| 121 |
2021-09-19 10:55
|
 n.wbk f001c279ed34264cd5bd0acf4987cec1
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
|
3
107.180.56.180 - malware
172.67.176.114 - malware
198.46.199.171 - malware
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.2 |
M |
24 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 122 |
2021-09-18 19:43
|
 diagram-308.doc 1af9caa901bb14e513e6863e1d201f61
VBA_macro Generic Malware MSOffice File unpack itself |
|
|
|
|
1.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 123 |
2021-09-18 19:43
|
 diagram-303.doc 9848d167cd2ad39d503a07b4fbd5bc80
VBA_macro Generic Malware MSOffice File VirusTotal Malware RWX flags setting unpack itself |
|
|
|
|
2.4 |
|
23 |
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 124 |
2021-09-17 11:15
|
 diagram-125.doc 7bfc3adf08b35a9f9316a2ede16bb297
VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself |
|
|
|
|
1.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 125 |
2021-09-17 11:08
|
 diagram-118.doc 4cf2a06cb2d3e70ce6bf9cc716e0cbaf
VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself |
|
|
|
|
1.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 126 |
2021-09-17 11:08
|
 diagram-116.doc ed7013efeb9d004aba9b9a5daa757261
VBA_macro Generic Malware MSOffice File exploit crash unpack itself Exploit crashed |
|
|
|
|
2.4 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 127 |
2021-09-17 11:05
|
 diagram-114.doc 876b64688a3e91ca83a24cbe82bc77b5
VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself |
|
|
|
|
1.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 128 |
2021-09-17 09:54
|
 invoice.wbk dba69da87a497561022dff1ec7b1631c
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://checkvim.com/fd4/fre.php - rule_id: 5139
|
3
checkvim.com(185.251.89.230) - mailcious
185.251.89.230
103.155.80.150 - malware
|
13
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
|
1
http://checkvim.com/fd4/fre.php
|
5.2 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 129 |
2021-09-17 09:52
|
 dsf.wbk b173278a101f7c26ea90d923613fcbba
Lokibot RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS Cryptographic key crashed Downloader |
2
http://103.155.80.150/kfc/vbc.exe
http://checkvim.com/fd4/fre.php - rule_id: 5139
|
3
checkvim.com(185.251.89.230) - mailcious
185.251.89.230
103.155.80.150 - malware
|
13
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://checkvim.com/fd4/fre.php
|
5.6 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 130 |
2021-09-15 09:57
|
 diagram-171.doc bfa9d4b7bcf5820e663d338e9921d1f8
VBA_macro Generic Malware MSOffice File unpack itself |
5
https://ghapan.com/Kdg73onC3oQ/090921.html
https://gruasingenieria.pe/LUS1NTVui6/090921.html
https://yoowi.net/tDzEJ8uVGwdj/130921.html
https://chaturanga.groopy.com/7SEZBnhMLW/130921.html
https://lotolands.com/JtaTAt4Ej/130921.html
|
5
ghapan.com(136.243.74.161)
gruasingenieria.pe(192.185.17.114)
yoowi.net(210.211.111.87)
chaturanga.groopy.com(143.95.80.83)
lotolands.com(198.54.124.27)
|
|
|
1.2 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 131 |
2021-09-15 09:57
|
 diagram-170.doc 62f8ccb8d886cf7762527c6492723f45
VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself |
5
https://ghapan.com/Kdg73onC3oQ/090921.html
https://gruasingenieria.pe/LUS1NTVui6/090921.html
https://yoowi.net/tDzEJ8uVGwdj/130921.html
https://chaturanga.groopy.com/7SEZBnhMLW/130921.html
https://lotolands.com/JtaTAt4Ej/130921.html
|
5
ghapan.com(136.243.74.161)
gruasingenieria.pe(192.185.17.114)
yoowi.net(210.211.111.87)
chaturanga.groopy.com(143.95.80.83)
lotolands.com(198.54.124.27)
|
|
|
1.6 |
|
|
guest
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 132 |
2021-09-15 09:32
|
 d.wbk cfd3682c2cf1f604af25f77e9ac3fc84
RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed |
1
http://www.fact-about.com/m8g0/?EzuxZl=CJjkS1LluJdyCrC/wWSSdZmBbPjhWleK8FTZxyZzjK5W/DntwLv4XF/Fx0jov/ipugt5t8Pp&anX=TXFxrpEH_FZt
|
4
www.fact-about.com(146.148.189.222)
www.corbvalperu.com()
146.148.189.222
198.46.199.161 - malware
|
8
ET INFO Executable Download from dotted-quad Host
ET MALWARE Possible Malicious Macro DL EXE Feb 2016
ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 133 |
2021-09-15 09:23
|
 f.wbk e98b2039d50f2482200d688766f9789f
RTF File doc AntiDebug AntiVM FormBook Malware download VirusTotal Malware MachineGuid Malicious Traffic Check memory Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://www.kkcindia.com/by65/?xVJtG4Th=PU+Ve4UAPi5Re9LLGDxmdgil374yQ6xwqpxATmSGSVF17+prnoHkx+dFYOe/+U0+Br20Y6Ns&1bw=L6Adp0nXjfjLdR2p
|
4
www.seniorlivingukhomes.com()
www.kkcindia.com(209.99.40.222)
209.99.40.222 - mailcious
198.46.199.161 - malware
|
7
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.0 |
M |
26 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 134 |
2021-09-14 07:36
|
 recp_21000989.wbk d22ba5af380fe520c038a458e12483fa
RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Windows Exploit DNS crashed Downloader |
2
http://103.155.80.150/ssl/vbc.exe
http://checkvim.com/fd4/fre.php
|
3
checkvim.com(164.132.216.38) - mailcious
164.132.216.38
103.155.80.150
|
12
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
5.4 |
|
33 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 135 |
2021-09-13 18:33
|
 .---------------..------------... a5fedf6b6cb4f47640a5f2d8e36d09e7
RTF File doc AntiDebug AntiVM LokiBot Malware download VirusTotal Malware c&c MachineGuid Malicious Traffic Check memory exploit crash unpack itself Tofsee Windows Exploit Advertising Google DNS crashed Downloader |
4
http://136.243.159.53/~element/page.php?id=429
http://23.95.85.181/http/vbc.exe
https://doc-00-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/44otpfku4m84nv2baa4uts53scs88sf5/1631525475000/14552286414405439806/*/1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_?e=download
https://drive.google.com/uc?export=download&id=1u_LDPUBD8svIuWN6M_dYDxV9pWS_PZM_
|
6
doc-00-1c-docs.googleusercontent.com(142.250.196.97)
drive.google.com(142.250.199.110) - mailcious
172.217.25.238 - mailcious
136.243.159.53
23.95.85.181
172.217.161.161 - suspicious
|
13
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
|
|
5.6 |
|
29 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|