106 |
2021-10-13 09:44
|
Macro test.doc b60b59d191a6ec82bcd34bbf3798777e VBA_macro Generic Malware Antivirus MSOffice File VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key |
1
|
2
orange.com(90.84.180.167) 90.84.180.167
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
9.8 |
|
31 |
ZeroCERT
|
107 |
2021-10-08 11:54
|
Code_of_Conduct_2021.doc 8d1454096bc0e82042437d911d695a2c Malicious Packer MSOffice File Vulnerability unpack itself |
|
|
|
|
1.8 |
M |
|
ZeroCERT
|
108 |
2021-10-07 13:47
|
Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58 RTF File doc VirusTotal Malware Malicious Traffic buffers extracted DNS |
1
http://45.14.226.221/cdfe/Fack.jpg - rule_id: 6066
|
1
|
|
1
http://45.14.226.221/cdfe/Fack.jpg
|
4.0 |
M |
33 |
조광섭
|
109 |
2021-10-07 13:40
|
Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58 RTF File doc VirusTotal Malware Malicious Traffic buffers extracted DNS |
1
http://45.14.226.221/cdfe/Fack.jpg - rule_id: 6066
|
1
|
|
1
http://45.14.226.221/cdfe/Fack.jpg
|
4.0 |
M |
33 |
조광섭
|
110 |
2021-10-07 13:32
|
Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58 RTF File doc VirusTotal Malware Malicious Traffic buffers extracted DNS |
1
http://45.14.226.221/cdfe/Fack.jpg - rule_id: 6066
|
1
|
|
1
http://45.14.226.221/cdfe/Fack.jpg
|
4.0 |
M |
33 |
ZeroCERT
|
111 |
2021-10-07 11:23
|
1006_2966063104581.doc 67b70c2d6a5191471273ee016ed9bb64 VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
2.8 |
|
21 |
ZeroCERT
|
112 |
2021-10-07 09:17
|
fd.wbk 6ce9da18e576af395cf59dd98ec43ea1 Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
2
http://checkvim.com/fd4/fre.php - rule_id: 5139 http://103.167.90.177/0789/vbc.exe
|
3
checkvim.com(82.202.194.8) - mailcious 82.202.194.8 103.167.90.177
|
13
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://checkvim.com/fd4/fre.php
|
5.6 |
M |
27 |
ZeroCERT
|
113 |
2021-10-06 16:14
|
1005_1662882485744.doc 1d1284db499feb490f85a3f99463a267 VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself |
|
|
|
|
2.0 |
|
|
ZeroCERT
|
114 |
2021-10-06 15:54
|
1005_1662882485744.doc 1d1284db499feb490f85a3f99463a267 VBA_macro Generic Malware MSOffice File Vulnerability unpack itself |
|
|
|
|
2.2 |
|
|
Kim.GS
|
115 |
2021-10-06 14:28
|
Update of the OFFICE PACK.doc 614679aaac8791504e5885c9c4e97b58 RTF File doc VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting DNS |
1
http://45.14.226.221/cdfe/Fack.jpg
|
1
|
|
|
4.4 |
M |
33 |
ZeroCERT
|
116 |
2021-10-06 13:34
|
gyty.wbk 9f33914979fc685f81ab79066877d01c RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself suspicious TLD Windows Exploit DNS crashed Downloader |
28
http://www.wandawallinbristow.com/p08r/ http://www.apeironnature.com/p08r/?sZ=2/kdXLcJs10/2cxW7t+Sgy9pAx78D6goaK23LVVxeGeEx+y6ZAUjhmiP7vRD9HtJk4HFEsVc&4hO=NVxxIf http://www.minisoshop.com/p08r/ http://www.oarlary.xyz/p08r/ http://www.110cy.top/p08r/?sZ=MhB7f0VRGu4oeye/TacVaH4JpmGIqSeDQM+dXwNRcYHzFlxosf73jULnoJMcxlrSEXGcWsCB&4hO=NVxxIf http://www.tasteofgadsdencounty.com/p08r/ http://www.happinessfashionline.com/p08r/ http://www.tradeplay.net/p08r/?sZ=4thJWcvRSTe4hV1bGSZ95meEdt450t9mNZxRaqxPEFoJU5xgEKef2WLJHyAlacZU2kQP+u82&4hO=NVxxIf http://www.happinessfashionline.com/p08r/?sZ=it2rKjXdnbVdg6Y0HoOw2Hy/OdzuHI5rq3rX4BBmEIww4S6XrH8d+i6ixz5qwTyrhXsqwNMN&4hO=NVxxIf http://www.oarlary.xyz/p08r/?sZ=HWuJJXMS6EhDI+SwYjpjarifwZNGFMDpOH1wTDyGnvjHCAjlH9SD6hFmgIuMNdw6hyZKLj5p&4hO=NVxxIf http://www.110cy.top/p08r/ http://www.xaudix.com/p08r/?sZ=AfsQzanRa/K71Sp+FC4vF/VUIPkDyKYCI0bhlWQZ5rKPtKnDleIrjtZ/eJx+lPng/2gI4886&4hO=NVxxIf http://www.tradeplay.net/p08r/ http://www.puremicrodosing.com/p08r/?sZ=S62BtV/OXf7l+Oi9TcRmwChwada/mHY3jxfUfEoy5xEvr99fIfi+QJg3WuTcsjgo8nY7wmXr&4hO=NVxxIf - rule_id: 5950 http://www.shopmoly.com/p08r/ http://www.blinglj.com/p08r/?sZ=VhZ5aNjufsg8yIKFt86vwNN5rsRGseTwSosfAD2rdPJJdPLarQSvJQIy1XR6o6k+V62Ea4hf&4hO=NVxxIf http://www.shopmoly.com/p08r/?sZ=haQmUSKM/WHARPa2Lp+DqCKAjRoaKWuSZ/KrsjvHPH5ydyX7t0iOLK3MGHUJ/6Ys8itQ83ll&4hO=NVxxIf http://www.wandawallinbristow.com/p08r/?sZ=rIasJTgHnlhvn49Ec1ufSUMfKeevfsoIo8VQBxBAm8yCbmuzA/iYh299dFqwI1FD4s8UWgPB&4hO=NVxxIf http://www.apeironnature.com/p08r/ http://www.minisoshop.com/p08r/?sZ=yt/y475BYeETL6/9CyyYP81IgtfMvB7e1GH5lU8k0UJ3W/3fb9aNkbEZFhB5uAoBowubwcMf&4hO=NVxxIf http://www.blinglj.com/p08r/ http://www.tasteofgadsdencounty.com/p08r/?sZ=r9Yl5R9exgSt+THckHRGQHMSQ7lUP1MIKTFoA2QCQOTNM6XNLCYZhM17LQ5O2O7QDP/PNXJW&4hO=NVxxIf http://www.xaudix.com/p08r/ http://www.standunitedforamerica.us/p08r/?sZ=B2ekqSjam2FgOpOVxsnLxAFuSlZHI4NAcaOSHs117iNT154ovp+tvM1jF1ib5fJR9u9nduUX&4hO=NVxxIf http://www.puremicrodosing.com/p08r/ - 
rule_id: 5950 http://www.tamaracastrillejo.com/p08r/?sZ=CnBaoYh9B4vymKiOFoQY3BcfDLNsJjln6ysWXfUNxXKSA6sOsy6cNvjP7hJHh5O3EQTGDoh3&4hO=NVxxIf http://www.standunitedforamerica.us/p08r/ http://www.tamaracastrillejo.com/p08r/
|
28
www.tradeplay.net(172.67.128.125) www.happinessfashionline.com(100.24.208.97) www.minisoshop.com(3.223.115.185) www.bgcs.online() www.puremicrodosing.com(91.184.0.100) www.apeironnature.com(34.102.136.180) www.shopmoly.com(128.199.158.128) www.xaudix.com(182.50.132.242) www.blinglj.com(23.227.38.74) www.110cy.top(156.241.132.45) www.tasteofgadsdencounty.com(34.102.136.180) www.tamaracastrillejo.com(104.21.42.37) www.standunitedforamerica.us(34.102.136.180) www.wandawallinbristow.com(192.249.119.170) www.oarlary.xyz(104.21.34.240) 128.199.158.128 156.241.132.45 34.102.136.180 - mailcious 100.24.208.97 182.50.132.242 - mailcious 192.249.119.170 198.12.107.117 - malware 3.223.115.185 - mailcious 172.67.155.197 172.67.166.87 104.21.2.9 23.227.38.74 - mailcious 91.184.0.100 - mailcious
|
11
ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE FormBook CnC Checkin (GET) ET INFO HTTP Request to a *.top domain ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Request to .XYZ Domain with Minimal Headers ET HUNTING Request to .TOP Domain with Minimal Headers
|
2
http://www.puremicrodosing.com/p08r/ http://www.puremicrodosing.com/p08r/
|
5.8 |
M |
27 |
ZeroCERT
|
117 |
2021-10-04 11:59
|
invoice.wbk a77137852cc21108b4b4d23b82fa52a5 RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://202.55.132.141/11882/vbc.exe http://checkvim.com/ga15/fre.php
|
3
checkvim.com(85.192.56.106) - mailcious 85.192.56.106 202.55.132.141
|
11
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Fake 404 Response ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.4 |
|
28 |
ZeroCERT
|
118 |
2021-10-02 17:05
|
converter.dot 5f8f3c3d90fc96688c9adaa3f0c96889 VBA_macro Generic Malware MSOffice File unpack itself |
|
|
|
|
0.8 |
|
|
ZeroCERT
|
119 |
2021-09-23 09:19
|
sdf.wbk 5a90386e6f0f0e9b7f60409fdcfcb597 Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://checkvim.com/fd11/fre.php - rule_id: 4723 http://103.140.251.93/swim/vbc.exe
|
3
checkvim.com(5.180.136.169) - mailcious 103.140.251.93 - mailcious 5.180.136.169
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET INFO Executable Download from dotted-quad Host ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET MALWARE LokiBot Fake 404 Response ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://checkvim.com/fd11/fre.php
|
5.2 |
M |
27 |
ZeroCERT
|
120 |
2021-09-23 08:52
|
fdsf.wbk 46502e94750a8fbfb089c90229998f3f Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://checkvim.com/fd11/fre.php - rule_id: 4723 http://103.140.251.93/team/vbc.exe
|
3
checkvim.com(5.180.136.169) - mailcious 103.140.251.93 - mailcious 5.180.136.169
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE LokiBot Fake 404 Response
|
1
http://checkvim.com/fd11/fre.php
|
5.0 |
M |
18 |
ZeroCERT
|