32971 |
2022-03-30 09:56
|
shp_778.doc 9c8a32a51063bf0216afc4477f897a62 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://198.23.174.107/778/vbc.exe
|
1
198.23.174.107 - malicious
|
7
ET INFO Executable Download from dotted-quad Host ET MALWARE MSIL/GenKryptik.FQRH Download Request ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
4.4 |
M |
28 |
ZeroCERT
32972 |
2022-03-30 09:31
|
UX4uAkEF_mly3l-jeKbm5VNwoPkAnP... bf5309d3536cb55f8a052ad35576866f Malicious Library PE File PE64 VirusTotal Malware crashed |
|
|
|
|
0.8 |
|
6 |
ZeroCERT
32973 |
2022-03-30 09:29
|
shp_778.doc 9c8a32a51063bf0216afc4477f897a62 RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit crashed |
|
|
|
|
3.0 |
M |
28 |
ZeroCERT
32974 |
2022-03-30 09:28
|
POqJKcxiIzRb a6d09f5a2f3db9a5b75f38ebb3d152e0 Emotet Gen2 Gen1 Malicious Packer Malicious Library UPX OS Processor Check DLL PE32 PE File Dridex TrickBot Malware Report Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS |
|
38
|
9
ET CNC Feodo Tracker Reported CnC Server group 5 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 20 ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 19
|
|
5.6 |
|
|
ZeroCERT
32975 |
2022-03-30 09:27
|
3933338074.xls 33359d166fbabd653dcdb6bb53d35cd4 Excel with Emotet Emotet Gen2 Gen1 MS_Excel_Hidden_Macro_Sheet Malicious Packer Malicious Library UPX MSOffice File OS Processor Check DLL PE32 PE File Malware download Dridex TrickBot Malware Report AutoRuns Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Auto service suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Tofsee Kovter Windows Exploit ComputerName DNS crashed |
3
http://apps.identrust.com/roots/dstrootcax3.p7c http://dsinformaticos.com/_private/f36Yl/ http://dougveeder.com/cgi-bin/xJ91ZttGRioQ7IUL/
|
46
|
13
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET CNC Feodo Tracker Reported CnC Server group 5 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 12 ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 19 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 ET INFO EXE - Served Attached HTTP
|
|
9.4 |
|
|
ZeroCERT
32976 |
2022-03-30 09:25
|
vbc.exe efd638102b94041f24a6b614a46e0f70 Malicious Library UPX Admin Tool (Sysinternals etc ...) PE32 PE File Emotet VirusTotal Malware AutoRuns Code Injection buffers extracted RWX flags setting unpack itself Windows RCE crashed |
1
http://ars9095genesh.com/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv/Izqntwyxutbanbjksfuazfsxdqbthcr
|
2
ars9095genesh.com(52.74.83.175) 52.74.83.175
|
|
|
6.6 |
M |
23 |
ZeroCERT
32977 |
2022-03-30 09:23
|
dhmax.exe 943cae40ccc382396e53d1a5463fe64e Malicious Library UPX PE32 PE File FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself DNS |
5
http://www.lezfilm.com/sh30/?C0D=KvCOCF3hyrLJWwSSBxeI9ST1Um705GzlEvnTDjrmr5uafHfybe5I6lSrP1J3uLVeuIxEQ+2S&RZ3=dhrxPvmP40_xNR2 http://www.suparna.life/sh30/?C0D=eF3MX8i04ulhW7Yijl8OTz5vd1YnValzrD6KnCnb09zi+6R8cdVgHbYf9wPGo+blVFCY+DTA&RZ3=dhrxPvmP40_xNR2 http://www.divinecanna.store/sh30/?C0D=rfZYFeSW2WVXI+KDQxvB/Ip3mpnkQJq7xFitM51iL8XjSU3uXfZvSndCl4pqTIdDYlqvaNMa&RZ3=dhrxPvmP40_xNR2 http://www.nataliawebdev.com/sh30/?C0D=dg4JkcCK199pSZUKHJy61pOeIAv1aL4mncxbLG1M6Azll4RIE9rGYEwHXJKdStKQGnX9mHxu&RZ3=dhrxPvmP40_xNR2 http://www.mmwavesolved.com/sh30/?C0D=XgUi462JNLMrNVf67Qj3HhWrehtDbGh1qXUp79RSictYqRQA1636/3MTYyGkQoIU55iaZJ0o&RZ3=dhrxPvmP40_xNR2
|
9
www.divinecanna.store(104.21.93.6) www.mmwavesolved.com(3.64.163.50) www.nataliawebdev.com(66.235.200.146) www.lezfilm.com(34.102.136.180) www.suparna.life(34.102.136.180) 3.64.163.50 - malicious 34.102.136.180 - malicious 66.235.200.146 - malware 172.67.201.218
