bind attempt
GPL NETBIOS SMB-DS msqueue little endian andx bind attempt GPL NETBIOS SMB-DS msqueue unicode andx bind attempt
GPL NETBIOS SMB-DS msqueue unicode little endian andx bind
GPL NETBIOS SMB CoGetInstanceFromFile overflow attempt
attempt
GPL NETBIOS SMB CoGetInstanceFromFile little endian overflow
GPL NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt
attempt
GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian
GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt
overflow attempt
GPL NETBIOS SMB CoGetInstanceFromFile little endian andx overflow GPL NETBIOS SMB CoGetInstanceFromFile unicode andx overflow
attempt attempt
GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx
GPL NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt
overflow attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow
attempt attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian
GPL NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt
overflow attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow
overflow attempt attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian
GPL NETBIOS name query overflow attempt TCP
andx overflow attempt
GPL NETBIOS name query overflow attempt UDP
GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian
GPL NETBIOS WINS name query overflow attempt UDP
GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian
GPL NETBIOS SMB winreg bind attempt
GPL NETBIOS SMB winreg little endian bind attempt
GPL NETBIOS SMB winreg unicode bind attempt
GPL NETBIOS SMB winreg unicode little endian bind attempt
GPL NETBIOS SMB winreg andx bind attempt
GPL NETBIOS SMB winreg little endian andx bind attempt
GPL NETBIOS SMB winreg unicode andx bind attempt
GPL NETBIOS SMB winreg unicode little endian andx bind attempt
GPL NETBIOS SMB-DS winreg bind attempt
GPL NETBIOS SMB-DS winreg little endian bind attempt
GPL NETBIOS SMB-DS winreg unicode bind attempt
GPL NETBIOS SMB-DS winreg unicode little endian bind attempt
GPL NETBIOS SMB-DS winreg andx bind attempt
GPL NETBIOS SMB-DS winreg little endian andx bind attempt
GPL NETBIOS SMB-DS winreg unicode andx bind attempt
GPL NETBIOS SMB-DS winreg unicode little endian andx bind attempt
GPL NETBIOS SMB OpenKey overflow attempt
GPL NETBIOS SMB OpenKey little endian overflow attempt
GPL NETBIOS SMB OpenKey unicode overflow attempt
GPL NETBIOS SMB OpenKey unicode little endian overflow attempt
GPL NETBIOS SMB OpenKey andx overflow attempt
GPL NETBIOS SMB OpenKey little endian andx overflow attempt
GPL NETBIOS SMB OpenKey unicode andx overflow attempt
GPL NETBIOS SMB OpenKey unicode little endian andx overflow attempt
GPL NETBIOS SMB-DS OpenKey overflow attempt
GPL NETBIOS SMB-DS OpenKey little endian overflow attempt
GPL NETBIOS SMB-DS OpenKey unicode overflow attempt
GPL NETBIOS SMB-DS OpenKey unicode little endian overflow attempt
GPL NETBIOS SMB-DS OpenKey andx overflow attempt
GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt
GPL NETBIOS SMB-DS OpenKey unicode andx overflow attempt
GPL NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt
GPL NETBIOS Messenger message little endian overflow attempt
GPL NETBIOS Messenger message overflow attempt
GPL NETBIOS DCERPC irot bind attempt
GPL NETBIOS DCERPC irot little endian bind attempt
GPL NETBIOS DCERPC IrotIsRunning attempt
GPL NETBIOS DCERPC IrotIsRunning little endian attempt
GPL NETBIOS SMB irot bind attempt
GPL NETBIOS SMB irot little endian bind attempt
GPL NETBIOS SMB irot unicode bind attempt
GPL NETBIOS SMB irot unicode little endian bind attempt
GPL NETBIOS SMB irot andx bind attempt
GPL NETBIOS SMB irot little endian andx bind attempt
GPL NETBIOS SMB irot unicode andx bind attempt
GPL NETBIOS SMB irot unicode little endian andx bind attempt
GPL NETBIOS SMB-DS irot bind attempt
GPL NETBIOS SMB-DS irot little endian bind attempt
GPL NETBIOS SMB-DS irot unicode bind attempt
GPL NETBIOS SMB-DS irot unicode little endian bind attempt
GPL NETBIOS SMB-DS irot andx bind attempt
GPL NETBIOS SMB-DS irot little endian andx bind attempt
GPL NETBIOS SMB-DS irot unicode andx bind attempt
GPL NETBIOS SMB-DS irot unicode little endian andx bind attempt
GPL NETBIOS SMB IrotIsRunning attempt
GPL NETBIOS SMB IrotIsRunning little endian attempt
GPL NETBIOS SMB IrotIsRunning unicode attempt
GPL NETBIOS SMB IrotIsRunning unicode little endian attempt
GPL NETBIOS SMB IrotIsRunning andx attempt
GPL NETBIOS SMB IrotIsRunning little endian andx attempt
GPL NETBIOS SMB IrotIsRunning unicode andx attempt
GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt
GPL NETBIOS SMB-DS IrotIsRunning attempt
GPL NETBIOS SMB-DS IrotIsRunning little endian attempt
GPL NETBIOS SMB-DS IrotIsRunning unicode attempt
GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt
GPL NETBIOS SMB-DS IrotIsRunning andx attempt
GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt
GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt
GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt
GPL NETBIOS DCERPC IActivation bind attempt
GPL NETBIOS DCERPC IActivation little endian bind attempt
GPL NETBIOS SMB IActivation bind attempt
GPL NETBIOS SMB IActivation little endian bind attempt
GPL NETBIOS SMB IActivation unicode bind attempt
GPL NETBIOS SMB IActivation unicode little endian bind attempt
GPL NETBIOS SMB IActivation andx bind attempt
GPL NETBIOS SMB IActivation little endian andx bind attempt
GPL NETBIOS SMB IActivation unicode andx bind attempt
GPL NETBIOS SMB IActivation unicode little endian andx bind attempt
GPL NETBIOS SMB-DS IActivation bind attempt
GPL NETBIOS SMB-DS IActivation little endian bind attempt
GPL NETBIOS SMB-DS IActivation unicode bind attempt
GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt
GPL NETBIOS SMB-DS IActivation andx bind attempt
GPL NETBIOS SMB-DS IActivation little endian andx bind attempt
GPL NETBIOS SMB-DS IActivation unicode andx bind attempt
GPL NETBIOS SMB-DS IActivation unicode little endian andx bind attempt
GPL NETBIOS SMB ISystemActivator bind attempt
GPL NETBIOS SMB ISystemActivator little endian bind attempt
GPL NETBIOS SMB ISystemActivator unicode bind attempt
GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt
GPL NETBIOS SMB ISystemActivator andx bind attempt
GPL NETBIOS SMB ISystemActivator little endian andx bind attempt
GPL NETBIOS SMB ISystemActivator unicode andx bind attempt
GPL NETBIOS SMB ISystemActivator unicode little endian andx bind attempt
GPL NETBIOS SMB-DS ISystemActivator bind attempt
GPL NETBIOS SMB-DS ISystemActivator little endian bind attempt
GPL NETBIOS SMB-DS ISystemActivator unicode bind attempt
GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt
GPL NETBIOS SMB-DS ISystemActivator andx bind attempt
GPL NETBIOS SMB-DS ISystemActivator little endian andx bind attempt
GPL NETBIOS SMB-DS ISystemActivator unicode andx bind attempt
GPL NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt
GPL NETBIOS SMB RemoteActivation attempt
GPL NETBIOS SMB RemoteActivation little endian attempt
GPL NETBIOS SMB RemoteActivation unicode attempt
GPL NETBIOS SMB RemoteActivation unicode little endian attempt
GPL NETBIOS SMB RemoteActivation andx attempt
GPL NETBIOS SMB RemoteActivation little endian andx attempt
GPL NETBIOS SMB RemoteActivation unicode andx attempt
GPL NETBIOS SMB RemoteActivation unicode little endian andx attempt
GPL NETBIOS SMB-DS RemoteActivation attempt
GPL NETBIOS SMB-DS RemoteActivation little endian attempt
GPL NETBIOS SMB-DS RemoteActivation unicode attempt
GPL NETBIOS SMB-DS RemoteActivation unicode little endian attempt
GPL NETBIOS SMB-DS RemoteActivation andx attempt
GPL NETBIOS SMB-DS RemoteActivation little endian andx attempt
GPL NETBIOS SMB-DS RemoteActivation unicode andx attempt
GPL NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt
GPL NETBIOS SMB CoGetInstanceFromFile attempt
GPL NETBIOS SMB CoGetInstanceFromFile little endian attempt
GPL NETBIOS SMB CoGetInstanceFromFile unicode attempt
GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt
GPL NETBIOS SMB CoGetInstanceFromFile andx attempt
GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt
GPL NETBIOS SMB CoGetInstanceFromFile unicode andx attempt
GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile andx attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt
GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt
emerging-p2p.rules
emerging-phishing.rules
ET PHISHING Paypal Phishing victim POSTing data
ET PHISHING Potential Paypal Phishing Form Attachment
ET PHISHING Potential ACH Transaction Phishing Attachment
ET PHISHING Successful Generic Credit Card Information Phish
ET PHISHING Successful Generic PII Phish
ET PHISHING Successful Bank of America Phish M1 Oct 01 2012
ET PHISHING Possible Successful AOL Phish Nov 21 2012
ET PHISHING Possible Successful Yahoo Phish Nov 21 2012
ET PHISHING Possible Successful Gmail Phish Nov 21 2012
ET PHISHING Possible Successful Hotmail Phish Nov 21 2012
ET PHISHING Possible Successful Phish - Other Credentials Nov 21 2012
ET PHISHING Spam Campaign JPG CnC Link
ET PHISHING Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012
ET PHISHING Possible Successful Generic SSN Phish
ET PHISHING PHISH Generic - Bank and Routing
ET PHISHING Successful PayPal Phish Nov 30 2012
ET PHISHING Successful Google Account Phish Dec 04 2012
ET PHISHING PHISH Bank - York - Creds Phished
ET PHISHING Successful PayPal Phish Dec 19 2012
ET PHISHING Possible Successful Phish - Generic POST to myform.php Feb 01 2013
ET PHISHING Possible Generic Phishing Landing Jul 12 2013
ET PHISHING Possible Successful AOL Phish Nov 25 2013
ET PHISHING Possible Successful Yahoo Phish Nov 25 2013
ET PHISHING Possible Successful Gmail Phish Nov 25 2013
ET PHISHING Possible Successful Remax Phish - Hotmail Creds Nov 25 2013
ET PHISHING Possible Successful Phish - Other Credentials Nov 25 2013
ET PHISHING Apple Phishing Landing Jan 30 2014
ET PHISHING PHISH Visa - Landing Page
ET PHISHING Possible Successful Verified by Visa Phish Jan 30 2014
ET PHISHING Possible Phish - Mirrored Website Comment Observed
ET PHISHING Possible iTunes Phishing Landing - Title over non SSL
ET PHISHING Successful iTunes Phish Mar 21 2014
ET PHISHING Successful iTunes Phish Mar 21 2014
ET PHISHING Possible Phish - Saved Website Comment Observed
ET PHISHING Possible Phishing E-ZPass Email Toll Notification July 30 2014
ET PHISHING Potential Sofacy Phishing Redirect
ET PHISHING Operation Huyao Landing Page Nov 07 2014
ET PHISHING Operation Huyao Phishing Page Nov 07 2014
ET PHISHING Successful AOL/PayPal Phish Nov 24 2014
ET PHISHING Successful PayPal Phish Nov 24 2014
ET PHISHING Successful Paypal Phish Nov 24 2014
ET PHISHING Successful Paypal Phish Nov 24 2014
ET PHISHING PayPal Phishing Landing Nov 24 2014
ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL
ET PHISHING Possible Tsukuba Banker Edwards Packed proxy.pac
ET PHISHING Successful Adobe Phish Jun 17 2015
ET PHISHING Successful Google Drive Phish June 17 2015
ET PHISHING Successful Dropbox Phish June 17 2015
ET PHISHING Possible Successful Remax Phish - AOL Creds Jun 23 2015
ET PHISHING Possible Successful Yahoo Phish Jun 23 2015
ET PHISHING Possible Successful Remax Phish - Other Creds Jun 23 2015
ET PHISHING Possible Google Drive/Dropbox Phishing Landing Jul 10 2015
ET PHISHING Google Drive Phishing Landing M1 July 24 2015
ET PHISHING Google Drive Phishing Landing M2 July 24 2015
ET PHISHING Possible Generic Phishing Landing Jul 28 2015
ET PHISHING Possible Generic Phishing Landing Jul 28 2015
ET PHISHING Possible Generic Phishing Landing Jul 28 2015
ET PHISHING Possible Generic Phishing Landing Jul 28 2015
ET PHISHING Possible Successful Generic Phish - Three Security Questions
ET PHISHING Possible Successful Generic Phish - Credit Card
ET PHISHING Possible Successful Phish - Generic Status Messages Sept 11 2015
ET PHISHING Successful Phish Outlook Credentials Oct 01 2015
ET PHISHING Potential Data URI Phishing Oct 02 2015
ET PHISHING Successful Paypal Account Phish Oct 30
ET PHISHING Successful Paypal Account Phish 2015-10-30 2
ET PHISHING Successful Paypal Account Phish 2015-10-30 3
ET PHISHING Jimdo.com Phishing PDF via HTTP
ET PHISHING Google Drive (Remax) Phish Landing Nov 4
ET PHISHING Mailbox Renewal Phish Landing Nov 13
ET PHISHING Revalidation Phish Landing Nov 13 2015
ET PHISHING Jimdo Outlook Web App Phishing Landing Nov 16
ET PHISHING Netsolhost SSL Proxying - Possible Phishing Nov 24 2015
ET PHISHING Generic Phishing Landing Uri Nov 25 2015
ET PHISHING Successful Google Drive Phish Dec 4 2015 M1
ET PHISHING Chrome Extension Phishing DNS Request
ET PHISHING Chrome Extension Phishing HTTP Request
ET PHISHING Suspicious LastPass URI Structure - Possible Phishing
ET PHISHING Possible Phishing Landing via GetGoPhish Phishing Tool
ET PHISHING Successful Phishing Attempt via GetGoPhish Phishing Tool
ET PHISHING Successful Apple Phish M1 Feb 06 2016
ET PHISHING Successful Apple Phish M2 Feb 06 2016
ET PHISHING Successful Apple Phish M3 Feb 06 2016
ET PHISHING JS Obfuscation - Possible Phishing 2016-03-01
ET PHISHING Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016
ET PHISHING Successful Enom Phish Mar 08 2016
ET PHISHING Possible Chase Phishing Domain Mar 14 2016
ET PHISHING Possible Apple Phishing Domain Mar 14 2016
ET PHISHING Possible USAA Phishing Domain Mar 14 2016
ET PHISHING Possible Paypal Phishing Domain Mar 14 2016
ET PHISHING PhishMe.com Phishing Exercise - Client Plugins
ET PHISHING PhishMe.com Phishing Landing Exercise
ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17
ET PHISHING Successful Google Drive/Dropbox Phish Nov 20 2016
ET PHISHING Successful Bank of Oklahoma Phish M1 Jul 21 2016
ET PHISHING Successful Bank of Oklahoma Phish M2 Jul 21 2016
ET PHISHING Successful Apple Suspended Account Phish M1 Aug 09 2016
ET PHISHING Successful Apple Suspended Account Phish M2 Aug 09 2016
ET PHISHING Apple Suspended Account Phishing Landing Aug 09 2016
ET PHISHING Excel Online Phishing Landing Aug 09 2016
ET PHISHING Adobe Shared Document Phishing Landing Nov 19 2015
ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016
ET PHISHING Successful Excel Phish Aug 15 2016
ET PHISHING Email Storage Upgrade Phishing Landing 2016-08-15
ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M1
ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M2
ET PHISHING Possible Square Enix Phishing Domain 2016-08-15
ET PHISHING Possible Bank of America Phishing Domain Aug 15 2016
ET PHISHING Successful Netflix Phish Aug 17 2016
ET PHISHING Netflix Phishing Landing 2016-08-17
ET PHISHING Possible Google Drive Phishing Domain Aug 25 2016
ET PHISHING Possible Successful Phish to .tk domain Aug 26 2016
ET PHISHING Form Data Submitted to yolasite.com - Possible Phishing
ET PHISHING Possible Fake AV Phone Scam Long Domain Sept 15 2016
ET PHISHING DNS Query to Ebay Phishing Domain
ET PHISHING Successful Tesco Bank Phish M1 Nov 08 2016
ET PHISHING Successful Tesco Bank Phish M2 Nov 08 2016
ET PHISHING Possible Cartasi Phishing Domain Nov 08 2016
ET PHISHING XBOOMBER Paypal Phishing Landing Nov 28 2016
ET PHISHING Successful XBOOMBER Paypal Phish Nov 28 2016
ET PHISHING Successful iCloud Phish Oct 10 2016
ET PHISHING Possible Linkedin Phishing Domain Dec 09 2016
ET PHISHING Possible Phishing Redirect Dec 13 2016
ET PHISHING Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016
ET PHISHING Successful Bradesco Bank Phish M1 Jan 05 2017
ET PHISHING Successful Bradesco Bank Phish M2 Jan 05 2017
ET PHISHING Successful National Bank Phish Jan 05 2017
ET PHISHING Paypal Phishing Landing Jan 09 2017
ET PHISHING Possible Successful Generic Paypal Phish Jan 23 2016
ET PHISHING Successful Paypal Phish Jan 23 2017
ET PHISHING Successful RBC Royal Bank Phish Jan 30 2017
ET PHISHING Possible Ebay Phishing Domain Jan 30 2017
ET PHISHING Possible Successful Ebay Phish Jan 30 2017
ET PHISHING Possible Discover Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Chase Phish Feb 02 2017
ET PHISHING Possible Successful Apple Phishing Domain Feb 02 2017
ET PHISHING Possible Successful USAA Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Paypal Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Bank of America Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Google Drive Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Cartasi Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Ebay Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Linkedin Phishing Domain Feb 02 2017
ET PHISHING Possible Successful Discover Phish Feb 02 2017
ET PHISHING DNS Request to NilePhish Domain 01
ET PHISHING DNS Request to NilePhish Domain 02
ET PHISHING DNS Request to NilePhish Domain 03
ET PHISHING DNS Request to NilePhish Domain 04
ET PHISHING DNS Request to NilePhish Domain 05
ET PHISHING DNS Request to NilePhish Domain 06
ET PHISHING DNS Request to NilePhish Domain 07
ET PHISHING DNS Request to NilePhish Domain 08
ET PHISHING DNS Request to NilePhish Domain 09
ET PHISHING DNS Request to NilePhish Domain 10
ET PHISHING DNS Request to NilePhish Domain 11
ET PHISHING DNS Request to NilePhish Domain 12
ET PHISHING DNS Request to NilePhish Domain 13
ET PHISHING DNS Request to NilePhish Domain 14
ET PHISHING DNS Request to NilePhish Domain 15
ET PHISHING DNS Request to NilePhish Domain 16
ET PHISHING DNS Request to NilePhish Domain 17
ET PHISHING DNS Request to NilePhish Domain 18
ET PHISHING DNS Request to NilePhish Domain 19
ET PHISHING DNS Request to NilePhish Domain 20
ET PHISHING DNS Request to NilePhish Domain 21
ET PHISHING DNS Request to NilePhish Domain 22
ET PHISHING DNS Request to NilePhish Domain 23
ET PHISHING DNS Request to NilePhish Domain 24
ET PHISHING DNS Request to NilePhish Domain 25
ET PHISHING DNS Request to NilePhish Domain 26
ET PHISHING DNS Request to NilePhish Domain 27
ET PHISHING DNS Request to NilePhish Domain 28
ET PHISHING DNS Request to NilePhish Domain 29
ET PHISHING DNS Request to NilePhish Domain 30
ET PHISHING DNS Request to NilePhish Domain 31
ET PHISHING DNS Request to NilePhish Domain 32
ET PHISHING DNS Request to NilePhish Domain 33
ET PHISHING DNS Request to NilePhish Domain 34
ET PHISHING DNS Request to NilePhish Domain 35
ET PHISHING Possible Successful Craigslist Phishing Domain Feb 07 2017
ET PHISHING Successful Apple Phish Feb 09 2017
ET PHISHING Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017
ET PHISHING Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017
ET PHISHING Successful WeTransfer Phish Oct 04 2016
ET PHISHING Successful Apple Account Phish Feb 17 2017
ET PHISHING Successful iCloud (CN) Phish Feb 17 2017
ET PHISHING Successful California Bank & Trust Phish Feb 17 2017
ET PHISHING Possible Phishing Verified by Visa title over non SSL Feb 17 2017
ET PHISHING Successful Banco Itau (BR) Mobile Phish Feb 17 2017
ET PHISHING Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017
ET PHISHING Possible Phishing Redirect Feb 24 2017
ET PHISHING Successful Craigslist (RO) Phish M1 Feb 24 2017
ET PHISHING Successful Craigslist (RO) Phish M2 Feb 24 2017
ET PHISHING Successful Orderlink (IN) Phish Feb 24 2017
ET PHISHING Paypal Phishing Redirect M1 Feb 24 2017
ET PHISHING Paypal Phishing Redirect M2 Feb 24 2017
ET PHISHING Common Paypal Phishing URI Feb 24 2017
ET PHISHING Paypal Phishing Landing Feb 24 2017
ET PHISHING Successful Paypal Phish Mar 13 2017
ET PHISHING Successful National Bank Phish Mar 13 2017
ET PHISHING Successful Instagram Phish Mar 14 2017
ET PHISHING Successful Paypal Phish Mar 14 2017
ET PHISHING Successful iCloud Phish Mar 15 2017
ET PHISHING Successful Apple Phish M1 Mar 15 2017
ET PHISHING Successful Apple Phish M2 Mar 15 2017
ET PHISHING Windows Settings Phishing Landing Jul 22 2016
ET PHISHING Successful Paypal Phish Mar 22 2017
ET PHISHING Successful RBC Royal Bank Phish Mar 27 2017
ET PHISHING Successful Mail.ru Phish Apr 04 2017
ET PHISHING Successful HM Revenue & Customs Phish M1 Apr 07 2017
ET PHISHING Successful HM Revenue & Customs Phish M2 Apr 07 2017
ET PHISHING Successful Santander Phish M1 Apr 07 2017
ET PHISHING Successful Santander Phish M2 Apr 07 2017
ET PHISHING Successful Santander Phish M3 Apr 07 2017
ET PHISHING Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing
ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017
ET PHISHING iCloud Phishing Landing 2016-09-02
ET PHISHING Successful iCloud Phish Apr 20 2017
ET PHISHING Successful Alitalia Airline Phish Apr 20 2017
ET PHISHING Miniproxy Cloned Page - Possible Phishing Landing
ET PHISHING Successful Scotiabank Phish M1 May 24 2017
ET PHISHING Successful Scotiabank Phish M2 May 24 2017
ET PHISHING Successful Banco do Brasil Phish Mar 30 2017
ET PHISHING Successful Banco do Brasil Phish May 25 2017
ET PHISHING Successful Poste Italiane Phish Jun 08 2017
ET PHISHING Successful Banco Itau (BR) Phish Jun 09 2017
ET PHISHING Successful Apple Phish Jun 09 2017
ET PHISHING Possible Successful Hostinger Generic Phish Jun 09 2017
ET PHISHING Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017
ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL
ET PHISHING Possible iCloud Phishing Landing - Title over non SSL
ET PHISHING Possible Docusign Phishing Landing - Title over non SSL
ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL
ET PHISHING Possible Alibaba Phishing Landing - Title over non SSL
ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL
ET PHISHING Possible Excel Online Phishing Landing - Title over non SSL
ET PHISHING Possible Paypal Phishing Landing - Title over non SSL
ET PHISHING Possible Free Mobile Phishing Landing - Title over non SSL
ET PHISHING Possible AOL Mail Phishing Landing - Title over non SSL
ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL
ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL
ET PHISHING Possible Facebook Help Center Phishing Landing - Title over non SSL
ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL
ET PHISHING Possible Adobe PDF Phishing Landing - Title over non SSL
ET PHISHING Possible DHL Phishing Landing - Title over non SSL
ET PHISHING Possible Adobe ID Phishing Landing - Title over non SSL
ET PHISHING Possible Facebook Phishing Landing - Title over non SSL
ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL
ET PHISHING Amazon Phish Landing Jun 22 2017
ET PHISHING Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017
ET PHISHING Possible Phishing Blockchain title over non SSL Jul 10 2017
ET PHISHING Possible Capitech Internet Banking Phishing Landing - Title over non SSL
ET PHISHING Possible Facebook Phishing Landing - Title over non SSL
ET PHISHING Successful Netflix Payment Phish M1 Jan 04 2017
ET PHISHING DNS Query to Generic 107 Phishing Domain
ET PHISHING HTTP POST to Free Webhost - Possible Successful Phish (site40 . net) Jul 18 2017
ET PHISHING Phishery Phishing Tool - Default SSL Certificate Observed
ET PHISHING Successful Mail.ru Phish Aug 10 2017
ET PHISHING Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017
ET PHISHING Successful Paypal Phish M2 Aug 14 2017
ET PHISHING Successful Paypal Phish M3 Aug 14 2017
ET PHISHING Successful Square Phish Nov 16 2015
ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016
ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016
ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016
ET PHISHING Possible Successful Generic Phish (set) Jun 8 2016
ET PHISHING Possible Successful Generic Phish (set) Jul 13 2016
ET PHISHING Possible Successful Generic Phish (set) Aug 19 2016
ET PHISHING Possible Successful Generic Phish (set) Sept 02 2016
ET PHISHING Possible Successful Generic Phish (set) Oct 13 2016
ET PHISHING Possible Successful Generic Phish (set) Oct 25 2016
ET PHISHING Possible Successful Generic Phish (set) Oct 26 2016
ET PHISHING Possible Successful Generic Phish (set) Nov 15 2016
ET PHISHING Possible Successful Generic Phish (set) Nov 16 2016
ET PHISHING Possible Successful Generic Phish (set) Nov 22 2016
ET PHISHING Possible Successful Generic Phish (set) Dec 07 2016
ET PHISHING Possible Successful Generic Phish (set) Dec 13 2016
ET PHISHING Possible Successful Generic Phish (set) Dec 20 2016
ET PHISHING Possible Successful Generic Phish (set) Dec 27 2016
ET PHISHING Possible Successful Generic Phish (set) Jan 03 2017 ET PHISHING Possible Successful Generic Phish (set) Jan 12 2017
ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017 ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017
ET PHISHING Possible Successful Generic Phish (set) May 24 2017 ET PHISHING Possible Successful Generic Phish (set) May 25 2017
ET PHISHING Possible Successful Generic Phish (set) May 31 2017 ET PHISHING Possible Successful Generic Phish (set) Jun 08 2017
ET PHISHING Possible Successful Generic Phish (set) Jul 06 2017 ET PHISHING Possible Successful Generic Phish (set) Jul 10 2017
ET PHISHING Possible YapiKredi Bank (TR) Phishing Landing - Title
ET PHISHING Possible Successful Generic Phish (set) Jul 11 2017
over non SSL
ET PHISHING Successful RBC Royal Bank Phish M1 Aug 17 2017 ET PHISHING Successful RBC Royal Bank Phish M2 Aug 17 2017
ET PHISHING Possible Interac Phish Aug 18 2017 ET PHISHING Possible Successful Generic Phish (set) Aug 25 2017
ET PHISHING Successful Poloniex Cryptocurrency Exchange Phish Aug
ET PHISHING Successful Blockchain Account Phish Aug 19 2016
28 2017
ET PHISHING Successful Exmo Cryptocurrency Exchange Phish Aug ET PHISHING Successful Paxful Cryptocurrency Wallet Phish Aug 30
28 2017 2017
ET PHISHING Possible NatWest Bank Phishing Landing - Title over non ET PHISHING Possible NatWest Bank Phishing Landing - Title over non
SSL SSL
ET PHISHING Possible NatWest Bank Phishing Landing - Title over non
ET PHISHING Possible Successful Generic Phish (set) Aug 31 2017
SSL
ET PHISHING Successful LocalBitcoins Cryptocurrency Exchange Phish
ET PHISHING Dropbox Phishing Landing - Title over non SSL
Aug 30 2017
ET PHISHING Apple Phishing Landing M1 Sep 14 2017 ET PHISHING Apple Phishing Landing M2 Sep 14 2017
ET PHISHING Apple Phishing Landing M3 Sep 14 2017 ET PHISHING Possible Apple Phishing Landing - Title over non SSL
ET PHISHING Possible Raiffeisen Bank Phishing Landing - Title over
ET PHISHING Successful Banco do Brasil Phish M1 Sep 29 2017
non SSL
ET PHISHING Successful Banco do Brasil Phish M2 Sep 29 2017 ET PHISHING Successful Banco do Brasil Phish M3 Sep 29 2017
ET PHISHING Possible Scotiabank Phishing Landing - Title over non ET PHISHING Possible Desjardins Phishing Landing - Title over non
SSL SSL
ET PHISHING Possible BMO Bank of Montreal Phishing Landing - Title
ET PHISHING Possible CIBC Phishing Landing - Title over non SSL
over non SSL
ET PHISHING Phishing Landing Oct 04 2017 ET PHISHING Successful Santander Phish M1 Oct 04 2017
ET PHISHING Successful Santander Phish M3 Oct 04 2017 ET PHISHING Successful Santander Phish M2 Oct 04 2017
ET PHISHING Possible Facebook Phishing Landing - Title over non SSL ET PHISHING Possible Paypal Phishing Domain (IT) Oct 10 2017
ET PHISHING Possible Successful Paypal Phishing Domain (IT) Oct 10 2017
ET PHISHING Successful Ziraat Bankasi (TK) Phish M1 Oct 12 2017
ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL
ET PHISHING Successful Ziraat Bankasi (TK) Phish M2 Oct 12 2017
ET PHISHING Successful Paypal Phish Oct 16 2017 ET PHISHING Successful Paypal (FR) Phish Oct 16 2017
ET PHISHING 401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive Nov 02 2017
ET PHISHING Successful HMRC Phish Oct 18 2017
ET PHISHING Raiffeisen Phishing Domain Nov 03 2017 ET PHISHING Sparkasse Phishing Domain Nov 03 2017
ET PHISHING BankAustria Phishing Domain Nov 03 2017 ET PHISHING Successful Raiffeisen Phish Nov 03 2017
ET PHISHING Successful Sparkasse Phish Nov 03 2017 ET PHISHING Successful BankAustria Phish Nov 03 2017
ET PHISHING Possible Paypal Phishing Landing - Title over non SSL ET PHISHING Browser Plugin Detect - Observed in Apple Phishing
ET PHISHING Successful Generic AES Phish M1 Oct 24 2017 ET PHISHING Successful Generic AES Phish M2 Oct 24 2017
ET PHISHING Possible Successful Phish to Hostinger Domains Apr 4 M4
ET PHISHING Successful OWA Phish Apr 25 2017
ET PHISHING Possible Successful Websocket Credential Phish Sep 15 2017
ET PHISHING Successful Personalized OWA Webmail Phish Oct 04 2016
ET PHISHING Successful TeamIPwned Phish 2016-08-30 ET PHISHING Google Drive Phishing Landing Sept 3
ET PHISHING Possible Successful Generic Phish Jan 14 2016 ET PHISHING Possible Phishing Redirect Feb 09 2016
ET PHISHING Possible Successful Generic Phish (set) Nov 20 2017 ET PHISHING Successful Tesco Bank Phish (set) Jul 17 2017
ET PHISHING Successful Tesco Phish (set) M1 Jul 18 2017 ET PHISHING Successful Tesco Phish (set) M2 Jul 18 2017
ET PHISHING Successful Tesco Phish (set) M3 Jul 18 2017 ET PHISHING Successful Tesco Phish (set) M4 Jul 18 2017
ET PHISHING Successful Generic Phish (set) Aug 21 2017 ET PHISHING Possible Successful Generic Phish (set) Aug 22 2017
ET PHISHING Possible Successful Generic Phish (set) Sep 19 2017 ET PHISHING Successful Generic Phish (set) Sep 28 2017
ET PHISHING Successful Generic Credit Card Information Phish Oct 10 2017
ET PHISHING Successful Office 365 Phish Oct 10 2017 (set)
ET PHISHING Possible Successful Generic Phish (set) Oct 26 2017 ET PHISHING Successful Generic Phish (set) Oct 30 2017
ET PHISHING Possible Successful Generic Phish Nov 09 2017 (set) ET PHISHING Possible Successful Generic Phish (set) 2017-12-03
ET PHISHING Possible Credentials Sent to Suspicious TLD via HTTP GET
ET PHISHING Successful EDU Phish 2017-12-04
ET PHISHING Possible Successful Generic Phish (set) 2017-12-04 ET PHISHING Possible Facebook Phishing Landing - Title over non SSL
ET PHISHING Possible MyEtherWallet Phishing Landing - Title over non SSL
ET PHISHING Possible Fedex Phishing Landing - Title over non SSL
ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL
ET PHISHING Possible Ziraat Bank (TK) Phishing Landing - Title over non SSL
ET PHISHING Successful Yobit Cryptocurrency Exchange Phish 2017-12-28
ET PHISHING Paypal Phishing Landing 2017-12-26
ET PHISHING Successful HitBTC Cryptocurrency Exchange Phish 2017-12-28
ET PHISHING Successful Liqui Cryptocurrency Exchange Phish 2017-12-28
ET PHISHING Possible Successful Generic Phish (set) 2018-01-02 ET PHISHING Paypal Phishing Landing 2018-01-03
ET PHISHING Dropbox Phishing Landing 2018-01-18 ET PHISHING Chase Phishing Landing 2018-01-18
ET PHISHING Office 365 Phishing Landing 2018-01-18 ET PHISHING Chase Phishing Landing 2018-01-18
ET PHISHING Bank of America Phishing Landing 2018-01-18 M1 ET PHISHING Bank of America Phishing Landing 2018-01-18 M2
ET PHISHING Possible Chase Phishing Landing - Title over non SSL ET PHISHING Paypal Phishing Landing 2018-01-18 M1
ET PHISHING Paypal Phishing Landing 2018-01-18 M2 ET PHISHING Microsoft Questionnaire Phishing Landing 2018-01-19
ET PHISHING Possible Phishing Landing - Common Multiple JS Unescape May 25 2017
ET PHISHING Email Verification/Upgrade Phishing Landing 2018-01-22
ET PHISHING Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing
ET PHISHING Email Server Mobile Security Settings Phishing Landing 2018-01-22
ET PHISHING Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22
ET PHISHING Dropbox Phishing Landing - Title over non SSL
ET PHISHING Blocked Incoming Emails Phishing Landing 2018-01-23 ET PHISHING ABSA Online Phishing Landing 2018-01-23
ET PHISHING AT&T Phishing Landing 2018-01-23 ET PHISHING Facebook Phishing Landing 2018-01-23
ET PHISHING LCL Banque et Assurance (FR) Phishing Landing 2018-01-23
ET PHISHING Paypal Phishing Landing 2018-01-25
ET PHISHING Generic Multi-Email Popupwnd Phishing Landing 2018-01-25
ET PHISHING Generic Multi-Email Phishing Landing 2018-01-25
ET PHISHING Office 365 Phishing Landing 2018-01-25 ET PHISHING Mailbox Phishing Landing 2018-01-29
ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL
ET PHISHING Generic Smail Phishing Landing 2018-01-29
ET PHISHING Apple Phishing Landing 2018-01-29 M1 ET PHISHING Generic Phishing Landing M2 2018-01-29
ET PHISHING Paypal Phishing Landing 2018-01-29 ET PHISHING Office 365 Phishing Landing 2018-01-29
ET PHISHING Microsoft Onedrive Phishing Landing 2018-01-29 ET PHISHING Smartsheet Phishing Landing 2018-01-29
ET PHISHING Possible Phishing Redirect 2018-01-30 ET PHISHING Impots.gouv.fr Phishing Landing 2018-01-30
ET PHISHING Turbotax Phishing Landing 2018-01-30 ET PHISHING Bank of America Phishing Landing 2018-01-30
ET PHISHING Possible Capital One Phishing Landing - Title over non SSL
ET PHISHING Verizon Wireless Phishing Landing 2018-01-30
ET PHISHING Paypal Phishing Landing 2018-01-31 ET PHISHING Apple iTunes Phishing Landing (DE) 2018-01-31
ET PHISHING Mailbox Verification Phishing Landing 2018-01-31 ET PHISHING Hellion Postmaster Phishing Landing 2018-01-31
ET PHISHING Generic Roundcube Multi-Brand Phishing Landing 2018-01-31
ET PHISHING Cloned Website Phishing Landing - Saved Website Comment Observed
ET PHISHING Cloned Website Phishing Landing - Mirrored Website Comment Observed
ET PHISHING Microsoft Live Login Phishing Landing 2018-02-01
ET PHISHING TSB Bank / Lloyds Bank Phishing Landing 2018-02-01 ET PHISHING Wells Fargo Phishing Landing 2018-02-01
ET PHISHING Likely Cloned .EDU Website Phishing Landing 2018-02-02
ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M1
ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M2 ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M3
ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M4 ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M5
ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M6 ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M7
ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M8 ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M9
ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M10 ET PHISHING Banque Populaire Phishing Landing 2018-02-05
ET PHISHING Paypal Phishing Landing 2018-02-05 ET PHISHING Possible Generic Antibots Phishing Landing 2018-02-05
ET PHISHING Facebook Upgrade Payment Phishing Landing 2018-02-05
ET PHISHING Mailbox Upgrade Phishing Landing 2018-02-05
ET PHISHING Yahoo Account Verification Phishing Landing 2018-02-05
ET PHISHING Google/Adobe Shared Document Phishing Landing 2018-02-05
ET PHISHING Orange Phishing Landing 2018-02-05 (FR) ET PHISHING Office 365 Phishing Landing 2018-02-06
ET PHISHING Possible MyEtherWallet Phishing Landing - SSL/TLS Certificate Observed
ET PHISHING Possible MyMonero Phishing Landing - SSL/TLS Certificate Observed
ET PHISHING Ebay Phishing Landing 2018-02-07 ET PHISHING Google Drive Phishing Landing 2018-02-07
ET PHISHING Dropbox Business Phishing Landing 2018-02-07 ET PHISHING Apple Phishing Landing 2018-02-07
ET PHISHING Dropbox Business Phishing Landing 2018-02-07 ET PHISHING Outlook Web App Phishing Landing 2018-02-07
ET PHISHING Dropbox/OneDrive Phishing Landing 2018-02-07 ET PHISHING Chase Phishing Landing 2018-02-07
ET PHISHING Mailbox Verification Phishing Landing 2018-02-07 ET PHISHING Successful Generic .EDU Phish (Legit Set)
ET PHISHING ASB Bank Phishing Landing 2018-02-09 M1 ET PHISHING LinkedIn Phishing Landing 2018-02-09 M1
ET PHISHING ASB Bank Phishing Landing 2018-02-09 M2 ET PHISHING Wells Fargo Phishing Landing 2018-02-09
ET PHISHING LinkedIn Phishing Landing 2018-02-09 M2 ET PHISHING Facebook Phishing Landing 2018-02-09
ET PHISHING Mailbox Revalidation Phishing Landing 2018-02-09 ET PHISHING Facebook Phishing Landing 2018-02-12
ET PHISHING OneDrive Phishing Landing 2018-02-12 ET PHISHING Wells Fargo Phishing Landing 2018-02-12
ET PHISHING Facebook Phishing Landing 2018-02-13 M1 ET PHISHING Facebook Phishing Landing 2018-02-13 M2
ET PHISHING LinkedIn Phishing Landing 2018-02-13 ET PHISHING Capital One Phishing Landing 2018-02-13 M1
ET PHISHING Wells Fargo Phishing Landing 2018-02-13 ET PHISHING Capital One Phishing Landing 2018-02-13 M2
ET PHISHING Generic Email Validation Phishing Landing 2018-02-13 ET PHISHING Possible Successful Generic Phish (set) 2018-02-13
ET PHISHING Dropbox Phishing Landing 2018-02-14 ET PHISHING Linkedin Phishing Landing 2018-02-14
ET PHISHING Possible Wells Fargo Phishing Landing - Title over non SSL
ET PHISHING Facebook Phishing Landing 2018-02-14
ET PHISHING Sparkasse Phishing Landing 2018-02-15 ET PHISHING Dropbox Phishing Landing 2018-02-15
ET PHISHING Facebook Phishing Landing 2018-02-15 ET PHISHING Google Docs Phishing Landing 2018-02-15
ET PHISHING Dropbox Phishing Landing 2018-02-15 ET PHISHING Chase Phishing Landing 2018-02-15
ET PHISHING Square Phishing Landing 2018-02-15 ET PHISHING Successful Generic Multi-Account Phish 2018-02-16
ET PHISHING Spotify Phishing Landing 2018-02-19 ET PHISHING Smartermail Phishing Landing 2018-02-20
ET PHISHING USAA Phishing Landing 2018-02-20 ET PHISHING Yahoo Phishing Landing 2018-02-20
ET PHISHING Wells Fargo Phishing Landing 2018-02-22 ET PHISHING Office 365 Phishing Landing 2018-02-22
ET PHISHING Upgrade Advantage Phishing Landing 2018-02-22 ET PHISHING Wells Fargo Phishing Landing 2018-02-22
ET PHISHING Credit Mutuel de Bretagne (FR) Phishing Landing 2018-02-26
ET PHISHING Craigslist Phishing Landing 2018-02-26
ET PHISHING Facebook Mobile Phishing Landing 2018-02-26 ET PHISHING Mailbox Update Phishing Landing 2018-02-26
ET PHISHING Suspicious Browser Plugin Detect - Observed in Phish Landings
ET PHISHING Amazon Phishing Landing (DE) 2018-02-26
ET PHISHING OneDrive Phishing Landing 2018-03-08 ET PHISHING Successful Generic Phish (set) 2018-03-12
ET PHISHING Chalbhai Phishing Landing 2018-03-12 ET PHISHING Successful O2 Phish 2018-03-12
ET PHISHING Successful Wells Fargo Phish 2018-03-12 ET PHISHING Upgrade Email Account Phishing Landing 2018-03-12
ET PHISHING Retrieve Pending Emails Phishing Landing 2018-03-12 ET PHISHING Ourtime Phishing Landing 2018-03-12
ET PHISHING Successful Generic Phish (set) 2018-03-13 ET PHISHING Adobe PDF Reader Phishing Landing 2018-03-27
ET PHISHING IRS Phishing Landing 2018-03-28 ET PHISHING Chase Phishing Landing 2018-03-28
ET PHISHING Impots Phishing Landing 2018-03-28 ET PHISHING Comcast/Xfinity Phishing Landing 2018-03-30
ET PHISHING Wells Fargo Phishing Landing 2018-04-09 ET PHISHING DHL Phishing Landing 2018-04-09
ET PHISHING Chase Phishing Landing 2018-04-09 ET PHISHING [eSentire] Docusign Phishing Landing 2018-04-09
ET PHISHING s0m3 Phishing Landing 2018-04-09 ET PHISHING Paypal Phishing Landing 2018-04-09
ET PHISHING Facebook Phishing Landing 2018-04-09 ET PHISHING OneDrive Phishing Landing 2018-04-09
ET PHISHING Apple Phishing Landing 2018-04-09 ET PHISHING Post.ch Cloned Phishing Landing 2018-04-09
ET PHISHING Google Drive Phishing Landing 2018-04-14 ET PHISHING Successful Halkbank Phish M1 2018-04-16
ET PHISHING Successful Halkbank Phish M2 2018-04-16 ET PHISHING Successful Facebook Phish 2018-04-16
ET PHISHING Successful DenizBank Phish 2018-04-16 ET PHISHING Successful Generic Phish (set) 2018-04-17
ET PHISHING Mail Verification Phishing Landing 2018-04-18 ET PHISHING PDF Cloud Phishing Landing 2018-04-19
ET PHISHING Bank of America Phishing Landing 2018-04-19 ET PHISHING Dropbox 000webhost Phishing Landing 2018-04-19
ET PHISHING Centurylink Phishing Landing 2018-04-19 ET PHISHING MyADP Phishing Landing 2018-04-19
ET PHISHING Microsoft Account Phishing Landing M1 2018-04-19 ET PHISHING Microsoft Account Phishing Landing M2 2018-04-19
ET PHISHING Generic Popupwnd Phishing Landing 2018-04-19 ET PHISHING Comcast/Xfinity Phishing Landing 2018-04-19
ET PHISHING LCL Banque Phishing Landing 2018-04-19 ET PHISHING Outlook Web App Phishing Landing 2018-04-26
ET PHISHING Bank of America Phishing Landing 2018-05-01 ET PHISHING OneDrive Phishing Landing 2018-05-01
ET PHISHING Docusign Phishing Landing 2018-05-01 ET PHISHING Possible Successful Generic Phish (set) 2018-05-02
ET PHISHING Netflix Phishing Landing 2018-05-02 ET PHISHING Paypal Phishing Landing 2018-05-02
ET PHISHING IRS Phishing Landing 2018-05-07 ET PHISHING Successful IRS Phish 2018-05-07
ET PHISHING Possible TSB Bank Phishing Landing 2018-05-07 ET PHISHING Possible Successful TSB Bank Phish 2018-05-07
ET PHISHING Successful Generic Phish 2018-05-08 (set) ET PHISHING Successful Generic Phish 2018-05-08 (set)
ET PHISHING Netflix Phishing Landing 2018-05-09 ET PHISHING Netflix Phishing Landing 2018-05-09
ET PHISHING Paypal Phishing Landing 2018-05-09 ET PHISHING Paypal Phishing Landing 2018-05-09
ET PHISHING Paypal Phishing Landing 2018-05-09 ET PHISHING Paypal Phishing Landing 2018-05-09
ET PHISHING Successful Generic Phish 2018-05-16 (set) ET PHISHING Possible Successful Generic Phish (set) 2018-05-31
ET PHISHING Possible Successful Generic Phish (set) 2018-06-11 ET PHISHING Possible Successful Generic Phish (set) 2018-06-14
ET PHISHING Generic Paypal Phish Kit Landing ET PHISHING Santander Phishing Landing
ET PHISHING Santander Phishing Landing ET PHISHING Microsoft Live Phishing Landing
ET PHISHING Adobe PDF Online Phishing Landing ET PHISHING Banque et Assurances Phishing Landing
ET PHISHING iTunes Connect Phishing Landing ET PHISHING Facebook Phishing Landing
ET PHISHING Microsoft Account Phishing Landing ET PHISHING Paypal Phishing Landing
ET PHISHING Assurance Maladie Phishing Landing ET PHISHING Adobe Phishing Landing
ET PHISHING Capital One Phishing Landing ET PHISHING US Bank Phishing Landing
ET PHISHING American Express Phishing Landing ET PHISHING HM Revenue Phishing Landing
ET PHISHING Generic Phishing Kit Landing ET PHISHING Office 365 Phishing Landing
ET PHISHING [eSentire] Wells Fargo Phishing Landing 2018-06-20 ET PHISHING [eSentire] OneDrive Phishing Landing 2018-06-15
ET PHISHING [eSentire] Successful Generic Phish 2018-06-15 ET PHISHING [eSentire] Successful Personalized Phish 2018-06-15
ET PHISHING Successful Generic Phish 2018-06-27 (set) ET PHISHING Successful Generic Phish (set) 2018-06-29
ET PHISHING Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10
ET PHISHING [eSentire] Adobe Phishing Landing 2018-07-04
ET PHISHING Chalbhai Phishing Landing Feb 18 2016 ET PHISHING Chalbhai Phishing Landing Oct 23 2017
ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing
ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing M1 Dec 28 2015
ET PHISHING Generic Phishing Landing M1 2017-02-13 ET PHISHING Suspicious Dropbox Page - Possible Phishing Landing
ET PHISHING Paypal Phishing Landing Jun 28 2017 ET PHISHING Dropbox Phishing Landing May 31 2017
ET PHISHING Docusign Phishing Landing Mar 08 2017 ET PHISHING Generic Financial Phish Landing 2017-12-21
ET PHISHING Microsoft Live Email Account Phishing Landing Mar 16 2017
ET PHISHING Generic Credential Phishing Landing Aug 11 2015
ET PHISHING Bank of America Phishing Landing Aug 19 2015 ET PHISHING Apple Phishing Landing M2 Feb 13 2017
ET PHISHING Suspicious Google Docs Page - Possible Phishing Landing
ET PHISHING Stripe Phishing Landing Dec 09 2016
ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016
ET PHISHING Wells Fargo Mobile Phishing Landing 2016-08-01
ET PHISHING Shared Document Phishing Landing Nov 16 2016 ET PHISHING Possible Office 365 Phishing Landing 2016-08-24
ET PHISHING Microsoft Live External Link Phishing Landing M2 Feb 14 2017
ET PHISHING Possible Chase Phishing Landing - Title over non SSL
ET PHISHING Mailbox Update Phishing Landing M2 2016-05-16 ET PHISHING Mailbox Update Phishing Landing M1 2016-05-16
ET PHISHING INTERAC Payment Multibank Phishing Landing Mar 14 2017
ET PHISHING Mailbox Shutdown Phishing Landing 2017-12-11
ET PHISHING Google Drive Phishing Landing Nov 6 2015 M2 ET PHISHING Google Drive Phishing Landing Nov 6 2015 M1
ET PHISHING Google Drive Phishing Landing Jul 24 2015 ET PHISHING Google Drive Phishing Landing Jul 10 2015
ET PHISHING Google Drive Phish Landing 2016-09-01 ET PHISHING Generic Phishing Landing 2018-01-12
ET PHISHING Excel/Adobe Online Phishing Landing Nov 25 2015 ET PHISHING Email Settings Error Phishing Landing Nov 16 2016
ET PHISHING Dropbox Shared Document Phishing Landing Feb 21 2017
ET PHISHING Dropbox Phishing Landing Feb 27 2017
ET PHISHING DHL Phish Landing Sept 14 2015 ET PHISHING Chase Mobile Phishing Landing M2
ET PHISHING Chase Account Phish Landing Oct 22 ET PHISHING Apple Phishing Landing Nov 10 2017
ET PHISHING Adobe Online Document Phishing Landing M1 Mar 25 2017
ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7
ET PHISHING Bank of America Phishing Landing ET PHISHING Possible Successful Generic Phish (set) 2018-07-19
ET PHISHING Successful Generic Phish (set) 2018-07-19 ET PHISHING Badoo Phishing Landing 2018-07-19
ET PHISHING GitLab Phishing Landing 2018-07-19 ET PHISHING Github Phishing Landing 2018-07-19
ET PHISHING Twitter Phishing Landing 2018-07-19 ET PHISHING Netflix Phishing Landing 2017-07-20
ET PHISHING LinkedIn Phishing Landing 2017-07-20 ET PHISHING [eSentire] DHL Phish Landing July 24 2018
ET PHISHING [eSentire] Successful 163 Webmail Phish 2018-07-25 ET PHISHING Paypal Phishing Landing 2018-07-30
ET PHISHING Successful Generic Phish (set) 2018-08-01 ET PHISHING Christian Mingle Phishing Landing 2018-08-07
ET PHISHING Microsoft Account Phishing Landing 2018-08-07 ET PHISHING Paypal Phishing Landing 2018-08-07
ET PHISHING Free Mobile Phishing Landing 2018-08-07 ET PHISHING Adobe Phishing Landing 2018-08-07
ET PHISHING Microsoft Ajax Phishing Landing 2018-08-07 ET PHISHING Alibaba Phishing Landing 2018-08-07
ET PHISHING Microsoft Phishing Landing 2018-08-07 ET PHISHING Successful Generic Phish Phish 2018-08-21
ET PHISHING Successful Generic Phish (set) 2018-08-27 ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30
ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30 ET PHISHING Generic AES Phishing Landing 2018-08-30
ET PHISHING Hellion Postmaster Phishing Landing 2018-08-30 ET PHISHING Microsoft Document Phishing Landing 2018-08-30
ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30 ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30
ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30 ET PHISHING Apple AES Phishing Landing 2018-08-30
ET PHISHING Stripe Phishing Landing 2018-08-30 ET PHISHING Adobe PDF Phishing Landing 2018-08-30
ET PHISHING Google Docs Phishing Landing 2018-08-30 ET PHISHING WeTransfer Phishing Landing 2018-08-30
ET PHISHING Bank of America Phishing Landing 2018-08-30 ET PHISHING Bank of America Phishing Landing 2018-08-30
ET PHISHING Generic Mailbox Phishing Landing 2018-08-30 ET PHISHING Generic Mailbox Phishing Landing 2018-08-30
ET PHISHING Dropbox Phishing Landing 2018-08-30 ET PHISHING Linkedin Phishing Landing 2018-08-30
ET PHISHING AT&T Phishing Landing 2018-08-30 ET PHISHING Generic PhishKit Author Comment M1 2018-08-30
ET PHISHING Generic PhishKit Author Comment M2 2018-08-30 ET PHISHING Generic PhishKit Author Comment M3 2018-08-30
ET PHISHING Generic PhishKit Author Comment M4 2018-08-30 ET PHISHING Generic PhishKit Author Comment M5 2018-08-30
ET PHISHING Generic PhishKit Author Comment M6 2018-08-30 ET PHISHING Generic PhishKit Author Comment M7 2018-08-30
ET PHISHING Generic PhishKit Author Comment M8 2018-08-30 ET PHISHING Generic PhishKit Author Comment M9 2018-08-30
ET PHISHING Generic PhishKit Author Comment M10 2018-08-30 ET PHISHING Successful Generic Phish (set) 2018-09-21
ET PHISHING Successful Generic Phish (set) 2018-09-24 ET PHISHING Successful Generic Phish (set) 2018-09-26
ET PHISHING Generic MRxJoker Phishing Landing 2018-09-27 ET PHISHING Successful Generic .EDU.TW Phish (Legit Set)
ET PHISHING Successful Generic Phish (set) 2018-10-10 ET PHISHING Successful Generic Phish (set) 2018-10-10
ET PHISHING DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service
ET PHISHING Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service
ET PHISHING Successful Generic Phish (set) 2018-10-16 ET PHISHING Successful Generic Phish (set) 2018-10-16
ET PHISHING Possible Successful Phish - Generic Credential POST to Ngrok.io
ET PHISHING Successful Generic Phish (set) 2018-10-18
ET PHISHING Successful Fedex/DHL Phish (set) 2018-10-22 ET PHISHING Successful Generic Phish (set) 2018-10-22
ET PHISHING Possible Successful Generic Phish to .ml Domain 2018-10-23
ET PHISHING Possible Successful Generic Phish to .cf Domain 2018-10-23
ET PHISHING Possible Successful Generic Phish to .ga Domain 2018-10-23
ET PHISHING Possible Successful Generic Phish to .gq Domain 2018-10-23
ET PHISHING Possible Successful Generic Phish to .gqn Domain 2018-10-23
ET PHISHING Successful Generic Phish to zap-webspace.com Webhost 2018-10-25
ET PHISHING Successful Cryptocurrency Exchange Phish (set) 2018-10-25
ET PHISHING Generic Xbalti Phishing Landing 2018-11-26
ET PHISHING Suspicious Fake Login - Possible Phishing - 2018-12-31 ET PHISHING Apple Phishing Redirect 2019-01-02
ET PHISHING Suspicious Generic Login - Possible Successful Phish 2019-01-02
ET PHISHING Possible Successful Generic Phish to .icu Domain 2019-02-06
ET PHISHING Successful Generic .EDU.CO Phish (Legit Set) ET PHISHING Successful Generic .EDU.BR Phish (Legit Set)
ET PHISHING Possible Successful Generic Phish (set) 2019-02-13 ET PHISHING Possible Successful Generic Phish (set) 2019-02-13
ET PHISHING Possible Successful Generic Phish (set) 2019-02-13 ET PHISHING Possible Successful Generic Phish (set) 2019-02-13
ET PHISHING Suspicious SSN Parameter in HTTP POST - Possible Phishing
ET PHISHING Suspicious CVV Parameter in HTTP POST - Possible Phishing
ET PHISHING Possible Successful Generic Phish (set) 2019-03-06 ET PHISHING PirateBay Phish - Possibly PirateMatryoshka Related
ET PHISHING Possible Successful Phish - Password Submitted to *.000webhostapp.com
ET PHISHING Successful Generic Phish (set) 2019-04-12
ET PHISHING Request for Possible Binance Phishing Hosted on Github.io
ET PHISHING Request for Possible Paypal Phishing Hosted on Github.io
ET PHISHING Request for Possible Webmail Phishing Hosted on Github.io
ET PHISHING Request for Possible Ebay Phishing Hosted on Github.io
ET PHISHING Request for Possible Account Phishing Hosted on Github.io
ET PHISHING Request for Possible Office Phishing Hosted on Github.io
ET PHISHING Request for Possible Outlook Phishing Hosted on Github.io
ET PHISHING Request for Possible DHL Phishing Hosted on Github.io
ET PHISHING Request for Possible Docusign Phishing Hosted on Github.io
ET PHISHING Request for Possible Adobe Phishing Hosted on Github.io
ET PHISHING Request for Possible Microsoft Phishing Hosted on Github.io
ET PHISHING Request for Possible Facebook Phishing Hosted on Github.io
ET PHISHING Successful Generic Phish 2019-04-30 (set) ET PHISHING Successful Generic Phish (set) 2019-05-21
ET PHISHING Cloned La Banque Postale FR Page - Possible Phishing Landing
ET PHISHING Cloned EWE Telecom Page - Possible Phishing Landing
ET PHISHING Cloned ATB Bank Online Page - Possible Phishing Landing
ET PHISHING Cloned RBC Royal Bank Page - Possible Phishing Landing
ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M1 ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing
ET PHISHING Cloned Instagram Page - Possible Phishing Landing M1 ET PHISHING Cloned Instagram Page - Possible Phishing Landing M2
ET PHISHING Cloned Spotify Page - Possible Phishing Landing ET PHISHING Cloned ADP Page - Possible Phishing Landing
ET PHISHING Cloned Westpac Bank Page - Possible Phishing Landing ET PHISHING Cloned Simplii Page - Possible Phishing Landing
ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M2 ET PHISHING Cloned Chase Page - Possible Phishing Landing
ET PHISHING Cloned Scotiabank Page - Possible Phishing Landing ET PHISHING Cloned Cox Page - Possible Phishing Landing M1
ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing
ET PHISHING Cloned Cox Page - Possible Phishing Landing M2
ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing
ET PHISHING Cloned Telstra Page - Possible Phishing Landing
ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M1
ET PHISHING Cloned Itscom Page - Possible Phishing Landing
ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M2
ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M3
ET PHISHING Cloned Microsoft Office Apps Page - Possible Phishing Landing
ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing
ET PHISHING Cloned Societe Generale FR Page - Possible Phishing Landing
ET PHISHING Cloned Fidelity Page - Possible Phishing Landing
ET PHISHING Cloned Impots Gouv FR Page - Possible Phishing Landing
ET PHISHING Cloned Godaddy Page - Possible Phishing Landing
ET PHISHING Cloned American Express Page - Possible Phishing Landing
ET PHISHING Cloned Dropbox Page - Possible Phishing Landing
ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing ET PHISHING Cloned Match Dating Page - Possible Phishing Landing
ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing
ET PHISHING Cloned South State Bank Page - Possible Phishing Landing
ET PHISHING Cloned Google Tools Page - Possible Phishing Landing ET PHISHING Cloned Yahoo Page - Possible Phishing Landing
ET PHISHING Cloned Discover Page - Possible Phishing Landing ET PHISHING Cloned Linkedin Page - Possible Phishing Landing
ET PHISHING Cloned NAB Page - Possible Phishing Landing ET PHISHING Cloned Ziggo NL Page - Possible Phishing Landing
ET PHISHING Generic Miarroba Phishing Landing ET PHISHING Possible Phishing Landing - Zeus365 Encoding
ET PHISHING SSL/TLS Certificate Observed (Lucy Phishing Awareness Default Certificate)
ET PHISHING Generic Goth Phishing Landing
ET PHISHING Successful France Ministry of Action and Public Accounts Phish 2019-07-04
ET PHISHING France Ministry of Action and Public Accounts Phish Landing
ET PHISHING Successful Generic Miarroba Phish 2019-07-11 ET PHISHING Successful Generic Adobe Phish 2019-07-29
ET PHISHING Possible Protonmail Phishing Domain in DNS Query ET PHISHING Possible Protonmail Phishing Domain in DNS Query
ET PHISHING Possible Protonmail Phishing Domain in DNS Query ET PHISHING Possible Protonmail Phishing Domain in DNS Query
ET PHISHING Possible Protonmail Phishing Domain in DNS Query ET PHISHING Possible Protonmail Phishing Domain in DNS Query
ET PHISHING Possible Protonmail Phishing Domain in DNS Query ET PHISHING Possible Protonmail Phishing Domain in DNS Query
ET PHISHING Possible Protonmail Phishing Domain in DNS Query ET PHISHING Possible Protonmail Phishing Domain in DNS Query
ET PHISHING Possible Protonmail Phishing Domain in DNS Query ET PHISHING Possible Protonmail Phishing Domain in DNS Query
ET PHISHING Possible Protonmail Phishing Domain in DNS Query ET PHISHING Possible Protonmail Phishing Domain in DNS Query
ET PHISHING Possible Phishing Landing Obfuscation 2016-03-17 ET PHISHING Successful Generic Phish (set) 2019-08-23
ET PHISHING Successful Apple Phish (set) 2016-03-01 ET PHISHING Successful Gmail Phish (set) 2016-09-12
ET PHISHING Successful My ADP Phish (set) 2017-02-16 ET PHISHING Successful Bank of America Phish (set) 2016-02-27
ET PHISHING Generic XBALTI Phishing Landing ET PHISHING Facebook Phishing Domain in DNS Lookup
ET PHISHING Possible Successful Generic Phish (set) 2019-11-06 ET PHISHING Possible Successful Generic Phish (set) 2019-11-06
ET PHISHING Successful Generic Email Account Phish 2019-12-10 ET PHISHING Successful Generic Phish (set) 2019-12-12
ET PHISHING Observed Malicious SSL Cert (Office365 Phish Landing Page 2020-01-09)
ET PHISHING Successful Generic Phish 2020-01-29 (set)
ET PHISHING Possible Glitch.me Phishing Domain ET PHISHING Possible Successful Generic Phish Aug 31 2015
ET PHISHING Successful DHL Account Phish 2015-11-03 ET PHISHING Successful DHL Phish 2015-09-14
ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M2
ET PHISHING Successful Mailbox Update Phish 2016-02-17
ET PHISHING Successful Generic Phish (302) 2016-12-16 ET PHISHING Microsoft Office Phishing Landing 2016-12-18
ET PHISHING Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08
ET PHISHING Successful Generic Phish - Fake Loading Page 2017-08-03
ET PHISHING Successful Facebook Mobile Phish 2017-08-15 ET PHISHING Successful Generic .EDU Phish Aug 17 2017
ET PHISHING Successful Generic 000webhostapp.com Phish 2017-10-27
ET PHISHING Successful OX App Suite Phish 2017-10-12
ET PHISHING Successful Facebook Phish 2018-01-26 ET PHISHING Successful Generic Personalized Phish 2018-09-27 M2
ET PHISHING Successful Fedex/DHL Phish 2018-10-22 ET PHISHING Successful Microsoft Account Phish 2019-01-29
ET PHISHING Successful Generic Personalized Phish 2019-02-13 ET PHISHING Successful Generic Mailbox Phish 2019-03-07
ET PHISHING Successful Generic Personalized Phish 2019-03-11 ET PHISHING Successful Facebook Phish 2019-04-12
ET PHISHING Successful Facebook Phish 2019-04-26 ET PHISHING Successful Interac Phish 2019-05-15
ET PHISHING Successful Generic Credit Card Information Phish 2019-06-04
ET PHISHING Successful Generic Credit Card Information Phish 2019-08-02
ET PHISHING Successful Facebook Phish 2019-08-29 ET PHISHING Successful Facebook Phish 2019-08-29
ET PHISHING Successful Generic Credit Card Information Phish 2019-11-04
ET PHISHING Successful DHL Phish 2019-10-18
ET PHISHING Successful Microsoft Account Phish 2019-11-06 ET PHISHING Successful Apple Phish 2019-12-18
ET PHISHING Successful Generic Credit Card Information Phish 2020-01-27
ET PHISHING Successful Facebook Phish 2020-01-10
ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21
ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21
ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21
ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21
ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21
ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21
ET PHISHING Successful Generic Credit Card Information Phish 2020-02-25
ET PHISHING Successful Microsoft Office Phish 2020-02-26
ET PHISHING Fake World Health Organization COVID-19 Portal
ET PHISHING Successful Microsoft Account Phish 2020-03-04
2020-03-20
ET PHISHING Successful World Health Organization COVID-19 Phish
ET PHISHING Successful NHS Webmail Phish 2020-03-23
2020-03-23
ET PHISHING Common Unhidebody Function Observed in Phishing
ET PHISHING UK GOV Identity Verification Phishing Landing
Landing
ET PHISHING Successful Colleagues Quarantined with COVID-19 Phish
ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-25
2020-03-25
ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-26 ET PHISHING Possible Successful COVID-19 Related Phish M1
ET PHISHING Successful Canada Revenue Agency COVID-19
ET PHISHING Possible Successful COVID-19 Related Phish M2
Assistance Eligability Phish 2020-04-01
ET PHISHING Successful Canada Revenue Agency COVID-19 ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility
Assistance Eligability (FR) Phish 2020-04-01 Phishing Landing 2020-04-01
ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility ET PHISHING Possible Successful CDC Coronavirus Related Phish
Phishing Landing 2020-04-01 2020-04-07
ET PHISHING CDC Coronavirus Related Phishing Landing 2020-04-07 ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06
ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06 ET PHISHING OneDrive Phishing Landing 2020-04-10
ET PHISHING OneDrive Phishing Landing 2020-04-10 ET PHISHING Instagram Phishing Landing 2020-04-10
ET PHISHING 16Shop Phishing Kit Accessed on External Compromised
ET PHISHING Spotify Phishing Landing 2020-04-14
Server
ET PHISHING French Government COVID-19 Landing Page ET PHISHING NHS Gov UK COVID-19 Landing Page
ET PHISHING IRS COVID-19 Landing Page ET PHISHING Possible Successful Phish to NOIP DynDNS Domain
ET PHISHING Possible Successful Phish to ChangeIP Dynamic DNS ET PHISHING Possible Successful Phish to Afraid.org Top 100 Dynamic
Domain DNS Domain
ET PHISHING Lucy Security - Phishing Landing Page M1
ET PHISHING Successful Generic Phish (set) 2020-06-10
ET PHISHING Common Form POST - CenturyLink Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11
ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11
ET PHISHING Generic T.Goe Phishing Landing
ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Facebook Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Facebook Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Webmail Mini Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Linkedin Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Cox Phishing Landing 2020-06-11
ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Whatsapp/Facebook Phishing Landing 2020-06-11
ET PHISHING Common Form POST - M&T Bank Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Paypal Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Multibrand Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11
ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Possible Generic Phishing Landing 2020-06-11
ET PHISHING Common Form POST - VK Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Netease Webmail Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Paypal Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Microsoft Account Phishing Landing 2020-06-11
ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11
ET PHISHING Chalbhai Phishing Landing 2020-06-22
ET PHISHING Lucy Security - Successful Phish
ET PHISHING Successful Wombat Phishing Test
ET PHISHING T-Mobile Phishing Landing
ET PHISHING Possible Successful Generic Phish to .ma Domain 2020-07-15
ET PHISHING Possible Successful Phish - Saved Website Comment Observed
ET PHISHING Successful Generic Redeye Phish 2020-07-24
ET PHISHING Generic Phishing Panel Accessed on External Server
ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M1
ET PHISHING Generic Phishing Panel Accessed on Internal Server
ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M2
ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M3
ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M4
ET PHISHING Possible Phishing Landing Captcha Check
ET PHISHING Generic Phishing Panel Accessed on External Server
ET PHISHING Generic Phishing Panel Accessed on Internal Server
ET PHISHING Instagram Fake Copyright Infringement Hosted on 000webhostapp
ET PHISHING Possible Phishing Script Hosted on 000webhostapp
ET PHISHING Observed Let's Encrypt Certificate containing Instagram
ET PHISHING Generic Webmail Phishing Landing
ET PHISHING Generic Financial Phone Support Scam/Phishing Landing M1
ET PHISHING Generic Financial Phone Support Scam/Phishing Landing M2
ET PHISHING Possible Sucessful Generic Phish (set) 2020-08-04
ET PHISHING Possible Generic Microsoft Hosted Phishing Landing M2
ET PHISHING Successful Paxful Cryptocurrency Wallet Phish 2020-08-17
ET PHISHING Possible Successful Credential Phish - Form submitted to submit-form Form Hosting
ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting
ET PHISHING GET Request to Appspot Hosting (set)
ET PHISHING Outlook Web App Phishing Landing on Appspot Hosting
ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting
ET PHISHING Outlook Webapp Phishing Landing on Appspot Hosting
ET PHISHING Linkedin Phishing Landing on Appspot Hosting
ET PHISHING Outlook Web App Phishing Landing on Appspot Hosting
ET PHISHING OneDrive Phishing Landing on Appspot Hosting
ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting
ET PHISHING Adobe Shared Document Phishing Landing on Appspot Hosting
ET PHISHING Possible Webmail Phishing Landing Utilizing Clearbit
ET PHISHING Fedex Phishing Landing on Appspot Hosting
ET PHISHING GET Request to Googleapis Hosting (set)
ET PHISHING Generic Phishing Panel Accessed on External Server
ET PHISHING Generic Phishing Panel Accessed on Internal Server
ET PHISHING Caixa Phishing Landing
ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M5
ET PHISHING Zimbra Phishing Landing on Appspot Hosting
ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M6
ET PHISHING Mailgun Phishing Landing
ET PHISHING Docusign Phishing Landing Hosted via Weebly
ET PHISHING Generic Phishing Landing Hosted via Weebly
ET PHISHING Generic Phishing Landing Hosted via Weebly
ET PHISHING Generic Phishing Landing Hosted via Weebly
ET PHISHING Instagram Phishing Landing 2020-10-13
ET PHISHING Amazon Phishing Landing 2020-10-13
ET PHISHING Possible Instagram Phishing Domain
ET PHISHING Microsoft Account Login Hosted on Firebasestorage
ET PHISHING Possible Successful Generic Web.App Hosted Phish 2020-10-14
ET PHISHING Chase Phish Landing 2020-10-13
ET PHISHING Possible Successful Generic Windows.net Hosted Phish 2020-10-14
ET PHISHING Suntrust Captcha Phishing Landing
ET PHISHING Apple Phishing Panel Accessed on Internal Server
ET PHISHING Apple Phishing Panel Accessed on External Server
ET PHISHING Outlook Phishing Landing 2020-10-23
ET PHISHING Generic Custom Logo Phishing Landing
ET PHISHING Generic Custom Logo Phishing Landing
ET PHISHING Generic Custom Logo Phishing Landing
ET PHISHING Multibank Captcha Phishing Landing
ET PHISHING Suspected Appspot Hosted Phishing Domain
ET PHISHING Cloned IRS Page - Possible Phishing Landing
ET PHISHING Generic Google Firebase Hosted Phishing Landing
ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing
ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing
ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing
ET PHISHING Possible Successful Generic Phish (set) 2020-11-19
ET PHISHING Cloned Instagram Page - Possible Phishing Landing M3
ET PHISHING Chase Phish Landing 2020-11-26
ET PHISHING Generic Tombol Microsoft Account Phishing Landing 2020-12-16
ET PHISHING Successful Clydesdale Bank Phish 2020-12-30
ET PHISHING Apple Phishing Panel Accessed on Internal Compromised Server
ET PHISHING Apple Phishing Panel Accessed on External Compromised Server
ET PHISHING Suspicious TikTok Domain Request - Possible Phishing or Scam
ET PHISHING Possible Instagram Phishing or Scam Landing Page
ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M5
ET PHISHING Possible Successful Credential Phish Oct 1 2015
ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing
ET PHISHING Successful Paypal Phish M1 Dec 8 2015
ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M3
ET PHISHING Suspicious Redirect - Possible Phishing May 25 2016
ET PHISHING Successful Dynamic Folder Phishing Oct 06 2016
ET PHISHING Successful Dynamic Folder Phish Oct 07 2016
ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M4
ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M6
ET PHISHING Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016
ET PHISHING Successful Chase Phish Dec 29 2016
ET PHISHING Successful Chase Phish M1 Aug 15 2017
ET PHISHING Successful Paypal Phish M1 Sep 15 2017
ET PHISHING Successful Paypal Phish M2 Sep 15 2017
ET PHISHING Generic 302 Redirect to Phishing Landing
ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M7
ET PHISHING Successful Outlook Webmail Account Phish 2015-09-02
ET PHISHING Successful Bank of America Phish 2015-10-02
ET PHISHING Successful Paypal Account Phish 2015-10-16
ET PHISHING Yahoo Account Phish Landing 2015-10-23
ET PHISHING Successful Zimbra Phish 2015-11-03
ET PHISHING Outlook WebApp Phish Landing 2015-11-05
ET PHISHING Outlook WebApp Phish Landing 2015-11-05
ET PHISHING Excel Online Phish Landing 2015-12-08
ET PHISHING PHOEN!X Apple Phish Landing Page 2015-12-29
ET PHISHING Base64 HTTP URL Refresh - Common Phish Landing Obfuscation 2016-01-01
ET PHISHING PHOEN!X Phish Loading Page 2015-12-29
ET PHISHING Fake Webmail Account Phishing Landing 2015-09-10
ET PHISHING Phishing Fake Document Loading Error 2015-10-01
ET PHISHING Obfuscated Phishing Landing 2015-11-05
ET PHISHING Metro Document Phishing Landing 2015-11-17
ET PHISHING Wire Transfer Phishing Landing 2015-11-19
ET PHISHING Google Drive Phishing Landing 2015-11-20
ET PHISHING Outlook Webmail Phishing Landing 2015-11-21
ET PHISHING Successful Outlook Webmail Phishing 2015-11-21
ET PHISHING cPanel Phishing Landing 2015-12-01
ET PHISHING Anonisma Phishing Landing 2015-12-01
ET PHISHING Anonisma Paypal Phishing Loading Page 2015-12-29
ET PHISHING Possible Google Drive Phishing Landing 2015-07-13
ET PHISHING Apple Phishing Landing 2015-07-27
ET PHISHING Possible Successful Apple Phish 2015-07-27
ET PHISHING Possible Successful Apple Phish 2015-07-27
ET PHISHING Possible Successful Apple Phish 2015-07-27
ET PHISHING Google Drive Phishing Landing 2015-07-28
ET PHISHING Google Drive Phishing Landing 2015-07-28
ET PHISHING Possible Fedex Phishing Landing 2015-07-28
ET PHISHING Possible Apple Store Phish Landing 2015-07-30
ET PHISHING Possible Apple Store Phish Landing 2015-07-30
ET PHISHING Possible Apple Store Phish Landing 2015-07-30
ET PHISHING Successful Generic Credential Phish - Loading Messages 2015-08-12
ET PHISHING Possible Apple Store Phish Landing 2015-07-30
ET PHISHING Successful Survey Credential Phish 2015-08-12
ET PHISHING Cloud Drive Phish Landing 2015-08-12
ET PHISHING Mailbox Renewal Phish Landing 2015-08-14
ET PHISHING Apple ID Phishing Landing 2015-08-19
ET PHISHING Successful Commonwealth Bank Phish Fake Error Page 2015-08-20
ET PHISHING Horde Webmail Phishing Landing 2015-08-21
ET PHISHING Successful Horde Webmail Phish 2015-08-21
ET PHISHING Successful Fake Webmail Quota Phish 2015-09-10
ET PHISHING DHL Phish Landing Page 2015-10-17
ET PHISHING Successful Battle.net Phish 2015-09-22
ET PHISHING Successful Vmware/Zimbra Phish 2015-09-28
ET PHISHING Successful Outlook Web App Phish 2015-10-15
ET PHISHING Successful Paypal Phish 2015-10-28
ET PHISHING Successful Paypal Phish 2015-10-28 3
ET PHISHING Successful Paypal Phish 2015-11-03 M3
ET PHISHING Successful Paypal Phish 2015-11-03 M4
ET PHISHING Google Drive Phishing Landing 2015-11-06
ET PHISHING Adobe Shared Document Phish Landing 2015-11-14
ET PHISHING Successful Adobe Shared Document Phish 2015-11-14
ET PHISHING DHL Phish Landing 2015-11-14
ET PHISHING Anonisma AES Crypto Observed in Javascript - Possible Phishing Landing 2015-12-29
ET PHISHING Apple Account Phishing Landing 2015-11-18
ET PHISHING Successful Phish Fake Document Loading Error 2015-07-27
ET PHISHING Possible Successful Docusign Phish 2015-07-27
ET PHISHING Possible Successful Google Drive Phish M1 2015-07-28
ET PHISHING Possible Successful Google Drive Phish 2015-07-28
ET PHISHING Possible Successful Fedex Phish 2015-07-28
ET PHISHING Possible Successful Apple Phish 2015-07-30
ET PHISHING Possible Successful Apple Phish 2015-07-31
ET PHISHING Possible Successful Generic Phish 2015-07-31
ET PHISHING Possible Successful AirCanada Phish 2015-08-06
ET PHISHING Successful Email Credential Phish 2015-08-12
ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18
ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18
ET PHISHING Successful Amazon Account Phish 2015-08-21
ET PHISHING Successful Amazon Account Phish 2015-08-21
ET PHISHING Successful Adobe Online Account Phish 2015-08-21
ET PHISHING Successful BBVA Compass Account Phish 2015-08-21
ET PHISHING Successful Carribean International Bank Account Phish 2015-08-25
ET PHISHING Successful Adobe Phish 2015-08-31
ET PHISHING Successful Account Update Phish 2015-09-01
ET PHISHING Successful EDF Account Phish 2015-09-01
ET PHISHING Successful Amazon Phish 2015-09-22
ET PHISHING Successful Chase Phish 2015-09-24
ET PHISHING Successful Chase Phish 2015-09-24
ET PHISHING Successful Chase Phish 2015-09-24
ET PHISHING Successful Adobe Online Phish 2015-09-30
ET PHISHING Successful Bank of America Phish M2 2015-10-02
ET PHISHING Successful Yahoo Credential Phish 2015-10-03
ET PHISHING Successful Alibaba Credential Phish 2015-10-05
ET PHISHING Successful Blackboard Account Phish 2015-10-08
ET PHISHING Successful AOL Phish 2015-10-09
ET PHISHING Successful Apple Phish 2015-10-23
ET PHISHING Successful Bank of America Phish 2015-10-29
ET PHISHING Successful Paypal Phish 2015-10-29
ET PHISHING Successful Bank of Scotland Phish M1 2015-11-05
ET PHISHING Successful Amazon Phish 2015-11-07
ET PHISHING Data Submitted to Weebly.com - Possible Phishing
ET PHISHING Weebly Phishing Landing Observed 2015-11-10
ET PHISHING Google Drive Phishing Landing 2015-11-17
ET PHISHING Successful Adobe Shared Document Phishing 2015-11-20
ET PHISHING Successful Bank of America Phish 2015-11-21
ET PHISHING Successful SFR Phishing 2015-11-24
ET PHISHING Anonisma Phishing CSS 2015-12-01
ET PHISHING Successful Apple Phish M1 2015-12-02
ET PHISHING Successful iCloud Phish 2015-12-02
ET PHISHING Successful Wildblue/CenturyLink Phish 2015-12-08
ET PHISHING Successful Paypal Phish 2015-12-05
ET PHISHING Successful Google Docs Phish 2015-12-09
ET PHISHING Successful Dropbox Phish 2015-12-10
ET PHISHING Successful Chase Phish 2015-12-22
ET PHISHING Successful Paypal Phish 2015-12-24 M1
ET PHISHING Anonisma Phishing CSS 2015-12-29
ET PHISHING Successful Anonisma Paypal Phish 2015-12-29
ET PHISHING Successful PHOEN!X Apple Phish M2 2015-12-29
ET PHISHING Successful Mailbox Renew Phish 2015-08-14
ET PHISHING Successful Apple ID Phish 2015-08-18
ET PHISHING Successful Wells Fargo Account Phish 2015-08-18
ET PHISHING Successful Commonwealth Bank Phish 2015-08-20
ET PHISHING Successful Amazon Account Phish M3 2015-08-21
ET PHISHING Successful Impots.gouv.fr Phish M1 2015-08-21
ET PHISHING Successful Impots.gouv.fr Phish M2 2015-08-21
ET PHISHING Successful OWA Account Phish 2015-08-21
ET PHISHING Successful Horde Webmail Phish 2015-08-21
ET PHISHING Successful Facebook Phish 2015-08-27
ET PHISHING Successful Woodforest Bank Phish M1 2015-08-31
ET PHISHING Successful SFR Account Phish 2015-09-01
ET PHISHING Successful Generic Phish - Phone Number 2015-09-02
ET PHISHING Successful Google Drive Phish Sept 1 M2 2015-09-02
ET PHISHING Successful Webmail Account Phish 2015-09-02
ET PHISHING Successful Telstra Phish M1 2015-09-05
ET PHISHING Successful USAA Phish 2015-09-05
ET PHISHING Successful ViewDocsOnline Phish 2015-09-15
ET PHISHING Successful LinkedIn Phish 2015-09-17
ET PHISHING Successful DHL Phish 2015-09-17
ET PHISHING Successful Google Drive Phish 2015-09-22
ET PHISHING Successful DHL Phish 2015-09-30
ET PHISHING Successful Phish Gmail Recovery Information 2015-10-01
ET PHISHING Successful Mailbox Update Credential Phish 2015-10-02
ET PHISHING Successful Generic Credential Phish 2015-10-03
ET PHISHING Successful Webmail Update Phish 2015-10-08
ET PHISHING Successful Samsung Portal Phish 2015-10-13
ET PHISHING Successful Paypal Account Phish 2015-10-16
ET PHISHING Successful USAA Phish 2015-10-20
ET PHISHING Successful Zimbra Account Phish 2015-10-23
ET PHISHING Successful Paypal Phish 2015-10-23
ET PHISHING Successful Paypal Phish 2015-10-23
ET PHISHING Successful Paypal Phish 2015-10-23
ET PHISHING Successful Paypal Phish 2015-10-23
ET PHISHING Successful Docusign Phish 2015-10-28
ET PHISHING Successful IBC Bank Phish 2015-10-29
ET PHISHING Successful Zimbra Phish 2015-10-30
ET PHISHING Successful NatWest Bank Phish 2015-11-03
ET PHISHING Successful Chase Phish 2015-11-03
ET PHISHING Successful Dropbox Phish 2015-11-04
ET PHISHING Successful UPS Phish 2015-11-05
ET PHISHING Successful LCL Bank Phish 2015-11-05
ET PHISHING Successful Bank of America Phish 2015-11-06
ET PHISHING Successful DHL Phish 2015-11-14
ET PHISHING Successful Tradekey Phish 2015-11-19
ET PHISHING Successful Hinet Phish 2015-11-19
ET PHISHING Successful Excel Online Phish 2015-12-08
ET PHISHING Successful Paypal Phish 2015-12-08 M3
ET PHISHING Anonisma Paypal Phishing Uri Structure 2015-12-29
ET PHISHING Successful Generic L33bo Phish - URI Contents (set)
ET PHISHING Possible Successful Generic Phish (set) 2017-12-19
ET PHISHING Possible Successful Generic Phish (set) 2017-12-20
ET PHISHING Successful Generic Phish 2018-02-26 (set)
ET PHISHING Successful Generic Phish (set) 2018-03-08
ET PHISHING Possible Successful Generic Phish (set) 2019-01-30
ET PHISHING Successful Generic Phish (set) 2019-05-14
ET PHISHING Successful Generic Phish (set) 2019-07-09
ET PHISHING Successful Generic Phish (set) 2020-08-07
ET PHISHING Possible Successful Generic Phish (set) 2020-09-03
ET PHISHING Possible Successful Generic Phish (set) 2020-09-29
ET PHISHING Generic Credential Phish 2020-07-27 (set)
ET PHISHING Possible Successful Phish (Google/Dropbox/Netflix) 2015-07-11
ET PHISHING Possible Successful Generic Phish (set) 2021-03-08
ET PHISHING Successful Wells Fargo Account Phish 2015-08-14
ET PHISHING Successful Outlook Phish 2015-08-18
ET PHISHING Successful Key Bank Phish M1 2015-08-20
ET PHISHING Successful Key Bank Phish M2 2015-08-20
ET PHISHING Successful Wells Fargo/CIBC Bank Phish M1 2015-08-25
ET PHISHING Successful Webmail Phish 2015-08-27
ET PHISHING Successful Google Drive Phish 2015-09-04
ET PHISHING Successful Telstra Phish M2 2015-09-05
ET PHISHING Successful Chase Phish 2015-09-23
ET PHISHING Successful Shipping Document Phish 2015-09-29
ET PHISHING APT SWC PluginDetect Landing Cookie 2015-10-15
ET PHISHING Successful Paypal Phish M2 2015-11-03
ET PHISHING Successful Gmail Phish 2015-11-05
ET PHISHING Successful Squirrelmail Phishing 2015-11-20
ET PHISHING Successful Natwest Bank Phish 2015-11-21
ET PHISHING Successful Wells Fargo Phish M1 2015-11-21
ET PHISHING Successful Wells Fargo Phish M2 2015-11-21
ET PHISHING Successful Outlook Webmail Phishing M2 2015-11-21
ET PHISHING Successful Wildblue Phishing M1 2015-11-24
ET PHISHING Successful Wildblue Phishing M2 2015-11-24
ET PHISHING Successful Xoom Phishing 2015-11-24
ET PHISHING Successful Trademe Phish M3 2015-11-26
ET PHISHING Possible Base64 Obfuscated Phishing Landing 2015-11-30
ET PHISHING Successful Excel Online Phish 2015-11-26
ET PHISHING Successful Chase Phish M2 2015-12-01
ET PHISHING Successful Anonisma Phish 2015-12-01
ET PHISHING Successful Apple Phish M2 2015-12-02
ET PHISHING Successful Halifax Bank Phish M1 2015-12-10
ET PHISHING Successful Dropbox Phish M2 2015-12-10
ET PHISHING Successful US Bank Phish M1 2015-12-22
ET PHISHING Successful US Bank Phish M2 2015-12-22
ET PHISHING Successful PHOEN!X Apple Phish M1 2015-12-29
ET PHISHING Successful Gmail Account Update Phish 2016-05-10
ET PHISHING Microsoft Account Phishing Landing 2021-03-10
ET PHISHING Generic Redirector Phishing Landing 2021-03-10
ET PHISHING Generic Encoded Phishing Landing 2021-03-10
ET PHISHING Generic Custom Logo Phishing Landing 2021-03-10
ET PHISHING Generic NewInjection Phishing Landing 2021-03-10
ET PHISHING Generic NewInjection Phishing Landing 2021-03-10
ET PHISHING Successful WZ-REKLAMA Phish 2016-01-08
ET PHISHING Email Account Exceeded Quota Phishing Landing 2016-07-11
ET PHISHING Successful Adobe Phish M3 2016-07-11
ET PHISHING Base64 Data URI Javascript Refresh - Possible Phishing Landing
ET PHISHING Wells Fargo Phishing Landing 2016-01-07
ET PHISHING Successful Wells Fargo Phish Loading Page 2016-01-07
ET PHISHING IRS Phishing Landing 2016-01-15
ET PHISHING Webmail Update Phishing Landing 2016-01-15
ET PHISHING Successful Paypal Phish M1 2016-01-19
ET PHISHING Successful Paypal Phish 2016-01-15 M2
ET PHISHING Successful Paypal Phish 2016-01-15 M3
ET PHISHING Phishing Landing via Webeden.co.uk (set) 2016-01-22
ET PHISHING Phishing Landing via Webeden.co.uk M1 2016-01-22
ET PHISHING Canada Revenue Agency Phishing Landing 2016-01-25
ET PHISHING Navy Federal Credit Union Phishing Landing 2016-01-30
ET PHISHING USPS Phishing Landing 2016-02-10
ET PHISHING Successful Mailbox Update Phish 2016-02-17 M2
ET PHISHING Possible Phishing Landing - Data URI Inline Javascript 2016-02-09
ET PHISHING Google Maps Phishing Landing 2016-02-17
ET PHISHING USAA Phishing Landing 2016-02-26
ET PHISHING Successful Apple Phishing 2016-03-01 M3
ET PHISHING Apple Phishing Landing 2016-03-01 M2
ET PHISHING Apple Phishing Landing 2016-03-01 M3
ET PHISHING Successful Apple Phishing 2016-03-01 M5
ET PHISHING Phishing Landing via MyFreeSites.com (set) 2016-03-31
ET PHISHING Phishing Landing via MyFreeSites.com M2 2016-03-31
ET PHISHING Phishing Landing via Tripod.com M1 2016-03-31
ET PHISHING Phishing Landing via Tripod.com M2 2016-03-31
ET PHISHING Possible Successful Tripod.com Phish 2016-03-31
ET PHISHING OWA Phishing Landing 2016-04-04 M2
ET PHISHING Email System Manager Phishing Landing 2016-04-12
ET PHISHING Adobe Online Document Phishing Landing M1 2016-04-25
ET PHISHING Adobe Online Document Phishing Landing M2 2016-04-25
ET PHISHING Successful Adobe Online Document Phish 2016-04-25
ET PHISHING Successful Craigslist Phish 2016-04-25
ET PHISHING Successful Citizenbank Phish 2016-05-24 M1
ET PHISHING Successful Citizenbank Phish 2016-05-24 M2
ET PHISHING Phishing Fake Mailbox Quota Increase Messages 2016-05-25
ET PHISHING Suspicious File Download Post-Phishing 2016-05-25
ET PHISHING Successful Paypal Phish 2016-05-26
ET PHISHING Avast Phishing Landing 2016-06-02
ET PHISHING Generic Email Login Phishing Landing 2016-06-02
ET PHISHING DrSpam Phishing Landing 2016-06-08
ET PHISHING DrSpam Phishing Landing CSS 2016-06-08
ET PHISHING Successful DrSpam Phish 2016-06-08 M1
ET PHISHING Successful DrSpam Phish 2016-06-08 M2
ET PHISHING DHL Phishing Landing 2016-07-11
ET PHISHING OneDrive Phishing Landing 2021-03-15
ET PHISHING Phishing Landing via Tripod.com (set) 2016-03-31
ET PHISHING Phishing Landing via Tripod.com Mar 31 M3
ET PHISHING Possible Websc Phishing Page 2016-02-05
ET PHISHING Tripod/Lycos Form Submission - Possible Successful Phish
ET PHISHING Successful US Bank Phish 2016-06-09 M1
ET PHISHING Successful US Bank Phish 2016-06-09 M2
ET PHISHING Email Termination Phishing Landing 2016-06-22
ET PHISHING Webmail Phishing Landing 2016-06-22
ET PHISHING Microsoft Encrypted Email Phishing Landing 2016-06-23
ET PHISHING Possible Phishing Data Submitted to yolasite.com
ET PHISHING Mailbox Upgrade Phishing Landing 2016-06-27
ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M1
ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M2
ET PHISHING Data Submitted to MyFreeSites.com - Possible Phishing
ET PHISHING Possible USAA Phishing Landing 2016-07-05
ET PHISHING Successful Hotmail Phish 2016-07-14
ET PHISHING Synchronize Email Account Phishing Landing 2016-07-15
ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-15
ET PHISHING Successful Generic Webmail Account Phish 2016-07-15
ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-20
ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M1
ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M2
ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M3
ET PHISHING Suspicious Credential POST to FormBuddy.com - Possible Phishing Aug 10 2016
ET PHISHING DHL/EMS Documents Phishing Landing 2016-08-10
ET PHISHING Successful Tectite Web Form Submission - Possible Phishing
ET PHISHING Possible Phishing Landing - Tectite Web Form Abuse
ET PHISHING Adobe Shared Document Phishing Landing Common CSS 2016-08-10
ET PHISHING Successful Gmail Phish M1 2016-08-12
ET PHISHING Successful Phish OWA Credentials 2016-08-16
ET PHISHING Adobe Phishing Landing M1 2016-08-16
ET PHISHING Successful Docusign Phish M1 2016-08-17 ET PHISHING Adobe Shared Document Phishing Landing 2016-08-19
ET PHISHING Universal Webmail Phishing Landing 2016-08-19 ET PHISHING Possible Phishing Data Submitted to yolasite.com M2
ET PHISHING Blocked Email Account Phishing Landing 2016-08-23 ET PHISHING Successful Blocked Email Account Phish M2 2016-08-23
ET PHISHING Targeted Office 365 Phishing Landing 2016-08-23 ET PHISHING Yahoo Password Strength Phishing Landing 2016-08-24
ET PHISHING Successful Yahoo Password Strength Phish M1
ET PHISHING Successful Team IPwned Phish 2016-08-24
2016-08-24
ET PHISHING Successful Yahoo Password Strength Phish M2
ET PHISHING Google Drive Phishing Landing 2016-08-25
2016-08-24
ET PHISHING Successful Chase Phish M1 2016-08-26 ET PHISHING Successful Chase Phish M3 2016-08-26
ET PHISHING Successful Chase Phish M4 2016-08-26 ET PHISHING Suspicious Yahoo Page - Possible Phishing Landing
ET PHISHING Successful Paypal Phish 2016-08-30 ET PHISHING TeamIPwned/Hellion Phishing Landing 2016-08-30
ET PHISHING Successful CIBC Phish 2016-08-30 ET PHISHING Successful Paypal Phish 2016-08-31
ET PHISHING DHL Phishing Landing 2016-08-31 ET PHISHING Successful Dropbox Phish 2016-08-31
ET PHISHING Adobe Shared Document Phishing Landing M2
ET PHISHING Adobe Shared Document Phishing Landing 2016-08-30
2016-08-31
ET PHISHING Outlook 365 Encrypted Email Phishing Landing M1
ET PHISHING Alibaba Phishing Landing 2016-08-31
2016-08-31
ET PHISHING Data Submitted to Webeden.co.uk - Possible Phishing ET PHISHING Data Submitted to Weebly.com - Possible Phishing
ET PHISHING Successful Outlook Password Update Phish M1
ET PHISHING Successful Google Docs Phish 2016-09-01
2016-09-01
ET PHISHING Successful Outlook Password Update Phish M2 ET PHISHING Successful Outlook Password Update Phish M3
2016-09-01 2016-09-01
ET PHISHING Facebook Phishing Landing 2016-09-02 ET PHISHING Successful Facebook Phish 2016-09-02
ET PHISHING Possible Phishing Landing via MoonFruit.com M1
ET PHISHING Possible Phishing Landing via MoonFruit.com (set)
2016-01-22
ET PHISHING Possible Phishing Landing via MoonFruit.com M2 ET PHISHING Possible Phishing Landing via MoonFruit.com M3
2016-01-22 2016-01-22
ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-01-26 ET PHISHING Successful Google Drive Phish 2016-09-02
ET PHISHING Successful Chase Phish 2016-09-02 ET PHISHING Successful Webmail Validator Phish M2 2016-09-02
ET PHISHING Webmail Validator Phishing Landing 2016-09-02 ET PHISHING Account Update Phishing Landing 2016-09-06
ET PHISHING Suspicious Minimal HTTP Refresh to Googledrive.com -
ET PHISHING Successful Paypal Phish 2016-09-06
Possible Phishing
ET PHISHING Successful Microsoft Live Email Account Phish
ET PHISHING Fedex Javascript Phishing Landing 2016-09-08
2016-09-08
ET PHISHING Successful Paypal Phish 2016-09-09 ET PHISHING Successful SeniorPeopleMeet Phish M1 2016-09-14
ET PHISHING Successful SeniorPeopleMeet Phish M2 2016-09-14 ET PHISHING Successful View Samples Phish 2016-09-09
ET PHISHING Successful Wells Fargo Phish M1 2016-09-16 ET PHISHING Successful Wells Fargo Phish M2 2016-09-16
ET PHISHING Successful US Bank Phish 2016-09-20 ET PHISHING Successful Excel Phish 2016-09-26
ET PHISHING Successful Apple Phish 2016-09-27 ET PHISHING Successful FreeMobile (FR) Phish 2016-09-28
ET PHISHING Successful Dropbox Phish 2016-09-29 ET PHISHING Successful Apple Phish M1 2016-09-29
ET PHISHING Successful Postbank Online Banking Phish M1
ET PHISHING Successful Facebook Phish M1 2016-09-30
2016-09-30
ET PHISHING Successful Postbank Online Banking Phish M2
ET PHISHING Possible Phishing Landing via Moonfruit M1 2016-10-03
2016-09-30
ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-10-03 ET PHISHING Suspicious Byethost Phishing Redirect 2016-10-04
ET PHISHING Successful Generic OWA Phish 2016-10-04 ET PHISHING Paypal Phishing Landing (DE) 2016-10-04
ET PHISHING Successful Amazon Phish M1 2016-10-05 ET PHISHING Successful Paypal Phish M2 2016-10-05
ET PHISHING Successful Orange (FR) Phish 2016-10-06 ET PHISHING Successful Supplier Portal Phish 2016-10-07
ET PHISHING Successful DHL Phish 2016-10-07 ET PHISHING Successful Apple Phish (FR) M1 2016-10-07
ET PHISHING Successful Apple Phish (FR) M2 2016-10-07 ET PHISHING Successful Bank of America Phish M2 2016-10-10
ET PHISHING Successful Google Drive Phish 2016-10-11 ET PHISHING Successful Gmail Phish M2 2016-10-12
ET PHISHING Phishing Landing via Webeden.net 2016-10-13 ET PHISHING Successful Yahoo Phish 2016-10-14
ET PHISHING Successful Paypal Phish M1 2016-10-17 ET PHISHING Successful DHL Phish 2016-10-18
ET PHISHING Successful Generic Webmail Phish 2016-10-21 ET PHISHING Successful Wells Fargo Phish 2016-10-21
ET PHISHING Successful Yahoo Phish 2016-10-25 ET PHISHING Successful Banco do Brasil Phish M2 2016-10-25
ET PHISHING Successful Outlook Phish 2016-10-25 ET PHISHING Successful Apple ID Phish 2016-10-25
ET PHISHING Successful Chase Phish 2016-10-25 ET PHISHING Successful 163.com Email Account Phish 2016-10-26
ET PHISHING Successful Office 365 Phish 2016-10-31 ET PHISHING Successful American Express Phish M1 2016-10-31
ET PHISHING Successful American Express Phish M2 2016-10-31 ET PHISHING Successful Impots.gouv.fr Phish 2016-10-31
ET PHISHING Successful Paypal Phish 2016-10-31 ET PHISHING Successful Apple Phish M1 2016-11-15
ET PHISHING Successful Apple Phish M2 2016-11-15 ET PHISHING Successful Dropbox Business Phish 2016-11-17
ET PHISHING Successful Personalized Email Update Phish 2016-11-17 ET PHISHING Possible Successful Generic Phish (set) 2021-03-18
ET PHISHING Successful Generic Phish (Redirect to Download PDF) 2016-02-08
ET PHISHING Shared Document Base64 Phishing Landing 2016-01-20
ET PHISHING Successful Apple Phishing 2016-03-03 ET PHISHING Successful Apple Phish 2016-03-09
ET PHISHING Successful Google Drive Phish 2016-08-18 ET PHISHING Successful Bank of America Phish M1 2016-08-31
ET PHISHING Successful Google Drive Phish M1 2016-09-01 ET PHISHING Successful Western Union/Paypal Phish 2016-09-26

