| 1 |
2021-03-17 16:46
|
 test.doc 08868145d5d7e0cf46eb6eb749569121
unpack itself |
|
|
|
|
1.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
2021-03-19 09:28
|
 55ec600e4e6500e080c5.doc d40ee9c8e2047bf8391d45ff1b067dda
Vulnerability VirusTotal Malware Code Injection Check memory Creates executable files unpack itself Windows utilities suspicious process malicious URLs WriteConsoleW Windows ComputerName DNS |
|
1
greenwoodgrace.website() - mailcious
|
|
|
8.0 |
M |
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
2021-04-18 10:36
|
 a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9
Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware
sureoptimize.com(142.93.247.242) - malware
tenmoney.business(104.21.8.30) - mailcious
pattayastore.com(202.183.165.89) - malware
rsimadinah.com(66.96.230.225) - malware
insvat.com(185.42.104.77) - malware
littleindiadirectory.com(18.141.196.101) - malware
185.42.104.77 - malware
208.91.199.15 - malware
202.183.165.89
142.93.247.242
66.96.230.225 - malware
172.67.156.186 - mailcious
18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
50 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
2021-04-19 10:22
|
 a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9
VBA_macro Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware
sureoptimize.com(142.93.247.242) - malware
tenmoney.business(104.21.8.30) - mailcious
pattayastore.com(202.183.165.89) - malware
rsimadinah.com(66.96.230.225) - malware
insvat.com(185.42.104.77) - malware
littleindiadirectory.com(18.141.196.101) - malware
185.42.104.77 - malware
208.91.199.15 - malware
202.183.165.89
142.93.247.242
104.21.8.30
66.96.230.225 - malware
18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
50 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
2021-04-19 13:53
|
 a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9
VBA_macro Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware
sureoptimize.com(142.93.247.242) - malware
tenmoney.business(172.67.156.186) - mailcious
pattayastore.com(202.183.165.89) - malware
rsimadinah.com(66.96.230.225) - malware
insvat.com(185.42.104.77) - malware
littleindiadirectory.com(18.141.196.101) - malware
185.42.104.77 - malware
208.91.199.15 - malware
202.183.165.89
142.93.247.242
104.21.8.30
66.96.230.225 - malware
18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.8 |
M |
50 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
2021-04-20 16:01
|
 참가신청서양식.doc ed9aa858ba2c4671ca373496a4dd05d4
VBA_macro Vulnerability VirusTotal Malware unpack itself |
|
|
|
|
3.8 |
|
30 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
2021-04-20 16:13
|
 a268e9e152c260a0e80431aa8d6df1... a58394937da9d3adb33e948058fde4e9
VBA_macro Vulnerability VirusTotal Malware Malicious Traffic unpack itself Tofsee |
5
http://rsimadinah.com/wp-content/16qT/ - rule_id: 1014
http://insvat.com/wp-admin/Dw/ - rule_id: 1010
http://blogs.g2gtechnologies.com/blogs/v/ - rule_id: 1011
http://pattayastore.com/visio-network-1hmpp/j5/ - rule_id: 1013
https://tenmoney.business/wp-content/nhW/ - rule_id: 1015
|
14
blogs.g2gtechnologies.com(208.91.199.15) - malware
sureoptimize.com(142.93.247.242) - malware
tenmoney.business(172.67.156.186) - mailcious
pattayastore.com(202.183.165.89) - malware
rsimadinah.com(66.96.230.225) - malware
insvat.com(185.42.104.77) - malware
littleindiadirectory.com(18.141.196.101) - malware
185.42.104.77 - malware
208.91.199.15 - malware
202.183.165.89
142.93.247.242
66.96.230.225 - malware
172.67.156.186 - mailcious
18.141.196.101 - malware
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
5
http://rsimadinah.com/wp-content/16qT/
http://insvat.com/wp-admin/Dw/
http://blogs.g2gtechnologies.com/blogs/v/
http://pattayastore.com/visio-network-1hmpp/j5/
https://tenmoney.business/wp-content/nhW/
|
4.8 |
M |
50 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
2021-04-20 18:07
|
 참가신청서양식.doc ed9aa858ba2c4671ca373496a4dd05d4
VBA_macro VBMacro Convert Image File Vulnerability VirusTotal Malware unpack itself DNS |
|
|
|
|
4.4 |
|
30 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
2021-04-20 18:12
|
 참가신청서양식.doc ed9aa858ba2c4671ca373496a4dd05d4
VBA_macro Convert Image File Vulnerability VirusTotal Malware unpack itself |
|
|
|
|
3.8 |
|
30 |
r0d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
2021-04-29 16:21
|
 IvGRnMiDzgderQQteqNjNgKoIYqaLW... e301bc81ee1ef7a1bd3549865719d839
RTF File doc VirusTotal Malware buffers extracted exploit crash Exploit crashed |
|
2
idmquick.xyz(45.61.136.72) - mailcious
45.61.136.72 - mailcious
|
|
|
3.4 |
M |
17 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
2021-04-29 16:23
|
 cccc.dot a29a9ab928e578957fed4fb8c67b1e4dMalware download Vulnerability VirusTotal Malware Malicious Traffic exploit crash unpack itself Exploit DNS crashed Downloader |
1
http://23.95.122.25/cccc/vbc.exe
|
1
|
2
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
|
|
4.4 |
M |
31 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
2021-04-29 22:28
|
 .......dot befeeec69e0be81ba319c172e8f266d5
AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Tofsee Windows Exploit Trojan DNS crashed Downloader |
4
http://amrp.tw/chud/gate.php
http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
https://update.googleapis.com/service/update2
https://update.googleapis.com/service/update2?cup2key=10:933805276&cup2hreq=bc5bad2e07a349d21221961523b8f1e1a86b356488e544d0a74df69dc039814c
|
5
edgedl.me.gvt1.com(34.104.35.123)
amrp.tw(35.247.234.230) - mailcious
34.104.35.123
35.247.234.230 - mailcious
103.147.184.209 - malware
|
18
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
|
|
5.0 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 13 |
2021-04-30 09:11
|
 v.dot c9c4c73fb74dc85539d7cc51b2d2b9c6
AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit Trojan DNS crashed Downloader |
2
http://107.172.130.145/bh/vbc.exe
http://eyecos.ga/chang/gate.php - rule_id: 1185
|
3
eyecos.ga(35.247.234.230) - mailcious
107.172.130.145 - malware
35.247.234.230 - mailcious
|
16
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://eyecos.ga/chang/gate.php
|
5.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 14 |
2021-04-30 09:31
|
 reg.dot d0c491b8eb3ea8f00a93af05ef1b8945
AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
3
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
|
1
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 15 |
2021-04-30 17:58
|
 s.dot f62c1d955d66e2f33ed7f3abe9a44690
Loki RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed |
2
http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
http://107.172.130.145/bh/svch.exe
|
3
meirback.co.uk(104.21.8.2) - mailcious
172.67.156.147 - mailcious
107.172.130.145 - malware
|
12
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://meirback.co.uk/Bn1/fre.php
|
5.0 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|