Sandbox results, one record per submitted sample. Fields: record # | submission time | submitter; file name; MD5; behaviour tags (as emitted by the sandbox); contacted URLs; contacted hosts (domain(resolved IP), with the sandbox's reputation label where it gave one); Suricata alerts; flagged URLs; Score, Flag and N (the last two are carried over from the source, where they are unlabelled).

#121 | 2021-09-19 10:55 | submitter: ZeroCERT
  File:  n.wbk
  MD5:   f001c279ed34264cd5bd0acf4987cec1
  Tags:  RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader
  URLs:  none
  Hosts (3):
    107.180.56.180 - malware
    172.67.176.114 - malware
    198.46.199.171 - malware
  Suricata alerts (6):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Flagged URLs: none
  Score: 5.2   Flag: M   N: 24

#122 | 2021-09-18 19:43 | submitter: guest
  File:  diagram-308.doc
  MD5:   1af9caa901bb14e513e6863e1d201f61
  Tags:  VBA_macro Generic Malware MSOffice File unpack itself
  URLs:  none
  Hosts: none
  Suricata alerts: none
  Flagged URLs: none
  Score: 1.2   Flag: -   N: -

#123 | 2021-09-18 19:43 | submitter: guest
  File:  diagram-303.doc
  MD5:   9848d167cd2ad39d503a07b4fbd5bc80
  Tags:  VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself
  URLs:  none
  Hosts: none
  Suricata alerts: none
  Flagged URLs: none
  Score: 2.4   Flag: -   N: 23

#124 | 2021-09-17 11:15 | submitter: guest
  File:  diagram-125.doc
  MD5:   7bfc3adf08b35a9f9316a2ede16bb297
  Tags:  VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself
  URLs:  none
  Hosts: none
  Suricata alerts: none
  Flagged URLs: none
  Score: 1.6   Flag: -   N: -

#125 | 2021-09-17 11:08 | submitter: guest
  File:  diagram-118.doc
  MD5:   4cf2a06cb2d3e70ce6bf9cc716e0cbaf
  Tags:  VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself
  URLs:  none
  Hosts: none
  Suricata alerts: none
  Flagged URLs: none
  Score: 1.6   Flag: -   N: -

#126 | 2021-09-17 11:08 | submitter: guest
  File:  diagram-116.doc
  MD5:   ed7013efeb9d004aba9b9a5daa757261
  Tags:  VBA_macro Generic Malware MSOffice File exploit crash unpack itself Exploit crashed
  URLs:  none
  Hosts: none
  Suricata alerts: none
  Flagged URLs: none
  Score: 2.4   Flag: -   N: -

#127 | 2021-09-17 11:05 | submitter: guest
  File:  diagram-114.doc
  MD5:   876b64688a3e91ca83a24cbe82bc77b5
  Tags:  VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself
  URLs:  none
  Hosts: none
  Suricata alerts: none
  Flagged URLs: none
  Score: 1.6   Flag: -   N: -

#128 | 2021-09-17 09:54 | submitter: ZeroCERT
  File:  invoice.wbk
  MD5:   dba69da87a497561022dff1ec7b1631c
  Tags:  Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (1):
    http://checkvim.com/fd4/fre.php - rule_id: 5139
  Hosts (3):
    checkvim.com(185.251.89.230) - malicious
    185.251.89.230
    103.155.80.150 - malware
  Suricata alerts (13):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
  Flagged URLs (1):
    http://checkvim.com/fd4/fre.php
  Score: 5.2   Flag: M   N: 25

#129 | 2021-09-17 09:52 | submitter: ZeroCERT
  File:  dsf.wbk
  MD5:   b173278a101f7c26ea90d923613fcbba
  Tags:  Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader
  URLs (2):
    http://103.155.80.150/kfc/vbc.exe
    http://checkvim.com/fd4/fre.php - rule_id: 5139
  Hosts (3):
    checkvim.com(185.251.89.230) - malicious
    185.251.89.230
    103.155.80.150 - malware
  Suricata alerts (13):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Fake 404 Response
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Flagged URLs (1):
    http://checkvim.com/fd4/fre.php
  Score: 5.6   Flag: M   N: 26

#130 | 2021-09-15 09:57 | submitter: guest
  File:  diagram-171.doc
  MD5:   bfa9d4b7bcf5820e663d338e9921d1f8
  Tags:  VBA_macro Generic Malware MSOffice File unpack itself
  URLs (5):
    https://ghapan.com/Kdg73onC3oQ/090921.html
    https://gruasingenieria.pe/LUS1NTVui6/090921.html
    https://yoowi.net/tDzEJ8uVGwdj/130921.html
    https://chaturanga.groopy.com/7SEZBnhMLW/130921.html
    https://lotolands.com/JtaTAt4Ej/130921.html
  Hosts (5):
    ghapan.com(136.243.74.161)
    gruasingenieria.pe(192.185.17.114)
    yoowi.net(210.211.111.87)
    chaturanga.groopy.com(143.95.80.83)
    lotolands.com(198.54.124.27)
  Suricata alerts: none
  Flagged URLs: none
  Score: 1.2   Flag: -   N: -

#131 | 2021-09-15 09:57 | submitter: guest
  File:  diagram-170.doc
  MD5:   62f8ccb8d886cf7762527c6492723f45
  Tags:  VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself
  URLs (5):
    https://ghapan.com/Kdg73onC3oQ/090921.html
    https://gruasingenieria.pe/LUS1NTVui6/090921.html
    https://yoowi.net/tDzEJ8uVGwdj/130921.html
    https://chaturanga.groopy.com/7SEZBnhMLW/130921.html
    https://lotolands.com/JtaTAt4Ej/130921.html
  Hosts (5):
    ghapan.com(136.243.74.161)
    gruasingenieria.pe(192.185.17.114)
    yoowi.net(210.211.111.87)
    chaturanga.groopy.com(143.95.80.83)
    lotolands.com(198.54.124.27)
  Suricata alerts: none
  Flagged URLs: none
  Score: 1.6   Flag: -   N: -

#132 | 2021-09-15 09:32 | submitter: ZeroCERT
  File:  d.wbk
  MD5:   cfd3682c2cf1f604af25f77e9ac3fc84
  Tags:  RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed
  URLs (1):
    http://www.fact-about.com/m8g0/?EzuxZl=CJjkS1LluJdyCrC/wWSSdZmBbPjhWleK8FTZxyZzjK5W/DntwLv4XF/Fx0jov/ipugt5t8Pp&anX=TXFxrpEH_FZt
  Hosts (4):
    www.fact-about.com(146.148.189.222)
    www.corbvalperu.com()
    146.148.189.222
    198.46.199.161 - malware
  Suricata alerts (8):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Possible Malicious Macro DL EXE Feb 2016
    ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE FormBook CnC Checkin (GET)
  Flagged URLs: none
  Score: 5.0   Flag: M   N: 26

#133 | 2021-09-15 09:23 | submitter: ZeroCERT
  File:  f.wbk
  MD5:   e98b2039d50f2482200d688766f9789f
  Tags:  RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (1):
    http://www.kkcindia.com/by65/?xVJtG4Th=PU+Ve4UAPi5Re9LLGDxmdgil374yQ6xwqpxATmSGSVF17+prnoHkx+dFYOe/+U0+Br20Y6Ns&1bw=L6Adp0nXjfjLdR2p
  Hosts (4):
    www.seniorlivingukhomes.com()
    www.kkcindia.com(209.99.40.222)
    209.99.40.222 - malicious
    198.46.199.161 - malware
  Suricata alerts (7):
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE FormBook CnC Checkin (GET)
  Flagged URLs: none
  Score: 5.0   Flag: M   N: 26

#134 | 2021-09-14 07:36 | submitter: ZeroCERT
  File:  recp_21000989.wbk
  MD5:   d22ba5af380fe520c038a458e12483fa
  Tags:  Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader
  URLs (2):
    http://103.155.80.150/ssl/vbc.exe
    http://checkvim.com/fd4/fre.php
  Hosts (3):
    checkvim.com(164.132.216.38) - malicious
    164.132.216.38
    103.155.80.150
  Suricata alerts (12):
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  Flagged URLs: none
  Score: 5.4   Flag: -   N: 33

#135 | 2021-09-13 18:33 | submitter: ZeroCERT
  File:  .---------------..------------...
  MD5:   a5fedf6b6cb4f47640a5f2d8e36d09e7
  Tags:  RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Tofsee Windows Exploit Advertising Google DNS crashed Downloader
  URLs (4):
    http://136.243.159.53/~element/page.php?id=429
    http://23.95.85.181/http/vbc.exe
    https://doc-00-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/44otpfku4m84nv2baa4uts53scs88sf5/1631525475000/14552286414405439806/*/1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_?e=download
    https://drive.google.com/uc?export=download&id=1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_
  Hosts (6):
    doc-00-1c-docs.googleusercontent.com(142.250.196.97)
    drive.google.com(142.250.199.110) - malicious
    172.217.25.238 - malicious
    136.243.159.53
    23.95.85.181
    172.217.161.161 - suspicious
  Suricata alerts (13):
    SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
    ET INFO Executable Download from dotted-quad Host
    ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
    ET POLICY PE EXE or DLL Windows file download HTTP
    ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
    ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
    ET MALWARE LokiBot User-Agent (Charon/Inferno)
    ET MALWARE LokiBot Checkin
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
    ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
    ET MALWARE LokiBot Request for C2 Commands Detected M1
    ET MALWARE LokiBot Request for C2 Commands Detected M2
  Flagged URLs: none
  Score: 5.6   Flag: -   N: 29
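The listing above is only useful downstream once the hashes, URLs and hosts are pulled out, deduplicated and defanged for a blocklist or a ticket. The following is an added example of that step, written for this page and not part of the sandbox that produced the records. SAMPLE is constructed here from two of the entries above (#128 and #132); the regular expressions, the treatment of the sandbox's "domain(ip)" host notation and the mapping of its misspelt "mailcious" label to "malicious" are assumptions about the listing's format.

```python
"""IOC extraction over sandbox listing text. Added example; the record
layout in SAMPLE is constructed from entries #128 and #132 on this page."""
import re
from urllib.parse import urlsplit

# Constructed sample: two records in the per-record layout used on this page.
SAMPLE = """\
#128 | 2021-09-17 09:54 | submitter: ZeroCERT
  File:  invoice.wbk
  MD5:   dba69da87a497561022dff1ec7b1631c
  URLs (1):
    http://checkvim.com/fd4/fre.php - rule_id: 5139
  Hosts (3):
    checkvim.com(185.251.89.230) - malicious
    185.251.89.230
    103.155.80.150 - malware
#132 | 2021-09-15 09:32 | submitter: ZeroCERT
  File:  d.wbk
  MD5:   cfd3682c2cf1f604af25f77e9ac3fc84
  URLs (1):
    http://www.fact-about.com/m8g0/?EzuxZl=CJjkS1LluJdyCrC/wWSSdZmBbPjhWleK8FTZxyZzjK5W/DntwLv4XF/Fx0jov/ipugt5t8Pp&anX=TXFxrpEH_FZt
  Hosts (4):
    www.fact-about.com(146.148.189.222)
    www.corbvalperu.com()
    146.148.189.222
    198.46.199.161 - malware
"""

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"https?://[^\s|]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "domain(resolved-ip)" as the sandbox prints contacted hosts; the IP may be empty.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\((\d{1,3}(?:\.\d{1,3}){3})?\)")
# "<host> - <label>" reputation tags; "mailcious" is the sandbox's own misspelling (assumed).
LABEL_RE = re.compile(r"(\S+) - (malware|malicious|mailcious|suspicious)\b")


def extract_iocs(text):
    """Return deduplicated, sorted IOC lists keyed by type."""
    urls = set(URL_RE.findall(text))
    ips = set(IPV4_RE.findall(text))
    domains = {d for d, _ in HOST_RE.findall(text)}
    for u in urls:  # hostnames inside URLs count too; IP-literal hosts go to the IP list
        host = urlsplit(u).hostname
        if host:
            (ips if IPV4_RE.fullmatch(host) else domains).add(host)
    return {
        "md5": sorted(set(MD5_RE.findall(text))),
        "urls": sorted(urls),
        "ips": sorted(ips),
        "domains": sorted(domains),
    }


def label_hosts(text):
    """Map each host/IP to the sandbox's reputation label; a label on a
    'domain(ip)' token is propagated to both the domain and the IP."""
    labels = {}
    for token, label in LABEL_RE.findall(text):
        label = "malicious" if label == "mailcious" else label
        m = HOST_RE.fullmatch(token)
        if m:
            labels[m.group(1)] = label
            if m.group(2):
                labels[m.group(2)] = label
        else:
            labels[token] = label
    return labels


def defang(ioc):
    """Make an IOC safe to paste into a ticket or chat (hxxp, [.])."""
    return (ioc.replace("http://", "hxxp://")
               .replace("https://", "hxxps://")
               .replace(".", "[.]"))


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE)
    labels = label_hosts(SAMPLE)
    for kind, items in iocs.items():
        for item in items:
            print(f"{kind:8} {defang(item):60} {labels.get(item, '')}")
```

Hosts the sandbox listed without a label (the bare `185.251.89.230` line, `www.corbvalperu.com()`) still come out of `extract_iocs`, so nothing is silently dropped; `label_hosts` only adds the reputation where the listing gave one, which is the distinction a blocklist reviewer wants to see.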