| 106 |
2021-10-13 09:44
|
 Macro test.doc b60b59d191a6ec82bcd34bbf3798777e
VBA_macro Generic Malware Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
|
2
orange.com(90.84.180.167)
90.84.180.167
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
|
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 107 |
2021-10-08 11:54
|
 Code_of_Conduct_2021.doc 8d1454096bc0e82042437d911d695a2c
Malicious Packer MSOffice File Vulnerability unpack itself |
|
|
|
|
1.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 108 |
2021-10-07 13:47
|
 Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58
RTF File doc VirusTotal Malware Malicious Traffic buffers extracted DNS |
1
http://45.14.226.221/cdfe/Fack.jpg - rule_id: 6066
|
1
|
|
1
http://45.14.226.221/cdfe/Fack.jpg
|
4.0 |
M |
33 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 109 |
2021-10-07 13:40
|
 Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58
RTF File doc VirusTotal Malware Malicious Traffic buffers extracted DNS |
1
http://45.14.226.221/cdfe/Fack.jpg - rule_id: 6066
|
1
|
|
1
http://45.14.226.221/cdfe/Fack.jpg
|
4.0 |
M |
33 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 110 |
2021-10-07 13:32
|
 Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58
RTF File doc VirusTotal Malware Malicious Traffic buffers extracted DNS |
1
http://45.14.226.221/cdfe/Fack.jpg - rule_id: 6066
|
1
|
|
1
http://45.14.226.221/cdfe/Fack.jpg
|
4.0 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 111 |
2021-10-07 11:23
|
 1006_2966063104581.doc 67b70c2d6a5191471273ee016ed9bb64
VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
2.8 |
|
21 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 112 |
2021-10-07 09:17
|
 fd.wbk 6ce9da18e576af395cf59dd98ec43ea1
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
2
http://checkvim.com/fd4/fre.php - rule_id: 5139
http://103.167.90.177/0789/vbc.exe
|
3
checkvim.com(82.202.194.8) - mailcious
82.202.194.8
103.167.90.177
|
13
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://checkvim.com/fd4/fre.php
|
5.6 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 113 |
2021-10-06 16:14
|
 1005_1662882485744.doc 1d1284db499feb490f85a3f99463a267
VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself |
|
|
|
|
2.0 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 114 |
2021-10-06 15:54
|
 1005_1662882485744.doc 1d1284db499feb490f85a3f99463a267
VBA_macro Generic Malware MSOffice File Vulnerability unpack itself |
|
|
|
|
2.2 |
|
|
Kim.GS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 115 |
2021-10-06 14:28
|
 Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58
RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting DNS |
1
http://45.14.226.221/cdfe/Fack.jpg
|
1
|
|
|
4.4 |
M |
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 116 |
2021-10-06 13:34
|
 gyty.wbk 9f33914979fc685f81ab79066877d01c
RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself suspicious TLD Windows Exploit DNS crashed Downloader |
28
http://www.wandawallinbristow.com/p08r/
http://www.apeironnature.com/p08r/?sZ=2/kdXLcJs10/2cxW7t+Sgy9pAx78D6goaK23LVVxeGeEx+y6ZAUjhmiP7vRD9HtJk4HFEsVc&4hO=NVxxIf
http://www.minisoshop.com/p08r/
http://www.oarlary.xyz/p08r/
http://www.110cy.top/p08r/?sZ=MhB7f0VRGu4oeye/TacVaH4JpmGIqSeDQM+dXwNRcYHzFlxosf73jULnoJMcxlrSEXGcWsCB&4hO=NVxxIf
http://www.tasteofgadsdencounty.com/p08r/
http://www.happinessfashionline.com/p08r/
http://www.tradeplay.net/p08r/?sZ=4thJWcvRSTe4hV1bGSZ95meEdt450t9mNZxRaqxPEFoJU5xgEKef2WLJHyAlacZU2kQP+u82&4hO=NVxxIf
http://www.happinessfashionline.com/p08r/?sZ=it2rKjXdnbVdg6Y0HoOw2Hy/OdzuHI5rq3rX4BBmEIww4S6XrH8d+i6ixz5qwTyrhXsqwNMN&4hO=NVxxIf
http://www.oarlary.xyz/p08r/?sZ=HWuJJXMS6EhDI+SwYjpjarifwZNGFMDpOH1wTDyGnvjHCAjlH9SD6hFmgIuMNdw6hyZKLj5p&4hO=NVxxIf
http://www.110cy.top/p08r/
http://www.xaudix.com/p08r/?sZ=AfsQzanRa/K71Sp+FC4vF/VUIPkDyKYCI0bhlWQZ5rKPtKnDleIrjtZ/eJx+lPng/2gI4886&4hO=NVxxIf
http://www.tradeplay.net/p08r/
http://www.puremicrodosing.com/p08r/?sZ=S62BtV/OXf7l+Oi9TcRmwChwada/mHY3jxfUfEoy5xEvr99fIfi+QJg3WuTcsjgo8nY7wmXr&4hO=NVxxIf - rule_id: 5950
