| 136 |
2021-09-09 21:10
|
 detalhes_atualizacao.doc a02cfacbf32e9ff66464de27faa58543
VBA_macro Generic Malware Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut RWX flags setting unpack itself suspicious process Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
10.0 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 137 |
2021-09-06 18:18
|
 Users-Progress-072021-1.doc d60b6a8310373c9b84e6760c24185535
Generic Malware VBA_macro Admin Tool (Sysinternals etc ...) Malicious Packer MSOffice File VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
3.0 |
|
36 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 138 |
2021-09-06 08:42
|
 0902_6686864155.doc b4095bc22ff3f27dd088852a49338c08
Generic Malware VBA_macro MSOffice File GIF Format VirusTotal Malware Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
4
http://api.ipify.org/
http://asinvotheir.com/8/forum.php
http://ditrismale.ru/8/forum.php
http://clatrommon.ru/8/forum.php
|
8
api.ipify.org(50.16.185.207)
clatrommon.ru(46.148.26.93) - mailcious
ditrismale.ru(176.105.252.131) - mailcious
asinvotheir.com(185.230.91.127) - mailcious
46.148.26.93 - mailcious
176.105.252.131 - mailcious
50.16.239.65
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
10.0 |
|
17 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 139 |
2021-09-06 08:39
|
 0831_3314378773.doc ca29d350e363b21d507ba30cb65413ce
Generic Malware VBA_macro MSOffice File GIF Format VirusTotal Malware Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
4
http://api.ipify.org/
http://buichely.com/8/forum.php
http://gratimen.ru/8/forum.php
http://waliteriter.ru/8/forum.php
|
8
gratimen.ru(176.105.252.131) - mailcious
waliteriter.ru(46.148.26.93) - mailcious
api.ipify.org(50.16.244.183)
buichely.com(185.230.91.127) - mailcious
23.21.76.7
46.148.26.93 - mailcious
176.105.252.131 - mailcious
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
9.2 |
|
12 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 140 |
2021-09-03 09:44
|
 0902_7424105065.doc 952ff03c89221d84c80a8414ca66be9c
Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://api.ipify.org/
http://asinvotheir.com/8/forum.php
|
4
api.ipify.org(50.16.244.183)
asinvotheir.com(185.230.91.127) - mailcious
50.16.235.219
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
7.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 141 |
2021-09-03 09:42
|
 0902_3251513311.doc ddf9b6207844d5b0bb83b88ecef0560a
Generic Malware VBA_macro MSOffice File GIF Format VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://api.ipify.org/
http://asinvotheir.com/8/forum.php
|
4
api.ipify.org(54.235.91.189)
asinvotheir.com(185.230.91.127) - mailcious
54.225.219.20
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
8.2 |
M |
22 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 142 |
2021-09-03 09:39
|
 0902_1465137480.doc f79439b84bf0fc6cf84274fb94fe9b40
Generic Malware VBA_macro MSOffice File unpack itself |
|
|
|
|
1.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 143 |
2021-09-03 09:00
|
 inv_1123.wbk 2a468f175032ed01e5d4fecd511b8b0f
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader |
1
http://23.95.122.90/icici/vbc.exe
|
3
img.neko.airforce(167.172.239.151) - mailcious
167.172.239.151 - mailcious
23.95.122.90 - mailcious
|
8
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
|
|
5.2 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 144 |
2021-09-02 18:21
|
 who_template.doc 3657586d8555593012bfd7420d488be4
Generic Malware VBA_macro MSOffice File VirusTotal Malware RWX flags setting unpack itself DNS |
1
http://appmedicine.whoint.cf/data/aini.down
|
1
appmedicine.whoint.cf() - phishing
|
1
ET INFO DNS Query for Suspicious .cf Domain
|
|
2.8 |
|
20 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 145 |
2021-09-02 09:19
|
 ..-.-...................------... 98a92918a128f1f26d552bb3aaab2a61
RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
19
http://www.hfhwssc.com/24ng/ - rule_id: 4597
http://www.ptpatennis.com/24ng/
http://www.getzlppi.com/24ng/
http://www.jjyzscl.com/24ng/
http://www.emmymorrow.xyz/24ng/?TZ=MpsKsbuj3plW3zxxgPetNSfc39jzCcaN6Okb8XXwEkEAsEoFXdXIJgm+0gMt/BsRuN2GbYWJ&mvHtT=Y2J0irR8DZUtWbf
