136 | 2021-09-09 21:10 | detalhes_atualizacao.doc | a02cfacbf32e9ff66464de27faa58543
VBA_macro Generic Malware Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process Windows ComputerName DNS Cryptographic key
1
10.0 | | 34 | ZeroCERT
137 | 2021-09-06 18:18 | Users-Progress-072021-1.doc | d60b6a8310373c9b84e6760c24185535
Generic Malware VBA_macro Admin Tool (Sysinternals etc ...) Malicious Packer MSOffice File VirusTotal Malware RWX flags setting unpack itself
3.0 | | 36 | ZeroCERT
138 | 2021-09-06 08:42 | 0902_6686864155.doc | b4095bc22ff3f27dd088852a49338c08
Generic Malware VBA_macro MSOffice File GIF Format VirusTotal Malware Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName
4
http://api.ipify.org/
http://asinvotheir.com/8/forum.php
http://ditrismale.ru/8/forum.php
http://clatrommon.ru/8/forum.php
8
api.ipify.org(50.16.185.207)
clatrommon.ru(46.148.26.93) - malicious
ditrismale.ru(176.105.252.131) - malicious
asinvotheir.com(185.230.91.127) - malicious
46.148.26.93 - malicious
176.105.252.131 - malicious
50.16.239.65
185.230.91.127 - malicious
1
ET POLICY External IP Lookup api.ipify.org
10.0 | | 17 | ZeroCERT
139 | 2021-09-06 08:39 | 0831_3314378773.doc | ca29d350e363b21d507ba30cb65413ce
Generic Malware VBA_macro MSOffice File GIF Format VirusTotal Malware Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName
4
http://api.ipify.org/
http://buichely.com/8/forum.php
http://gratimen.ru/8/forum.php
http://waliteriter.ru/8/forum.php
8
gratimen.ru(176.105.252.131) - malicious
waliteriter.ru(46.148.26.93) - malicious
api.ipify.org(50.16.244.183)
buichely.com(185.230.91.127) - malicious
23.21.76.7
46.148.26.93 - malicious
176.105.252.131 - malicious
185.230.91.127 - malicious
1
ET POLICY External IP Lookup api.ipify.org
9.2 | | 12 | ZeroCERT
140 | 2021-09-03 09:44 | 0902_7424105065.doc | 952ff03c89221d84c80a8414ca66be9c
Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
2
http://api.ipify.org/
http://asinvotheir.com/8/forum.php
4
api.ipify.org(50.16.244.183)
asinvotheir.com(185.230.91.127) - malicious
50.16.235.219
185.230.91.127 - malicious
1
ET POLICY External IP Lookup api.ipify.org
7.4 | M | | guest
141 | 2021-09-03 09:42 | 0902_3251513311.doc | ddf9b6207844d5b0bb83b88ecef0560a
Generic Malware VBA_macro MSOffice File GIF Format VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
2
http://api.ipify.org/
http://asinvotheir.com/8/forum.php
4
api.ipify.org(54.235.91.189)
asinvotheir.com(185.230.91.127) - malicious
54.225.219.20
185.230.91.127 - malicious
1
ET POLICY External IP Lookup api.ipify.org
8.2 | M | 22 | guest
142 | 2021-09-03 09:39 | 0902_1465137480.doc | f79439b84bf0fc6cf84274fb94fe9b40
Generic Malware VBA_macro MSOffice File unpack itself
1.6 | | | guest
143 | 2021-09-03 09:00 | inv_1123.wbk | 2a468f175032ed01e5d4fecd511b8b0f
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader
1
http://23.95.122.90/icici/vbc.exe
3
img.neko.airforce(167.172.239.151) - malicious
167.172.239.151 - malicious
23.95.122.90 - malicious
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
5.2 | M | 26 | ZeroCERT
144 | 2021-09-02 18:21 | who_template.doc | 3657586d8555593012bfd7420d488be4
Generic Malware VBA_macro MSOffice File VirusTotal Malware RWX flags setting unpack itself DNS
1
http://appmedicine.whoint.cf/data/aini.down
1
appmedicine.whoint.cf() - phishing
1
ET INFO DNS Query for Suspicious .cf Domain
2.8 | | 20 | ZeroCERT
145 | 2021-09-02 09:19 | ..-.-...................------... | 98a92918a128f1f26d552bb3aaab2a61
RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
19
http://www.hfhwssc.com/24ng/ - rule_id: 4597
http://www.ptpatennis.com/24ng/
http://www.getzlppi.com/24ng/
http://www.jjyzscl.com/24ng/
http://www.emmymorrow.xyz/24ng/?TZ=MpsKsbuj3plW3zxxgPetNSfc39jzCcaN6Okb8XXwEkEAsEoFXdXIJgm+0gMt/BsRuN2GbYWJ&mvHtT=Y2J0irR8DZUtWbf