341 of 382 2024-03-01, 14:05
ET PHISHING Successful Apple Phish M2 2016-09-29 ET PHISHING Successful Gmail Phish 2016-09-30
ET PHISHING Successful Google Drive Phish 2016-10-14 ET PHISHING Successful Credit Agricole Bank (FR) Phish M1 2016-10-19
ET PHISHING Successful Windows Live Account Phish 2016-10-26 ET PHISHING Successful Yahoo Phish 2016-10-27
ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-31 ET PHISHING Successful Shared Adobe PDF Phish 2016-11-17
ET PHISHING Successful Linkedin Phish 2016-11-18 ET PHISHING Successful Credential Phish (Multiple Brands) 2016-11-18
ET PHISHING Successful HM Revenue Phish 2016-11-23 ET PHISHING Successful Barclays Phish M1 2016-11-23
ET PHISHING Successful Personalized Adobe Online PDF Phish 2016-11-28
ET PHISHING Successful Chase Phish 2016-12-01
ET PHISHING Successful WhatsApp Phish M2 2016-12-07 ET PHISHING Successful Free Mobile (FR) Phish 2016-12-08
ET PHISHING Javascript XOR Encoding - Observed in Apple Phishing 2016-12-09
ET PHISHING Successful Paypal Phish 2016-12-09
ET PHISHING Successful Password Protected AMEX Phish 2016-12-09 ET PHISHING Successful Chase Phishing 2016-12-12
ET PHISHING Successful Paypal Phish M1 2016-12-13 ET PHISHING Successful Paypal Phish M2 2016-12-13
ET PHISHING Successful Paypal Phish M3 2016-12-13 ET PHISHING Successful Paypal Phish M4 2016-12-13
ET PHISHING Successful Paypal Phish M5 2016-12-13 ET PHISHING Successful Adobe Shared PDF Phish 2016-12-13
ET PHISHING Successful Chase Phish 2016-12-13 ET PHISHING Mailbox Deactivation Phishing Landing 2016-12-15
ET PHISHING Successful Mailbox Deactivation Phish 2016-12-15 ET PHISHING Successful Credential Phish (Multiple Brands) 2016-12-22
ET PHISHING Successful Windows Live Phish 2016-12-23 ET PHISHING Successful Banamex Bank Phish 2016-12-29
ET PHISHING Successful Adobe Phish 2016-04-29 ET PHISHING Successful Adobe Shared Document Phish 2016-05-04
ET PHISHING Successful Adobe Phish M1 2016-07-11 ET PHISHING Successful AOL Phish M1 2016-07-14
ET PHISHING Successful AOL Phish M1 2016-07-14 ET PHISHING Successful AOL Phish M3 2016-07-14
ET PHISHING Successful Adobe Phish 2016-07-21 ET PHISHING Successful Adobe Shared Document Phish 2016-08-10
ET PHISHING Successful Apple Store Transaction Cancellation Phish 2016-08-30
ET PHISHING Successful Adobe Shared Document Phish 2016-08-26
ET PHISHING Successful Generic Epass Phish 2016-09-01 ET PHISHING Successful Account Update Phish 2016-09-06
ET PHISHING Successful Apple Phish M1 2016-09-14 ET PHISHING Successful Apple Phish M2 2016-09-14
ET PHISHING Successful Apple Phish M3 2016-09-14 ET PHISHING Successful Adobe Phish 2016-09-14
ET PHISHING Possible Successful Phish - Generic Form Names 2016-09-16
ET PHISHING Successful Personalized Phish 2016-09-14
ET PHISHING Successful Alibaba Phish 2016-09-28 ET PHISHING Successful Adobe Shared Document Phish 2016-09-29
ET PHISHING Successful Alibaba Phish 2016-09-29 ET PHISHING Successful Apple Phish M3 2016-09-29
ET PHISHING Successful Apple ID Phish M1 2016-10-04 ET PHISHING Successful Apple Phish 2016-10-05
ET PHISHING Successful Amazon Phish M2 2016-10-05 ET PHISHING Successful Apple Phish M1 2016-10-07
ET PHISHING Successful Apple Phish M2 2016-10-07 ET PHISHING Successful Amazon (UK) Phish 2016-10-17
ET PHISHING Successful Alibaba Phish 2016-10-18 ET PHISHING Successful Alibaba Phish 2016-10-26
ET PHISHING Successful ABSA Phish 2016-10-26 ET PHISHING Successful Ameli.fr Phish M1 2016-10-26
ET PHISHING Successful Ameli.fr Phish M2 Oct 26 2016-10-26 ET PHISHING Successful Alibaba Phish 2016-10-28
ET PHISHING Successful Apple Phish Oct 31 2016 ET PHISHING Successful Adobe Shared Document Phish 2016-11-15
ET PHISHING Successful Generic Webmail Phish M1 2016-11-18 ET PHISHING Successful Alibaba Phish 2016-12-20
ET PHISHING Successful Apple Store Phish M1 2016-12-29 ET PHISHING Successful Apple Store Phish M2 2016-12-29
ET PHISHING Successful Apple Store Phish M3 2016-12-29 ET PHISHING Successful Apple Store Phish M4 2016-12-29
ET PHISHING Successful UK Tax Phishing M1 2016-02-01 ET PHISHING Successful UK Tax Phishing M2 2016-02-01
ET PHISHING L33bo Phishing Kit - Successful Credential Phish M1 2016-03-29
ET PHISHING Successful Apple Phishing M1 2016-03-01
ET PHISHING L33bo Phishing Kit - Successful Credential Phish M2 2016-03-29
ET PHISHING L33bo Phishing Kit - Successful Credential Phish M3 2016-03-29
ET PHISHING L33bo Phishing Kit - Successful Credential Phish M4 2016-03-29
ET PHISHING Successful Dropbox Phish 2016-05-16
ET PHISHING Successful Webmail Phish M2 2016-06-22 ET PHISHING Successful Webmail Phish M3 2016-06-22
ET PHISHING Successful Outlook Phish 2016-07-14 ET PHISHING Successful Blocked Email Account Phish M1 2016-08-23
ET PHISHING Successful Canada Revenue Agency Phish 2016-08-30 ET PHISHING Successful Barclays Phish M1 2016-09-09
ET PHISHING Successful Barclays Phish M2 2016-09-09 ET PHISHING Successful Barclays Phish M3 2016-09-09
ET PHISHING Possible Successful Banking Phish (BR) 2016-09-29 ET PHISHING Successful Bank of America Phish 2016-10-03
ET PHISHING Successful Barclays Phish M1 2016-10-06 ET PHISHING Successful Barclays Phish M2 2016-10-06
ET PHISHING Successful CenturyLink Phish 2016-10-12 ET PHISHING Successful Chase Phish M1 2016-10-17
ET PHISHING Successful Chase Phish M2 2016-10-17 ET PHISHING Successful Bank of America Phish M2 2016-10-21
ET PHISHING Successful Bank of America Phish M1 2016-10-27 ET PHISHING Successful Bank of America Phish M2 2016-10-27
ET PHISHING Successful Bank of America Phish M3 2016-10-27 ET PHISHING Successful Bank of America Phish M4 2016-10-27
ET PHISHING Successful Bank of America Phish M1 2016-11-23 ET PHISHING Successful Bank of America Phish M2 2016-11-23
ET PHISHING Successful Chase Phish M2 2016-12-07 ET PHISHING Successful Banco Itau (BR) Phish M1 2016-12-08
ET PHISHING Successful Banco Itau (BR) Phish M2 2016-12-08 ET PHISHING Successful Banque Populaire (FR) Phish 2016-12-12
ET PHISHING Successful Chase Phish 2016-12-16 ET PHISHING Observed CloudFlare Interstitial Phishing Page
ET PHISHING ANTIBOT Phishing Panel Accessed on Internal Compromised Server
ET PHISHING ANTIBOT Phishing Panel Accessed on External Compromised Server
ET PHISHING Generic Phishing Panel Accessed on External Server ET PHISHING Generic Phishing Panel Accessed on Internal Server
ET PHISHING Successful Formbuddy Credential Phish Submission 2016-01-15
ET PHISHING DHL Phishing Landing 2016-01-07
ET PHISHING Phishing Landing via Weebly.com (set) 2016-02-02 ET PHISHING Phishing Landing via Weebly.com M1 2016-02-02
ET PHISHING Phishing Landing via Weebly.com M2 2016-02-02 ET PHISHING Phishing Landing via Weebly.com M3 2016-02-02
ET PHISHING Phishing Landing via Weebly.com M4 2016-02-02 ET PHISHING Common /mpp/ Phishing URI Structure 2016-02-08
ET PHISHING Am3Refh Obfuscated Phishing Landing 2016-02-23 ET PHISHING Possible Phishing Landing Obfuscation 2016-02-26
ET PHISHING Adobe Phishing Landing 2016-03-10 ET PHISHING Successful Free.fr Phish 2016-03-10
ET PHISHING Obfuscated Chase Phishing Landing 2016-03-23 ET PHISHING L33bo Phishing Landing 2016-03-29
ET PHISHING Possible Successful Phish to Hostinger Domains M1 2016-04-04
ET PHISHING Possible Successful Phish to Hostinger Domains M2 2016-04-04
ET PHISHING Possible Successful Phish to Hostinger Domains M3 2016-04-04
ET PHISHING Possible Successful Phish to Hostinger Domains M5 2016-04-04
ET PHISHING Adobe Online Document Phishing Landing 2016-05-02 ET PHISHING Successful Mailbox Shutdown Phish M1 2016-05-16
ET PHISHING Successful Mailbox Shutdown Phish M2 2016-05-16 ET PHISHING Successful Mailbox Shutdown Phish M3 2016-05-16
ET PHISHING Successful Wells Fargo Phish 2016-05-26 ET PHISHING Adobe Cloud Phishing Landing 2016-06-02
ET PHISHING Suspicious Compound Refresh - Possible Phishing Redirect 2016-06-09
ET PHISHING Possible HMRC Phishing Domain 2016-06-08
ET PHISHING Possible Apple Phishing Domain 2016-06-14 ET PHISHING Successful Chase Phish 2016-06-15
ET PHISHING Successful Apple Phish 2016-06-15 ET PHISHING Successful USAA Phish 2016-06-15
ET PHISHING Successful Paypal Phish 2016-06-15 ET PHISHING Phishing Landing via Weebly.com 2016-06-22
ET PHISHING Shipping Document Phishing Landing 2016-06-23 ET PHISHING Successful Amazon.com Phish M1 2016-06-27
ET PHISHING Data Submitted to ukit domain - Possible Phishing M1 2016-06-29
ET PHISHING Data Submitted to ukit domain - Possible Phishing M2 2016-06-29
ET PHISHING Successful DHL Phish 2016-07-11 ET PHISHING Successful Yahoo Phish 2016-07-11
ET PHISHING Successful Generic Phish - JS Redirect to PDF 2016-08-24
ET PHISHING Successful Intuit Phish 2016-07-21
ET PHISHING Successful FR Carte Bleue / BCP Phish 2016-09-06 ET PHISHING Successful Gmail Phish M1 2016-10-12
ET PHISHING Successful Generic Phish - Observed in Apple/Bank of America/Amazon 2016-10-26
ET PHISHING Successful Banco de la Nacion Phish 2016-10-18
ET PHISHING Successful Generic Phish 2016-10-27 ET PHISHING Successful Generic Phish M2 2016-10-27
ET PHISHING Successful Email Settings Phish 2016-10-28 ET PHISHING Successful Dropbox/Docusign Phish 2016-10-28
ET PHISHING Successful Linkedin Phish 2016-11-17 ET PHISHING Successful Generic Wembail Phish M2 2016-11-18
ET PHISHING Successful Bank of America Phish 2016-12-05 ET PHISHING Successful Microsoft Phish 2016-12-08
ET PHISHING Obfuscated Phishing Landing 2016-12-19 ET PHISHING Successful Poste Italiane Phish 2016-12-23
ET PHISHING Successful Excel Online Phish 2016-01-06 ET PHISHING Successful Google Drive Phish 2016-01-12
ET PHISHING Successful IRS Phish (set) 2016-01-23 ET PHISHING Successful Workspace Phish 2016-01-26
ET PHISHING Successful Navy Federal Credit Union Phish 2016-02-01 ET PHISHING Successful USAA Phish M1 2016-02-06
ET PHISHING Successful USAA Phish M2 2016-02-06 ET PHISHING Successful Google Credential Phish 2016-02-17
ET PHISHING Successful Maersk Phishing 2016-02-25 ET PHISHING Successful FR Gmail Phish M1 2016-03-15
ET PHISHING Successful FR Gmail Phish M2 2016-03-15 ET PHISHING Successful Email System Manager Phish 2016-04-13
ET PHISHING Successful Sign PDF Phish 2016-05-18 ET PHISHING Successful Facebook Phish 2016-05-18
ET PHISHING Successful Excel Shared Document Phish 2016-06-02 ET PHISHING Successful Ebay Phish 2016-06-14
ET PHISHING Successful Yahoo Phish M2 2016-06-15 ET PHISHING Successful Square Phish 2016-06-15
ET PHISHING Successful Navy Federal Phish 2016-06-16 ET PHISHING Successful Earthlink Phish 2016-06-16
ET PHISHING Successful Christian Mingle Phish 2016-06-17 ET PHISHING Successful Maybank2u Phish 2016-06-17
ET PHISHING Successful Xfinity/Comcast Phish 2016-06-17 ET PHISHING Possible Amazon Phishing Domain 2016-06-21
ET PHISHING Possible barclays .co. uk Phishing Domain 2016-06-22 ET PHISHING Successful Singtel Phish 2016-06-22
ET PHISHING Successful Email Termination Phish 2016-06-22 ET PHISHING Successful H&M Revenue Phish M2 2016-06-22
ET PHISHING Successful Microsoft Encrypted Email Phish M2 2016-06-23
ET PHISHING Successful Standard Bank Phish 2016-06-23
ET PHISHING Successful Google Drive Phish M1 2016-06-11 ET PHISHING Successful Google Drive Phish M2 2016-06-11
ET PHISHING Successful Synchronize Email Account Phish 2016-06-15 ET PHISHING Successful Webmail Account Upgrade Phish 2016-07-15
ET PHISHING Successful Earthlink Phish 2016-07-19 ET PHISHING Successful Webmail Account Upgrade Phish 2016-07-21
ET PHISHING Successful Intuit Phish 2016-08-01 ET PHISHING Tectite Web Form Submission - Possible Successful Phish
ET PHISHING Successful DHL Phish 2016-08-11 ET PHISHING Successful Adobe Shared Document Phish 2016-08-11
ET PHISHING Successful Personalized Adobe PDF Online Phish 2016-10-26
ET PHISHING Successful Dropbox Phish 2016-09-14
ET PHISHING Successful Santander Bank Phish 2016-10-28 ET PHISHING Successful Wells Fargo Phish 2016-11-28
ET PHISHING Successful Generic Webmail Phish 2016-12-02 ET PHISHING Successful WhatsApp Phish M1 2016-12-07
ET PHISHING Successful BB&T Bank Phish 2016-12-15 ET PHISHING Possible Sparkasse Phishing Domain 2021-04-05
ET PHISHING HTTP POST Contains Only Password (tk) 2021-04-05 ET PHISHING HTTP POST Contains Only Password (ml) 2021-04-05
ET PHISHING HTTP POST Contains Only Password (gq) 2021-04-05 ET PHISHING HTTP POST Contains Only Password (ga) 2021-04-05
ET PHISHING HTTP POST Contains Only Password (cf) 2021-04-05 ET PHISHING HTTP POST Contains Only Password (xyz) 2021-04-05
ET PHISHING Generic Phishing Panel Accessed on External Server ET PHISHING Generic Phishing Panel Accessed on Internal Server
ET PHISHING Generic Phishing Panel Accessed on External Server ET PHISHING Generic Phishing Panel Accessed on Internal Server
ET PHISHING Successful Docusign/Outlook Phish 2016-08-17 ET PHISHING Successful Docusign Phish M2 2016-08-17
ET PHISHING Successful Comcast Phish 2016-08-18 ET PHISHING Successful Gmail Phish 2016-08-18
ET PHISHING Successful Mailbox Renewal Phish 2016-08-19 ET PHISHING Successful Excel Phish 2016-08-19
ET PHISHING Successful Mailbox Deactivation Phish 2016-08-19 ET PHISHING Successful Universal Webmail Phish 2016-08-19
ET PHISHING Successful Tata Communications Phish 2016-08-19 ET PHISHING Successful Office 365 Phish 2016-08-24
ET PHISHING Successful USAA Phish 2016-08-30 ET PHISHING Successful Westpac Bank Phish 2016-08-31
ET PHISHING Successful Wells Fargo Phish 2016-08-31 ET PHISHING Successful HealthEquity Phish 2016-09-01
ET PHISHING Successful WhatsApp Payment Phish 2016-09-01 ET PHISHING Successful Outlook WebApp Phish 2016-09-02
ET PHISHING Successful Webmail Validator Phish M1 2016-09-02 ET PHISHING Successful iCloud Phish 2016-09-02
ET PHISHING Successful Webmail Mailbox Quota Phish 2016-09-02 ET PHISHING Successful Generic Phish 2016-09-08
ET PHISHING Successful Yahoo Phish M1 2016-09-08 ET PHISHING Successful DHL Phish 2016-09-16
ET PHISHING Successful Yahoo Phish 2016-09-27 ET PHISHING Successful Google Drive Phish 2016-09-27
ET PHISHING Successful Western Union Phish 2016-09-27 ET PHISHING Generic Bank Captcha Phishing Landing
ET PHISHING Generic Hidden Text - Possible Phishing Landing ET PHISHING Generic Bank Captcha Phishing Landing
ET PHISHING Office Related Appspot Hosted Shared Document Phishing Landing
ET PHISHING Microsoft Account Redirect to Phishing Landing
ET PHISHING Generic Multibrand NewInjection Phishing Landing Template
ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing
ET PHISHING Generic Multibrand NewInjection Phishing Landing Template
ET PHISHING Generic Multibrand NewInjection Phishing Landing Template
ET PHISHING Generic Bank Captcha Phishing Landing ET PHISHING Possible Successful Generic Phish (set) 2021-04-08
ET PHISHING Successful Linkedin Phish 2016-09-27 ET PHISHING Successful National Australia Bank 2016-09-28
ET PHISHING Successful Made In China Phish 2016-09-28 ET PHISHING Successful Google Docs Phish 2016-09-28
ET PHISHING Successful Paypal Phish M1 2016-09-29 ET PHISHING Successful Paypal Phish M2 2016-09-29
ET PHISHING Successful Paypal Phish M3 2016-09-29 ET PHISHING Successful Keybank Phish 2016-09-29
ET PHISHING Successful Gmail Phish M2 2016-09-29 ET PHISHING Successful Facebook Payment Phish M1 2016-09-29
ET PHISHING Successful Emirate Phish 2016-09-29 ET PHISHING Successful Hotmail Phish 2016-09-29
ET PHISHING Successful Wells Fargo Phish M1 2016-09-30 ET PHISHING Successful Facebook Phish M2 2016-09-30
ET PHISHING Successful Outlook Phish 2016-10-03 ET PHISHING Successful Sparkasse Phish 2016-10-03
ET PHISHING Successful Apple ID Phish M2 2016-10-04 ET PHISHING Successful Paypal (DE) Phish 2016-10-04
ET PHISHING Successful Adobe Personalized Phish 2016-10-04 ET PHISHING Successful Personalized Webmail Phish 2016-10-05
ET PHISHING Successful Wells Fargo Phish 2016-10-05 ET PHISHING Successful Wells Fargo Phish 2016-10-05
ET PHISHING Successful Paypal Phish M1 2016-10-05 ET PHISHING Successful Paypal Phish M3 2016-10-05
ET PHISHING Successful Excel Online Phish 2016-10-05 ET PHISHING Successful View Invoice Phish M1 2016-10-05
ET PHISHING Successful View Invoice Phish M2 2016-10-05 ET PHISHING Successful Facebook Phish 2016-10-06
ET PHISHING Successful Paypal Phish M4 2016-10-06 ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-06
ET PHISHING Successful FreeMobile (FR) Phish M2 2016-10-06 ET PHISHING Successful FreeMobile (FR) Phish M3 2016-10-06
ET PHISHING Successful Wells Fargo Phish 2016-10-06 ET PHISHING Successful Paypal Phish M2 2016-10-06
ET PHISHING Successful Paypal Phish M3 2016-10-06 ET PHISHING Successful HM Revenue Phish 2016-10-06
ET PHISHING Successful Personalized DHL Phish 2016-10-12 ET PHISHING Successful Linkedin Phish 2016-10-12
ET PHISHING Successful Netflix Phish 2016-10-12 ET PHISHING Successful HBL Bank Phish M1 2016-10-12
ET PHISHING Successful HBL Bank Phish M2 2016-10-12 ET PHISHING Successful Facebook Phish 2016-10-12
ET PHISHING Successful Dropbox Phish 2016-10-14 ET PHISHING Successful Yahoo Mail Phish 2016-10-14
ET PHISHING Successful PNC Bank Phish M1 2016-10-14 ET PHISHING Successful PNC Bank Phish M2 2016-10-14
ET PHISHING Successful Bank of America Phish (set) M1 2016-10-14 ET PHISHING Successful Bank of America Phish (set) M2 2016-10-14
ET PHISHING Successful Bank of America Phish (set) M3 2016-10-14 ET PHISHING Successful Paypal Phish M2 2016-10-17
ET PHISHING Successful Outlook Phish 2016-10-18 ET PHISHING Successful Chase Phish 2016-10-18
ET PHISHING Successful Microsoft Live Email Account Phish 2016-10-18 ET PHISHING Successful NatWest Bank Phish M3 2016-10-19
ET PHISHING Successful Google Docs Phish M1 2016-10-19 ET PHISHING Successful NAB Bank Phish M1 2016-10-19
ET PHISHING Successful Credit Agricole Bank (FR) Phish M2 2016-10-19
ET PHISHING Successful NAB Bank Phish M2 2016-10-19
ET PHISHING Successful Credit Agricole Bank (FR) Phish M3 2016-10-19
ET PHISHING Successful Personalized DHL Phish 2016-10-20
ET PHISHING Successful EC21 B2B Phish 2016-10-21 ET PHISHING Successful Earthlink Phish 2016-10-21
ET PHISHING Successful UBS Phish 2016-10-21 ET PHISHING Successful iTunes Connect Phish M1 2016-10-21
ET PHISHING Successful LCL Banque et Assurance (FR) Phish 2016-10-22
ET PHISHING Successful Paypal Phish 2016-10-21
ET PHISHING Successful Impots.gouv.fr Phish 2016-10-24 ET PHISHING Successful AOL Phish 2016-10-24
ET PHISHING Successful Dropbox Phish 2016-10-25 ET PHISHING Successful Outlook Phish 2016-10-26
ET PHISHING Successful Personalized Outlook Phish 2016-10-26 ET PHISHING Successful Paypal Phish M3 2016-10-26
ET PHISHING Successful Danske Bank Phish (DA) 2016-10-27 ET PHISHING Successful Chase Phish 2016-10-31
ET PHISHING Successful DHL Phish 2016-11-15 ET PHISHING Successful Netflix Phish 2016-11-15
ET PHISHING Successful WhatsApp Payment Phish M1 2016-11-15 ET PHISHING Successful WhatsApp Payment Phish M2 2016-11-15
ET PHISHING Successful Paypal Phish M1 2016-11-17 ET PHISHING Successful Paypal Phish M2 2016-11-17
ET PHISHING Successful Docusign Phish 2016-11-17 ET PHISHING Successful Excel Phish 2016-11-17
ET PHISHING Successful Email Settings Error Phish 2016-11-17 ET PHISHING Successful Wells Fargo Phish M1 2016-11-18
ET PHISHING Successful Wells Fargo Phish M2 2016-11-18 ET PHISHING Successful Google Drive Phish 2016-11-18
ET PHISHING Successful Office 365 Phish 2016-11-18 ET PHISHING Successful Sparkasse (DE) Phish 2016-11-28
ET PHISHING Successful Western Union Phish 2016-09-27 ET PHISHING Successful Paypal Phish M2 2016-10-06
ET PHISHING Successful Ourtime.com Phish 2016-11-28 ET PHISHING Successful Paypal Phish M1 2016-11-29
ET PHISHING Successful Paypal Phish M2 2016-11-29 ET PHISHING Successful Microsoft Live Email Account Phish 2016-11-29
ET PHISHING Successful Google Drive Phish M1 2016-12-02 ET PHISHING Successful Google Drive Phish M2 2016-12-02
ET PHISHING Successful Three Step Gmail Phish (2 of 3) Phish 2016-12-02
ET PHISHING Successful Three Step Gmail Phish (1 of 3) 2016-12-02
ET PHISHING Successful Three Step Gmail Phish (3 of 3) 2016-12-02 ET PHISHING Successful Paypal Phish M2 2016-12-05
ET PHISHING Successful Gmail Phish 2016-12-06 ET PHISHING Successful Google Drive Phish 2016-12-07
ET PHISHING Successful Yahoo Phish 2016-12-08 ET PHISHING Successful DHL Phish 2016-12-08
ET PHISHING Successful Facebook (TR) Phish 2016-12-08 ET PHISHING Successful Stripe Phish 2016-12-09
ET PHISHING Successful Linkedin Phish 2016-12-09 ET PHISHING Successful Spyus Phish (Multiple Brands) M1 2016-12-12
ET PHISHING Successful Spyus Phish (Multiple Brands) M2 2016-12-12 ET PHISHING Successful Ebay Phish 2016-12-12
ET PHISHING Successful Telstra Refund Phish 2016-12-13 ET PHISHING Successful iTunes Connect Phish M1 2016-12-13
ET PHISHING Successful iTunes Connect Phish M2 2016-12-13 ET PHISHING Successful iTunes Connect Phish M3 2016-12-13
ET PHISHING Successful Discover Phish M2 2016-12-14 ET PHISHING Successful Discover Phish M3 2016-12-14
ET PHISHING Successful Tesco Bank Phish M1 Phish 2016-12-15 ET PHISHING DHL/Adobe/Excel Phishing Landing 2016-01-07
ET PHISHING Successful Dynamic Folder Phishing 2016-01-08 ET PHISHING Successful PNC Bank Phish 2016-01-09
ET PHISHING Successful IRS Phish 2016-01-23 ET PHISHING Successful DHL Phish 2016-02-09
ET PHISHING Successful Dynamic Folder Phishing 2016-02-23 ET PHISHING Successful Apple Phish M1 2016-02-23
ET PHISHING Successful Phish to Compromised Wordpress Site 2016-03-23
ET PHISHING Successful Adobe Phish 2016-03-10
ET PHISHING Redirect to Adobe Shared Document Phishing M3 2016-04-18
ET PHISHING Possible Successful SWF/XML Phish 2016-05-02
ET PHISHING Successful Onedrive Phish 2016-05-16 ET PHISHING Possible Successful Generic Phish 2016-05-26
ET PHISHING Successful Email Login Phish 2016-06-02 ET PHISHING Successful Yahoo Phish M1 2016-06-15
ET PHISHING Possible Successful Generic Phish 2016-06-22 ET PHISHING Successful Webmail Phish M1 2016-06-22
ET PHISHING Successful Craigslist Phish 2016-07-11 ET PHISHING Successful Docusign/O365 Phish 2016-07-15
ET PHISHING Successful Personalized Email Phish 2016-07-22 ET PHISHING Possible Successful Generic Phish 2016-08-19
ET PHISHING Successful Adobe Shared Document Phish 2016-08-19 ET PHISHING Possible Successful Citibank Phish M1 2016-08-22
ET PHISHING Possible Successful Citibank Phish M2 2016-08-22 ET PHISHING Team IPwned Phishing Landing 2016-08-24
ET PHISHING Successful Personalized Phish (Multiple Brands) 2016-08-30
ET PHISHING Successful Google Drive Phish M2 2016-08-25
ET PHISHING Successful Bank of America Phish M2 2016-08-31 ET PHISHING Successful Outlook Phish 2016-08-31
ET PHISHING Successful Dynamic Folder Phishing 2016-09-12 ET PHISHING Successful Dynamic Folder Phishing M1 2016-09-26
ET PHISHING Successful Adobe Shared Document Phish 2016-10-03 ET PHISHING Successful Paypal Phish 2016-10-04
ET PHISHING Successful Dynamic Folder FreeMobile (FR) Phishing 2016-10-06
ET PHISHING Successful Paypal Phish M1 2016-10-06
ET PHISHING Successful Paypal Phish M1 2016-10-06 ET PHISHING Successful Google Drive Phish 2016-10-06
ET PHISHING Possible Successful Generic Phish 2016-10-07 ET PHISHING Successful Chase Phish 2016-10-07
ET PHISHING Successful Dynamic Folder Phish 2016-10-10 ET PHISHING Successful Google Drive Phish 2016-10-12
ET PHISHING Successful Bank of America Phish 2016-10-14 ET PHISHING Successful Google Docs Phish M2 2016-10-19
ET PHISHING Successful Dynamic Folder Phish 2016-10-26 ET PHISHING Successful Amazon Phish 2016-10-27
ET PHISHING Successful Generic Banking Phish 2016-10-28 ET PHISHING Successful Dynamic Folder Phish 2016-11-15
ET PHISHING Successful USAA Phish 2016-11-22 ET PHISHING Successful Dynamic Folder Phish M1 2016-11-22
ET PHISHING Successful Dynamic Folder Phish M3 2016-11-22 ET PHISHING Successful Dynamic Folder Phish 2016-11-28
ET PHISHING Successful Generic Brand Phish 2016-12-01 ET PHISHING Successful National Australia Bank Phish 2016-12-02
ET PHISHING Successful Dynamic Folder Phish M1 2016-12-02 ET PHISHING Successful Dynamic Folder Phish M2 2016-12-02
ET PHISHING Successful Paypal Phish M1 2016-12-05 ET PHISHING Possible Successful *.myjino. ru Phish 2016-12-16
ET PHISHING Successful PDF Online Phish 2016-12-19 ET PHISHING Successful Paypal (DE) Phish 2016-12-19
ET PHISHING Successful Etisalat Phish 2016-12-20 ET PHISHING Successful Dubai Islamic Internet Bank Phish 2016-12-20
ET PHISHING Successful Google Drive Phish 2016-12-22 ET PHISHING Successful Sparkasse (DE) Phish 2016-12-22
ET PHISHING Possible Successful Outlook Web App Phish 2016-12-28 ET PHISHING Successful Webmail Account Upgrade Phish 2016-12-27
ET PHISHING Successful Protected PDF (Excel Template) Phish 2016-12-28
ET PHISHING Successful Ebay Phish M1 2016-12-29
ET PHISHING Successful Ebay Phish M2 2016-12-29 ET PHISHING Successful Wells Fargo Phish M1 2016-12-29
ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15
ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15
ET PHISHING Observed DNS Query to Phishing Domain (apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr .eur .lc)
ET PHISHING Observed DNS Query to Phishing Domain (hombreymaquina .com)
ET PHISHING Observed DNS Query to Phishing Domain (igconsulting. pe)
ET PHISHING Possible Phishing Landing Page 2021-05-18
ET PHISHING Successful Generic Phish 2020-09-21 ET PHISHING Successful Chase Phish 2020-10-14
ET PHISHING PerSwaysion Landing Page M1 ET PHISHING PerSwaysion JavaScript Response M1
ET PHISHING Possible Phishing Landing Page 2021-05-24 ET PHISHING PerSwaysion Landing Page M2
ET PHISHING PerSwaysion JavaScript Response M2 ET PHISHING Observed UK Gov Support Landing 2021-06-01
ET PHISHING PerSwaysion Landing Page M3 ET PHISHING Secure Email Portal Lure Landing Page
ET PHISHING Observed Possible Phishing Landing Page 2021-06-22 ET PHISHING Observed Possible Phishing Landing Page 2021-06-24
ET PHISHING Observed Possible Phishing Landing Page 2021-06-25 ET PHISHING Observed Possible Phishing Landing Page 2021-06-29
ET PHISHING Observed Possible Phishing Landing Page 2021-06-29 ET PHISHING Observed Possible Phishing 2021-06-29
ET PHISHING Observed DNS Query to Known Scam/Phishing Domain ET PHISHING Observed OneDrive Phishing Landing Page 2021-08-09
ET PHISHING Observed Zimbra Phishing Landing Page 2021-08-09 ET PHISHING Observed OWA Phishing Landing Page 2021-08-20
ET PHISHING Client Cloaking Javascript Observed ET PHISHING PerSwaysion Phishkit Javascript Checks if New Visitor
ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom CSS Components
ET PHISHING PerSwaysion Phishkit Javascript Config Variables
ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom JS Components
ET PHISHING PerSwaysion Phishkit Javascript Variable
ET PHISHING PerSwaysion Phishkit Landing Page ET PHISHING PerSwaysion Phishkit Message Variables
ET PHISHING BulletProofLink Phishkit Activity (GET) ET PHISHING BulletProofLink Phishkit Activity (POST)
ET PHISHING BulletProofLink Phishkit Password-Processing URL ET PHISHING Generic Phishkit Activity (GET)
ET PHISHING Possible Generic Phishkit Landing Page M1 ET PHISHING Generic Phishkit Landing Page M2
ET PHISHING Generic Phishkit Landing Page M3 ET PHISHING Covid19 Stimulus Payment Phish Inbound M1 (2021-10-21)
ET PHISHING Covid19 Stimulus Payment Phish Inbound M2 (2021-10-21) ET PHISHING Covid19 Stimulus Payment Phish Inbound M3 (2021-10-21)
ET PHISHING Covid19 Stimulus Payment Phish Inbound M4 (2021-10-21) ET PHISHING Successful Zoom.us Phish 2021-10-25
ET PHISHING TodayZoo Phishing Kit GET M1 ET PHISHING TodayZoo Phishing Kit GET M2
ET PHISHING Successful CSIS Credential Phish ET PHISHING Successful Generic Credential Phish Activity POST
ET PHISHING Generic Credential Phish Activity GET ET PHISHING Successful Generic Credential Phish Activity POST
ET PHISHING Generic Credential Phish Activity GET ET PHISHING Generic Credential Phish Activity POST
ET PHISHING IRS Payment Credential Phish Form ET PHISHING IRS Credential Phish Direct Deposit Payment Data Exfil
ET PHISHING IRS Payment Credential Phish Debit Card or Check Data Exfil
ET PHISHING IRS Credential Phish Credit Card Payment Data Exfil
ET PHISHING Successful Citibank Phish Landing Page ET PHISHING Successful Citibank Phish 2021-11-10
ET PHISHING Successful PlayerUnknown's Battlegrounds Phish 2021-11-10
ET PHISHING Successful Generic Phish 2021-11-10
ET PHISHING ghayt_Zone Phishing Kit ET PHISHING Nourblog1 Phish Kit
ET PHISHING Nourblog1 Phish Kit ET PHISHING Nourblog1 Phish Kit
ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Images
ET PHISHING Successful Facebook Credential Phish 2021-11-16
ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Resources
ET PHISHING Possible BulletProofLink Phishkit Activity - Redirect
ET PHISHING BulletProofLink Phishkit Template ET PHISHING Generic Banking Phish Landing Page 2022-01-11
ET PHISHING Successful Generic Banking Phish 2022-01-11 ET PHISHING Successful Generic Banking Phish 2022-01-11
ET PHISHING Successful Adobe Phish 2022-01-12 ET PHISHING Adobe Phish Landing Page 2022-01-12
ET PHISHING Successful Metawallet Phish 2022-01-13 ET PHISHING Metawallet Phish Landing Page 2022-01-13
ET PHISHING Generic Phish Landing Page 2022-01-14 ET PHISHING DarkX Phish Landing Page 2022-01-22
ET PHISHING LinkedIn Phish Landing Page 2022-01-31 ET PHISHING lordspartner Phish Kit
ET PHISHING DAWN Comment in Phish Landing Page 2022-02-01 ET PHISHING Successful Intuit Phish 2022-02-03
ET PHISHING Generic Landing Page 2022-02-04 ET PHISHING Successful Generic Credential Phish 2022-02-04
ET PHISHING Standard Bank Login Phish 2022-02-04 ET PHISHING Successful Monzo Credential Phish M1 2022-02-17
ET PHISHING Successful Monzo Credential Phish M2 2022-02-17 ET PHISHING Successful Monzo Credential Phish M3 2022-02-17
ET PHISHING Monzo Credential Phish Landing Page 2022-02-17 ET PHISHING Generic Credential Phish Landing Page 2022-02-25
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (id .bigmir .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (aplikacje .ron-mil .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (i .ua-passport .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (akademia-mil .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain (akademia-mil .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (aplikacje .ron-mil .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (id .bigmir .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (i .ua-passport .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-email .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (ua-passport .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mil-gov .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-email .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-konta .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (konto-verify .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-uzytkownika .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-poczty .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-poczty .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (bigmir .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .site)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirrohost .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .online)

ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (meta-ua .space) ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .online)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .site) ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-mirohost .space)
ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-mail .space) ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .site)
ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-email .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (ua-passport .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (mil-gov .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-email .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-konta .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (konto-verify .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-uzytkownika .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-poczty .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-poczty .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (bigmir .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .site in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (mirrohost .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .online in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (meta-ua .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .online in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .site in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-mirohost .space in TLS SNI)
ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-mail .space in TLS SNI) ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .site in TLS SNI)
ET PHISHING Generic Credential Phish Landing Page 2022-03-01 ET PHISHING Successful Generic Credential Phish 2022-03-02
ET PHISHING Successful Royal Bank of Canada Credential Phish 2022-03-02 ET PHISHING Successful Generic Credential Phish 2022-03-02
ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08 ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08
ET PHISHING Successful Generic Phish 2022-03-11 ET PHISHING Microsoft Credential Phish 2022-03-14
ET PHISHING Ping Identity Landing Page 2022-03-14 ET PHISHING Generic Credential Phish Redirection 2022-03-14
ET PHISHING Successful TA422 Credential Phish 2022-03-17 M1 ET PHISHING Successful TA422 Credential Phish 2022-03-17 M2
ET PHISHING Possible Successful TA422 Credential Phish 2022-03-17 ET PHISHING Successful Generic Credential Phish 2022-03-18
ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com) ET PHISHING Generic Credential Phish 2022-03-18
ET PHISHING Generic Phishing domain observed in TLS SNI (info-getting-eu. com) ET PHISHING Successful Generic Phish 2022-03-28
ET PHISHING Successful Generic Social Media Credential Phish 2022-03-31 ET PHISHING Generic Phish Landing Page 2022-03-29
ET PHISHING Generic Credential Phish Landing Page M1 2022-04-05 ET PHISHING Generic Credential Phish Landing Page M2 2022-04-05
ET PHISHING Generic Credential Phish Landing Page M3 2022-04-05 ET PHISHING Suspicious Form with Action Value Equal to bit .ly
ET PHISHING Successful Sparkasse Credential Phish M1 2022-04-13 ET PHISHING Successful Sparkasse Credential Phish M2 2022-04-13
ET PHISHING Sparkasse Credential Phish Landing Page M2 2022-04-13 ET PHISHING Sparkasse Credential Phish Landing Page M1 2022-04-13
ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13 ET PHISHING Sparkasse Credential Phish Landing Page M4 2022-04-13
ET PHISHING Successful Banca Monte dei Paschi di Siena Credential Phish 2022-04-22 ET PHISHING Successful Wells Fargo Phish 2021-03-16
ET PHISHING Banca Monte dei Paschi di Siena Credential Phish Landing Page 2022-04-22 ET PHISHING Tech Support/Refund Scam Landing Inbound 2022/04/25
ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)
ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)
ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)
ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)
ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing) ET PHISHING IRS Credential Phish Domain in DNS Lookup (supportmicrohere .com)
ET PHISHING IRS Credential Phish Domain in DNS Lookup (jbdelmarket .com) ET PHISHING Successful IRS Credential Phish 2022-04-25
ET PHISHING Successful Microsoft Account Credential Phish 2022-04-26 ET PHISHING Microsoft Account Credential Phish Landing Page 2022-04-26
ET PHISHING Successful Survey Credential Phish M1 2022-04-04 ET PHISHING Successful Survey Credential Phish M2 2022-04-04
ET PHISHING Successful Survey Credential Phish M3 2022-04-04 ET PHISHING Successful Survey Credential Phish M4 2022-04-04

