Sandbox analysis listing, reconstructed from the flattened table. Each entry carries: number and submission time; file name; MD5; matched signatures/tags; extracted URLs (with the matching URL rule id where the page prints one); contacted hosts as domain(IP) - verdict; IDS alerts; URLs the sandbox flagged as malicious; and the trailing columns as printed: score, a flag column (M) and a count column (both unlabelled on the page), and the submitter. Empty fields are omitted.

#1   2021-03-17 16:46
  File:       test.doc
  MD5:        08868145d5d7e0cf46eb6eb749569121
  Tags:       unpack itself
  Score:      1.2
  Submitter:  guest
#2   2021-03-19 09:28
  File:       55ec600e4e6500e080c5.doc
  MD5:        d40ee9c8e2047bf8391d45ff1b067dda
  Tags:       Vulnerability, VirusTotal, Malware, Code Injection, Check memory, Creates executable files, unpack itself, Windows utilities, suspicious process, malicious URLs, WriteConsoleW, Windows ComputerName, DNS
  Hosts (1):  greenwoodgrace.website() - malicious   (IP field empty as printed)
  Score:      8.0 | Flag: M | Count: 17
  Submitter:  ZeroCERT
#3   2021-04-18 10:36
  File:       a268e9e152c260a0e80431aa8d6df1...
  MD5:        a58394937da9d3adb33e948058fde4e9
  Tags:       Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, Tofsee
  Hosts (14):
    blogs.g2gtechnologies.com(208.91.199.15) - malware
    sureoptimize.com(142.93.247.242) - malware
    tenmoney.business(104.21.8.30) - malicious
    pattayastore.com(202.183.165.89) - malware
    rsimadinah.com(66.96.230.225) - malware
    insvat.com(185.42.104.77) - malware
    littleindiadirectory.com(18.141.196.101) - malware
    185.42.104.77 - malware
    208.91.199.15 - malware
    202.183.165.89
    142.93.247.242
    66.96.230.225 - malware
    172.67.156.186 - malicious
    18.141.196.101 - malware
  IDS (1):    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score:      4.8 | Flag: M | Count: 50
  Submitter:  guest
#4   2021-04-19 10:22
  File:       a268e9e152c260a0e80431aa8d6df1...
  MD5:        a58394937da9d3adb33e948058fde4e9
  Tags:       VBA_macro, Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, Tofsee
  Hosts (14):
    blogs.g2gtechnologies.com(208.91.199.15) - malware
    sureoptimize.com(142.93.247.242) - malware
    tenmoney.business(104.21.8.30) - malicious
    pattayastore.com(202.183.165.89) - malware
    rsimadinah.com(66.96.230.225) - malware
    insvat.com(185.42.104.77) - malware
    littleindiadirectory.com(18.141.196.101) - malware
    185.42.104.77 - malware
    208.91.199.15 - malware
    202.183.165.89
    142.93.247.242
    104.21.8.30
    66.96.230.225 - malware
    18.141.196.101 - malware
  IDS (1):    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score:      4.8 | Flag: M | Count: 50
  Submitter:  r0d
#5   2021-04-19 13:53
  File:       a268e9e152c260a0e80431aa8d6df1...
  MD5:        a58394937da9d3adb33e948058fde4e9
  Tags:       VBA_macro, Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, Tofsee
  Hosts (14):
    blogs.g2gtechnologies.com(208.91.199.15) - malware
    sureoptimize.com(142.93.247.242) - malware
    tenmoney.business(172.67.156.186) - malicious
    pattayastore.com(202.183.165.89) - malware
    rsimadinah.com(66.96.230.225) - malware
    insvat.com(185.42.104.77) - malware
    littleindiadirectory.com(18.141.196.101) - malware
    185.42.104.77 - malware
    208.91.199.15 - malware
    202.183.165.89
    142.93.247.242
    104.21.8.30
    66.96.230.225 - malware
    18.141.196.101 - malware
  IDS (1):    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Score:      4.8 | Flag: M | Count: 50
  Submitter:  guest
#6   2021-04-20 16:01
  File:       참가신청서양식.doc   (Korean: "participation application form")
  MD5:        ed9aa858ba2c4671ca373496a4dd05d4
  Tags:       VBA_macro, Vulnerability, VirusTotal, Malware, unpack itself
  Score:      3.8 | Count: 30
  Submitter:  ZeroCERT
#7   2021-04-20 16:13
  File:       a268e9e152c260a0e80431aa8d6df1...
  MD5:        a58394937da9d3adb33e948058fde4e9
  Tags:       VBA_macro, Vulnerability, VirusTotal, Malware, Malicious Traffic, unpack itself, Tofsee
  URLs (5):
    http://rsimadinah.com/wp-content/16qT/ - rule_id: 1014
    http://insvat.com/wp-admin/Dw/ - rule_id: 1010
    http://blogs.g2gtechnologies.com/blogs/v/ - rule_id: 1011
    http://pattayastore.com/visio-network-1hmpp/j5/ - rule_id: 1013
    https://tenmoney.business/wp-content/nhW/ - rule_id: 1015
  Hosts (14):
    blogs.g2gtechnologies.com(208.91.199.15) - malware
    sureoptimize.com(142.93.247.242) - malware
    tenmoney.business(172.67.156.186) - malicious
    pattayastore.com(202.183.165.89) - malware
    rsimadinah.com(66.96.230.225) - malware
    insvat.com(185.42.104.77) - malware
    littleindiadirectory.com(18.141.196.101) - malware
    185.42.104.77 - malware
    208.91.199.15 - malware
    202.183.165.89
    142.93.247.242
    66.96.230.225 - malware
    172.67.156.186 - malicious
    18.141.196.101 - malware
  IDS (1):    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  Malicious URLs (5):
    http://rsimadinah.com/wp-content/16qT/
    http://insvat.com/wp-admin/Dw/
    http://blogs.g2gtechnologies.com/blogs/v/
    http://pattayastore.com/visio-network-1hmpp/j5/
    https://tenmoney.business/wp-content/nhW/
  Score:      4.8 | Flag: M | Count: 50
  Submitter:  guest
#8   2021-04-20 18:07
  File:       참가신청서양식.doc   (Korean: "participation application form")
  MD5:        ed9aa858ba2c4671ca373496a4dd05d4
  Tags:       VBA_macro, VBMacro, Convert Image File, Vulnerability, VirusTotal, Malware, unpack itself, DNS
  Score:      4.4 | Count: 30
  Submitter:  r0d
#9   2021-04-20 18:12
  File:       참가신청서양식.doc   (Korean: "participation application form")
  MD5:        ed9aa858ba2c4671ca373496a4dd05d4
  Tags:       VBA_macro, Convert Image File, Vulnerability, VirusTotal, Malware, unpack itself
  Score:      3.8 | Count: 30
  Submitter:  r0d
#10  2021-04-29 16:21
  File:       IvGRnMiDzgderQQteqNjNgKoIYqaLW...
  MD5:        e301bc81ee1ef7a1bd3549865719d839
  Tags:       RTF File, doc, VirusTotal, Malware, buffers extracted, exploit crash, Exploit, crashed
  Hosts (2):
    idmquick.xyz(45.61.136.72) - malicious
    45.61.136.72 - malicious
  Score:      3.4 | Flag: M | Count: 17
  Submitter:  조광섭
#11  2021-04-29 16:23
  File:       cccc.dot
  MD5:        a29a9ab928e578957fed4fb8c67b1e4d
  Tags:       Malware download, Vulnerability, VirusTotal, Malware, Malicious Traffic, exploit crash, unpack itself, Exploit, DNS, crashed, Downloader
  URLs (1):
    http://23.95.122.25/cccc/vbc.exe
  Hosts (1):  (not listed on the page)
  IDS (2):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  Score:      4.4 | Flag: M | Count: 31
  Submitter:  조광섭
#12  2021-04-29 22:28
  File:       .......dot
  MD5:        befeeec69e0be81ba319c172e8f266d5
  Tags:       AntiDebug, AntiVM, LokiBot, Malware download, VirusTotal, Malware, c&c, MachineGuid, Malicious Traffic, exploit crash, unpack itself, Tofsee, Windows, Exploit, Trojan, DNS, crashed, Downloader
  URLs (4):
    http://amrp.tw/chud/gate.php
    http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
    https://update.googleapis.com/service/update2
    https://update.googleapis.com/service/update2?cup2key=10:933805276&cup2hreq=bc5bad2e07a349d21221961523b8f1e1a86b356488e544d0a74df69dc039814c
  Hosts (5):
    edgedl.me.gvt1.com(34.104.35.123)
    amrp.tw(35.247.234.230) - malicious
    34.104.35.123
    35.247.234.230 - malicious
    103.147.184.209 - malware
  IDS (18):
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET INFO Packed Executable Download
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET INFO EXE - Served Attached HTTP
    ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  Note:       The edgedl.me.gvt1.com / update.googleapis.com URLs and 34.104.35.123 are Google Update traffic from the analysis VM, not the sample's infrastructure, and the page leaves them unlabelled. The LokiBot C2 is the gate.php endpoint on amrp.tw, which the POST-to-gate.php and LokiBot check-in alerts refer to.
  Score:      5.0 | Flag: M | Count: 27
  Submitter:  ZeroCERT
#13  2021-04-30 09:11
  File:       v.dot
  MD5:        c9c4c73fb74dc85539d7cc51b2d2b9c6
  Tags:       AntiDebug, AntiVM, LokiBot, Malware download, VirusTotal, Malware, c&c, MachineGuid, Malicious Traffic, Check memory, exploit crash, unpack itself, Windows, Exploit, Trojan, DNS, crashed, Downloader
  URLs (2):
    http://107.172.130.145/bh/vbc.exe
    http://eyecos.ga/chang/gate.php - rule_id: 1185
  Hosts (3):
    eyecos.ga(35.247.234.230) - malicious
    107.172.130.145 - malware
    35.247.234.230 - malicious
  IDS (16):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET MALWARE Trojan Generic - POST To gate.php with no referer
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET INFO HTTP POST Request to Suspicious *.ga Domain
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET INFO DNS Query for Suspicious .ga Domain
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Malicious URLs (1):
    http://eyecos.ga/chang/gate.php
  Score:      5.2 | Flag: M | Count: 25
  Submitter:  ZeroCERT
#14  2021-04-30 09:31
  File:       reg.dot
  MD5:        d0c491b8eb3ea8f00a93af05ef1b8945
  Tags:       AntiDebug, AntiVM, Malware download, VirusTotal, Malware, MachineGuid, Malicious Traffic, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
  URLs (3):
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3
    http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/
    http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f
  Hosts (1):  (not listed on the page)
  IDS (6):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Note:       All three listed URLs point at 192.168.56.103, a private (host-only) address on the analysis VM's own network; ports 2869 and 5357 are the Windows UPnP and WS-Discovery (WSDAPI) listeners. They are sandbox noise, not indicators. The executable download the IDS alerts describe came from a host that this page does not print.
  Score:      5.2 | Flag: M | Count: 27
  Submitter:  ZeroCERT
#15  2021-04-30 17:58
  File:       s.dot
  MD5:        f62c1d955d66e2f33ed7f3abe9a44690
  Tags:       Loki, RTF File, doc, AntiDebug, AntiVM, LokiBot, Malware download, VirusTotal, Malware, c&c, MachineGuid, Malicious Traffic, exploit crash, unpack itself, Windows, Exploit, DNS, crashed
  URLs (2):
    http://meirback.co.uk/Bn1/fre.php - rule_id: 1119
    http://107.172.130.145/bh/svch.exe
  Hosts (3):
    meirback.co.uk(104.21.8.2) - malicious
    172.67.156.147 - malicious
    107.172.130.145 - malware
  IDS (12):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Fake 404 Response
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Malicious URLs (1):
    http://meirback.co.uk/Bn1/fre.php
  Score:      5.0 | Flag: M | Count: 25
  Submitter:  ZeroCERT
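The host and URL cells in this listing are flat strings of the form "domain(IP) - verdict IP - verdict IP ..." and "url - rule_id: N url ...", which is awkward to feed into a blocklist or a SIEM by hand. The Python below is an added example, not code from the listing or from the sandbox behind it: it parses those two cell formats into deduplicated indicators, maps the listing's "mailcious" spelling onto "malicious", and sets aside any address on a private or loopback range so that sandbox-local traffic like the 192.168.56.103 URLs in entry 14 never reaches a blocklist. The sample cells are copied from entries 2, 7 and 14 above; the function, record and constant names are my own.

```python
"""Parse the listing's host and URL cells into deduplicated IOCs.

Host cell format:  "dom(1.2.3.4) - malware 5.6.7.8 - mailcious 9.9.9.9"
URL cell format:   "http://a/x/ - rule_id: 1014 http://b/y/"
Sample cells below are copied from the listing; all names here are illustrative.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# "domain(ip)" token; the ip group may be empty because the page prints "()" for unresolved names
HOST_TOKEN = re.compile(r"^(?P<name>[^\s()]+)\((?P<ip>[^()]*)\)$")
# a URL optionally followed by the listing's " - rule_id: N" annotation
URL_TOKEN = re.compile(r"(?P<url>https?://\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?")
# the listing writes "mailcious" for "malicious"; normalise so filters match one spelling
VERDICTS = {"malware": "malware", "malicious": "malicious", "mailcious": "malicious"}

# sample cells copied from entries 2, 7 and 14 of the listing
ENTRY2_HOSTS = "greenwoodgrace.website() - mailcious"
ENTRY7_HOSTS = ("blogs.g2gtechnologies.com(208.91.199.15) - malware sureoptimize.com(142.93.247.242) - malware "
                "tenmoney.business(172.67.156.186) - mailcious pattayastore.com(202.183.165.89) - malware "
                "rsimadinah.com(66.96.230.225) - malware insvat.com(185.42.104.77) - malware "
                "littleindiadirectory.com(18.141.196.101) - malware 185.42.104.77 - malware 208.91.199.15 - malware "
                "202.183.165.89 142.93.247.242 66.96.230.225 - malware 172.67.156.186 - mailcious 18.141.196.101 - malware")
ENTRY7_URLS = ("http://rsimadinah.com/wp-content/16qT/ - rule_id: 1014 http://insvat.com/wp-admin/Dw/ - rule_id: 1010 "
               "http://blogs.g2gtechnologies.com/blogs/v/ - rule_id: 1011 "
               "http://pattayastore.com/visio-network-1hmpp/j5/ - rule_id: 1013 "
               "https://tenmoney.business/wp-content/nhW/ - rule_id: 1015")
ENTRY14_URLS = ("http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:d96d86f3-ac35-41f2-9523-f4e50073f2f3 "
                "http://192.168.56.103:5357/da8ea474-550f-433d-b444-54d2081d1d24/ "
                "http://192.168.56.103:2869/upnphost/udhisapi.dll?content=uuid:2d284ad3-5648-4376-8360-b0559e35418f")


@dataclass
class Host:
    name: Optional[str]            # None for a bare-IP entry
    ip: Optional[str]              # None when the name did not resolve ("()" on the page)
    verdict: Optional[str] = None  # None when the listing printed no label


def parse_hosts(cell: str) -> list[Host]:
    """Split a host cell into Host records; a "- verdict" pair attaches to the preceding record."""
    hosts: list[Host] = []
    tokens = cell.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-" and hosts and i + 1 < len(tokens):
            hosts[-1].verdict = VERDICTS.get(tokens[i + 1].lower(), tokens[i + 1])
            i += 2
            continue
        m = HOST_TOKEN.match(tok)
        if m:
            hosts.append(Host(m["name"], m["ip"] or None))
        else:
            hosts.append(Host(None, tok))  # bare IP token
        i += 1
    return hosts


def parse_urls(cell: str) -> list[tuple[str, Optional[int]]]:
    """Return (url, rule_id) pairs; rule_id is None where the listing printed none."""
    return [(m["url"], int(m["rule"]) if m["rule"] else None) for m in URL_TOKEN.finditer(cell)]


def is_sandbox_local(address: str) -> bool:
    """True for private, loopback or link-local IPs: the analysis VM's own network, not infrastructure."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:  # a hostname, not an IP literal
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


def extract_iocs(host_cell: str, url_cell: str = "") -> dict:
    """Deduplicate both cells into domains, public IPs, URLs and rule ids, setting sandbox-local items aside."""
    domains: set[str] = set()
    ips: set[str] = set()
    local: set[str] = set()
    for h in parse_hosts(host_cell):
        if h.name:
            domains.add(h.name)
        if h.ip:
            (local if is_sandbox_local(h.ip) else ips).add(h.ip)
    urls: list[str] = []
    rule_ids: list[int] = []
    for url, rule in parse_urls(url_cell):
        # authority part without scheme, path or port: "192.168.56.103:2869/x" -> "192.168.56.103"
        authority = url.split("://", 1)[1].split("/", 1)[0].split(":")[0]
        if is_sandbox_local(authority):
            local.add(url)
            continue
        urls.append(url)
        if rule is not None:
            rule_ids.append(rule)
    return {"domains": sorted(domains), "ips": sorted(ips), "urls": urls,
            "rule_ids": rule_ids, "sandbox_local": sorted(local)}


if __name__ == "__main__":
    for label, cells in (("entry 7", (ENTRY7_HOSTS, ENTRY7_URLS)), ("entry 14", ("", ENTRY14_URLS))):
        print(label, extract_iocs(*cells))
```

Bare IPs that also appear inside a domain(IP) pair collapse into one entry, so entry 7's fourteen host tokens become seven domains and seven public IPs; entry 14 yields no indicators at all, only three sandbox-local URLs, which is the correct outcome for that row.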