http://198.12.127.217/hsbc/vbc.exe
http://www.inanavcifitnessclub.com/24ng/?TZ=7B/mxEe684X+Fe8GJ5WQJKEToqxOKLoYRHSlnqT22Suhy7fkAEyyqsV6IsAMnECK+ppvVgFJ&mvHtT=Y2J0irR8DZUtWbf
http://www.brightstarqr.com/24ng/?TZ=8v1BaeXDdHouIcyDdFDGzu6REvBUz6OB3JNjO8R+mAtpk36d8yYIQhxbWZgde9Q6oLtpMRoQ&mvHtT=Y2J0irR8DZUtWbf
http://www.softouchcomputer.com/24ng/?TZ=fXBeYi2KYDeGue3GyybylYEREpAt73UzBLGgjKY/A8hX8o3UYaJp/MnPYrs1PjdYe+TTzooN&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4598
http://www.jjyzscl.com/24ng/?TZ=EaDH/+1mOmQ7aWJI7AX+IlzBUQKYpCjIvrNurEm81n5vQYPM3XYWZDGTjMXv7Z9O/YqAJJxc&mvHtT=Y2J0irR8DZUtWbf
http://www.hfhwssc.com/24ng/?TZ=tUr3L7F+3PGvEFcZd+SfWB+iCUteo8w/ToAKorOuAJitLd2/Au6xWCIPWaoTHGtlxQq11mO7&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4597
http://www.joycekayiba.com/24ng/?TZ=CabvNxLtXK7AxhBdYJap/g8mwsQmgWak8myj7hdi5lEds/kVRqaawrDB55LgJdOF0Pe0hBMQ&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4595
http://www.softouchcomputer.com/24ng/ - rule_id: 4598
http://www.inanavcifitnessclub.com/24ng/
http://www.emmymorrow.xyz/24ng/
http://www.brightstarqr.com/24ng/
http://www.joycekayiba.com/24ng/ - rule_id: 4595
http://www.getzlppi.com/24ng/?TZ=L5LGxFrJmFFW7+IY9g8iVUirVSu4fjeQj90+j0oTYvKK8rEJklo6J2dxJua7XjT6OpHJ/fPt&mvHtT=Y2J0irR8DZUtWbf
http://www.ptpatennis.com/24ng/?TZ=EgM9f4N/TTbc7wy+9K504atXnuYtNAxq+K5G2bjH3yNZBGKx+fYzE5a0kKWfzvBOG3xTHkvq&mvHtT=Y2J0irR8DZUtWbf
16
www.emmymorrow.xyz(75.2.18.233)
www.brightstarqr.com(54.157.58.70)
www.softouchcomputer.com(209.99.40.222)
www.hfhwssc.com(101.32.215.239)
www.ptpatennis.com(34.102.136.180)
www.joycekayiba.com(209.99.40.222)
www.getzlppi.com(34.102.136.180)
www.inanavcifitnessclub.com(209.99.40.222)
www.jjyzscl.com(104.252.232.119)
101.32.215.239 - malicious
104.252.232.119
209.99.40.222 - malicious
34.102.136.180 - malicious
54.162.128.250
198.12.127.217
75.2.18.233 - malicious
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
6
http://www.hfhwssc.com/24ng/
http://www.softouchcomputer.com/24ng/
http://www.hfhwssc.com/24ng/
http://www.joycekayiba.com/24ng/
http://www.softouchcomputer.com/24ng/
http://www.joycekayiba.com/24ng/
5.4 | M | 26 | ZeroCERT
146 | 2021-09-02 07:54 | invoice.wbk | dd2f7b986cc840b4c4f9b03def8fcadd
RTF File doc AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader
1
http://23.95.122.90/hsbc/vbc.exe
3
img.neko.airforce(167.172.239.151)
167.172.239.151
23.95.122.90
8
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.4 | | | ZeroCERT
147 | 2021-09-01 14:18 | 0831_8300668682.doc | 25d3ac93606e135f18e4e96887fa3a44
hancitor Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
2
http://buichely.com/8/forum.php - rule_id: 4748
http://api.ipify.org/
4
api.ipify.org(54.235.88.121)
buichely.com(185.230.91.127) - malicious
54.235.247.117
185.230.91.127 - malicious
1
ET POLICY External IP Lookup api.ipify.org
1
http://buichely.com/8/forum.php
7.4 | M | | guest
148 | 2021-09-01 14:15 | 0831_4532643085.doc | f25c56cf3b503d96df86b4bb2c39f479
Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
2
http://api.ipify.org/
http://buichely.com/8/forum.php
4
api.ipify.org(54.225.219.20)
buichely.com(185.230.91.127) - malicious
50.19.119.155
185.230.91.127 - malicious
1
ET POLICY External IP Lookup api.ipify.org
7.4 | M | | guest
149 | 2021-09-01 14:14 | 0831_4435052411.doc | 004b4634de3991a6de6a2c756a83e6ff
Generic Malware VBA_macro MSOffice File unpack itself
1.6 | | | guest
150 | 2021-09-01 07:41 | p.wbk | 9d2cc34c3b6319a79a8c32881c8759ec
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed
1
http://192.3.122.133/Pman/win767.exe
3
pomf.lain.la(198.244.149.184)
167.114.3.98
192.3.122.133 - malicious
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | | 24 | ZeroCERT