ET PHISHING Successful Survey Credential Phish M5 2022-04-04 ET PHISHING Successful Survey Credential Phish M6 2022-04-04
ET PHISHING Successful Survey Credential Phish M7 2022-04-04 ET PHISHING Survey Credential Phish Landing Page 2022-04-04
ET PHISHING Successful Generic Cryptowallet Credential Phish 2022-05-12 ET PHISHING Possible Cryptowallet Mining Pool Scam Landing Page
ET PHISHING Axie Infinity Credential Phish Landing Page M1 2022-05-18 ET PHISHING Successful Axie Infinity Credential Phish M1 2022-05-18
ET PHISHING Axie Infinity Credential Phish Landing Page M2 2022-05-18 ET PHISHING Successful Axie Infinity Credential Phish M2 2022-05-18
ET PHISHING Axie Infinity Credential Phish Landing Page M3 2022-05-18 ET PHISHING Spox Phishkit HTTP POST Observed
ET PHISHING Spox Phishkit Landing Page Inbound ET PHISHING Successful Generic Phish Observed
ET PHISHING Successful Generic Credential Phish 2022-05-24 ET PHISHING Generic Credential Phish Landing Page 2022-05-24
ET PHISHING Credito Emiliano Credential Phish Landing Page 2022-05-26 ET PHISHING Successful Microsoft Credential Phish 2022-05-26
ET PHISHING Successful Generic Credential Phish 2022-05-27 ET PHISHING ING Credential Phish Landing Page 2022-05-27
ET PHISHING Facebook Credential Phish Landing Page M2 2022-05-27 ET PHISHING Faebook Credential Phish Landing Page M1 2022-05-27
ET PHISHING Generic Credential Phish Landing Page 2022-05-27 ET PHISHING Facebook Credential Phish Landing Page M1 2022-06-01
ET PHISHING Successful Generic Credential Phish 2022-06-01 ET PHISHING Facebook Credential Phish Landing Page M2 2022-06-01
ET PHISHING Generic Cryptowallet Credential Phish Landing Page 2022-06-03 ET PHISHING Generic Credential Phish Landing Page 2022-06-02
ET PHISHING Facebook Credential Phish Landing Page 2022-06-08 ET PHISHING Successful Generic Credential Phish M1 2022-06-08
ET PHISHING Successful Generic Credential Phish M2 2022-06-08 ET PHISHING DHL Credential Phish Landing Page 2022-06-09
ET PHISHING Successful DHL Credential Phish M1 2022-06-09 ET PHISHING Successful DHL Credential Phish M2 2022-06-09
ET PHISHING Sparkasse Credential Phish Landing Page 2022-06-10 ET PHISHING Successful Generic Credential Phish 2022-06-13
ET PHISHING Generic Credential Phish Landing Page 2022-06-13 ET PHISHING Successful Generic Credential Phish 2022-06-14
ET PHISHING Generic Phishing DNS Lookup (xn--sapeaunoticias-kjb .com .br) ET PHISHING Generic Phishing DNS Lookup (aberto .click2eat .co .il)
ET PHISHING GCash Credential Phish 2022-06-17 ET PHISHING GCash Credential Phish Landing Page 2022-06-17
ET PHISHING Successful Generic Credential Phish 2022-06-17 ET PHISHING Generic Credential Phish Landing Page 2022-06-21
ET PHISHING Apple Credential Phish Landing Page M1 2022-06-21 ET PHISHING Apple Credential Phish Landing Page M2 2022-06-21
ET PHISHING Facebook Credential Phish Landing Page 2022-06-21 ET PHISHING Successful Adobe Credential Phish 2022-06-21
ET PHISHING Emirates NBD Bank Credential Phish Landing Page 2022-06-23 ET PHISHING Successful Phish OWA Credentials 2022-06-20
ET PHISHING Successful Emirates NBD Bank Credential Phish 2022-06-23 ET PHISHING Observed DNS Query to Nedbank Phishing Domain
ET PHISHING Nedbank Phishing Landing Page 2022-06-22 ET PHISHING Observed DNS Query to OWA Phishing Domain
ET PHISHING Successful OWA Phish 2022-06-23 ET PHISHING Successful ING Group Phish 2022-06-24
ET PHISHING Observed DNS Query to American Express Phishing Domain ET PHISHING Observed DNS Query to ING Group Phishing Domain
ET PHISHING Sendinblue Credential Phish Landing Page 2022-06-28 ET PHISHING Successful ANZ Internet Banking Phish 2022-06-23
ET PHISHING Generic Credential Phish Landing Page 2022-06-29 ET PHISHING Successful Caixa Credential Phish 2022-06-29
ET PHISHING Observed DNS Query to Alibaba Phishing Domain (krikam .net) ET PHISHING Successful Onedrive Credential Phish 2022-06-22
ET PHISHING Observed DNS Query to ING Bank Phishing Domain (servesrs -kontendiba .cyou) ET PHISHING Malicious SSL Certificate detected (Alibaba Phishing)
ET PHISHING Successful Microsoft Credential Phish 2022-06-28 ET PHISHING Sucessful Global Sources Credential Phish 2022-06-29
ET PHISHING Observed Malicious SSL/TLS Certificate (PayPal Phish Landing) ET PHISHING Sucessful Alibaba Credential Phish 2022-06-29
ET PHISHING PlayerUnknown's Battlegrounds Credential Phish Landing Page M1 2022-07-05 ET PHISHING BT Group Credential Phish Landing Page 2022-07-01
ET PHISHING Successful PlayerUnknown's Battlegrounds Credential Phish 2022-07-05 ET PHISHING PlayerUnknown's Battlegrounds Credential Phish Landing Page M2 2022-07-05
ET PHISHING Navy Federal Credit Union Credential Phish Landing Page 2022-07-05 ET PHISHING Spox Phish Kit Landing Page 2022-07-05
ET PHISHING Successful Facebook Credential Phish 2022-07-05 ET PHISHING Caixa Credential Phish Landing Page 2022-07-05
ET PHISHING Successful Caixa Credential Phish 2022-07-05 ET PHISHING Radobank Phishing Landing Page 2022-07-05
ET PHISHING Australian Government Credential Phish Landing Page 2022-07-06 ET PHISHING Successful Australian Government Credential Phish 2022-07-06
ET PHISHING Successful Orange Credential Phish 2022-07-07 ET PHISHING Successful Adobe Credential Phish 2022-07-08
ET PHISHING Successful Generic Credential Phish 2022-07-08 ET PHISHING Successful OWA Phish 2022-07-11
ET PHISHING Midea Credential Phish Landing Page 2022-07-12 ET PHISHING Successful Midea Credential Phish 2022-07-12
ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M1 ET PHISHING Successful Microsoft Phish 2022-07-10
ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M2 ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M3

ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M4 ET PHISHING Successful OWA Credential Phish 2022-07-13
ET PHISHING Successful OWA Phish 2022-07-15 ET PHISHING Facebook Credential Phish Landing Page 2022-07-18
ET PHISHING Successful Office 365 Phish 2022-07-19 ET PHISHING Successful Coinbase Phish 2022-07-18
ET PHISHING Successful RoundCube Phish 2022-07-18 ET PHISHING Successful Facebook Phish 2022-07-18
ET PHISHING Successful FedEx Phish 2022-07-20 ET PHISHING Successful Idaho Central CU Phish 2022-07-24
ET PHISHING AlaskaUSA FCU Phish 2022-07-24 ET PHISHING Generic Credential Phish Landing Page 2022-07-26
ET PHISHING Successful Generic Credential Phish Landing Page 2022-07-26 ET PHISHING Phishing Landing Page - Excel Purchase Order Form
ET PHISHING [TW] EvilProxy AiTM Set-Cookie ET PHISHING [TW] EvilProxy AiTM Username Checkin
ET PHISHING [TW] EvilProxy AiTM Cookie Value M1 ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M1
ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M2 ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M3
ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M4 ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M5
ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M6 ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M7
ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M8 ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M9
ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M10 ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M11
ET PHISHING [TW] EvilProxy AiTM Network Reporting ET PHISHING [TW] Robin Banks HTTP HOST M1
ET PHISHING [TW] Robin Banks HTTP HOST M2 ET PHISHING [TW] Robin Banks HTTP GET Struct
ET PHISHING [TW] Robin Banks Redirect M1 ET PHISHING [TW] Robin Banks Redirect M2
ET PHISHING Facebook Credential Phish Landing Page 2022-07-29 ET PHISHING Successful Generic Phish 2022-07-29
ET PHISHING Facebook Credential Phish Landing Page M1 2022-08-01 ET PHISHING Successful Facebook Credential Phish 2022-08-01
ET PHISHING Facebook Credential Phish Landing Page M2 2022-08-01 ET PHISHING America First CU Successful Phish 2022-10-27
ET PHISHING America First CU Account Recovery 2022-10-27 ET PHISHING Successful Commerce Bank Phish 2022-07-30
ET PHISHING Successful Generic Phish 2022-08-01 ET PHISHING Successful Idaho Central Credit Union Credential Phish
ET PHISHING Possible Phish with cazanova= Cookie ET PHISHING Successful OWA Phish 2022-08-17
ET PHISHING Facebook Credential Phish Landing Page 2022-08-22 ET PHISHING PUBG Credential Phish Landing Page 2022-08-22
ET PHISHING Successful Generic Credential Phish 2022-08-23 ET PHISHING Generic Credential Phish Landing Page 2022-08-23
ET PHISHING PyPI Successful Credential Harvesting Attempt ET PHISHING Successful Generic Credential Phish 2022-08-26
ET PHISHING Successful Bank of America Credential Phish 2022-08-25 ET PHISHING Successful Telstra Credential Phish 2022-08-26
ET PHISHING Union Bank Credential Phish Landing Page 2022-08-29 ET PHISHING Successful Telstra Credential Phish 2022-08-29
ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST Struct M1 ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST Struct M2
ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST Struct M3 ET PHISHING Successful Generic Credential Phish (.ngrok .io)
ET PHISHING Successful BECU Phish 2022-09-08 ET PHISHING Generic Credential Phish Landing Page 2022-09-14
ET PHISHING Successful Generic Credential Phish 2022-09-14 ET PHISHING TA398 Phishing Kit URI Pattern M1
ET PHISHING TA398 Phishing Kit URI Pattern M2 ET PHISHING Generic Credential Phish Landing Page 2022-09-23
ET PHISHING Successful Credential Phish M1 2022-09-23 ET PHISHING Successful Credential Phish M2 2022-09-23
ET PHISHING Successful Credential Phish M3 2022-09-23 ET PHISHING Generic Credential Phish Landing Page 2022-09-26
ET PHISHING Successful TA398/Sidewinder APT Related Phish 2022-09-28 ET PHISHING Successful Generic Credential Phish 2022-09-26
ET PHISHING Generic Credential Phish Landing Page M1 2022-09-28 ET PHISHING Generic Credential Phish Landing Page M2 2022-09-28
ET PHISHING Interac (CA) Account Credential Phish Landing Page 2022-09-30 ET PHISHING Successful Generic Credential Phish
ET PHISHING Successful Microsoft Outlook Credential Phish 2022-10-03 ET PHISHING Generic Credential Phish Landing Page 2022-10-03
ET PHISHING Microsoft Excel Credential Phish Landing Page 2022-10-03 ET PHISHING DHL Credential Phish Landing Page 2022-10-07
ET PHISHING Binance Credential Phish Landing Page 2022-10-07 ET PHISHING Successful Binance Credential Phish 2022-10-07
ET PHISHING Successful Outlook Phish 2022-10-06 ET PHISHING Successful Generic Credential Phish 2022-10-10
ET PHISHING Account Credential Phish Landing Page 2022-10-10 ET PHISHING Generic Credential Phish Landing Page 2022-10-10
ET PHISHING Generic Credential Phish Landing Page M1 2022-10-11 ET PHISHING Successful Generic Credential Phish 2022-10-11
ET PHISHING Successful Generic Credential Phish 2022-10-11 ET PHISHING Generic Credential Phish Landing Page M2 2022-10-11
ET PHISHING Generic Credential Phish Landing Page M1 2022-10-11 ET PHISHING Successful Generic Credential Phish 2022-10-11
ET PHISHING Generic Successful Phish 2022-10-11 ET PHISHING Successful Navy Federal Phish 2022-10-11
ET PHISHING Successful Trust Wallet Phish 2022-10-11 ET PHISHING Generic Credential Phish Landing Page 2022-10-12
ET PHISHING Successful Generic Credential Phish 2022-10-12 ET PHISHING Generic Credential Phish 2022-10-12
ET PHISHING Observed DNS Query to Phishing Domain (ficosha .com) ET PHISHING Successful mail .ru Credential Phish
ET PHISHING Successful Generic Credential Phish 2022-10-20 ET PHISHING Successful Generic Credential Phish 2022-10-20
ET PHISHING Generic Credential Phish Landing Page 2022-10-20 ET PHISHING Successful Luno Credential Phish 2022-10-20
ET PHISHING Successful BoA Credential Phish 2022-10-24 ET PHISHING Successful Citizens Bank Credential Phish 2022-10-24
ET PHISHING Generic Credential Phish Landing Page 2022-10-26 ET PHISHING Successful Generic Credential Phish 2022-10-26
ET PHISHING Successful Generic Credential Phish 2022-10-26 ET PHISHING Successful Generic Credential Phish 2022-10-26
ET PHISHING Generic Credential Phish Landing Page 2022-10-28 ET PHISHING Successful RBFCU Credential Phish 2022-10-31
ET PHISHING TMOBILE Credential Phish Landing Page 2022-11-01 ET PHISHING TMOBILE Successful Credential Phish 2022-11-01
ET PHISHING Twitter Credential Phish Landing Page 2022-11-04 ET PHISHING Successful Nordea Netbank Credential Phish 2022-11-04

ET PHISHING Successful Veridian Credit Union Credential Phish 2022-11-08 ET PHISHING Successful Roundcube Credential Phish 2022-11-08
ET PHISHING TA398/Sidewinder Credential Phish Landing Page M1 2022-11-18 ET PHISHING Successful GNCU Credential Phish 2022-11-14
ET PHISHING TA398/Sidewinder Credential Phish Landing Page M2 2022-11-18 ET PHISHING TA398/Sidewinder Credential Phish Landing Page M3 2022-11-18
ET PHISHING Generic Credential Phish Landing Page 2022-11-22 ET PHISHING Ulpian Credential Phish Landing Page 2022-11-22
ET PHISHING Successful Generic Credential OTP Phish 2022-11-22 ET PHISHING Successful Generic Credential Phish 2022-11-22
ET PHISHING Successful Credit Agricole Credential Phish 2022-11-23 ET PHISHING Successful BT GROUP Credential Phish 2022-11-23
ET PHISHING WalletConnect Stealer Landing Page 2022-11-23 ET PHISHING Coinbase Credential Phish Landing Page 2022-11-29
ET PHISHING Successful Banco de la República Oriental del Uruguay Phish 2022-11-30 ET PHISHING Successful Alibaba Credential Phish 2022-11-30
ET PHISHING ING Group Credential Phish Landing Page 2022-12-02 ET PHISHING Coinbase Credential Phish Landing Page 2022-12-02
ET PHISHING Generic Credential Phish Landing Page 2022-12-02 ET PHISHING Generic Credential Phish Landing Page 2022-12-02
ET PHISHING Observed Phish Domain in DNS Lookup (administrator-enoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (registration-adnoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (kilimondoilgas-dubai .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (horsespeedtravel .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (snocprojectae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (snoc-projectae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (qatarenergys .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (nowmcopetroleum .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (bidders-enoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (proposal-enoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (llhhospitals .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (alzarafatravellsae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (specgulfae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (eaglestravels-ae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (stalinschoolintlacademy .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (consultant-enoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (vendor-enocbid .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (proposal-ae-enoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (zbavitae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (bid-taqa .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (safetravel-services .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (gulfcoastoilngas-ae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (camschooluae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (alhmodzinoilfildservices .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (nipmse .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (globalhospae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (gulfins-ae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (zirvaenergy .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (tenders-adio .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (uae-snocproject .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (alfayhaatravels .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (contract-snoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (biding-enoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (dibfinancialservice-uae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (registrations-adnoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (enocbids .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (snocprojectuae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (adio-gov .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (gulfmarineoilservices .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (fenczyflyemiratetravels .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (abienceinvestments-fze .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (flywaytravelandtourism .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (aiischools .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (emspgenerahospae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (investinadio .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (mohregov-ae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (enacopetroleum .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (emsclikoil .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (westernmedicalspecialisthosp .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (contact-adnocae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (quickcitytravel .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (snoc-projectuae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (consultant-ae-enoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (salacomimmigration .com) 2022-12-05

ET PHISHING Observed Phish Domain in DNS Lookup (dubaiferryae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (bid-adnoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (adbntogo .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (iconiqueimmigration .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (alfujairah-ae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (contractors-adnoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (stabluk .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (bid-enoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (siemenoilandgas .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (proposals-ae-enoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (hamraoilgroup .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (flylinkimmigration .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (ae-snoctenders .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (contracts-adnoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (registrations-enoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (uae-snoctenders .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (oceanicflyimmigration .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (rfq-taziz .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (consultants-ae-enoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (abbrossgeneralhospital .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (snocproject-ae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (dahilalcapitalinvest .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (duramtravelagency .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (biddings-enoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (hpschooluae .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (rakpetrolae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (arabianmigration .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (snocuae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (atenaeps .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (ae-snocproject .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (harvesttravelagency .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (registration-ae-enoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (toursolutions4u .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (easternbaytravels .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (contractor-enoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (ahaliahospitalae .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (tenders-adnoc .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (emarataljabrisolicitors .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (abdul-sattar-abdul-tr .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (tenders-aisschools .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (builds-emaar .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (tender-adnoc .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (sheikhmouradoil .com) 2022-12-05 ET PHISHING Observed Phish Domain in DNS Lookup (diligencefinconsultants .com) 2022-12-05
ET PHISHING Observed Phish Domain in DNS Lookup (rambolloil .com) 2022-12-05 ET PHISHING Successful Generic Credential Phish 2022-12-06
ET PHISHING Fifth Third Banking Credential Phish Landing Page 2022-12-07 ET PHISHING iCloud Credential Phish Landing Page 2022-12-06
ET PHISHING Generic Credential Phish Landing Page 2022-12-07 ET PHISHING ING Banking Credential Phish Landing Page 2022-12-12
ET PHISHING Successful ING Banking Credential Phish 2022-12-12 ET PHISHING e-Orico Credential Phish Landing Page 2022-12-12
ET PHISHING Successful Australian Government myGov Credential Phish 2022-12-14 ET PHISHING Successful PostBank Credential Phish 2022-12-12
ET PHISHING Successful America First CU Credential Phish 2022-12-14 ET PHISHING Successful Made in China Credential Phish 2022-12-14
ET PHISHING Suncoast Credit Union Credential Phish Landing Page 2022-12-19 ET PHISHING DarkX Phish Landing Page 2022-12-19
ET PHISHING Successful DarkX Credential Phish 2022-12-19 ET PHISHING Successful o365 Credential Phish 2022-12-19
ET PHISHING Lucy Security Time Tracking POST ET PHISHING Lucy Security - Phishing Landing Page M2
ET PHISHING Socios Credential Phish Landing Page 2022-12-22 ET PHISHING Facebook Credential Phish Landing Page 2022-12-27
ET PHISHING Generic Cryptocurrency Credential Phish Related Domain in DNS Lookup (thedoodles .site) ET PHISHING Generic Credential Phish Landing Page 2022-12-27
ET PHISHING US Government Bid Credential Phish Landing Page 2022-12-28 ET PHISHING Successful US Government Bid Credential Phish 2022-12-28
ET PHISHING Successful MetaMask Pass Phrase Phish 2022-12-27 ET PHISHING Successful Netflix Credential Phish 2022-12-27
ET PHISHING Office 365 Credential Harvesting Domain (rightofcourse .com) in DNS Lookup ET PHISHING Office 365 Credential Harvesting Domain (rightofcourse .com) in TLS SNI
ET PHISHING Successful American First CU Credential Phish 2023-01-03 ET PHISHING Generic Korean Bank Credential Theft 2023-01-09

ET PHISHING Observed Phishing Domain in DNS Lookup (circle-ci


ET PHISHING Successful Coinbase Credential Phish 2023-01-09
.com)
ET PHISHING Observed Phishing Domain in DNS Lookup (infollnes-r-us ET PHISHING Observed Phishing Domain in DNS Lookup (mcrsfts-
.co .uk) passwdupdate .com)
ET PHISHING Observed Phishing Domain in DNS Lookup (microsoftonlinesupport .cf) ET PHISHING Manhattan College Phish Landing Page 2022-01-10
ET PHISHING Successful Manhattan College Credential Phish 2022-01-10 ET PHISHING EvilProxy AiTM Cookie Value M2
ET PHISHING Successful Banco G&T Continental Credential Phish 2023-01-25 ET PHISHING Successful Banco Galacia Credential Phish 2023-01-23
ET PHISHING Successful AU myGov Credential Phish 2023-01-30 ET PHISHING Successful VyStar CU Credential Phish 2023-01-31
ET PHISHING Successful Metamask Pass Phrase Phish 2023-02-01 ET PHISHING Successful Wallet Connect Private Key Phish 2023-02-03
ET PHISHING Successful Wallet Connect Pass Phrase Phish 2023-02-03 ET PHISHING Successful Wallet Connect Key Store Phish 2023-02-03
ET PHISHING Possible Phishing Domain in DNS Lookup (c1 .biz) ET PHISHING Successful Generic Credential Phish 2023-02-07
ET PHISHING AWS Phishing Domain (aws1-console-login .us) in DNS Lookup ET PHISHING AWS Phishing Domain (us2-eat-a-w-s .blogspot .com) in DNS Lookup
ET PHISHING AWS Phishing Domain (aws1-us-west .info) in DNS Lookup ET PHISHING AWS Phishing Domain (aws1-ec2-console .com) in DNS Lookup
ET PHISHING AWS Phishing Domain (aws2-console-login .xyz) in DNS Lookup ET PHISHING myGov Credential Phish 2023-02-15
ET PHISHING Sidewinder Credential Phish Landing Page M1 2023-02-16 ET PHISHING Prohqcker Phish Kit
ET PHISHING Sidewinder Credential Phish Landing Page M2 2023-02-16 ET PHISHING Generic Credential Phish Landing Page 2023-02-21
ET PHISHING VigLink Redirect To HiYu Phishing Landing Page ET PHISHING Generic Credential Phish Landing Page M1 2023-02-22
ET PHISHING Successful Generic Credential Phish M1 2023-02-22 ET PHISHING Generic Credential Phish Landing Page M2 2023-02-22
ET PHISHING Successful Generic Credential Phish M2 2023-02-22 ET PHISHING Successful Generic Credential Phish M1 2023-02-22
ET PHISHING Successful Generic Credential Phish M2 2023-02-22 ET PHISHING Successful Generic Credential Phish M3 2023-02-22
ET PHISHING Successful Royal Credit Union Credential Phish 2023-02-23 ET PHISHING Successful Generic Credential Phish M4 2023-02-22
ET PHISHING HiYu - Request for Victim Enrichment ET PHISHING HiYu - Victim Enrichment Response M1
ET PHISHING HiYu - Victim Enrichment Response M2 ET PHISHING HiYu - Victim Enrichment Response M3
ET PHISHING HiYu - Request for User Specific Landing Page ET PHISHING TA453 Phishing Domain in DNS Lookup
ET PHISHING TA453 Phishing Domain in DNS Lookup ET PHISHING TA453 Phishing Domain in DNS Lookup
ET PHISHING TA453 Phishing Domain in DNS Lookup ET PHISHING TA453 Phishing Domain in DNS Lookup
ET PHISHING Coinbase Credential Phish 2023-02-24 ET PHISHING Successful Generic Credential Phish 2023-02-27
ET PHISHING Generic Credential Phish Landing Page 2023-02-27 ET PHISHING Successful Orange.fr Credential Phish 2023-02-27
ET PHISHING Successful Ionos Credential Phish 2023-02-28 ET PHISHING Successful CenturyLink Credential Phish 2023-03-01
ET PHISHING PUBG Credential Phish 2023-03-06 ET PHISHING Roblox Credential Phish 2023-03-06
ET PHISHING Possible Credential Phish Landing Page 2023-03-10 ET PHISHING United Parcel Service Landing Page 2023-03-10
ET PHISHING Observed DNS Query to Possible Phish Hosted on onlinehome.us ET PHISHING Scam Redirect Domain in DNS Lookup
ET PHISHING Generic Credential Phish Landing Page 2023-03-13 ET PHISHING EDD Credential Phish Landing Page 2023-03-16 M1
ET PHISHING EDD Credential Phish Landing Page M2 2023-03-16 ET PHISHING Generic Credential Phish Landing Page 2023-03-16
ET PHISHING Silicon Valley Bank Credential Phish Landing Page M1 ET PHISHING Silicon Valley Bank Credential Phish Landing Page M2
ET PHISHING Silicon Valley Bank Phish Domain in DNS Lookup (cash4svb .com) ET PHISHING Generic Credential Phish Landing Page 2023-03-21
ET PHISHING Generic Credential Phish Landing Page using submit-form .com ET PHISHING Snapchat Credential Phish Landing Page 2023-03-21
ET PHISHING Silicon Valley Bank Credential Phish Landing Page (2023-03-30) ET PHISHING Successful Office365 Credential Phish 2023-03-31
ET PHISHING Generic Credential Phish Landing Page 2023-04-03 ET PHISHING Generic Credential Phish Landing Page 2023-04-05
ET PHISHING Generic Antibot Phish Landing Page 2023-04-05 ET PHISHING Crypto Credential Phish Landing Page 2023-04-17
ET PHISHING Tech Support Phone Scam Landing 2023-04-17 ET PHISHING Successful Bank of America Credential Phish 2023-04-17
ET PHISHING Successful International Card Services Credential Phish 2023-04-20 ET PHISHING Successful OneDrive Credential Phish 2023-04-18
ET PHISHING Fake Google Chrome Error Landing Page, Anti-Analysis Technique ET PHISHING Fake Google Chrome Error Landing Page, Control Access with Cookie
ET PHISHING Fake Google Chrome Error Landing Page, Load Payload ET PHISHING W3LL STORE Phish Kit Landing Page 2023-04-24
ET PHISHING Successful Generic Credential Phish from W3LL STORE Phishkit 2023-04-25 ET PHISHING Successful DHL Credential Phish 2023-04-24
ET PHISHING W3LL STORE Credential Phish Landing Page 2023-04-25 ET PHISHING W3LL STORE Phish Kit Landing Page 2023-04-26
ET PHISHING USPS Credential Phish Landing Page M1 2023-04-28 ET PHISHING USPS Credential Phish Landing Page M2 2023-04-28
ET PHISHING Generic Credential Phish Landing Page 2023-04-28 ET PHISHING Lucy Security - Phishing Framework Plugin List POST
ET PHISHING Generic Credential Phish Landing Page from Text Scam M1 2023-05-01 ET PHISHING Generic Credential Phish Landing Page from Text Scam M2 2023-05-01
ET PHISHING Generic Credential Phish Landing Page from Text Scam M3 2023-05-01 ET PHISHING Generic Credential Phish Landing Page from Text Scam M4 2023-05-01
ET PHISHING W3LL STORE Phish Kit Landing Page 2023-05-02 ET PHISHING W3LL STORE Phish Kit Landing Page 2023-05-05
ET PHISHING W3LL STORE Credential Phish Landing Page (Capt) 2023-05-05 ET PHISHING W3LL STORE Credential Phish Landing Page (Index) 2023-05-05
ET PHISHING W3LL STORE Credential Phish Landing Page (Success) 2023-05-05 ET PHISHING Successful W3LL STORE Credential Phish 2023-05-10
ET PHISHING DarkWatchman Phish Domain in DNS Lookup (cryptopro-download .one) ET PHISHING Greatness Phish Kit Landing Page M1 2023-05-15
ET PHISHING Successful iCloud Credential Phish 2023-06-12 ET PHISHING GreetingGhoul Stealer Crypto Landing Page
ET PHISHING Known Phishing Related Domain in DNS Lookup (schseels .com) ET PHISHING Generic Survey Credential Phish Landing Page 2022-06-20
ET PHISHING ID.me Credential Theft Landing Page 2023-06-21 ET PHISHING Obfuscated MrxC0DER Credential Phish Landing Page
ET PHISHING Generic Obfuscated Sign In Landing Page 2023-06-22 ET PHISHING Suspicious IPFS Domain Rewritten with Google Translate
ET PHISHING Successful BDO Bank Credential Phish 2023-06-23 ET PHISHING Successful Yahoo Credential Phish 2023-06-30
ET PHISHING Ankarex Smishing as a Service Domain in DNS Lookup (ankarex .net) ET PHISHING Successful SFR Mail Credential Phish 2023-07-07
ET PHISHING RomCom Phishing Domain in DNS Lookup (ukrainianworldcongress .info) ET PHISHING Vietnamese Govt Credential Phish M1 2023-07-18
ET PHISHING Vietnamese Govt Credential Phish M2 2023-07-18 ET PHISHING Vietnamese Govt Credential Phish M3 2023-07-18
ET PHISHING Generic Credential Phish Landing Page 2023-08-09 ET PHISHING TOAD Domain in DNS Lookup (mshelp53 .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp06 .us) ET PHISHING TOAD Domain in DNS Lookup (pcxhelp .us)
ET PHISHING TOAD Domain in DNS Lookup (hpsupport08 .us) ET PHISHING TOAD Domain in DNS Lookup (ppalsecure .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp011 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp2 .us)
ET PHISHING TOAD Domain in DNS Lookup (apples9 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp101 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp51 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapp04 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp03 .us) ET PHISHING TOAD Domain in DNS Lookup (help88 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp09 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp013 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp52 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp6 .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp010 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp01 .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapp05 .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp12 .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp103 .us) ET PHISHING TOAD Domain in DNS Lookup (hpsupport02 .us)
ET PHISHING TOAD Domain in DNS Lookup (cshelp09 .us) ET PHISHING TOAD Domain in DNS Lookup (quickcare .cc)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp08 .us) ET PHISHING TOAD Domain in DNS Lookup (apples12 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp08 .us) ET PHISHING TOAD Domain in DNS Lookup (pcdelta .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp14 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp05 .us)
ET PHISHING TOAD Domain in DNS Lookup (help81 .us) ET PHISHING TOAD Domain in DNS Lookup (mscare .cc)
ET PHISHING TOAD Domain in DNS Lookup (pcjet .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp05 .us)
ET PHISHING TOAD Domain in DNS Lookup (hpsupport03 .us) ET PHISHING TOAD Domain in DNS Lookup (apples10 .us)
ET PHISHING TOAD Domain in DNS Lookup (cshelp10 .us) ET PHISHING TOAD Domain in DNS Lookup (jcb24 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp02 .us) ET PHISHING TOAD Domain in DNS Lookup (support24 .cc)
ET PHISHING TOAD Domain in DNS Lookup (help87 .us) ET PHISHING TOAD Domain in DNS Lookup (apples8 .us)
ET PHISHING TOAD Domain in DNS Lookup (helpdesk24 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp012 .us)
ET PHISHING TOAD Domain in DNS Lookup (pccharlie .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp102 .us)
ET PHISHING TOAD Domain in DNS Lookup (cshelp03 .us) ET PHISHING TOAD Domain in DNS Lookup (apples6 .us)
ET PHISHING TOAD Domain in DNS Lookup (cshelp01 .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp06 .us)
ET PHISHING TOAD Domain in DNS Lookup (help89 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp104 .us)
ET PHISHING TOAD Domain in DNS Lookup (cshelp08 .us) ET PHISHING TOAD Domain in DNS Lookup (hpsupport09 .us)
ET PHISHING TOAD Domain in DNS Lookup (apples5 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp105 .cc)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp01 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp105 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp8 .us) ET PHISHING TOAD Domain in DNS Lookup (hpsupport07 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp3 .us) ET PHISHING TOAD Domain in DNS Lookup (apples14 .us)
ET PHISHING TOAD Domain in DNS Lookup (refundpvt .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp010 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp15 .us) ET PHISHING TOAD Domain in DNS Lookup (b124 .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapp02 .us) ET PHISHING TOAD Domain in DNS Lookup (securehelp .cc)
ET PHISHING TOAD Domain in DNS Lookup (mshelp12 .us) ET PHISHING TOAD Domain in DNS Lookup (help84 .us)
ET PHISHING TOAD Domain in DNS Lookup (apples4 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp03 .us)
ET PHISHING TOAD Domain in DNS Lookup (help86 .us) ET PHISHING TOAD Domain in DNS Lookup (help90 .us)
ET PHISHING TOAD Domain in DNS Lookup (apples3 .us) ET PHISHING TOAD Domain in DNS Lookup (apples11 .us)
ET PHISHING TOAD Domain in DNS Lookup (apples1 .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp13 .us)
ET PHISHING TOAD Domain in DNS Lookup (pcecho .us) ET PHISHING TOAD Domain in DNS Lookup (nrtnhelp .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp02 .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp14 .us)
ET PHISHING TOAD Domain in DNS Lookup (apples13 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp5 .us)
ET PHISHING TOAD Domain in DNS Lookup (pcbravo .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp .us)
ET PHISHING TOAD Domain in DNS Lookup (securenetwork .cc) ET PHISHING TOAD Domain in DNS Lookup (mshelp015 .us)
ET PHISHING TOAD Domain in DNS Lookup (cshelp04 .us) ET PHISHING TOAD Domain in DNS Lookup (jivajii .us)

ET PHISHING TOAD Domain in DNS Lookup (mshelp13 .us) ET PHISHING TOAD Domain in DNS Lookup (pckilo .us)
ET PHISHING TOAD Domain in DNS Lookup (help82 .us) ET PHISHING TOAD Domain in DNS Lookup (hpsupport01 .us)
ET PHISHING TOAD Domain in DNS Lookup (apples15 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp1 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp10 .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp05 .us)
ET PHISHING TOAD Domain in DNS Lookup (ncare360 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapp01 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp11 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapp03 .us)
ET PHISHING TOAD Domain in DNS Lookup (hpsupport04 .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp11 .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapphelp04 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp07 .us)
ET PHISHING TOAD Domain in DNS Lookup (live855 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp011 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp4 .us) ET PHISHING TOAD Domain in DNS Lookup (hpsupport06 .us)
ET PHISHING TOAD Domain in DNS Lookup (help83 .us) ET PHISHING TOAD Domain in DNS Lookup (help85 .us)
ET PHISHING TOAD Domain in DNS Lookup (pcindigo .us) ET PHISHING TOAD Domain in DNS Lookup (msofthelp .com)
ET PHISHING TOAD Domain in DNS Lookup (pchorse .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp9 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp06 .us) ET PHISHING TOAD Domain in DNS Lookup (mshelp07 .us)
ET PHISHING TOAD Domain in DNS Lookup (a128 .us) ET PHISHING TOAD Domain in DNS Lookup (apples7 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp014 .us) ET PHISHING TOAD Domain in DNS Lookup (hpsupport05 .us)
ET PHISHING TOAD Domain in DNS Lookup (pcalpha .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp02 .us)
ET PHISHING TOAD Domain in DNS Lookup (securedhelp .us) ET PHISHING TOAD Domain in DNS Lookup (pcfox .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp7 .us) ET PHISHING TOAD Domain in DNS Lookup (cshelp07 .us)
ET PHISHING TOAD Domain in DNS Lookup (cashapp06 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp012 .us)
ET PHISHING TOAD Domain in DNS Lookup (supportlife .us) ET PHISHING TOAD Domain in DNS Lookup (apples2 .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp04 .us) ET PHISHING TOAD Domain in DNS Lookup (gshelp .us)
ET PHISHING Observed TOAD Domain (mshelp53 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp06 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (pcxhelp .us in TLS SNI) ET PHISHING Observed TOAD Domain (hpsupport08 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (ppalsecure .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp011 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp2 .us in TLS SNI) ET PHISHING Observed TOAD Domain (apples9 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp101 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp51 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapp04 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp03 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (help88 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp09 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp013 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp52 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp6 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp010 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp01 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapp05 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp12 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp103 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (hpsupport02 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cshelp09 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (quickcare .cc in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp08 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples12 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp08 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (pcdelta .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp14 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp05 .us in TLS SNI) ET PHISHING Observed TOAD Domain (help81 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mscare .cc in TLS SNI) ET PHISHING Observed TOAD Domain (pcjet .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp05 .us in TLS SNI) ET PHISHING Observed TOAD Domain (hpsupport03 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples10 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cshelp10 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (jcb24 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp02 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (support24 .cc in TLS SNI) ET PHISHING Observed TOAD Domain (help87 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples8 .us in TLS SNI) ET PHISHING Observed TOAD Domain (helpdesk24 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp012 .us in TLS SNI) ET PHISHING Observed TOAD Domain (pccharlie .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp102 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cshelp03 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples6 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cshelp01 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp06 .us in TLS SNI) ET PHISHING Observed TOAD Domain (help89 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp104 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cshelp08 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (hpsupport09 .us in TLS SNI) ET PHISHING Observed TOAD Domain (apples5 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp105 .cc in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp01 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp105 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp8 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (hpsupport07 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp3 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples14 .us in TLS SNI) ET PHISHING Observed TOAD Domain (refundpvt .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp010 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp15 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (b124 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapp02 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (securehelp .cc in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp12 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (help84 .us in TLS SNI) ET PHISHING Observed TOAD Domain (apples4 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp03 .us in TLS SNI) ET PHISHING Observed TOAD Domain (help86 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (help90 .us in TLS SNI) ET PHISHING Observed TOAD Domain (apples3 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples11 .us in TLS SNI) ET PHISHING Observed TOAD Domain (apples1 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp13 .us in TLS SNI) ET PHISHING Observed TOAD Domain (pcecho .us in TLS SNI)
ET PHISHING Observed TOAD Domain (nrtnhelp .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp02 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp14 .us in TLS SNI) ET PHISHING Observed TOAD Domain (apples13 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp5 .us in TLS SNI) ET PHISHING Observed TOAD Domain (pcbravo .us in TLS SNI)