http://www.shopmoly.com/p08r/
http://www.blinglj.com/p08r/?sZ=VhZ5aNjufsg8yIKFt86vwNN5rsRGseTwSosfAD2rdPJJdPLarQSvJQIy1XR6o6k+V62Ea4hf&4hO=NVxxIf
http://www.shopmoly.com/p08r/?sZ=haQmUSKM/WHARPa2Lp+DqCKAjRoaKWuSZ/KrsjvHPH5ydyX7t0iOLK3MGHUJ/6Ys8itQ83ll&4hO=NVxxIf
http://www.wandawallinbristow.com/p08r/?sZ=rIasJTgHnlhvn49Ec1ufSUMfKeevfsoIo8VQBxBAm8yCbmuzA/iYh299dFqwI1FD4s8UWgPB&4hO=NVxxIf
http://www.apeironnature.com/p08r/
http://www.minisoshop.com/p08r/?sZ=yt/y475BYeETL6/9CyyYP81IgtfMvB7e1GH5lU8k0UJ3W/3fb9aNkbEZFhB5uAoBowubwcMf&4hO=NVxxIf
http://www.blinglj.com/p08r/
http://www.tasteofgadsdencounty.com/p08r/?sZ=r9Yl5R9exgSt+THckHRGQHMSQ7lUP1MIKTFoA2QCQOTNM6XNLCYZhM17LQ5O2O7QDP/PNXJW&4hO=NVxxIf
http://www.xaudix.com/p08r/
http://www.standunitedforamerica.us/p08r/?sZ=B2ekqSjam2FgOpOVxsnLxAFuSlZHI4NAcaOSHs117iNT154ovp+tvM1jF1ib5fJR9u9nduUX&4hO=NVxxIf
http://www.puremicrodosing.com/p08r/ - rule_id: 5950
http://www.tamaracastrillejo.com/p08r/?sZ=CnBaoYh9B4vymKiOFoQY3BcfDLNsJjln6ysWXfUNxXKSA6sOsy6cNvjP7hJHh5O3EQTGDoh3&4hO=NVxxIf
http://www.standunitedforamerica.us/p08r/
http://www.tamaracastrillejo.com/p08r/
|
28
www.tradeplay.net(172.67.128.125)
www.happinessfashionline.com(100.24.208.97)
www.minisoshop.com(3.223.115.185)
www.bgcs.online()
www.puremicrodosing.com(91.184.0.100)
www.apeironnature.com(34.102.136.180)
www.shopmoly.com(128.199.158.128)
www.xaudix.com(182.50.132.242)
www.blinglj.com(23.227.38.74)
www.110cy.top(156.241.132.45)
www.tasteofgadsdencounty.com(34.102.136.180)
www.tamaracastrillejo.com(104.21.42.37)
www.standunitedforamerica.us(34.102.136.180)
www.wandawallinbristow.com(192.249.119.170)
www.oarlary.xyz(104.21.34.240)
128.199.158.128
156.241.132.45
34.102.136.180 - mailcious
100.24.208.97
182.50.132.242 - mailcious
192.249.119.170
198.12.107.117 - malware
3.223.115.185 - mailcious
172.67.155.197
172.67.166.87
104.21.2.9
23.227.38.74 - mailcious
91.184.0.100 - mailcious
|
11
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE FormBook CnC Checkin (GET)
ET INFO HTTP Request to a *.top domain
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET HUNTING Request to .TOP Domain with Minimal Headers
|
2
http://www.puremicrodosing.com/p08r/
http://www.puremicrodosing.com/p08r/
|
5.8 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 117 |
2021-10-04 11:59
|
 invoice.wbk a77137852cc21108b4b4d23b82fa52a5
RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://202.55.132.141/11882/vbc.exe
http://checkvim.com/ga15/fre.php
|
3
checkvim.com(85.192.56.106) - mailcious
85.192.56.106
202.55.132.141
|
11
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Fake 404 Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.4 |
|
28 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 118 |
2021-10-02 17:05
|
 converter.dot 5f8f3c3d90fc96688c9adaa3f0c96889
VBA_macro Generic Malware MSOffice File unpack itself |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 119 |
2021-09-23 09:19
|
 sdf.wbk 5a90386e6f0f0e9b7f60409fdcfcb597
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://checkvim.com/fd11/fre.php - rule_id: 4723
http://103.140.251.93/swim/vbc.exe
|
3
checkvim.com(5.180.136.169) - mailcious
103.140.251.93 - mailcious
5.180.136.169
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET INFO Executable Download from dotted-quad Host
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot Fake 404 Response
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://checkvim.com/fd11/fre.php
|
5.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 120 |
2021-09-23 08:52
|
 fdsf.wbk 46502e94750a8fbfb089c90229998f3f
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://checkvim.com/fd11/fre.php - rule_id: 4723
http://103.140.251.93/team/vbc.exe
|
3
checkvim.com(5.180.136.169) - mailcious
103.140.251.93 - mailcious
5.180.136.169
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Fake 404 Response
|
1
http://checkvim.com/fd11/fre.php
|
5.0 |
M |
18 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|