http://198.12.127.217/hsbc/vbc.exe
http://www.inanavcifitnessclub.com/24ng/?TZ=7B/mxEe684X+Fe8GJ5WQJKEToqxOKLoYRHSlnqT22Suhy7fkAEyyqsV6IsAMnECK+ppvVgFJ&mvHtT=Y2J0irR8DZUtWbf
http://www.brightstarqr.com/24ng/?TZ=8v1BaeXDdHouIcyDdFDGzu6REvBUz6OB3JNjO8R+mAtpk36d8yYIQhxbWZgde9Q6oLtpMRoQ&mvHtT=Y2J0irR8DZUtWbf
http://www.softouchcomputer.com/24ng/?TZ=fXBeYi2KYDeGue3GyybylYEREpAt73UzBLGgjKY/A8hX8o3UYaJp/MnPYrs1PjdYe+TTzooN&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4598
http://www.jjyzscl.com/24ng/?TZ=EaDH/+1mOmQ7aWJI7AX+IlzBUQKYpCjIvrNurEm81n5vQYPM3XYWZDGTjMXv7Z9O/YqAJJxc&mvHtT=Y2J0irR8DZUtWbf
http://www.hfhwssc.com/24ng/?TZ=tUr3L7F+3PGvEFcZd+SfWB+iCUteo8w/ToAKorOuAJitLd2/Au6xWCIPWaoTHGtlxQq11mO7&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4597
http://www.joycekayiba.com/24ng/?TZ=CabvNxLtXK7AxhBdYJap/g8mwsQmgWak8myj7hdi5lEds/kVRqaawrDB55LgJdOF0Pe0hBMQ&mvHtT=Y2J0irR8DZUtWbf - rule_id: 4595
http://www.softouchcomputer.com/24ng/ - rule_id: 4598
http://www.inanavcifitnessclub.com/24ng/
http://www.emmymorrow.xyz/24ng/
http://www.brightstarqr.com/24ng/
http://www.joycekayiba.com/24ng/ - rule_id: 4595
http://www.getzlppi.com/24ng/?TZ=L5LGxFrJmFFW7+IY9g8iVUirVSu4fjeQj90+j0oTYvKK8rEJklo6J2dxJua7XjT6OpHJ/fPt&mvHtT=Y2J0irR8DZUtWbf
http://www.ptpatennis.com/24ng/?TZ=EgM9f4N/TTbc7wy+9K504atXnuYtNAxq+K5G2bjH3yNZBGKx+fYzE5a0kKWfzvBOG3xTHkvq&mvHtT=Y2J0irR8DZUtWbf
|
16
www.emmymorrow.xyz(75.2.18.233)
www.brightstarqr.com(54.157.58.70)
www.softouchcomputer.com(209.99.40.222)
www.hfhwssc.com(101.32.215.239)
www.ptpatennis.com(34.102.136.180)
www.joycekayiba.com(209.99.40.222)
www.getzlppi.com(34.102.136.180)
www.inanavcifitnessclub.com(209.99.40.222)
www.jjyzscl.com(104.252.232.119)
101.32.215.239 - mailcious
104.252.232.119
209.99.40.222 - mailcious
34.102.136.180 - mailcious
54.162.128.250
198.12.127.217
75.2.18.233 - mailcious
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
|
6
http://www.hfhwssc.com/24ng/
http://www.softouchcomputer.com/24ng/
http://www.hfhwssc.com/24ng/
http://www.joycekayiba.com/24ng/
http://www.softouchcomputer.com/24ng/
http://www.joycekayiba.com/24ng/
|
5.4 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 146 |
2021-09-02 07:54
|
 invoice.wbk dd2f7b986cc840b4c4f9b03def8fcadd
RTF File doc AntiDebug AntiVM Malware download Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed Downloader |
1
http://23.95.122.90/hsbc/vbc.exe
|
3
img.neko.airforce(167.172.239.151)
167.172.239.151
23.95.122.90
|
8
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 147 |
2021-09-01 14:18
|
 0831_8300668682.doc 25d3ac93606e135f18e4e96887fa3a44
hancitor Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://buichely.com/8/forum.php - rule_id: 4748
http://api.ipify.org/
|
4
api.ipify.org(54.235.88.121)
buichely.com(185.230.91.127) - mailcious
54.235.247.117
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://buichely.com/8/forum.php
|
7.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 148 |
2021-09-01 14:15
|
 0831_4532643085.doc f25c56cf3b503d96df86b4bb2c39f479
Generic Malware VBA_macro MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://api.ipify.org/
http://buichely.com/8/forum.php
|
4
api.ipify.org(54.225.219.20)
buichely.com(185.230.91.127) - mailcious
50.19.119.155
185.230.91.127 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
|
7.4 |
M |
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 149 |
2021-09-01 14:14
|
 0831_4435052411.doc 004b4634de3991a6de6a2c756a83e6ff
Generic Malware VBA_macro MSOffice File unpack itself |
|
|
|
|
1.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 150 |
2021-09-01 07:41
|
 p.wbk 9d2cc34c3b6319a79a8c32881c8759ec
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Tofsee Windows Exploit DNS Cryptographic key crashed |
1
http://192.3.122.133/Pman/win767.exe
|
3
pomf.lain.la(198.244.149.184)
167.114.3.98
192.3.122.133 - mailcious
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
ET INFO Executable Download from dotted-quad Host
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
|
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|