ET PHISHING Observed TOAD Domain (mshelp .us in TLS SNI) ET PHISHING Observed TOAD Domain (securenetwork .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp015 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cshelp04 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (jivajii .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp13 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (pckilo .us in TLS SNI) ET PHISHING Observed TOAD Domain (help82 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (hpsupport01 .us in TLS SNI) ET PHISHING Observed TOAD Domain (apples15 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp1 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp10 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp05 .us in TLS SNI) ET PHISHING Observed TOAD Domain (ncare360 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapp01 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp11 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapp03 .us in TLS SNI) ET PHISHING Observed TOAD Domain (hpsupport04 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp11 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp04 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp07 .us in TLS SNI) ET PHISHING Observed TOAD Domain (live855 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp011 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp4 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (hpsupport06 .us in TLS SNI) ET PHISHING Observed TOAD Domain (help83 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (help85 .us in TLS SNI) ET PHISHING Observed TOAD Domain (pcindigo .us in TLS SNI)
ET PHISHING Observed TOAD Domain (msofthelp .com in TLS SNI) ET PHISHING Observed TOAD Domain (pchorse .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp9 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp06 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp07 .us in TLS SNI) ET PHISHING Observed TOAD Domain (a128 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples7 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp014 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (hpsupport05 .us in TLS SNI) ET PHISHING Observed TOAD Domain (pcalpha .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp02 .us in TLS SNI) ET PHISHING Observed TOAD Domain (securedhelp .us in TLS SNI)
ET PHISHING Observed TOAD Domain (pcfox .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp7 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp07 .us in TLS SNI) ET PHISHING Observed TOAD Domain (cashapp06 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp012 .us in TLS SNI) ET PHISHING Observed TOAD Domain (supportlife .us in TLS SNI)
ET PHISHING Observed TOAD Domain (apples2 .us in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp04 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (gshelp .us in TLS SNI) ET PHISHING Ferest Smuggler Request M1
ET PHISHING Ferest Smuggler Request M2 ET PHISHING Facebook Credential Phish Landing Page 2023-09-01
ET PHISHING Generic Credential Phish Landing Page 2023-09-05 ET PHISHING [TW] NOTG Obfuscation Redirect Observed M1
ET PHISHING [TW] NOTG Obfuscation Redirect Observed M2 ET PHISHING [TW] NOTG Redirect URL Struct
ET PHISHING [TW] NOTG Check Expirations URL Struct ET PHISHING [TW] NOTG Password URL Struct
ET PHISHING [TW] Tycoon Phishkit Domain Observed (codecrafterspro .com) ET PHISHING [TW] NOTG Check Add User URL Struct
ET PHISHING [TW] Tycoon Phishkit Domain Observed (codecrafters .su) ET PHISHING [TW] Tycoon Phishkit Domain Observed (devcraftingsolutions .com)
ET PHISHING [TW] Tycoon Phishkit Domain (devcraftingsolutions .com in TLS SNI) ET PHISHING [TW] Tycoon Phishkit Domain (codecrafterspro .com in TLS SNI)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (snxn298y5brpxd67rbntynb6p4qupuuv .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com)
ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com) ET PHISHING [TW] Microsoft Credential Phish V3 CnC Domain in DNS Lookup (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (snxn298y5brpxd67rbntynb6p4qupuuv .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (3aqulcx8xkg6qxrhxgmisecrt98kxlenzj .com in TLS SNI)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q922jh6d3zk0aelqdfc7yygzjr29sle .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qc230lt32ey73qlaj9rkujm0ujtv090 .com in TLS SNI)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q8hn7d0uhpspz9xcp3hl9e5erddlew .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qr0kxc4gcqt2lcpkdnz8ehs02u9n2xkgz89rwpr .com in TLS SNI)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qp2we64k79237y0npqehprfgynlz02fwpktlwte .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6zd25jmkfh5x24ymp60tq99xdugpq .com in TLS SNI)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lmk6eesc65zpw79lxes69zkq3ew .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (1kmtet1wyig94bxbcke45nivfx1w3m3hth .com in TLS SNI)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (13fzyjcfqhnryc4dkxkykbaawkzwrmhcfc .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q6crq62w2sclm0cwwk6m2wugr6jkh .com in TLS SNI)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1q0hcvl2p88zdv4dj97mfwtwv4usxm .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ew .com in TLS SNI)
ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qjywr9cpsm5u7e4yrmnx2jsahgzzmm7 .com in TLS SNI) ET PHISHING [TW] Observed Microsoft Credential Phish V3 Domain (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h .com in TLS SNI)
ET PHISHING Generic Phishing - Successful Landing Interaction ET PHISHING DNS Query to TOAD Domain (eshopper .top)
ET PHISHING Observed TOAD Domain (eshopper .top in TLS SNI) ET PHISHING TOAD Domain in DNS Lookup (athelp .live)
ET PHISHING TOAD Domain in DNS Lookup (login .pcsystem247 .cc) ET PHISHING TOAD Domain in DNS Lookup (jxhelp .cc)
ET PHISHING TOAD Domain in DNS Lookup (mghelp .live) ET PHISHING TOAD Domain in DNS Lookup (wdhelp .us)
ET PHISHING TOAD Domain in DNS Lookup (support7 .cc) ET PHISHING TOAD Domain in DNS Lookup (wdhelp .live)
ET PHISHING TOAD Domain in DNS Lookup (mta-sts .gub .bio) ET PHISHING TOAD Domain in DNS Lookup (kbhelp .info)
ET PHISHING TOAD Domain in DNS Lookup (axhelp .live) ET PHISHING TOAD Domain in DNS Lookup (helpsystem .cc)
ET PHISHING TOAD Domain in DNS Lookup (mail .retfaqboos .site) ET PHISHING TOAD Domain in DNS Lookup (gbhelp .live)
ET PHISHING TOAD Domain in DNS Lookup (gbhelp .cc) ET PHISHING TOAD Domain in DNS Lookup (gchelp .info)
ET PHISHING TOAD Domain in DNS Lookup (jxhelp .us) ET PHISHING TOAD Domain in DNS Lookup (cxhelp .us)
ET PHISHING TOAD Domain in DNS Lookup (retfaqboos .site) ET PHISHING TOAD Domain in DNS Lookup (mail .mrree .gub .bio)
ET PHISHING TOAD Domain in DNS Lookup (dfhelp .cc) ET PHISHING TOAD Domain in DNS Lookup (pcsystem247 .cc)
ET PHISHING TOAD Domain in DNS Lookup (pxhelp .us) ET PHISHING TOAD Domain in DNS Lookup (amz34 .us)
ET PHISHING TOAD Domain in DNS Lookup (emv1 .gub .bio) ET PHISHING TOAD Domain in DNS Lookup (mchelp .cc)
ET PHISHING TOAD Domain in DNS Lookup (login .helpsystem .cc) ET PHISHING TOAD Domain in DNS Lookup (jxhelp .info)
ET PHISHING TOAD Domain in DNS Lookup (33 .gub .bio) ET PHISHING TOAD Domain in DNS Lookup (dbhelp .info)
ET PHISHING TOAD Domain in DNS Lookup (gub .bio) ET PHISHING TOAD Domain in DNS Lookup (lbhelp .us)
ET PHISHING TOAD Domain in DNS Lookup (mshelp58 .us) ET PHISHING TOAD Domain in DNS Lookup (cashapphelp19 .us)
ET PHISHING Observed TOAD Domain (login .helpsystem .cc in TLS SNI) ET PHISHING Observed TOAD Domain (gbhelp .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (lbhelp .us in TLS SNI) ET PHISHING Observed TOAD Domain (wdhelp .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mchelp .cc in TLS SNI) ET PHISHING Observed TOAD Domain (kbhelp .info in TLS SNI)
ET PHISHING Observed TOAD Domain (mta-sts .gub .bio in TLS SNI) ET PHISHING Observed TOAD Domain (amz34 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (login .pcsystem247 .cc in TLS SNI) ET PHISHING Observed TOAD Domain (gbhelp .live in TLS SNI)
ET PHISHING Observed TOAD Domain (dbhelp .info in TLS SNI) ET PHISHING Observed TOAD Domain (jxhelp .info in TLS SNI)
ET PHISHING Observed TOAD Domain (axhelp .live in TLS SNI) ET PHISHING Observed TOAD Domain (jxhelp .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cashapphelp19 .us in TLS SNI) ET PHISHING Observed TOAD Domain (jxhelp .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (pcsystem247 .cc in TLS SNI) ET PHISHING Observed TOAD Domain (athelp .live in TLS SNI)
ET PHISHING Observed TOAD Domain (wdhelp .live in TLS SNI) ET PHISHING Observed TOAD Domain (gub .bio in TLS SNI)
ET PHISHING Observed TOAD Domain (mail .retfaqboos .site in TLS SNI) ET PHISHING Observed TOAD Domain (mghelp .live in TLS SNI)
ET PHISHING Observed TOAD Domain (support7 .cc in TLS SNI) ET PHISHING Observed TOAD Domain (33 .gub .bio in TLS SNI)
ET PHISHING Observed TOAD Domain (mail .mrree .gub .bio in TLS SNI) ET PHISHING Observed TOAD Domain (pxhelp .us in TLS SNI)
ET PHISHING Observed TOAD Domain (emv1 .gub .bio in TLS SNI) ET PHISHING Observed TOAD Domain (helpsystem .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (retfaqboos .site in TLS SNI) ET PHISHING Observed TOAD Domain (cxhelp .us in TLS SNI)
ET PHISHING Observed TOAD Domain (gchelp .info in TLS SNI) ET PHISHING Observed TOAD Domain (mshelp58 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (dfhelp .cc in TLS SNI) ET PHISHING TOAD Domain in DNS Lookup (gxcare .cc)
ET PHISHING TOAD Domain in DNS Lookup (tenty247 .top) ET PHISHING Observed TOAD Domain (gxcare .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (tenty247 .top in TLS SNI) ET PHISHING Crypto Phishing DNS Lookup
ET PHISHING Phishing Domain in TLS SNI (imedcloud .net) ET PHISHING Crypto Phishing DNS Lookup
ET PHISHING Observed Crypto Phishing Domain in TLS SNI ET PHISHING [TW] Trex Phishkit POST
ET PHISHING [TW] Tycoon Phishkit Config Vars ET PHISHING [TW] Tycoon Phishkit CSS
ET PHISHING Netscaler Gateway Credential Theft (POST) ET PHISHING MageCart 404 COOKIE_ANNOT
ET PHISHING DNS Query to TOAD Domain (300005 .ru) ET PHISHING DNS Query to TOAD Domain (helpset123 .site)
ET PHISHING Observed TOAD Domain (300005 .ru in TLS SNI) ET PHISHING Observed TOAD Domain (helpset123 .site in TLS SNI)
ET PHISHING DNS Query to TOAD Domain (bshelp .us) ET PHISHING DNS Query to TOAD Domain (b2care .cc)
ET PHISHING DNS Query to TOAD Domain (cshelp03 .us) ET PHISHING DNS Query to TOAD Domain (r2care .cc)
ET PHISHING DNS Query to TOAD Domain (bghelp .us) ET PHISHING DNS Query to TOAD Domain (r2care .us)
ET PHISHING DNS Query to TOAD Domain (dfhelp .live) ET PHISHING DNS Query to TOAD Domain (hshelp .live)
ET PHISHING DNS Query to TOAD Domain (j2care .cc) ET PHISHING DNS Query to TOAD Domain (hscare .cc)
ET PHISHING DNS Query to TOAD Domain (i2care .us) ET PHISHING DNS Query to TOAD Domain (hshelp .info)
ET PHISHING DNS Query to TOAD Domain (bgcare .info) ET PHISHING DNS Query to TOAD Domain (bgcare .us)
ET PHISHING DNS Query to TOAD Domain (a2help .us) ET PHISHING DNS Query to TOAD Domain (bshelp .support)
ET PHISHING DNS Query to TOAD Domain (bscare .help) ET PHISHING DNS Query to TOAD Domain (c2care .cc)
ET PHISHING DNS Query to TOAD Domain (hscare .info) ET PHISHING DNS Query to TOAD Domain (hscare .live)
ET PHISHING DNS Query to TOAD Domain (brhelp .live) ET PHISHING DNS Query to TOAD Domain (bscare .cc)
ET PHISHING DNS Query to TOAD Domain (cancel247 .info) ET PHISHING DNS Query to TOAD Domain (m2care .cc)
ET PHISHING DNS Query to TOAD Domain (aphelp .us) ET PHISHING DNS Query to TOAD Domain (d2care .cc)
ET PHISHING DNS Query to TOAD Domain (g2care .us) ET PHISHING DNS Query to TOAD Domain (bgcare .live)
ET PHISHING DNS Query to TOAD Domain (j2care .us) ET PHISHING DNS Query to TOAD Domain (bshelp .info)
ET PHISHING DNS Query to TOAD Domain (n2care .us) ET PHISHING DNS Query to TOAD Domain (nxhelp .live)
ET PHISHING DNS Query to TOAD Domain (bghelp .online) ET PHISHING DNS Query to TOAD Domain (catreenpr .is)
ET PHISHING DNS Query to TOAD Domain (hscare .online) ET PHISHING DNS Query to TOAD Domain (kelbyonel .nl)
ET PHISHING DNS Query to TOAD Domain (m2care .us) ET PHISHING DNS Query to TOAD Domain (hshelp .online)
ET PHISHING DNS Query to TOAD Domain (bscare .info) ET PHISHING DNS Query to TOAD Domain (hshelp .us)
ET PHISHING DNS Query to TOAD Domain (hscare .us) ET PHISHING DNS Query to TOAD Domain (h2care .cc)
ET PHISHING DNS Query to TOAD Domain (b2care .us) ET PHISHING DNS Query to TOAD Domain (bscare .live)
ET PHISHING DNS Query to TOAD Domain (bshelp .live) ET PHISHING DNS Query to TOAD Domain (suvfix .us)
ET PHISHING DNS Query to TOAD Domain (axhelp .us) ET PHISHING DNS Query to TOAD Domain (g2care .cc)
ET PHISHING DNS Query to TOAD Domain (a2care .cc) ET PHISHING DNS Query to TOAD Domain (i2care .cc)
ET PHISHING DNS Query to TOAD Domain (mshelp09 .live) ET PHISHING DNS Query to TOAD Domain (n2care .cc)
ET PHISHING DNS Query to TOAD Domain (cashapphelp2 .us) ET PHISHING DNS Query to TOAD Domain (bscare .us)
ET PHISHING DNS Query to TOAD Domain (hshelp .cc) ET PHISHING DNS Query to TOAD Domain (a2care .us)
ET PHISHING DNS Query to TOAD Domain (bghelp .live) ET PHISHING DNS Query to TOAD Domain (bgcare .cc)
ET PHISHING DNS Query to TOAD Domain (h2care .us) ET PHISHING DNS Query to TOAD Domain (bgcare .help)
ET PHISHING DNS Query to TOAD Domain (bghelp .cc) ET PHISHING DNS Query to TOAD Domain (bgcare .online)
ET PHISHING DNS Query to TOAD Domain (q2care .us) ET PHISHING DNS Query to TOAD Domain (d2care .us)
ET PHISHING DNS Query to TOAD Domain (c2care .us) ET PHISHING Observed TOAD Domain (nxhelp .live in TLS SNI)
ET PHISHING Observed TOAD Domain (r2care .cc in TLS SNI) ET PHISHING Observed TOAD Domain (bgcare .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (hscare .us in TLS SNI) ET PHISHING Observed TOAD Domain (bgcare .online in TLS SNI)
ET PHISHING Observed TOAD Domain (bscare .live in TLS SNI) ET PHISHING Observed TOAD Domain (c2care .us in TLS SNI)
ET PHISHING Observed TOAD Domain (cshelp03 .us in TLS SNI) ET PHISHING Observed TOAD Domain (a2help .us in TLS SNI)
ET PHISHING Observed TOAD Domain (hscare .cc in TLS SNI) ET PHISHING Observed TOAD Domain (h2care .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (bghelp .live in TLS SNI) ET PHISHING Observed TOAD Domain (bgcare .info in TLS SNI)
ET PHISHING Observed TOAD Domain (bshelp .info in TLS SNI) ET PHISHING Observed TOAD Domain (cashapphelp2 .us in TLS SNI)
ET PHISHING Observed TOAD Domain (d2care .us in TLS SNI) ET PHISHING Observed TOAD Domain (c2care .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (g2care .us in TLS SNI) ET PHISHING Observed TOAD Domain (hscare .info in TLS SNI)
ET PHISHING Observed TOAD Domain (a2care .cc in TLS SNI) ET PHISHING Observed TOAD Domain (hscare .online in TLS SNI)
ET PHISHING Observed TOAD Domain (bscare .cc in TLS SNI) ET PHISHING Observed TOAD Domain (hshelp .online in TLS SNI)
ET PHISHING Observed TOAD Domain (n2care .cc in TLS SNI) ET PHISHING Observed TOAD Domain (n2care .us in TLS SNI)
ET PHISHING Observed TOAD Domain (mshelp09 .live in TLS SNI) ET PHISHING Observed TOAD Domain (i2care .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (b2care .cc in TLS SNI) ET PHISHING Observed TOAD Domain (bghelp .online in TLS SNI)
ET PHISHING Observed TOAD Domain (bscare .us in TLS SNI) ET PHISHING Observed TOAD Domain (bscare .help in TLS SNI)
ET PHISHING Observed TOAD Domain (bshelp .us in TLS SNI) ET PHISHING Observed TOAD Domain (g2care .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (h2care .us in TLS SNI) ET PHISHING Observed TOAD Domain (j2care .us in TLS SNI)
ET PHISHING Observed TOAD Domain (q2care .us in TLS SNI) ET PHISHING Observed TOAD Domain (r2care .us in TLS SNI)
ET PHISHING Observed TOAD Domain (a2care .us in TLS SNI) ET PHISHING Observed TOAD Domain (d2care .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (axhelp .us in TLS SNI) ET PHISHING Observed TOAD Domain (bgcare .help in TLS SNI)
ET PHISHING Observed TOAD Domain (i2care .us in TLS SNI) ET PHISHING Observed TOAD Domain (suvfix .us in TLS SNI)
ET PHISHING Observed TOAD Domain (bghelp .cc in TLS SNI) ET PHISHING Observed TOAD Domain (m2care .us in TLS SNI)
ET PHISHING Observed TOAD Domain (dfhelp .live in TLS SNI) ET PHISHING Observed TOAD Domain (j2care .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (bgcare .live in TLS SNI) ET PHISHING Observed TOAD Domain (bshelp .live in TLS SNI)
ET PHISHING Observed TOAD Domain (hshelp .live in TLS SNI) ET PHISHING Observed TOAD Domain (m2care .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (brhelp .live in TLS SNI) ET PHISHING Observed TOAD Domain (hshelp .cc in TLS SNI)
ET PHISHING Observed TOAD Domain (bghelp .us in TLS SNI) ET PHISHING Observed TOAD Domain (cancel247 .info in TLS SNI)
ET PHISHING Observed TOAD Domain (b2care .us in TLS SNI) ET PHISHING Observed TOAD Domain (hshelp .us in TLS SNI)
ET PHISHING Observed TOAD Domain (bscare .info in TLS SNI) ET PHISHING Observed TOAD Domain (hscare .live in TLS SNI)
ET PHISHING Observed TOAD Domain (kelbyonel .nl in TLS SNI) ET PHISHING Observed TOAD Domain (catreenpr .is in TLS SNI)
ET PHISHING Observed TOAD Domain (hshelp .info in TLS SNI) ET PHISHING Observed TOAD Domain (aphelp .us in TLS SNI)
ET PHISHING Observed TOAD Domain (bshelp .support in TLS SNI) ET PHISHING Observed TOAD Domain (bgcare .us in TLS SNI)
ET PHISHING Generic Phish Landing Page (2023-10-26) ET PHISHING Generic Phish Landing Page (2023-10-26)
ET PHISHING Generic Phish Landing Page (2023-10-30) ET PHISHING SWAT USA Drop Login Panel
ET PHISHING SWAT USA Drop Login Panel ET PHISHING Successful Greatness Credential Phish M1 (2023-11-07)
ET PHISHING Successful Greatness Credential Phish M2 (2023-11-07) ET PHISHING Successful Greatness Credential Phish M3 (2023-11-07)
ET PHISHING Possible Generic Credential Phish with Obfuscated Javascript
ET PHISHING Tycoon Landing Page
ET PHISHING Suspected Evri Phish Landing Page 2023-12-01 ET PHISHING USPS Phish Landing Page 2023-12-05
ET PHISHING TA444 Domain in DNS Lookup (team-meet .xyz) ET PHISHING TA444 Domain in DNS Lookup (team-meeting .pro)
ET PHISHING TA444 Domain in DNS Lookup (onelao .line .pm) ET PHISHING TA444 Domain in DNS Lookup (tiena .einei .line .pm)
ET PHISHING TA444 Domain in DNS Lookup (meetingverse .app) ET PHISHING TA444 Domain in DNS Lookup (ovcloud .online)
ET PHISHING TA444 Domain in DNS Lookup (online-processing .online) ET PHISHING TA444 Domain in DNS Lookup (meeting-online .site)
ET PHISHING TA444 Domain in DNS Lookup (group-meeting .team) ET PHISHING TA444 Domain in DNS Lookup (group-meeting .online)
ET PHISHING TA444 Domain in DNS Lookup (privymeet .com) ET PHISHING TA444 Domain in DNS Lookup (naverk .myvnc .com)
ET PHISHING TA444 Domain in DNS Lookup (blackleopard .myvnc .com)
ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .myvnc .com)
ET PHISHING TA444 Domain in DNS Lookup (skyboxdrive .cloud) ET PHISHING TA444 Domain in DNS Lookup (meetcentralhub .online)
ET PHISHING TA444 Domain in DNS Lookup (team-meeting .xyz) ET PHISHING TA444 Domain in DNS Lookup (syncmeet .online)
ET PHISHING TA444 Domain in DNS Lookup (online-meeting .team) ET PHISHING TA444 Domain in DNS Lookup (safemeeting .online)
ET PHISHING TA444 Domain in DNS Lookup (team-meet .online) ET PHISHING TA444 Domain in DNS Lookup (videomeethub .online)
ET PHISHING TA444 Domain in DNS Lookup (myself .hopto .org) ET PHISHING TA444 Domain in DNS Lookup (manchestercity .work .gd)
ET PHISHING TA444 Domain in DNS Lookup (dubai .network .cloud .doc-shared .linkpc .net)
ET PHISHING TA444 Domain in DNS Lookup (group .evalaskatours .com)
ET PHISHING TA444 Domain in DNS Lookup (internal .bounceme .net)
ET PHISHING TA444 Domain in DNS Lookup (mclearoptical .com)
ET PHISHING TA444 Domain in DNS Lookup (support .cisco-webex .online)
ET PHISHING TA444 Domain in DNS Lookup (pdf .cisco-webex .online)
ET PHISHING TA444 Domain in DNS Lookup (docshared .col-link .linkpc .net)
ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .presentations .life)
ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .pd .linkpc .net)
ET PHISHING TA444 Domain in DNS Lookup (on-global .xyz)
ET PHISHING TA444 Domain in DNS Lookup (internal .group .link-net .publicvm .com)
ET PHISHING TA444 Domain in DNS Lookup (j-ic .co .intneral-document-he-gr-me .run .place)
ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .im .linkpc .net)
ET PHISHING TA444 Domain in DNS Lookup (doc .global-link .run .place)
ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .deck .linkpc .net)
ET PHISHING TA444 Domain in DNS Lookup (bitscrunch .co)
ET PHISHING TA444 Domain in TLS SNI (team-meet .xyz) ET PHISHING TA444 Domain in TLS SNI (team-meeting .pro)
ET PHISHING TA444 Domain in TLS SNI (onelao .line .pm) ET PHISHING TA444 Domain in TLS SNI (tiena .einei .line .pm)
ET PHISHING TA444 Domain in TLS SNI (meetingverse .app) ET PHISHING TA444 Domain in TLS SNI (ovcloud .online)
ET PHISHING TA444 Domain in TLS SNI (online-processing .online) ET PHISHING TA444 Domain in TLS SNI (meeting-online .site)
ET PHISHING TA444 Domain in TLS SNI (group-meeting .team) ET PHISHING TA444 Domain in TLS SNI (group-meeting .online)
ET PHISHING TA444 Domain in TLS SNI (privymeet .com) ET PHISHING TA444 Domain in TLS SNI (naverk .myvnc .com)
ET PHISHING TA444 Domain in TLS SNI (blackleopard .myvnc .com) ET PHISHING TA444 Domain in TLS SNI (bitscrunch .myvnc .com)
ET PHISHING TA444 Domain in TLS SNI (skyboxdrive .cloud) ET PHISHING TA444 Domain in TLS SNI (meetcentralhub .online)
ET PHISHING TA444 Domain in TLS SNI (team-meeting .xyz) ET PHISHING TA444 Domain in TLS SNI (syncmeet .online)
ET PHISHING TA444 Domain in TLS SNI (online-meeting .team) ET PHISHING TA444 Domain in TLS SNI (safemeeting .online)
ET PHISHING TA444 Domain in TLS SNI (team-meet .online) ET PHISHING TA444 Domain in TLS SNI (videomeethub .online)
ET PHISHING TA444 Domain in TLS SNI (myself .hopto .org) ET PHISHING TA444 Domain in TLS SNI (manchestercity .work .gd)
ET PHISHING TA444 Domain in TLS SNI (dubai .network .cloud .doc-shared .linkpc .net)
ET PHISHING TA444 Domain in TLS SNI (group .evalaskatours .com)
ET PHISHING TA444 Domain in TLS SNI (internal .bounceme .net)
ET PHISHING TA444 Domain in TLS SNI (mclearoptical .com)
ET PHISHING TA444 Domain in TLS SNI (pdf .cisco-webex .online)
ET PHISHING TA444 Domain in TLS SNI (support .cisco-webex .online)
ET PHISHING TA444 Domain in TLS SNI (docshared .col-link .linkpc .net)
ET PHISHING TA444 Domain in TLS SNI (bitscrunch .presentations .life)
ET PHISHING TA444 Domain in TLS SNI (bitscrunch .pd .linkpc .net)
ET PHISHING TA444 Domain in TLS SNI (on-global .xyz)
ET PHISHING TA444 Domain in TLS SNI (internal .group .link-net .publicvm .com)
ET PHISHING TA444 Domain in TLS SNI (j-ic .co .intneral-document-he-gr-me .run .place)
ET PHISHING TA444 Domain in TLS SNI (bitscrunch .im .linkpc .net) ET PHISHING TA444 Domain in TLS SNI (doc .global-link .run .place)
ET PHISHING TA444 Domain in TLS SNI (bitscrunch .deck .linkpc .net) ET PHISHING TA444 Domain in TLS SNI (bitscrunch .co)
ET PHISHING Tycoon Landing Page ET PHISHING Obfuscated Javascript from Generic Phishkit
ET PHISHING Lucy Security Time Tracking - Phishing Simulation ET PHISHING Lucy Security - Credential Submission (set)
ET PHISHING Lucy Security - Phishing Landing Page M3 ET PHISHING Lucy Security - Phishing to Awareness Landing Page
ET PHISHING Meta Credential Phish Landing Page 2024-01-08 ET PHISHING Successful Metamask PassPhrase Phish 2024-01-24
ET PHISHING Metamask Credential Phish Landing Page 2024-01-24 ET PHISHING DNS Query to TOAD Domain (desktool .buzz)
ET PHISHING Observed TOAD Domain (desktool .buzz in TLS SNI) ET PHISHING DNS Query to TOAD Domain (mvhelp .cc)
ET PHISHING Observed TOAD Domain (mvhelp .cc in TLS SNI) ET PHISHING [TW] Possible Crypto Wallet Drainer JS M1
ET PHISHING [TW] Possible Crypto Wallet Drainer JS M2 ET PHISHING [TW] Possible Crypto Wallet Drainer Domain Observed
ET PHISHING ResumeLooter Domain in DNS Lookup (qu3 .cc) ET PHISHING ResumeLooter Domain in DNS Lookup (7o .ae)
ET PHISHING ResumeLooter Domain in DNS Lookup (cloudnetsofe .com)
ET PHISHING ResumeLooter Domain in DNS Lookup (8t .ae)
ET PHISHING ResumeLooter Domain in DNS Lookup (foundit .asia) ET PHISHING ResumeLooter Domain in DNS Lookup (xn--31-rha .me)
ET PHISHING ResumeLooter Domain in DNS Lookup (9gp .cc) ET PHISHING ResumeLooter Domain in DNS Lookup (8r .ae)
ET PHISHING ResumeLooter Domain in DNS Lookup (iimjobs .asia) ET PHISHING ResumeLooter Domain in DNS Lookup (sb8 .co)
ET PHISHING Observed ResumeLooter Domain (qu3 .cc in TLS SNI) ET PHISHING Observed ResumeLooter Domain (7o .ae in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (cloudnetsofe .com in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (8t .ae in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (foundit .asia in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (xn--31-rha .me in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (9gp .cc in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (8r .ae in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (iimjobs .asia in TLS SNI)
ET PHISHING Observed ResumeLooter Domain (sb8 .co in TLS SNI)
ET PHISHING Observed DNS Query to Phishing Related Domain [Redacted - Vulgar]
ET PHISHING Observed Phishing Related Domain [Redacted - Vulgar]
ET PHISHING Generic Phish Landing Page 2024-02-12 ET PHISHING Successful Generic Phish 2024-02-12
ET PHISHING Savvy Seahorse CNAME TDS Related Domain in DNS Lookup (b36cname .site)
ET PHISHING Savvy Seahorse CNAME TDS Related Domain in DNS Lookup (getyourapi .site)
ET PHISHING DNS Query to TA455 Domain (teledyneflir.com .de) ET PHISHING DNS Query to TA455 Domain (1stemployer .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestionsapi .azurewebsites .net)
ET PHISHING DNS Query to TA455 Domain (vsliveagent .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (vscodeupdater .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (helicoptersahtests .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (airconnectionsapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (regionuaequestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (testmanagementapisjson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (blognewsalphaapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeed .cloudapp .azure .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktextcheckings .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (apphrquizapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (onequestionsapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktextchecking .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (onequestionsapicheck .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsapplicationbackup .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (arquestionsapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (customercareservice .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (uaeaircheckon .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (blogvolleyballstatus .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeed .centralus .cloudapp .azure .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (emiratescheckapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktexts .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsurveyapp .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (quiztestapplication .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (manpowerfeedapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (engineeringrssfeed .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (airconnectionapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntime .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (coffeeonlineshop .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (onequestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimestestapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (logupdatemanagementapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeedp .cloudapp .azure .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (roadmapselector .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (homefurniture .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (engineeringssfeed .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (blogvolleyballstatusapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (technewsblogapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (airgadgetsolutions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (emiratescheckapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestionapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (airgadgetsolution .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (iaidevrssfeed .centrualus .cloudapp .azure .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (surveyappquery .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (boeisurveyapplications .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookcollection .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (helicopterahtest .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (hrapplicationtest .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (altnametestapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (identifycheckapplication .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (ilengineeringrssfeed .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (manpowerfeedapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognewfeed .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (workersquestionsapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimeversionchecking .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (optionalapplication .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (connectairapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (flighthelicopterahtest .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognewsapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (customercareserviceapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (notebooktextcheckings .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (exchtestcheckingapihealth .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (surveyonlinetest .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsdatabases .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsapplicationapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (humanresourcesapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (openapplicationcheck .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (logsapimanagement .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (workersquestionsjson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (browsercheckap .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (checkapicountryquestionsjson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (integratedblognews .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestionstypeapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (intengineeringrssfeed .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (cashcloudservices .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsurveyappserver .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (audiomanagerapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (coffeeonlineshoping .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (exchtestcheckingapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (surveyonlinetestapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (personalizationsurvey .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (questionsapplicationapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (turkairline .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (identifycheckingapplications .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (testquestionapplicationapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (tnlsowki .westus3 .cloudapp .azure .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (registerinsurance .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (hiringarabicregion .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (countrybasedquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (apphrquestion .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimetestapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (browsercheckingapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (logupdatemanagementapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (qaquestionsapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (sportblogs .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestiontypesapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (intergratedblognewsapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (queryfindquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (queryquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (checkapicountryquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (audioservicetestapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (workersquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (uaeairchecks .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookscollection .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (refaeldevrssfeed .centralus .cloudapp .azure .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (apphrquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (personalitytestquestionapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (tnlsowkis .westus3 .cloudapp .azure .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (humanresourcesapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (checkservicecustomerapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (testtesttes .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (humanresourcesapiquiz .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookcollections .com)
ET PHISHING DNS Query to UNC1549/TA455 Domain (jupyternotebookcollections .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (helicopterahtests .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestiontypes .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (testmanagementapi1 .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (browsercheckjson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (answerssurveytest .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (airconnectionsapijson .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (changequestionstypejsonapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (marineblogapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (logsapimanagements .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (javaruntimeversioncheckingapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (identifycheckapplications .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (connectionhandlerapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (testmanagementapis .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (tiappschecktest .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (arquestions .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (roadmapselectorapi .azurewebsites .net)
ET PHISHING DNS Query to UNC1549/TA455 Domain (birngthemhomenow .co .il)
emerging-policy.rules Show
emerging-pop3.rules Hide
GPL POP3 x86 BSD overflow GPL POP3 x86 BSD overflow 2
GPL POP3 x86 Linux overflow GPL POP3 x86 SCO overflow
GPL POP3 POP3 PASS overflow attempt GPL POP3 APOP overflow attempt
GPL POP3 USER overflow attempt GPL POP3 AUTH overflow attempt
GPL POP3 LIST overflow attempt GPL POP3 XTND overflow attempt
GPL POP3 CAPA overflow attempt GPL POP3 TOP overflow attempt
GPL POP3 STAT overflow attempt GPL POP3 DELE overflow attempt
GPL POP3 RSET overflow attempt GPL POP3 DELE negative argument attempt
GPL POP3 UIDL negative argument attempt GPL POP3 USER format string attempt
GPL POP3 APOP USER overflow attempt GPL POP3 PASS format string attempt
emerging-rpc.rules Hide
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access GPL RPC snmpXdmi overflow attempt TCP
GPL RPC mountd TCP export request GPL RPC portmap admind request UDP
GPL RPC portmap amountd request UDP GPL RPC portmap bootparam request UDP
GPL RPC portmap cmsd request UDP GPL RPC portmap mountd request UDP
GPL RPC portmap nisd request UDP GPL RPC portmap pcnfsd request UDP
GPL RPC portmap rexd request UDP GPL RPC portmap rstatd request UDP
GPL RPC portmap rusers request UDP GPL RPC portmap sadmind request UDP
GPL RPC portmap selection_svc request UDP GPL RPC portmap status request UDP
GPL RPC portmap ttdbserv request UDP GPL RPC portmap yppasswd request UDP
GPL RPC portmap ypserv request UDP GPL RPC portmap ypupdated request TCP
GPL RPC portmap snmpXdmi request TCP GPL RPC portmap espd request TCP
GPL RPC portmap listing TCP 111 GPL RPC rlogin LinuxNIS
GPL RPC rlogin login failure GPL RPC rlogin login failure
GPL RPC portmap admind request TCP GPL RPC portmap amountd request TCP
GPL RPC portmap bootparam request TCP GPL RPC portmap cmsd request TCP
GPL RPC portmap nisd request TCP GPL RPC portmap pcnfsd request TCP
GPL RPC portmap rexd request TCP GPL RPC portmap rstatd request TCP
GPL RPC portmap rusers request TCP GPL RPC portmap sadmind request TCP
GPL RPC portmap selection_svc request TCP GPL RPC portmap ttdbserv request TCP
GPL RPC portmap yppasswd request TCP GPL RPC portmap ypserv request TCP
GPL RPC portmap ypupdated request UDP GPL RPC portmap snmpXdmi request UDP
GPL RPC portmap listing UDP 111 GPL RPC portmap listing UDP 32771
GPL RPC portmap rwalld request UDP GPL RPC portmap rwalld request TCP
GPL RPC portmap cachefsd request UDP GPL RPC portmap cachefsd request TCP
GPL RPC xdmcp info query GPL RPC status GHBN format string attack
GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt
GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt
GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt
GPL RPC STATD UDP stat mon_name format string exploit attempt GPL RPC STATD TCP stat mon_name format string exploit attempt
GPL RPC STATD UDP monitor mon_name format string exploit attempt
GPL RPC STATD TCP monitor mon_name format string exploit attempt
GPL RPC portmap proxy attempt TCP GPL RPC portmap proxy attempt UDP
GPL RPC mountd UDP export request GPL RPC mountd TCP exportall request
GPL RPC mountd UDP exportall request GPL RPC portmap SET attempt TCP 111
GPL RPC portmap SET attempt UDP 111 GPL RPC mountd TCP mount request
GPL RPC mountd UDP mount request GPL RPC sadmind UDP PING
GPL RPC sadmind TCP PING GPL RPC portmap NFS request UDP
GPL RPC portmap NFS request TCP GPL RPC portmap RQUOTA request UDP
GPL RPC portmap RQUOTA request TCP GPL RPC RQUOTA getquota overflow attempt UDP
GPL RPC tooltalk UDP overflow attempt GPL RPC tooltalk TCP overflow attempt
GPL RPC portmap kcms_server request UDP GPL RPC portmap kcms_server request TCP
GPL RPC kcms_server directory traversal attempt GPL RPC portmap UNSET attempt TCP 111
GPL RPC portmap UNSET attempt UDP 111 GPL RPC portmap status request TCP
GPL RPC portmap espd request UDP GPL RPC mountd TCP dump request
GPL RPC mountd UDP dump request GPL RPC mountd TCP unmount request
GPL RPC mountd UDP unmount request GPL RPC mountd TCP unmountall request
GPL RPC yppasswd username overflow attempt UDP GPL RPC yppasswd username overflow attempt TCP
GPL RPC yppasswd old password overflow attempt UDP GPL RPC yppasswd old password overflow attempt TCP
GPL RPC yppasswd new password overflow attempt UDP GPL RPC yppasswd new password overflow attempt TCP
GPL RPC yppasswd user update UDP GPL RPC yppasswd user update TCP
GPL RPC ypserv maplist request UDP GPL RPC portmap network-status-monitor request UDP
GPL RPC portmap network-status-monitor request TCP GPL RPC portmap nlockmgr request UDP
GPL RPC portmap nlockmgr request TCP GPL RPC portmap rpc.xfsmd request UDP
GPL RPC portmap rpc.xfsmd request TCP GPL RPC rpc.xfsmd xfs_export attempt UDP

361 of 382 2024-03-01, 14:05


GPL RPC rpc.xfsmd xfs_export attempt TCP
GPL RPC ypupdated arbitrary command attempt UDP
GPL RPC portmap proxy integer overflow attempt TCP
GPL RPC CMSD UDP CMSD_CREATE array buffer overflow attempt
GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt
GPL RPC rexec username too long response
GPL RPC rexec password overflow attempt
GPL RPC mountd TCP mount path overflow attempt
GPL RPC mountd UDP mount path overflow attempt
GPL RPC sadmind query with root credentials attempt TCP
GPL RPC sadmind query with root credentials attempt UDP
GPL RPC kerberos principal name overflow UDP
GPL RPC kerberos principal name overflow TCP

emerging-scada.rules
ET SCADA CitectSCADA ODBC Overflow Attempt
ET SCADA RealWin SCADA System Buffer Overflow
ET SCADA DATAC RealWin SCADA Server Buffer Overflow
ET SCADA ICONICS WebHMI ActiveX Stack Overflow
ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability
ET SCADA Siemens FactoryLink 8 CSService Logging Buffer Overflow Vulnerability
ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt
ET SCADA PcVue Activex Control Insecure method (AddPage)
ET SCADA PcVue Activex Control Insecure method (DeletePage)
ET SCADA PcVue Activex Control Insecure method (SaveObject)
ET SCADA PcVue Activex Control Insecure method (GetExtendedColor)
ET SCADA PcVue Activex Control Insecure method (LoadObject)
ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2
ET SCADA Sunway ForceControl Activex Control Vulnerability
ET SCADA PROMOTIC ActiveX Control Insecure method (SaveCfg)
ET SCADA PROMOTIC ActiveX Control Insecure method (AddTrend)
ET SCADA SEIG SYSTEM 9 - Remote Code Execution
ET SCADA SEIG Modbus 3.4 - Remote Code Execution
ET SCADA IEC-104 TESTFR (Test Frame) Activation
ET SCADA IEC-104 TESTFR (Test Frame) Confirmation
ET SCADA IEC-104 STARTDT (Start Data Transfer) Activation
ET SCADA IEC-104 STARTDT (Start Data Transfer) Confirmation
ET SCADA IEC-104 STOPDT (Stop Data Transfer) Activation
ET SCADA IEC-104 STOPDT (Stop Data Transfer) Confirmation
ET SCADA IEC-104 Station Interrogation - Global ASDU Broadcast
ET SCADA IEC-104 Clock Synchronization Command
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - TCP Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - UDP Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - IP Routing Data
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation System Data Details Information Disclosure Attempt
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - General Memory Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - General Heap Memory Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - ICMP Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - IGMP Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - Interface Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - ARP Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - IP Statistics
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Possible Unauthorized Access Attempt - Request for radevice.css
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - System List
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - Browse Chasis
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - Chassis Detail Request
ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - Crashdump Display
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboraties SEL-series Possible Unauthorized Access Attempt - Request for err401.sel
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboraties SEL-series Possible Unauthorized Access - Request for home.sel
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-series Possible Unauthorized Access - Request for default.sel
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboraties SEL-2488 Possible Unauthorized Access Attempt - Request for /scripts/dScripts.sel
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboraties SEL-2488 Possible Unauthorized Access Attempt - Request for /css/sel.css
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-series Dropbear SSH Banner - Possible SSH Login attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3530-RTAC AcSELerator Firmware Activity
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3620 Default X509 Certificate String
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3620 Default Cert Subject Common Name
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3620 Default Cert Issuer Common Name
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-2488 Default Cert Subject Common Name
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-2488 Default Cert Issuer Common Name
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL Telnet Activity
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL Telnet Elevated Access
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL 2032 Processor Telnet Banner
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL Calibration Access Level Login Success
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Change working directory 2701
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Access Change

ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - DNPMAP.TXT File Download Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Current directory /SEL-2701
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - STOR SET_DNP1.TXT File Upload Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SET_ File Upload Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - User ACC Login Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Default Password otter
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - DNPMAP.TXT File Upload Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - ERR.TXT File Download Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SET_DNP1.TXT File Download Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SET_ File Download Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Default User Account FTPUSER Login Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - Default User Account Password TAIL Login Attempt
ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL FTP Server Activity - SEL-751A FTP Banner Observed
ET SCADA [nsacyber/ELITEWOLF] Possible Siemens S7-1200 Unauthorized Access Attempt - Request for /Images/CPU1200/
ET SCADA [nsacyber/ELITEWOLF] Possible Siemens S7-1200 Unauthorized Access Attempt - Request for /CSS/S7Web.css
ET SCADA [nsacyber/ELITEWOLF] Siemens S7-1200 Default X509 Certificate String
ET SCADA [nsacyber/ELITEWOLF] Siemens S7-1200 Default Cert Subject Common Name
ET SCADA [nsacyber/ELITEWOLF] Siemens S7-1200 Default Cert Issuer Common Name
ET SCADA [nsacyber/ELITEWOLF] Siemens S7 Redpoint NSE Request CPU Function Read SZL attempt
ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraAX Default X509 Certificate String
ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraAX Default Cert Subject Common Name
ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraAX Default Cert Issuer Common Name
ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraN4 Default X509 Certificate String
ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraN4 Default Cert Subject Common Name
ET SCADA [nsacyber/ELITEWOLF] Tridium NiagaraN4 Default Cert Issuer Common Name
ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default X509 Certificate String
ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default Cert Subject Common Name
ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara4 Default Cert Issuer Common Name
ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default X509 Certificate
ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default Cert Subject Common Name
ET SCADA [nsacyber/ELITEWOLF] Tridium Niagara Default Cert Issuer Common Name
ET SCADA Rockwell RNA Message Large Header Length - 8Kb

emerging-scan.rules
ET SCAN NMAP -sO
ET SCAN NMAP -sS window 2048
ET SCAN NMAP -sA (1)
ET SCAN NMAP -sA (2)
ET SCAN NMAP -f -sF
ET SCAN NMAP -f -sN
ET SCAN NMAP -f -sV
ET SCAN NMAP -f -sX
ET SCAN ICMP PING IPTools
ET SCAN Potential SSH Scan
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET SCAN Possible SSL Brute Force attack or Site Crawl
ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force
ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)
ET SCAN MYSQL 4.0 brute force root login attempt
ET SCAN Potential FTP Brute-Force attempt response
ET SCAN Nessus User Agent
ET SCAN Nikto Web App Scan in Progress
ET SCAN Yahoo Crawler Crawl
ET SCAN MYSQL 4.1 brute force root login attempt
ET SCAN Potential VNC Scan 5800-5820
ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor
ET SCAN Potential VNC Scan 5900-5920
ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
ET SCAN Potential SSH Scan OUTBOUND
ET SCAN IBM NSA User Agent
ET SCAN PHP Attack Tool Morfeus F Scanner
ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan
ET SCAN ProxyReconBot CONNECT method to Mail
ET SCAN ProxyReconBot POST method to Mail
ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack
ET SCAN WebHack Control Center User-Agent Inbound (WHCC/)
ET SCAN w3af User Agent
ET SCAN Grim's Ping ftp scanning tool
ET SCAN Internal to Internal UPnP Request tcp port 2555
ET SCAN External to Internal UPnP Request tcp port 2555


ET SCAN External to Internal UPnP Request udp port 1900
ET SCAN PRO Search Crawler Probe
ET SCAN DirBuster Web App Scan in Progress
ET SCAN Paros Proxy Scanner Detected
ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force
ET SCAN Suspicious User-Agent inbound (bot)
ET SCAN Watchfire AppScan Web App Vulnerability Scanner
ET SCAN DEBUG Method Request with Command
ET SCAN bsqlbf Brute Force SQL Injection
ET SCAN Cisco Torch TFTP Scan
ET SCAN Cisco Torch IOS HTTP Scan
ET SCAN Httprint Web Server Fingerprint Scan
ET SCAN Wapiti Web Server Vulnerability Scan
ET SCAN Tomcat Auth Brute Force attempt (admin)
ET SCAN Tomcat Auth Brute Force attempt (tomcat)
ET SCAN Tomcat Auth Brute Force attempt (manager)
ET SCAN Smap VOIP Device Scan
ET SCAN Core-Project Scanning Bot UA Detected
ET SCAN Hmap Webserver Fingerprint Scan
ET SCAN Sqlmap SQL Injection Scan
ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack
ET SCAN Voiper Toolkit Torturer Scan
ET SCAN Acunetix Version 6 Crawl/Scan Detected
ET SCAN Voiper Fuzzing Scan
ET SCAN Sipvicious Scan
ET SCAN Sipp SIP Stress Test Detected
ET SCAN Sipsak SIP scan
ET SCAN Stompy Web Application Session Scan
ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan
ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan
ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan
ET SCAN Wikto Scan
ET SCAN Httprecon Web Server Fingerprint Scan
ET SCAN WSFuzzer Web Application Fuzzing
ET SCAN Wikto Backend Data Miner Scan
ET SCAN SIP erase_registrations/add registrations attempt
ET SCAN sipscan probe
ET SCAN SQLix SQL Injection Vector Scan
ET SCAN Mini MySqlatOr SQL Injection Scanner
ET SCAN SQLNinja MSSQL Version Scan
ET SCAN SQLNinja MSSQL XPCmdShell Scan
ET SCAN SQLNinja MSSQL User Scan
ET SCAN SQLNinja MSSQL Database User Rights Scan
ET SCAN SQLNinja MSSQL Authentication Mode Scan
ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure
ET SCAN SQLNinja Attempt To Create xp_cmdshell Session
ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)
ET SCAN WebShag Web Application Scan Detected
ET SCAN Toata Scanner User-Agent Detected
ET SCAN Tomcat admin-admin login credentials
ET SCAN Tomcat admin-blank login credentials
ET SCAN Tomcat upload from external source
ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan
ET SCAN Modbus Scanning detected
ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)
ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)
ET SCAN Possible jBroFuzz Fuzzer Detected
ET SCAN SQLBrute SQL Scan Detected
ET SCAN Asp-Audit Web Scan Detected
ET SCAN Grendel Web Scan - Default User Agent Detected
ET SCAN Grendel-Scan Web Application Security Scan Detected
ET SCAN Grabber.py Web Scan Detected
ET SCAN Absinthe SQL Injection Tool HTTP Header Detected
ET SCAN NMAP -sS window 1024
ET SCAN NMAP -sS window 3072
ET SCAN NMAP -sS window 4096
ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan
ET SCAN Acunetix Version 6 (Free Edition) Scan Detected
ET SCAN Multiple NBTStat Query Responses to External Destination, Possible Automated Windows Network Enumeration
ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration
ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis
ET SCAN SQL Power Injector SQL Injection User Agent Detected
ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND
ET SCAN WITOOL SQL Injection Scan
ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool
ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected
ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan
ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack
ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner
ET SCAN Tomcat Web Application Manager scanning
ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner
ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan
ET SCAN SQL Injection Attempt (Agent uil2pn)
ET SCAN pangolin SQL injection tool
ET SCAN Amap TCP Service Scan Detected
ET SCAN Amap UDP Service Scan Detected
ET SCAN Non-Allowed Host Tried to Connect to MySQL Server
ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt
ET SCAN Springenwerk XSS Scanner User-Agent Detected
ET SCAN ICMP @hello request Likely Precursor to Scan
ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt
ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt
ET SCAN ICMP Delphi Likely Precursor to Scan
ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan
ET SCAN ZmEu exploit scanner
ET SCAN Open-Proxy ScannerBot (webcollage-UA)
ET SCAN Suspicious inbound to MSSQL port 1433
ET SCAN Suspicious inbound to Oracle SQL port 1521
ET SCAN Suspicious inbound to mySQL port 3306
ET SCAN Suspicious inbound to mSQL port 4333
ET SCAN Suspicious inbound to PostgreSQL port 5432
ET SCAN Skipfish Web Application Scan Detected
ET SCAN crimscanner User-Agent detected
ET SCAN Skipfish Web Application Scan Detected (2)
ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected
ET SCAN w3af Scan In Progress ARGENTINA Req Method


ET SCAN HZZP Scan in Progress calc in Headers
ET SCAN Netsparker Default User-Agent
ET SCAN Netsparker Scan in Progress
ET SCAN HTTP GET invalid method case
ET SCAN HTTP POST invalid method case
ET SCAN HTTP HEAD invalid method case
ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected
ET SCAN HTTP OPTIONS invalid method case
ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected
ET SCAN Malformed Packet SYN FIN
ET SCAN Malformed Packet SYN RST
ET SCAN w3af Scan Remote File Include Retrieval
ET SCAN Nikto Scan Remote File Include Retrieval
ET SCAN Hydra User-Agent
ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
ET SCAN Possible WafWoof Web Application Firewall Detection Scan
ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected
ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)
ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected
ET SCAN Inspathx Path Disclosure Scan
ET SCAN Medusa User-Agent
ET SCAN DirBuster Scan in Progress
ET SCAN DotDotPwn User-Agent
ET SCAN Havij SQL Injection Tool User-Agent Outbound
ET SCAN Metasploit WMAP GET len 0 and type
ET SCAN RatProxy in-use
ET SCAN Goatzapszu Header from unknown Scanning Tool
ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)
ET SCAN Havij SQL Injection Tool User-Agent Inbound
ET SCAN OpenVAS User-Agent Inbound
ET SCAN Possible SQLMAP Scan
ET SCAN Possible SQLMAP Scan
ET SCAN ZmEu Scanner User-Agent Inbound
ET SCAN Internal Dummy Connection User-Agent Inbound
ET SCAN Potential muieblackcat scanner double-URI and HTTP library
ET SCAN DominoHunter Security Scan in Progress
ET SCAN Vega Web Application Scan
ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl)
ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent
ET SCAN Nessus FTP Scan detected (ftp_writeable_directories.nasl)
ET SCAN Apache mod_deflate DoS via many multiple byte Range values
ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt
ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)
ET SCAN McAfee/Foundstone Scanner Web Scan
ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)
ET SCAN NMAP SQL Spider Scan
ET SCAN Apache mod_proxy Reverse Proxy Exposure 1
ET SCAN Apache mod_proxy Reverse Proxy Exposure 2
ET SCAN Gootkit Scanner User-Agent Inbound
ET SCAN FHScan core User-Agent Detect
ET SCAN Arachni Scanner Web Scan
ET SCAN critical.io Scan
ET SCAN w3af User-Agent 2
ET SCAN HTExploit Method
ET SCAN Brutus Scan Outbound
ET SCAN Nessus Netbios Scanning
ET SCAN SFTP/FTP Password Exposure via sftp-config.json
ET SCAN MYSQL MySQL Remote FAST Account Password Cracking
ET SCAN JCE Joomla Scanner
ET SCAN Simple Slowloris Flooder
ET SCAN GET with HTML tag in start of URI seen with PHPMyAdmin scanning
ET SCAN Non-Malicious SSH/SSL Scanner on the run
ET SCAN Arachni Web Scan
ET SCAN SipCLI VOIP Scan - TCP
ET SCAN SipCLI VOIP Scan
ET SCAN NETWORK Outgoing Masscan detected
ET SCAN NETWORK Incoming Masscan detected
ET SCAN FOCA uri
ET SCAN NMAP SIP Version Detect OPTIONS Scan
ET SCAN NMAP SIP Version Detection Script Activity
ET SCAN Hikvision DVR attempted Synology Recon Scan
ET SCAN NMAP OS Detection Probe
ET SCAN Possible WordPress xmlrpc.php wp.getUsersBlogs Flowbit Set
ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response
ET SCAN Internet Scanning Project HTTP scan
ET SCAN Chroot-apache0day Unknown Web Scanner User Agent
ET SCAN SSH BruteForce Tool with fake PUTTY version
ET SCAN Acunetix Accept HTTP Header detected scan in progress
ET SCAN H.323 Scanning device
ET SCAN Nmap NSE Heartbleed Request
ET SCAN Nmap NSE Heartbleed Response
ET SCAN Xenu Link Sleuth Scanner Outbound
ET SCAN abdullkarem Wordpress PHP Scanner
ET SCAN Possible Scanning for Vulnerable JBoss
ET SCAN COMMIX Command injection scan attempt
ET SCAN MySQL Malicious Scanning 1
ET SCAN MySQL Malicious Scanning 2
ET SCAN MySQL Malicious Scanning 3
ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri
ET SCAN Redis SSH Key Overwrite Probing
ET SCAN Acunetix scan in progress acunetix variable in http_uri
ET SCAN MS Terminal Server Traffic on Non-standard Port
ET SCAN Possible Nmap User-Agent Observed
ET SCAN struts-pwn User-Agent
ET SCAN NYU Internet Census UA Inbound
ET SCAN HP Enterprise VAN SDN Controller
ET SCAN ntop-ng Authentication Bypass via Session ID Guessing
ET SCAN HID VertX and Edge door controllers discover
ET SCAN Geutebrueck re_porter 7.8.974.20 Information Disclosure
ET SCAN Hikvision IP Camera 5.4.0 Information Disclosure
ET SCAN StarDotStar HELO, suspected AUTH LOGIN botnet
ET SCAN Hello Peppa! Scan Activity
ET SCAN External Host Probing for ChromeCast Devices
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)


ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN Zmap User-Agent (Inbound)
ET SCAN Dark Nexus IoT Variant User-Agent (Inbound)
ET SCAN Tomato Router Default Credentials (admin:admin)
ET SCAN Tomato Router Default Credentials (root:admin)
ET SCAN ELF/Mirai User-Agent Observed (Inbound)
ET SCAN Polaris Botnet User-Agent (Inbound)
ET SCAN Polaris Botnet User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN JAWS Webserver Unauthenticated Shell Command Execution
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN Observed Suspicious UA (Callstranger Vulnerability Checker)
ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN Zmap User-Agent (Outbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML
ET SCAN ELF/Mirai Variant User-Agent (Inbound)
ET SCAN Generic IDBTE4M Exploit Scanner (Outbound)
ET SCAN Generic IDBTE4M Exploit Scanner (Inbound)
ET SCAN DNS Query for allports.exposed
ET SCAN Google Webcrawler User-Agent (Mediapartners-Google)
ET SCAN Yandex Webcrawler User-Agent (YandexBot)
ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot)
ET SCAN Bing Webcrawler User-Agent (BingBot)
ET SCAN Naver Webcrawler User-Agent (Naver.me)
ET SCAN OpenVASVT RCE Test String in HTTP Request Inbound
ET SCAN OpenVASVT RCE Test String in HTTP Request Outbound
ET SCAN Exabot Webcrawler User Agent
ET SCAN AOL Webcrawler User-Agent
ET SCAN Baidu Spider Webcrawler User Agent - inbound
ET SCAN FTPSync Settings Disclosure Attempt
ET SCAN Laravel Debug Mode Information Disclosure Probe Inbound
ET SCAN WordPress HelloThinkCMF Scan
ET SCAN RDP Connection Attempt from Nmap
ET SCAN Web Scanner - Fuzz Faster U Fool (Inbound)
ET SCAN LeakIX Inbound User-Agent
GPL SCAN Finger Account Enumeration Attempt
GPL SCAN Finger Search Query
GPL SCAN Finger Root Query
GPL SCAN Finger Null Request
GPL SCAN Finger Probe 0 Attempt
GPL SCAN cybercop redirection
GPL SCAN Finger Redirection Attempt
GPL SCAN cybercop query
GPL SCAN Finger 0 Query
GPL SCAN Finger . query
GPL SCAN adm scan
GPL SCAN PING Delphi-Piette Windows
GPL SCAN ISS Pinger
GPL SCAN Nemesis v1.1 Echo
GPL SCAN PING NMAP
GPL SCAN icmpenum v1.1.1
GPL SCAN superscan echo
GPL SCAN webtrends scanner
GPL SCAN Broadscan Smurf Scanner
GPL SCAN PING CyberKit 2.2 Windows
GPL SCAN PING Sniffer Pro/NetXRay network scan
GPL SCAN same SRC/DST
GPL SCAN loopback traffic
GPL SCAN rusers query UDP
GPL SCAN myscan
GPL SCAN ssh-research-scanner
GPL SCAN cybercop os probe
GPL SCAN NULL
GPL SCAN SYN FIN
GPL SCAN XMAS
GPL SCAN cybercop os PA12 attempt
GPL SCAN cybercop os SFU12 probe
GPL SCAN nmap TCP
GPL SCAN nmap fingerprint attempt
GPL SCAN Webtrends Scanner UDP Probe
GPL SCAN sensepost.exe command shell attempt
GPL SCAN cybercop scan
GPL SCAN nessus 1.X 404 probe
GPL SCAN cybercop os probe
GPL SCAN whisker HEAD/./
GPL SCAN nmap XMAS
GPL SCAN Finger Version Query
GPL SCAN SSH Version map attempt
GPL SCAN NetGear router default password login attempt admin/password
GPL SCAN SolarWinds IP scan attempt
GPL SCAN nessus 2.x 404 probe
GPL SCAN Finger / execution attempt

emerging-shellcode.rules
ET SHELLCODE x86 PexFnstenvMov/Sub Encoder
ET SHELLCODE x86 Alpha2 GetEIPs Encoder
ET SHELLCODE x86 Countdown Encoder
ET SHELLCODE x86 PexAlphaNum Encoder
ET SHELLCODE x86 PexCall Encoder
ET SHELLCODE x86 JmpCallAdditive Encoder
ET SHELLCODE Possible UTF-8 encoded Shellcode Detected
ET SHELLCODE Possible UTF-16 encoded Shellcode Detected
ET SHELLCODE Bindshell2 Decoder Shellcode
ET SHELLCODE Rothenburg Shellcode
ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode
ET SHELLCODE Adenau Shellcode
ET SHELLCODE Mainz/Bielefeld Shellcode
ET SHELLCODE Wuerzburg Shellcode
ET SHELLCODE Schauenburg Shellcode
ET SHELLCODE Koeln Shellcode
ET SHELLCODE Lichtenfels Shellcode
ET SHELLCODE Mannheim Shellcode
ET SHELLCODE Berlin Shellcode
ET SHELLCODE Leimbach Shellcode
ET SHELLCODE Aachen Shellcode
ET SHELLCODE Furth Shellcode
ET SHELLCODE Langenfeld Shellcode
ET SHELLCODE Bonn Shellcode


ET SHELLCODE Siegburg Shellcode
ET SHELLCODE Plain1 Shellcode
ET SHELLCODE Plain2 Shellcode
ET SHELLCODE Bindshell1 Decoder Shellcode
ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)
ET SHELLCODE Plain2 Shellcode (UDP)
ET SHELLCODE Plain1 Shellcode (UDP)
ET SHELLCODE Siegburg Shellcode (UDP)
ET SHELLCODE Bonn Shellcode (UDP)
ET SHELLCODE Langenfeld Shellcode (UDP)
ET SHELLCODE Furth Shellcode (UDP)
ET SHELLCODE Aachen Shellcode (UDP)
ET SHELLCODE Leimbach Shellcode (UDP)
ET SHELLCODE Berlin Shellcode (UDP)
ET SHELLCODE Mannheim Shellcode (UDP)
ET SHELLCODE Lichtenfels Shellcode (UDP)
ET SHELLCODE Koeln Shellcode (UDP)
ET SHELLCODE Schauenburg Shellcode (UDP)
ET SHELLCODE Wuerzburg Shellcode (UDP)
ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)
ET SHELLCODE Adenau Shellcode (UDP)
ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)
ET SHELLCODE Rothenburg Shellcode (UDP)
ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)
ET SHELLCODE METASPLOIT BSD Bind shell
ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)
ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)
ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)
ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)
ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)
ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)
ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)
ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)
ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)
ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)
ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)
ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)
ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)
ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)
ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)
ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)
ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)
ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)
ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)
ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)
ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)
ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)
ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)
ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)
ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)
ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)
ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)
ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)
ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)
ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)
ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)
ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)
ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)
ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)
ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)
ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)
ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)
ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)
ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)
ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)
ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)
ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)
ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)
ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)
ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)
ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)
ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)
ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)
ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)
ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)
ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)
ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected
ET SHELLCODE Possible Call with No Offset UDP Shellcode
ET SHELLCODE Possible Call with No Offset TCP Shellcode
ET SHELLCODE Possible Call with No Offset UDP Shellcode
ET SHELLCODE Possible Call with No Offset TCP Shellcode
ET SHELLCODE Possible Call with No Offset UDP Shellcode
ET SHELLCODE Possible Call with No Offset TCP Shellcode
ET SHELLCODE Possible Call with No Offset UDP Shellcode
ET SHELLCODE Possible UTF-8 %u90 NOP SLED
ET SHELLCODE Possible UTF-16 %u9090 NOP SLED
ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode
ET SHELLCODE Possible Encoded %90 NOP SLED
ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation
ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2
ET SHELLCODE Common 0a0a0a0a Heap Spray String
ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String
ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String
ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String
ET SHELLCODE Common 0c0c0c0c Heap Spray String
ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String
ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String
String
ET SHELLCODE UTF-8/16 Encoded Shellcode
ET SHELLCODE Unescape Variable %u Shellcode
ET SHELLCODE Unescape Variable Unicode Shellcode
ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt
ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt
ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt
ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt
ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt
ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt
ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt
ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt
ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt
ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt
ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt
ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt
ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt
ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b
ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c
ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d
ET SHELLCODE Hex Obfuscated JavaScript NOP SLED
ET SHELLCODE Unescape Hex Obfuscated Content
ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141
ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b
ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c
ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d
ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED
ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141
ET SHELLCODE Unicode UTF-8 Heap Spray Attempt
ET SHELLCODE Unicode UTF-16 Heap Spray Attempt
ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray
ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray
ET SHELLCODE Possible UTF-16 u9090 NOP SLED
ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode
ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode
ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode
ET SHELLCODE Execve(/bin/sh) Shellcode
GPL SHELLCODE SGI NOOP
GPL SHELLCODE SGI NOOP
GPL SHELLCODE AIX NOOP
GPL SHELLCODE Digital UNIX NOOP
GPL SHELLCODE HP-UX NOOP
GPL SHELLCODE HP-UX NOOP
GPL SHELLCODE sparc NOOP
GPL SHELLCODE sparc NOOP
GPL SHELLCODE sparc NOOP
GPL SHELLCODE sparc setuid 0
GPL SHELLCODE x86 NOOP
GPL SHELLCODE x86 setgid 0
GPL SHELLCODE x86 setuid 0
GPL SHELLCODE x86 stealth NOOP
GPL SHELLCODE Linux shellcode
GPL SHELLCODE x86 0x90 unicode NOOP
GPL SHELLCODE MSSQL shellcode attempt
GPL SHELLCODE ssh CRC32 overflow /bin/sh
GPL SHELLCODE ssh CRC32 overflow NOOP
GPL SHELLCODE x86 inc ebx NOOP
GPL SHELLCODE x86 0xEB0C NOOP
GPL SHELLCODE x86 0x71FB7BAB NOOP
GPL SHELLCODE x86 0x71FB7BAB NOOP unicode
GPL SHELLCODE x86 0x90 NOOP unicode
emerging-smtp.rules
ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt
ET SMTP Potential Exim HeaderX with run exploit attempt
ET SMTP Abuseat.org Block Message
ET SMTP Spamcop.net Block Message
ET SMTP Sophos.com Block Message
ET SMTP Sorbs.net Block Message
ET SMTP Robtex.com Block Message
ET SMTP EXE - ZIP file with .pif filename inside
ET SMTP Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)
ET SMTP Possible ComputerCop Log Transmitted via SMTP
ET SMTP Message Containing search-ms URI With subquery Parameter In Message Body - Possible NTLM Hash Leak Attempt
ET SMTP Message Containing search-ms URI With crumb location Parameter In Message Body - Possible NTLM Hash Leak Attempt
ET SMTP Message Containing Windows Performance Analyzer URI In Message Body - Possible NTLM Hash Leak Attempt
GPL SMTP SMTP relaying denied
GPL SMTP ehlo cybercop attempt
GPL SMTP expn cybercop attempt
GPL SMTP RCPT TO overflow
GPL SMTP expn decode
GPL SMTP expn root
GPL SMTP vrfy decode
GPL SMTP OUTBOUND bad file attachment
GPL SMTP vrfy root
GPL SMTP expn *@
GPL SMTP EXPN overflow attempt
GPL SMTP AUTH LOGON brute force attempt
GPL SMTP MAIL FROM overflow attempt
emerging-snmp.rules
ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port
ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port
ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port
ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port
ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port
ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port
ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI
ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI
ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis
ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis
ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)
ET SNMP Samsung Printer SNMP Hardcode RW Community String
ET SNMP missing community string attempt 1
ET SNMP missing community string attempt 2
ET SNMP missing community string attempt 3
ET SNMP missing community string attempt 4
GPL SNMP SNMP trap Format String detected
GPL SNMP SNMP NT UserList
GPL SNMP SNMP community string buffer overflow attempt
GPL SNMP public access udp
GPL SNMP public access tcp
GPL SNMP private access udp
GPL SNMP private access tcp
GPL SNMP Broadcast request
GPL SNMP broadcast trap
GPL SNMP request udp
GPL SNMP request tcp
GPL SNMP trap udp
GPL SNMP trap tcp
GPL SNMP community string buffer overflow attempt with evasion
GPL SNMP PROTOS test-suite-trap-app attempt
GPL SNMP null community string attempt
GPL SNMP missing community string attempt
emerging-sql.rules
emerging-telnet.rules
ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)
ET TELNET External Telnet Login Prompt from Cisco Device
ET TELNET busybox MIRAI hackers - Possible Brute Force Attack
ET TELNET busybox ECCHI hackers - Possible Brute Force Attack
ET TELNET busybox MEMES Hackers - Possible Brute Force Attack
GPL TELNET TELNET login failed
GPL TELNET TELNET access
GPL TELNET Telnet Root not on console
GPL TELNET root login
GPL TELNET Bad Login
emerging-tftp.rules
ET TFTP Outbound TFTP Write Request
ET TFTP Outbound TFTP Data Transfer
ET TFTP Outbound TFTP ACK
ET TFTP Outbound TFTP Error Message
ET TFTP Outbound TFTP Read Request
ET TFTP TFTPGUI Long Transport Mode Buffer Overflow
ET TFTP Outbound TFTP Data Transfer with Cisco config
ET TFTP Outbound TFTP Data Transfer With Cisco Config 2
GPL TFTP Put
GPL TFTP parent directory
GPL TFTP root directory
GPL TFTP MISC TFTP32 Get Format string attempt
GPL TFTP GET Admin.dll
GPL TFTP GET nc.exe
GPL TFTP GET shadow
GPL TFTP GET passwd
GPL TFTP Get
GPL TFTP GET filename overflow attempt
GPL TFTP NULL command attempt
GPL TFTP PUT filename overflow attempt
emerging-tor.rules
emerging-user_agents.rules
ET USER_AGENTS Suspicious User Agent (agent)
ET USER_AGENTS SideStep User-Agent
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET USER_AGENTS Metafisher/Goldun User-Agent (z)
ET USER_AGENTS 2search.org User Agent (2search)
ET USER_AGENTS Suspicious User Agent (Autoupdate)
ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)
ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)
ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan
ET USER_AGENTS Suspicious User-Agent (Updater)
ET USER_AGENTS Suspicious User-Agent (update)
ET USER_AGENTS Suspicious User-Agent (Updater)
ET USER_AGENTS Suspicious User-Agent (WinXP Pro Service Pack 2)
ET USER_AGENTS Suspicious User-Agent outbound (bot)
ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/)
ET USER_AGENTS Suspicious User-Agent (MSIE)
ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders
ET USER_AGENTS Suspicious User-Agent (Snatch-System)
ET USER_AGENTS KKtone Suspicious User-Agent (KKTone)
ET USER_AGENTS Suspicious User-Agent (MyAgent)
ET USER_AGENTS Suspicious User-Agent (Huai_Huai)
ET USER_AGENTS Dialer-967 User-Agent
ET USER_AGENTS Matcash or related downloader User-Agent Detected
ET USER_AGENTS Suspicious User-Agent (MYURL)
ET USER_AGENTS Downloader User-Agent Detected (Windows Updates Manager|3.12|...)
ET USER_AGENTS Suspicious User-Agent (006)
ET USER_AGENTS Downloader User-Agent Detected (ld)
ET USER_AGENTS Eldorado.BHO User-Agent Detected (netcfg)
ET USER_AGENTS Win32/Feebs.kw Worm User-Agent Detected
ET USER_AGENTS Tear Application User-Agent Detected
ET USER_AGENTS User-agent DownloadNetFile Win32.small.hsh downloader (inetinst)
ET USER_AGENTS Cashpoint.com Related checkin User-Agent
ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr)
ET USER_AGENTS Suspicious User-Agent (HTTP_CONNECT_)
ET USER_AGENTS Suspicious User-Agent (API-Guide test program) Used by Several trojans
ET USER_AGENTS Eldorado.BHO User-Agent Detected (MSIE 5.5)
ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)
ET USER_AGENTS Suspicious User-Agent Possible Trojan Downloader Shell
ET USER_AGENTS User-Agent (single dash)
ET USER_AGENTS Suspicious User-Agent (downloader)
ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (https)
ET USER_AGENTS User-Agent (Unknown)
ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))
ET USER_AGENTS Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification)
ET USER_AGENTS Suspicious User-Agent (Version 1.23)
ET USER_AGENTS User-Agent (Internet Explorer)
ET USER_AGENTS Suspicious User-Agent (App4)
ET USER_AGENTS Suspicious User-Agent (Mozilla-web)
ET USER_AGENTS Suspicious User-Agent (INSTALLER)
ET USER_AGENTS Suspicious User-Agent (IEMGR)
ET USER_AGENTS Suspicious User-Agent (GOOGLE)
ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1)
ET USER_AGENTS Suspicious User-Agent (RBR)
ET USER_AGENTS Otwycal User-Agent (Downing)
ET USER_AGENTS Suspicious User-Agent (MS Internet Explorer)
ET USER_AGENTS Suspicious User-Agent (Installer)
ET USER_AGENTS Suspicious User-Agent (QQ)
ET USER_AGENTS Suspicious User-Agent (TestAgent)
ET USER_AGENTS Suspicious User-Agent (SERVER2_03)
ET USER_AGENTS Suspicious User-Agent (WinProxy)
ET USER_AGENTS Suspicious User-Agent (sickness29a/0.1)
ET USER_AGENTS Suspicious User-Agent (up2dash updater)
ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)
ET USER_AGENTS Suspicious User-Agent (Mozilla 1.02.45 biz)
ET USER_AGENTS Suspicious User-Agent (chek)
ET USER_AGENTS Suspicious User-Agent (IE)
ET USER_AGENTS Suspicious User-Agent (AutoHotkey)
ET USER_AGENTS Suspicious User-Agent (WebForm 1)
ET USER_AGENTS Suspicious User-Agent (opera)
ET USER_AGENTS Suspicious User-Agent (Zilla)
ET USER_AGENTS Suspicious User-Agent (contains loader)
ET USER_AGENTS Suspicious User-Agent (123)
ET USER_AGENTS Suspicious User-Agent (angel)
ET USER_AGENTS Suspicious User-Agent (Accessing)
ET USER_AGENTS Suspicious User-Agent (ISMYIE)
ET USER_AGENTS Suspicious User-Agent (InetURL)
ET USER_AGENTS Suspicious User-Agent (ErrCode)
ET USER_AGENTS Suspicious User-Agent (svchost)
ET USER_AGENTS Suspicious User-Agent (ReadFileURL)
ET USER_AGENTS Suspicious User-Agent (PcPcUpdater)
ET USER_AGENTS Suspicious User-Agent (Inet_read)
ET USER_AGENTS Suspicious User-Agent (CFS Agent)
ET USER_AGENTS Suspicious User-Agent (CFS_DOWNLOAD)
ET USER_AGENTS Suspicious User-Agent (AdiseExplorer)
ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)
ET USER_AGENTS Suspicious User-Agent (HttpDownload)
ET USER_AGENTS Suspicious User-Agent (Download App)
ET USER_AGENTS Downloader User-Agent (AutoDL\/1.0)
ET USER_AGENTS Suspicious User-Agent (hacker)
ET USER_AGENTS Suspicious User-Agent (ieguideupdate)
ET USER_AGENTS Suspicious User-Agent (adsntD)
ET USER_AGENTS Suspicious User-Agent (dwplayer)
ET USER_AGENTS Suspicious User-Agent (ieagent)
ET USER_AGENTS Suspicious User-Agent (antispyprogram)
ET USER_AGENTS Suspicious User-Agent (SUiCiDE/1.5)
ET USER_AGENTS Suspicious User-Agent (msIE 7.0)
ET USER_AGENTS Suspicious User-Agent (AVP2006IE)
ET USER_AGENTS Suspicious User-Agent (winlogon)
ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)
ET USER_AGENTS Suspicious User-Agent Detected (RLMultySocket)
ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun)
ET USER_AGENTS Suspicious User-Agent Detected (Downloader1.2)
ET USER_AGENTS Suspicious User-Agent Detected (Compatible)
ET USER_AGENTS Suspicious User-Agent Detected (GetUrlSize)
ET USER_AGENTS Suspicious User-Agent Detected (aguarovex-loader v3.221)
ET USER_AGENTS Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)
ET USER_AGENTS Suspicious User Agent (FTP)
ET USER_AGENTS Suspicious User-Agent (checkonline)
ET USER_AGENTS Suspicious User-Agent (Kvadrlson 1.0)
ET USER_AGENTS Kangkio User-Agent (lsosss)
ET USER_AGENTS Suspicious User-Agent (miip)
ET USER_AGENTS Suspicious User-Agent (Mozil1a)
ET USER_AGENTS Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)
ET USER_AGENTS Suspicious User-Agent (Errordigger.com related)
ET USER_AGENTS Suspicious User-Agent (xr - Worm.Win32.VB.cj related)
ET USER_AGENTS Suspicious User-Agent (Yandesk)
ET USER_AGENTS Suspicious User-Agent pricers.info related (section)
ET USER_AGENTS Suspicious User-Agent (HELLO)
ET USER_AGENTS Suspicious User-Agent (IE/1.0)
ET USER_AGENTS Suspicious User Agent (BlackSun)
ET USER_AGENTS Suspicious User-Agent (runUpdater.html)
ET USER_AGENTS Suspicious User-Agent (runPatch.html)
ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker
ET USER_AGENTS Suspicious User-Agent (Poker)
ET USER_AGENTS Suspicious User-Agent (Loands) - Possible Trojan Downloader GET Request
ET USER_AGENTS Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request
ET USER_AGENTS Suspicious User-Agent filled with System Details - GET Request
ET USER_AGENTS Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request
ET USER_AGENTS Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request
ET USER_AGENTS User-Agent (_TEST_)
ET USER_AGENTS Suspicious User-Agent (INet)
ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))
ET USER_AGENTS User-Agent (STEROID Download)
ET USER_AGENTS Suspicious User-Agent (Sme32)
ET USER_AGENTS Suspicious User-Agent (XXX) Often Sony Update Related
ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE)
ET USER_AGENTS WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient
ET USER_AGENTS Suspicious User-Agent (My Session)
ET USER_AGENTS Win32.OnLineGames User-Agent (BigFoot)
ET USER_AGENTS Suspicious User-Agent (FaceCooker)
ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)
ET USER_AGENTS Suspicious User-Agent (lineguide)
ET USER_AGENTS Suspicious User-Agent (InTeRNeT)
ET USER_AGENTS Nine Ball User-Agent Detected (NQX315)
ET USER_AGENTS Suspicious User Agent (AskInstallChecker)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET USER_AGENTS Suspicious User-Agent (InfoBot)
ET USER_AGENTS Suspicious User Agent (ScrapeBox)
ET USER_AGENTS Suspicious User Agent (GabPath)
ET USER_AGENTS Suspicious User Agent no space
ET USER_AGENTS Suspicious Win32 User Agent
ET USER_AGENTS Suspicious User-Agent (Our_Agent)
ET USER_AGENTS suspicious user-agent (REKOM)
ET USER_AGENTS Si25f_302 User-Agent
ET USER_AGENTS Suspicious User-Agent Moxilla
ET USER_AGENTS Suspicious User-Agent VCTestClient
ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate
ET USER_AGENTS Suspicious User-Agent (Presto)
ET USER_AGENTS Suspicious User-Agent (VMozilla)
ET USER_AGENTS Suspicious User-Agent Im Luo
ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE
ET USER_AGENTS Suspicious User-Agent Sample
ET USER_AGENTS Suspicious User-Agent Mozilla/3.0
ET USER_AGENTS suspicious User Agent (Lotto)
ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding)
ET USER_AGENTS suspicious user agent string (changhuatong)
ET USER_AGENTS suspicious user agent string (CholTBAgent)
ET USER_AGENTS Suspicious user agent (mdms)
ET USER_AGENTS Suspicious user agent (asd)
ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0
ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)
ET USER_AGENTS MacShield User-Agent Likely Malware
ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound
ET USER_AGENTS EmailSiphon Suspicious User-Agent Outbound
ET USER_AGENTS Binget PHP Library User Agent Outbound
ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound
ET USER_AGENTS PyCurl Suspicious User Agent Outbound
ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound
ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound
ET USER_AGENTS Long Fake wget 3.0 User-Agent Detected
ET USER_AGENTS Ufasoft bitcoin Related User-Agent
ET USER_AGENTS Suspicious User-Agent _updater_agent
ET USER_AGENTS Suspicious User-Agent (GUIDTracker)
ET USER_AGENTS Downloader User-Agent HTTPGET
ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)
ET USER_AGENTS Suspicious User-Agent (MadeByLc)
ET USER_AGENTS Suspicious User-Agent (windsoft)
ET USER_AGENTS W32/OnlineGames User-Agent (LockXLS)
ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)
ET USER_AGENTS Suspicious User-Agent (FULLSTUFF)
ET USER_AGENTS Suspicious User-Agent (NateFinder)
ET USER_AGENTS Suspicious User-Agent (webfile)
ET USER_AGENTS Suspicious User-Agent (DARecover)
ET USER_AGENTS Suspicious User-Agent (adlib)
ET USER_AGENTS Unknown - Java Request - gt 60char hex-ascii
ET USER_AGENTS Suspicious User-Agent (DownloadMR)
ET USER_AGENTS User-Agent (ChilkatUpload)
ET USER_AGENTS Suspicious user agent (Google page)
ET USER_AGENTS FOCA User-Agent
ET USER_AGENTS MtGox Leak wallet stealer UA
ET USER_AGENTS Suspicious User-Agent (hi)
ET USER_AGENTS Suspicious User-Agent (HardCore Software For)
ET USER_AGENTS MSF Meterpreter Default User Agent
ET USER_AGENTS WildTangent User-Agent (WT Games App)
ET USER_AGENTS BLEXBot User-Agent
ET USER_AGENTS Microsoft Edge on Windows 10 SET
ET USER_AGENTS Go HTTP Client User-Agent
ET USER_AGENTS Suspicious User-Agent (=Mozilla)
ET USER_AGENTS VPNFilter Related UA (Gemini/2.0)
ET USER_AGENTS VPNFilter Related UA (Hakai/2.0)
ET USER_AGENTS MSIL/Peppy User-Agent
ET USER_AGENTS VPNFilter Related UA (curl53)
ET USER_AGENTS Suspicious User-Agent (Windows XP)
ET USER_AGENTS Suspicious User-Agent (Windows 8)
ET USER_AGENTS Suspicious User-Agent (Windows 10)
ET USER_AGENTS Suspicious User-Agent (Windows 7)
ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement
ET USER_AGENTS Suspicious UA Observed (IEhook)
ET USER_AGENTS Peppy/KeeOIL Google User-Agent (google/dance)
ET USER_AGENTS Peppy/KeeOIL User-Agent (ekeoil)
ET USER_AGENTS Suspicious User-Agent (SomeTimes)
ET USER_AGENTS SFML User-Agent (libsfml-network)
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
ET USER_AGENTS Observed Suspicious UA (Mozilla 6.0)
ET USER_AGENTS ESET Installer
ET USER_AGENTS Aria2 User-Agent
ET USER_AGENTS Node XMLHTTP User-Agent
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent
ET USER_AGENTS Suspicious UA Observed (YourUserAgent)
ET USER_AGENTS Observed Suspicious UA (Hello, World)
ET USER_AGENTS Observed Suspicious UA (Hello-World)
ET USER_AGENTS Fake Mozilla User-Agent String Observed (M0zilla)
ET USER_AGENTS Suspicious UA Observed (Ave, Caesar!)
ET USER_AGENTS Observed Suspicious UA (zwt)
ET USER_AGENTS Observed Suspicious UA (My Agent)
ET USER_AGENTS Suspicious Custom Firefox UA Observed (Firefox...)
ET USER_AGENTS Suspicious UA Observed (Quick Macros)
ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
ET USER_AGENTS Suspicious Generic Style UA Observed (My_App)
ET USER_AGENTS Observed Suspicious UA (Chrome)
ET USER_AGENTS Observed Suspicious UA (Absent)
ET USER_AGENTS Steam HTTP Client User-Agent
ET USER_AGENTS Steam HTTP Client User-Agent
ET USER_AGENTS Observed Suspicious UA (IExplorer 34)
ET USER_AGENTS Suspicious User Agent (reqwest/)
ET USER_AGENTS Observed Suspicious UA (Client)
ET USER_AGENTS Observed Suspicious UA (system_file/2.0)
ET USER_AGENTS Observed Suspicious UA (DxD)
ET USER_AGENTS ABBCCoin Activity Observed
ET USER_AGENTS Suspicious User-Agent (VB OpenUrl)
ET USER_AGENTS Observed Suspicious UA (\xa4)
ET USER_AGENTS Observed Suspicious UA (easyhttp client)
ET USER_AGENTS Observed Suspicious UA (xPCAP)
ET USER_AGENTS Suspicious User Agent (explorersvc)
ET USER_AGENTS Suspicious User Agent (KtulhuBrowser)
ET USER_AGENTS Observed Suspicious UA (Http-connect)
ET USER_AGENTS Shadowcoin Cryptocurrency UA Observed
ET USER_AGENTS Willowcoin Cryptocurrency UA Observed
ET USER_AGENTS Observed Malicious CASPER/Mirai UA
ET USER_AGENTS Observed Suspicious UA (PhoneMonitor)
ET USER_AGENTS BeeMovie Related Activity
ET USER_AGENTS Observed Suspicious UA (h55u4u4u5uii5)
ET USER_AGENTS Possible QBot User-Agent
ET USER_AGENTS Suspicious User-Agent (MSIE)
ET USER_AGENTS Observed Suspicious UA (CODE)
ET USER_AGENTS Observed Suspicious UA (grab)
ET USER_AGENTS SAP CVE-2020-6287 PoC UA Observed
ET USER_AGENTS Observed Suspicious UA (justupdate)
ET USER_AGENTS Observed Suspicious UA (.NET Framework Client)
ET USER_AGENTS Observed Suspicious UA (cctv.mtv)
ET USER_AGENTS Suspicious User-Agent (cso)
ET USER_AGENTS Suspicious User-Agent (firefox)
ET USER_AGENTS Suspicious User-Agent (chrome)
ET USER_AGENTS Suspected Mekotio User-Agent (4M5yC6u4stom5U8se3r)
ET USER_AGENTS Suspected Mekotio User-Agent (MyCustomUser)
ET USER_AGENTS Suspicious User-Agent (boostsoftware-urlexists)
ET USER_AGENTS Microsoft Malware Protection User-Agent Observed
ET USER_AGENTS Microsoft Windows Vista UA - Commonly Abused
ET USER_AGENTS Suspicious User-Agent (Installed OK)
ET USER_AGENTS Suspicious User-Agent (Fire-Cloud)
ET USER_AGENTS Suspicious HttpSocket User-Agent Observed
ET USER_AGENTS Suspicious User-Agent Simple Bot
ET USER_AGENTS Suspicious User-Agent (aaaa)
ET USER_AGENTS Suspicious User-Agent (Collection Info)
ET USER_AGENTS Suspicious User-Agent (HaxerMen)
ET USER_AGENTS Non-standard User-Agent (PATCHER)
ET USER_AGENTS Observed Suspicious User-Agent (altera forma)
ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)
ET USER_AGENTS WaterDropX PRISM UA Observed
ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)
ET USER_AGENTS sysWeb User-Agent
ET USER_AGENTS Suspicious User-Agent (REBOL)
ET USER_AGENTS Suspicious User-Agent (USERAGENT)
ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
ET USER_AGENTS Suspicious User-Agent (Microsoft-ATL-Native/9.00)
ET USER_AGENTS Suspicious User-Agent (urlRequest)
ET USER_AGENTS Suspicious User-Agent (test-upload)
ET USER_AGENTS Suspicious User-Agent (dBrowser CallGetResponse)
ET USER_AGENTS Suspicious User-Agent (example/1.0)
ET USER_AGENTS Suspcious LeakIX User-Agent (l9explore)
ET USER_AGENTS Suspicious User-Agent (ItIsMe)
ET USER_AGENTS Suspicious User-Agent (HTTP-Test-Program)
ET USER_AGENTS Observed Malicious User-Agent (CobaltStrike)
ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee)
ET USER_AGENTS Observed Malicious User-Agent (FastInvoice)
ET USER_AGENTS Observed DPRK Related APT User-Agent (dafom)
ET USER_AGENTS Suspicious User-Agent (Windows Explorer)
ET USER_AGENTS DanaBot Specific UA Observed
ET USER_AGENTS Suspicious User-Agent (kath)
ET USER_AGENTS Suspicious User-Agent (56)
ET USER_AGENTS ErbiumStealer UA Observed
ET USER_AGENTS Suspicious User-Agent (Hello World)
ET USER_AGENTS Suspicious User-Agent (RestoroMainExe)
ET USER_AGENTS Suspicious User-Agent (Testing)
ET USER_AGENTS Suspicious User-Agent (xfilesreborn)
ET USER_AGENTS Discord Bot User-Agent Observed (DiscordBot)
ET USER_AGENTS Suspicious User-Agent (RT/1.0)
ET USER_AGENTS Observed Uclient User-Agent
ET USER_AGENTS Observed Malicious VBS Related UA
ET USER_AGENTS Microsoft Office Existence Discovery User-Agent
ET USER_AGENTS Observed DonotGroup Related UA (Chrome Edge)
ET USER_AGENTS Observed Donot Group UA (Mozilla FireFox)
ET USER_AGENTS Win32/FakeAV InternetSecurityGuard User-Agent
ET USER_AGENTS Suspicious User Agent (Zadanie)
ET USER_AGENTS Kimsuky CnC Checkin User-Agent
ET USER_AGENTS Seetrol Client Remote Administration Tool User-Agent
ET USER_AGENTS Observed Reconnaissance Related UA
ET USER_AGENTS Observed Suspicious User-Agent (JWrapperDownloader)
ET USER_AGENTS Observed Suspicious User-Agent (inflammable)
emerging-voip.rules
ET VOIP SIP UDP Softphone INVITE overflow
ET VOIP INVITE Message Flood TCP
ET VOIP REGISTER Message Flood TCP
ET VOIP Multiple Unauthorized SIP Responses TCP
ET VOIP MultiTech SIP UDP Overflow
ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking
ET VOIP Asterisk Register with no URI or Version DOS Attempt
ET VOIP INVITE Message Flood UDP
ET VOIP REGISTER Message Flood UDP
ET VOIP Multiple Unauthorized SIP Responses UDP
ET VOIP Possible Modified Sipvicious OPTIONS Scan
ET VOIP Modified Sipvicious Asterisk PBX User-Agent
ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper
ET VOIP Possible Misuse Call from Cisco ooh323
ET VOIP Possible Misuse Call from MERA RTU
ET VOIP Q.931 Call Setup - Inbound
ET VOIP H.323 in Q.931 Call Setup - Inbound
GPL VOIP SIP INVITE message flooding
GPL VOIP SIP 401 Unauthorized Flood
GPL VOIP SIP 407 Proxy Authentication Required Flood
GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt
emerging-web_client.rules
ET WEB_CLIENT IE process injection iexplore.exe executable download
ET WEB_CLIENT Attempt to execute VBScript code
ET WEB_CLIENT Stealth attempt to execute Javascript code
ET WEB_CLIENT Stealth attempt to execute VBScript code
ET WEB_CLIENT Stealth attempt to access SHELL#=#=
ET WEB_CLIENT Javascript execution with expression eval
ET WEB_CLIENT Javascript execution with expression eval hex
ET WEB_CLIENT IE trojan Ants3set 1.exe - process injection
ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile
ET WEB_CLIENT RealPlayer/Helix Player Format String Exploit
ET WEB_CLIENT IE StructuredGraphicsControl SourceURL Bug MoBB#6
ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy
ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection
ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)
ET WEB_CLIENT Apple Quicktime RTSP Overflow (2)
ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt
ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt
ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability
ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related
ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related
ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (body)
ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (img)
ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt (body)
ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt
ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt
ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)
ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)
ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)
ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt
ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set
ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt
ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt
ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt
ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt
ET WEB_CLIENT DX Studio Player Firefox Plug-in Command Injection Attempt
ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt
ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt
ET WEB_CLIENT Wscript Shell Run Attempt - Likely Hostile
ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt
ET WEB_CLIENT Malvertising drive by kit encountered - Loading...
ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt
ET WEB_CLIENT PDF Containing Windows Commands Downloaded
ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation
ET WEB_CLIENT Likely Malicious PDF Containing StrReverse
ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System
ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt
ET WEB_CLIENT Driveby bredolab hidden div served by nginx
ET WEB_CLIENT PROPFIND Flowbit Set
ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt
ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt
ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt
ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt
ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt
ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt
ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt
ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt
ET WEB_CLIENT PDF With eval Function - Possibly Hostile
ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype
ET WEB_CLIENT PDF Name Representation Obfuscation of Action
ET WEB_CLIENT PDF Name Representation Obfuscation of EmbeddedFile
ET WEB_CLIENT PDF Name Representation Obfuscation of Type
ET WEB_CLIENT PDF Name Representation Obfuscation of Javascript
ET WEB_CLIENT PDF Name Representation Obfuscation of URL
ET WEB_CLIENT PDF Name Representation Obfuscation of JS
ET WEB_CLIENT PDF Name Representation Obfuscation of Pages
ET WEB_CLIENT PDF Name Representation Obfuscation of OpenAction
ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt
ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt
ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt
ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt
ET WEB_CLIENT Java Web Start Command Injection (.jar)
ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt
ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt
ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote
in PDF in Order to Run Code Code Execution Attempt
ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption ET WEB_CLIENT Firefox Interleaving document.write and appendChild
(POC SPECIFIC) Overflow (POC SPECIFIC)
ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory
ET WEB_CLIENT MALVERTISING Alureon JavaScript IFRAME Redirect
Corruption Attempt
ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8
ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding
Encoding
ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding
ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of
Denial of Service Service
ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of
ET WEB_CLIENT Hex Obfuscation of document.write % Encoding
Service
ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8
ET WEB_CLIENT Hex Obfuscation of arguments.callee % Encoding
Encoding
ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8
ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow
Encoding
ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase
Execution Attempt Parameters Flowbits Set

ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow
ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding
ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding
ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-16 Encoding
ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-16 Encoding
ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow
ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set
ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution
ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set
ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious
ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt
ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
ET WEB_CLIENT Possible % Encoded Iframe Tag
ET WEB_CLIENT Possible %u UTF-8 Encoded Iframe Tag
ET WEB_CLIENT Possible %u UTF-16 Encoded Iframe Tag
ET WEB_CLIENT Possible # Encoded Iframe Tag
ET WEB_CLIENT Hex Obfuscation of document.write # Encoding
ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding
ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding
ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding
ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding
ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding
ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding
ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding
ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding
ET WEB_CLIENT Hex Obfuscation of substr % Encoding
ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding
ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding
ET WEB_CLIENT Hex Obfuscation of eval % Encoding
ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding
ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding
ET WEB_CLIENT Obfuscated Javascript // ptth
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding
ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding
ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt
ET WEB_CLIENT Likely Hostile Eval CRYPT.obfuscate Usage
ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt
ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set
ET WEB_CLIENT WindowsLive Imposter Site Landing Page
ET WEB_CLIENT Office File With Embedded Executable
ET WEB_CLIENT Likely Redirector to Exploit Page /in/rdrct/rckt/?
ET WEB_CLIENT Unknown .ru Exploit Redirect Page
ET WEB_CLIENT Windows Help and Support Center XSS Attempt
ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)
ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set
ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt
ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set
ET WEB_CLIENT Download of PDF With Compressed Flash Content
ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt
ET WEB_CLIENT Request to malicious info.php drive-by landing
ET WEB_CLIENT Malicious PHP 302 redirect response with avtor URI and cookie
ET WEB_CLIENT Sidename.js Injected Script Served by Local WebServer
ET WEB_CLIENT Adobe Shockwave rcsL Chunk Remote Code Execution Attempt
ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt
ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt
ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt
ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt
ET WEB_CLIENT cssminibar.js Injected Script Served by Local WebServer
ET WEB_CLIENT Known Injected Credit Card Fraud Malvertisement Script
ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt (CVE-2010-3333)
ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt (CVE-2010-3333)
ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt
ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt
ET WEB_CLIENT Internet Explorer toStaticHTML HTML Sanitizing Information Disclosure Attempt
ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt
ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - flickr.com.*
ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - picasa.com.*
ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - blogger.com.*
ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - wordpress.com.*
ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - img.youtube.com.*
ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.*
ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.*
ET WEB_CLIENT Malicious 1px iframe related to Mass Wordpress Injections
ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt
ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt
ET WEB_CLIENT Phoenix landing page JAVASMB

ET WEB_CLIENT Lilupophilupop Injected Script Being Served from Local Server
ET WEB_CLIENT Lilupophilupop Injected Script Being Served to Client
ET WEB_CLIENT PDF With Embedded U3D
ET WEB_CLIENT MALVERTISING OpenX BrowserDetect.init Download
ET WEB_CLIENT MALVERTISING Alureon Malicious IFRAME
ET WEB_CLIENT User-Agent used in Injection Attempts
ET WEB_CLIENT Microsoft Windows Media component specific exploit
ET WEB_CLIENT Likely Driveby Delivered Malicious PDF
ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid
ET WEB_CLIENT Clickpayz redirection to *.clickpayz.com
ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt
ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt (CVE-2012-0754)
ET WEB_CLIENT Nikjju Mass Injection Compromised Site Served To Local Client
ET WEB_CLIENT landing page with malicious Java applet
ET WEB_CLIENT Nikjju Mass Injection Internal WebServer Compromised
ET WEB_CLIENT FakeAV Landing Page - Viruses were found
ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit (CVE-2012-0754)
ET WEB_CLIENT RedKit - Landing Page Received - applet and code
ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free (CVE-2012-1875)
ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012
ET WEB_CLIENT FoxxySoftware - Landing Page Received - foxxysoftware
ET WEB_CLIENT FoxxySoftware - Landing Page
ET WEB_CLIENT FoxxySoftware - Landing Page Received - applet and 0px
ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption (CVE-2012-1889)
ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs()
ET WEB_CLIENT Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA
ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 1)
ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 2)
ET WEB_CLIENT Unknown_s=1 - Landing Page - 10HexChar Title and applet
ET WEB_CLIENT Unknown_s=1 - Landing Page - 100HexChar value and applet
ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 3)
ET WEB_CLIENT c3284d malware network iframe
ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt (CVE-2012-1889)
ET WEB_CLIENT Fake-AV Conditional Redirect (Blackmuscats)
ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption (CVE-2012-1889)
ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt
ET WEB_CLIENT Obfuscated Javascript redirecting to badness August 6 2012
ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet
ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability (CVE-2012-4969)
ET WEB_CLIENT Malicious Redirect n.php h=*&s=*
ET WEB_CLIENT SofosFO/NeoSploit possible second stage landing page
ET WEB_CLIENT Microsoft Rich Text File download - SET
ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME
ET WEB_CLIENT Possible Malvertising FlashPost - POST to *.stats
ET WEB_CLIENT Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q=
ET WEB_CLIENT Drupal Mass Injection Campaign Inbound
ET WEB_CLIENT Drupal Mass Injection Campaign Outbound
ET WEB_CLIENT RedKit - Landing Page
ET WEB_CLIENT Injected iframe leading to Redkit Jan 02 2013
ET WEB_CLIENT Malicious iframe
ET WEB_CLIENT Malicious iframe
ET WEB_CLIENT Microsoft OLE Compound File With Flash
ET WEB_CLIENT Exploit Specific Uncompressed Flash (CVE-2013-0634)
ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE (CVE-2013-0634)
ET WEB_CLIENT Flash Action Script Invalid Regex (CVE-2013-0634)
ET WEB_CLIENT Flash Action Script Invalid Regex (CVE-2013-0634)
ET WEB_CLIENT Nuclear landing with obfuscated plugindetect Apr 29 2013
ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347)
ET WEB_CLIENT Injection - var j=0
ET WEB_CLIENT Sweet Orange Landing Page May 16 2013
ET WEB_CLIENT MALVERTISING Flash - URI - /loading?vkn=
ET WEB_CLIENT Malicious Redirect June 18 2013
ET WEB_CLIENT Fake Adobe Flash Player update warning enticing clicks to malware payload
ET WEB_CLIENT Sweet Orange Landing with Applet July 08 2013
ET WEB_CLIENT Fake Adobe Flash Player malware binary requested
ET WEB_CLIENT DRIVEBY Redirection - Wordpress Injection
ET WEB_CLIENT Probable FlimKit Redirect July 10 2013
ET WEB_CLIENT FlimKit Landing July 10 2013
ET WEB_CLIENT Potential Internet Explorer Use After Free (CVE-2013-3163)
ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2
ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3163)
ET WEB_CLIENT DRIVEBY Redirection - phpBB Injection
ET WEB_CLIENT JS Browser Based Ransomware
ET WEB_CLIENT FlimKit Landing 07/22/13
ET WEB_CLIENT FlimKit Landing 07/22/13 2
ET WEB_CLIENT FlimKit Landing 07/22/13 3
ET WEB_CLIENT FlimKit Landing 07/22/13 4
ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 1
ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 2
ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 3
ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)
ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)

ET WEB_CLIENT Fake Trojan Dropper purporting to be missing application page landing
ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4
ET WEB_CLIENT Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php
ET WEB_CLIENT Possible CookieBomb Generic JavaScript Format
ET WEB_CLIENT CookieBomb Generic PHP Format
ET WEB_CLIENT CookieBomb Generic HTML Format
ET WEB_CLIENT DRIVEBY Redirection - Forum Injection
ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free
ET WEB_CLIENT Microsoft IE Memory Corruption Inbound (CVE-2013-3893)
ET WEB_CLIENT Internet Explorer Memory Corruption Inbound (CVE-2013-3893)
ET WEB_CLIENT Microsoft IE Memory Corruption Inbound (CVE-2013-3893)
ET WEB_CLIENT Blatantly Evil JS Function
ET WEB_CLIENT Cushion Redirection
ET WEB_CLIENT W32/Caphaw DriveBy Campaign Statistic.js
ET WEB_CLIENT W32/Caphaw DriveBy Campaign Ping.html
ET WEB_CLIENT Fake MS Security Update (Jar)
ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free (CVE-2013-3897)
ET WEB_CLIENT Unknown Malvertising Related EK Redirect Oct 14 2013
ET WEB_CLIENT Possible Cutwail Redirect to Magnitude EK
ET WEB_CLIENT Malicious Cookie Set By Flash Malvertising
ET WEB_CLIENT FaceBook IM & Web Driven Facebook Trojan Download
ET WEB_CLIENT Magnitude Landing Nov 11 2013
ET WEB_CLIENT DRIVEBY FakeUpdate - URI - /styles/javaupdate.css
ET WEB_CLIENT DRIVEBY FakeUpdate - URI - Payload Requested
ET WEB_CLIENT DRIVEBY Redirection - Injection - Modified Edwards Packer Script
ET WEB_CLIENT Browlock Landing Page URI Struct
ET WEB_CLIENT StyX Landing Jan 29 2014
ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014
ET WEB_CLIENT Malicious Redirect 8x8 script tag
ET WEB_CLIENT BeEF Cookie Outbound
ET WEB_CLIENT Possible BeEF Default SSL Cert
ET WEB_CLIENT Possible BeEF Module in use
ET WEB_CLIENT EXE Accessing Kaspersky System Driver (Possible Mask)
ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322
ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014
ET WEB_CLIENT EMET Detection Via XMLDOM
ET WEB_CLIENT Malicious Spam Redirection Feb 28 2014
ET WEB_CLIENT Rawin Flash Landing URI Struct March 05 2014
ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing
ET WEB_CLIENT Generic HeapSpray Construct
ET WEB_CLIENT Possible Word RTF Memory Corruption Payload Inbound (CVE-2014-1761)
ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount
ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption
ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2
ET WEB_CLIENT Base64 Encoded Java Value
ET WEB_CLIENT Possible Malvertising Redirect URI Struct
ET WEB_CLIENT Sweet Orange WxH redirection
ET WEB_CLIENT Possible Malicious Injected Redirect June 02 2014
ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466
ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code
ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS
ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS
ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS
ET WEB_CLIENT Possible Malvertising Redirect URI Struct Jul 16 2014
ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected
ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR Download
ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected
ET WEB_CLIENT Malicious iframe guessing router password 1
ET WEB_CLIENT Malicious iframe guessing router password 2
ET WEB_CLIENT Flashpack Redirect Method 2
ET WEB_CLIENT Upatre redirector GET Sept 29 2014
ET WEB_CLIENT Upatre redirector 29 Sept 2014 - POST
ET WEB_CLIENT DRIVEBY Generic URLENCODED CollectGarbage
ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014
ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC
ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download
ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning
ET WEB_CLIENT FlashPack Secondary Landing Oct 29
ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Operating System Check
ET WEB_CLIENT DRIVEBY FakeSupport - URI - windows-firewall.png
ET WEB_CLIENT Possible Sweet Orange Landing Nov 3 2014
ET WEB_CLIENT Sweet Orange Landing Nov 04 2013
ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag
ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332
ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode
ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset
ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt
ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve
ET WEB_CLIENT PDF With Hidden Embedded File
ET WEB_CLIENT HanJuan Landing Dec 10 2014
ET WEB_CLIENT Upatre Redirector Dec 16 2014 set
ET WEB_CLIENT Upatre Redirector Dec 16 2014
ET WEB_CLIENT Upatre Download Redirection Dec 18 2014
ET WEB_CLIENT Cushion Redirection URI Struct Mon Jan 05 2015
ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2
ET WEB_CLIENT Upatre Redirector Jan 9 2015
ET WEB_CLIENT Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015
ET WEB_CLIENT Upatre IE Redirector Receiving Payload Jan 9 2015

ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015
ET WEB_CLIENT Upatre Redirector Jan 23 2015
ET WEB_CLIENT DRIVEBY GENERIC CollectGarbage in Hex String No Seps
ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in URLENCODE
ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015
ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015
ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow
ET WEB_CLIENT Fake Windows Security Warning - Alert
ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)
ET WEB_CLIENT Fake Windows Security Warning - png
ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1
ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M2
ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt
ET WEB_CLIENT Fake AV Phone Scam Landing June 2 2015
ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M1
ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M2
ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M3
ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M1
ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M2
ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M1
ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M2
ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M3
ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M1
ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M2
ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M4
ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M1
ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M2
ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M1
ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M2
ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M3
ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M4
ET WEB_CLIENT Fake AV Phone Scam Stylesheet June 26 2015
ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M5
ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M6
ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M2
ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M4
ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M1
ET WEB_CLIENT Possible Malicious Redirect 8x8 script tag URI struct
ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)
ET WEB_CLIENT Fake AV Phone Scam Landing Sept 21 2015
ET WEB_CLIENT Evil JavaScript Injection Sep 29 2015
ET WEB_CLIENT Evil Redirector Sep 29 2015
ET WEB_CLIENT Evil Redirector from iframe Sep 29 2015
ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen
ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen
ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen
ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M1
ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M2
ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M3
ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M4
ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M1
ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2
ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M3
ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M5
ET WEB_CLIENT Fake Java Installer Landing Page Oct 21
ET WEB_CLIENT Fake AV Phone Scam Landing Oct 29
ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 30
ET WEB_CLIENT Fake Virus Phone Scam Audio Oct 30
ET WEB_CLIENT Fake Video Player Update Scam Oct 30
ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M2
ET WEB_CLIENT Fake Virus Phone Scam JS Landing Nov 4
ET WEB_CLIENT Fake Virus Phone Scam GET Nov 4
ET WEB_CLIENT Possible vBulletin object injection vulnerability Attempt
ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M1
ET WEB_CLIENT Fake AV Phone Scam Landing Nov 11
ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16
ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16
ET WEB_CLIENT Fake AV Phone Scam Landing Nov 20
ET WEB_CLIENT Possible eDellRoot Rogue Root CA
ET WEB_CLIENT Facebook password stealing inject Jan 04
ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M1
ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M2
ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1
ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2
ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3
ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016
ET WEB_CLIENT Chrome Tech Support Scam Landing Jan 26 2016
ET WEB_CLIENT Evil Redirect Compromised WP Feb 01 2016
ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)
ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M1
ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M2
ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M3
ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M4
ET WEB_CLIENT Fake Virus Phone Scam Landing Feb 17
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M1 Feb 29
ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M2 Feb 29
ET WEB_CLIENT Fake AV Phone Scam Domain M1 Mar 3
ET WEB_CLIENT Fake AV Phone Scam Domain M2 Mar 3
ET WEB_CLIENT Fake AV Phone Scam Domain M3 Mar 3
ET WEB_CLIENT Microsoft Fake Support Phone Scam Mar 7
ET WEB_CLIENT Generic Fake Support Phone Scam Mar 8
ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M1
ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M2
ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M3
ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 9 M2
ET WEB_CLIENT Fake AV Phone Scam Landing Mar 15
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 15
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M1
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M2
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M3
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 23
ET WEB_CLIENT Fake AV Phone Scam Mar 23
ET WEB_CLIENT Fake Flash Update Mar 23
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M1
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M2

ET WEB_CLIENT Fake AV Phone Scam Landing Apr 1
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 4
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M3 Feb 29
ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M1
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M2
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M3
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M4
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M5
ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M6
ET WEB_CLIENT Microsoft Fake Support Phone Scam May 10
ET WEB_CLIENT Tech Support Phone Scam Landing M4 Jun 3
ET WEB_CLIENT Tech Support Phone Scam Landing M5 Jun 3
ET WEB_CLIENT Tech Support Phone Scam Landing M3 Jun 3
ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 3
ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jun 3
ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow
ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 29 2016
ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M2
ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M3
ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M4
ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jul 7
ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7
ET WEB_CLIENT Tech Support Phone Scam Landing 2016-07-21 M1
ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M2
ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1
ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 29 2016
ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M3
ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4
ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016
ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M1
ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2
ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3
ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M4
ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M5
ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M1
ET WEB_CLIENT Tech Support Phone Scam Landing (err.mp3) 2016-08-12
ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2
ET WEB_CLIENT Tech Support Phone Scam Landing (msg.mp3) 2016-08-12
ET WEB_CLIENT Tech Support Phone Scam Landing M1 2016-08-12
ET WEB_CLIENT Tech Support Phone Scam Landing M2 2016-08-12
ET WEB_CLIENT SMS Fake Mobile Virus Scam Aug 16 2016
ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016
ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016
ET WEB_CLIENT Microsoft Tech Support Scam M1 2016-09-15
ET WEB_CLIENT Microsoft Tech Support Scam M2 2016-09-15
ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016
ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016
ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jan 20 2017
ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jan 20 2017
ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt
ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24
ET WEB_CLIENT Fake AV Phone Scam Landing Feb 2
ET WEB_CLIENT Tech Support Phone Scam Landing Feb 09 2017
ET WEB_CLIENT SUSPICIOUS Microsoft-Edge protocol in use (Observed in Magnitude EK)
ET WEB_CLIENT Android Fake AV Download Landing Mar 06 2017
ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)
ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 09 2017
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8
ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9
ET WEB_CLIENT HTA File Download Flowbit Set
ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199
ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request
ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2
ET WEB_CLIENT Office UA FB SET
ET WEB_CLIENT Multibrowser Resource Exhaustion observed in Tech Support Scam
ET WEB_CLIENT Malicious SCF File Inbound
ET WEB_CLIENT Tech Support Phone Scam Landing (warning.mp3) Jan 24 2017
ET WEB_CLIENT Possible BeEF Module in use
ET WEB_CLIENT BeEF HTTP Get Outbound
ET WEB_CLIENT Watering Hole Redirect Inject Jun 28 2017
ET WEB_CLIENT Microsoft Tech Support Phone Scam M2 Jul 07 2017
ET WEB_CLIENT Microsoft Tech Support Phone Scam M1 Jul 07 2017
ET WEB_CLIENT Microsoft Tech Support Phone Scam M3 Jul 07 2017
ET WEB_CLIENT Apple Tech Support Phone Scam Jul 07 2017
ET WEB_CLIENT Microsoft Tech Support Phone Scam M4 Jul 07 2017
ET WEB_CLIENT Tech Support Scam Landing Jul 19 2017
ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL
ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL
ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL
ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL
ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL
ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL
ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL
ET WEB_CLIENT Tech Support Scam Sep 08 2017

ET WEB_CLIENT Download of Multimedia Content flowbit set
ET WEB_CLIENT Download of .MOV Content flowbit set
ET WEB_CLIENT Microsoft Tech Support Scam Landing M1 Oct 13 2017
ET WEB_CLIENT Tech Support Phone Scam Landing M1 Oct 16 2016
ET WEB_CLIENT Possible BadRabbit Driveby Download M1 Oct 24 2017
ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016
ET WEB_CLIENT Possible BadRabbit Driveby Download M2 Oct 24 2017
ET WEB_CLIENT Fake Update/Installer ForceDL Template Nov 03 2017
ET WEB_CLIENT pshell dl/execute primitives in wideb64 1
ET WEB_CLIENT pshell dl/execute primitives in wideb64 2
ET WEB_CLIENT pshell dl/execute primitives in wideb64 3
ET WEB_CLIENT pshell dl/execute primitives in wideb64 4
ET WEB_CLIENT pshell dl/execute primitives in wideb64 5
ET WEB_CLIENT pshell dl/execute primitives in wideb64 6
ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017
ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)
ET WEB_CLIENT PWNJS JS Constructs
ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)
ET WEB_CLIENT Google Chrome Credential Stealing via SCF file Reflected Request
ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)
ET WEB_CLIENT PowerShell call in script 1
ET WEB_CLIENT PowerShell call in script 2
ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1
ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2
ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3
ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride
ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)
ET WEB_CLIENT Microsoft Excel file download - SET 1
ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)
ET WEB_CLIENT Malicious Fake JS Lib Inject
ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript
ET WEB_CLIENT Spectre Exploit Javascript
ET WEB_CLIENT Malicious Chrome Extension Domain Request (nyoogle .info in DNS Lookup)
ET WEB_CLIENT Tech Support Phone Scam Landing 2018-01-10
ET WEB_CLIENT Malicious Chrome Extension Domain Request ET WEB_CLIENT Malicious Chrome Extension Domain Request (lite-
(stickies .pro in DNS Lookup) bookmarks .info in DNS Lookup)
ET WEB_CLIENT Fake AV Phone Scam Landing Feb 12 ET WEB_CLIENT [Deepend Research] BestaBid FakeFlash Redirect
ET WEB_CLIENT [eSentire] Fake Flash Update 2018-07-09 ET WEB_CLIENT Fake Adobe Software Update Landing
ET WEB_CLIENT PolarisOffice Insecure Library Loading ET WEB_CLIENT Tech Support Scam Landing 2018-07-18
ET WEB_CLIENT Fake 404 With Hidden Login Form ET WEB_CLIENT Volexity - JS Sniffer Data Theft Beacon Detected
ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26 ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26
ET WEB_CLIENT Microsoft Tech Support Phone Scam Landing
ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26
2018-09-12
ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M1
ET WEB_CLIENT VBscript UAF (CVE-2018-8373)
2018-10-12
ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M2 ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution
2018-10-12 PoC (CVE-2018-8495)
ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload
ET WEB_CLIENT IE Double Free (CVE-2018-8460)
Attempt (CVE-2018-15961)
ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege
Escalation M1 (Enable Registration) Escalation M2 (Set as Administrator)
ET WEB_CLIENT Tech Support Scam Landing M1 2019-04-15 ET WEB_CLIENT Tech Support Scam Landing M2 2019-04-15
ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt -
Inbound (CVE-2019-9978) Leads to RCE/LFI (CVE-2019-3396)
ET WEB_CLIENT JS ShellWindows/AddInProcess Win10
ET WEB_CLIENT Possible JS Credit Card Stealer Inbound
DeviceGuardBypass Inbound
ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page
ET WEB_CLIENT Possible FFSniff Inject Observed
Contents M1
ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page
ET WEB_CLIENT Inbound JS with Possible 1px-1px Exfiltration Image
Contents M2
ET WEB_CLIENT XHR POST Request - Possible Form Grabber Activity ET WEB_CLIENT Great Cannon DDoS JS M1
ET WEB_CLIENT Great Cannon DDoS JS M2 ET WEB_CLIENT Great Cannon DDoS JS M3
ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster
ET WEB_CLIENT Great Cannon DDoS JS M4
Roulette JS Cookie Stealer Exfil Domain
ET WEB_CLIENT Tech Support Scam 2019-11-14 ET WEB_CLIENT Tech Support Scam 2019-11-14
ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster
ET WEB_CLIENT Possible Embedded NTLM Hash Theft Code
Roulette JS Cookie Stealer Exfil Domain
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten
Phishing Domain) Phishing Domain)

ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)
ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24
ET WEB_CLIENT Tech Support Scam 2020-04-10
ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server
ET WEB_CLIENT WSO 2.5 Webshell Accessed on External Compromised Server
ET WEB_CLIENT X-Sec Webshell Accessed on External Compromised Server
ET WEB_CLIENT ALFA TEaM Webshell Accessed on External Compromised Server
ET WEB_CLIENT WSO 4.2.5 Webshell Accessed on External Compromised Server
ET WEB_CLIENT WSO 4.2.6 Webshell Accessed on External Compromised Server
ET WEB_CLIENT Kageyama Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic WSO Webshell Accessed on External Compromised Server
ET WEB_CLIENT MINI MO Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Anonymous Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Mini Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT WSO Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Leaf PHPMailer Accessed on External Server
ET WEB_CLIENT Owl PHPMailer Accessed on External Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server
ET WEB_CLIENT Possible Apache DDos UA Observed (DDos Apache) Inbound
ET WEB_CLIENT Leaf PHPMailer Accessed on External Server
ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server
ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server
ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT Generic Mailer Check Accessed on External Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server
ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server
ET WEB_CLIENT Cpanel Cracker Accessed on External Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT SEO Injection/Fraud DNS Lookup (count.trackstatisticsss .com)
ET WEB_CLIENT SEO Injection/Fraud Domain in DNS Lookup (stat.trackstatisticsss .com)
ET WEB_CLIENT Generic PHP Uploader Accessed on External Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Email Spoofing Tool Accessed on External Compromised Server
ET WEB_CLIENT SmailMax PHPMailer Accessed on External Server
ET WEB_CLIENT Cushion Redirection
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT Generic Mailer Accessed on Internal Server

ET WEB_CLIENT Predator the Thief Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT FiercePhish Password Prompt Accessed on External Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT Generic Mailer Accessed on External Server
ET WEB_CLIENT Generic Cpanel Cracker Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Server
ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server
ET WEB_CLIENT Generic Website Ransomnote Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Tech Support Scam Landing 2020-08-19
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Tech Support Scam Landing 2020-08-19
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic File Upload Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Attempted Executable Drop via VBScript
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (9487d)
ET WEB_CLIENT Generic Uploader Accessed on External Compromised Server
ET WEB_CLIENT APT/Hafnium SPORTSBALL Webshell Observed Outbound
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Leaf PHPMailer Accessed on External Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Exchange Webshell CnC Domain in DNS Lookup
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Tech Support Scam - Windows Firewall M1 2021-08-17
ET WEB_CLIENT Tech Support Scam - Windows Firewall M2 2021-08-17
ET WEB_CLIENT Tech Support Scam - Windows Firewall M3 2021-08-17
ET WEB_CLIENT Tech Support Scam - Windows Firewall M4 2021-08-17
ET WEB_CLIENT Tech Support Scam - Windows Firewall M5 2021-08-17
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Tech Support Scam - Generic Components

ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Suspicious PHP UNZIP Tool Accessed on External Possibly Compromised Server
ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server
ET WEB_CLIENT Observed JavaScript Event Listener with Clipboard Data
ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937)
ET WEB_CLIENT [TW] WEBDAV UA
ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt
ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt
ET WEB_CLIENT [TW] WEBDAV Requesting Startup Dir
ET WEB_CLIENT BeEF Cookie (BEEFHOOK)
ET WEB_CLIENT BeEF Style Request (GET)
ET WEB_CLIENT BeEF Framework Comment In Response
ET WEB_CLIENT ALFA TEaM Shell Landing Page
ET WEB_CLIENT Observed Hunter Obfuscator Code M1
ET WEB_CLIENT Suspected Credit Card Stealer Related Domain Domain in DNS Lookup (byvlsa .com)
ET WEB_CLIENT Observed Hunter Obfuscator Code M2
ET WEB_CLIENT PROPFIND Method Xbit Set
ET WEB_CLIENT WebDAV Retrieving an .url
ET WEB_CLIENT WebDAV GET Request for .url Flowbit Set
ET WEB_CLIENT WebDAV PUT Request for .url Flowbit Set
ET WEB_CLIENT Request for search-ms file extension - Possible NTLM Hash Leak Attempt
ET WEB_CLIENT Zimbra zauthtoken Value Extraction Script Requested Attempt (Inbound)
ET WEB_CLIENT Zimbra zauthtoken Exfil Domain in DNS Lookup (zimbrauser .me)
ET WEB_CLIENT Observed Zimbra zauthtoken Exfil Domain (zimbrauser .me in TLS SNI)
GPL WEB_CLIENT XMLHttpRequest attempt
GPL WEB_CLIENT Javascript document.domain attempt
GPL WEB_CLIENT RealPlayer arbitrary javascript command attempt
GPL WEB_CLIENT local resource redirection attempt
GPL WEB_CLIENT bitmap BitmapOffset integer overflow attempt
GPL WEB_CLIENT libpng tRNS overflow attempt
GPL WEB_CLIENT web bug 0x0 gif attempt
GPL WEB_CLIENT Microsoft ANI file parsing overflow
GPL WEB_CLIENT winamp .cda file name overflow attempt
GPL WEB_CLIENT PNG large image width download attempt
GPL WEB_CLIENT PNG large image height download attempt
GPL WEB_CLIENT PNG large colour depth download attempt
GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt
GPL WEB_CLIENT object type overflow attempt
emerging-web_server.rules Show
emerging-web_specific_apps.rules Show
emerging-worm.rules Hide
ET WORM Potential MySQL bot scanning for SQL server
ET WORM shell bot perl code download
ET WORM Shell Bot Code Download
ET WORM Allaple ICMP Sweep Ping Outbound
ET WORM Allaple ICMP Sweep Reply Inbound
ET WORM Allaple ICMP Sweep Ping Inbound
ET WORM Allaple ICMP Sweep Reply Outbound
ET WORM SDBot HTTP Checkin
ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql
ET WORM Win32.Socks.s HTTP Post Checkin
ET WORM Rimecud Worm checkin
ET WORM W32/Rimecud /qvod/ff.txt Checkin
ET WORM W32/Rimecud wg.txt Checkin
ET WORM W32/Njw0rm CnC Beacon
ET WORM TheMoon.linksys.router 1
ET WORM TheMoon.linksys.router 2
ET WORM TheMoon.linksys.router 3
GPL WORM Slammer Worm propagation attempt OUTBOUND
GPL WORM mydoom.a backdoor upload/execute attempt

IPFire 2.29 (x86_64) - Core-Update 183 IPFire.org • Support the IPFire project with your donation