|
3
ET INFO Observed DNS Query to .life TLD ET MALWARE FormBook CnC Checkin (GET) ET INFO HTTP Request to Suspicious *.life Domain
|
|
5.8 |
M |
47 |
ZeroCERT
32978 |
2022-03-30 09:21
|
18828003913961386761.xls b9b9c3971b89c4872d4929c2c1444998 Excel with Emotet Emotet Gen2 Gen1 MS_Excel_Hidden_Macro_Sheet Malicious Packer Malicious Library UPX MSOffice File OS Processor Check DLL PE32 PE File Malware download Dridex TrickBot Malware Report AutoRuns Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Auto service suspicious process AntiVM_Disk sandbox evasion VM Disk Size Check Tofsee Kovter Windows Exploit ComputerName DNS crashed |
4
http://apps.identrust.com/roots/dstrootcax3.p7c
http://dsinformaticos.com/_private/f36Yl/
http://dougveeder.com/cgi-bin/xJ91ZttGRioQ7IUL/
https://e-fistik.com/ajax/PnA23/
|
44
|
13
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 2 ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 5 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 19 ET CNC Feodo Tracker Reported CnC Server group 4 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 ET INFO EXE - Served Attached HTTP
|
|
9.8 |
|
|
ZeroCERT
32979 |
2022-03-30 08:56
|
T5qXAR8p5 8308537ddc1d48fc80c5bbb69f51a3d3 Emotet Gen2 Gen1 Malicious Packer Malicious Library UPX OS Processor Check DLL PE32 PE File Dridex TrickBot Malware Report Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS |
|
39
|
9
ET CNC Feodo Tracker Reported CnC Server group 5 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 19
|
|
5.6 |
|
|
ZeroCERT
32980 |
2022-03-30 08:54
|
STC.exe b933b611ce9fad4e6ea2a50a45388039 Generic Malware Malicious Packer Malicious Library UPX OS Processor Check PE32 PE File VirusTotal Malware Check memory Windows DNS DDNS keylogger |
|
2
harveyautos110.ddns.net(104.215.84.159) - malicious 104.215.84.159 - malicious
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
3.0 |
|
52 |
ZeroCERT
32981 |
2022-03-30 07:46
|
m d2a98352ab04ddb94abcf6a85d71d2a8 Emotet Gen2 Gen1 Malicious Packer Malicious Library UPX OS Processor Check DLL PE32 PE File Dridex TrickBot VirusTotal Malware Report Checks debugger ICMP traffic RWX flags setting unpack itself sandbox evasion Kovter ComputerName RCE DNS |
|
38
|
9
ET CNC Feodo Tracker Reported CnC Server group 5 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET INFO TLS Handshake Failure ET CNC Feodo Tracker Reported CnC Server group 14 ET CNC Feodo Tracker Reported CnC Server group 20 ET CNC Feodo Tracker Reported CnC Server group 12 ET CNC Feodo Tracker Reported CnC Server group 2 ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 19
|
|
6.4 |
|
23 |
ZeroCERT
32982 |
2022-03-30 07:31
|
putty.exe e98774bee4ed490089f6c63b6c676112 RAT Malicious Packer PE File PE64 VirusTotal Malware Check memory Checks debugger unpack itself crashed |
|
|
|
|
2.8 |
|
45 |
ZeroCERT
32983 |
2022-03-30 03:53
|
https://00f74ba44b39217d048f63... PWS[m] Create Service DGA Socket ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate privileges persistence FTP Http API AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
1
https://00f74ba44b39217d048f63139c00a05bf7e4c321fa-apidata.googleusercontent.com/download/storage/v1/b/monorail-prod.appspot.com/o/26%2Fattachments%2Fc700ee47-ea4d-4825-a67e-ef785f011ccc?jk=AFshE3WISc6KUUROchtFWBLiXPL5I-jjFZLBCdo7tKjwjEd8jk7UUfO1mh2ePlaDeHNIX3u2_dRpMZFxBiV4Co2JplAG3mFEQIUEzxEJvQeHC-H1nqFppeUmjjkLljKCObh0oHaMNis7D8W9ejkDBczi-GWETgNXwdx_Nk9IFKt4timzOdXN6qwX7oUk9cLmeNEmnWZ2LNrappCwqqAqju4L9d3dPEt5LNi_H3xk2C5O15YGGB3wsTa5J6OAWealKPfl3xbRDnjjWYanfUITFgM6fHEQxBCrrXp5fjEt1pqPlhO2VKyzop-1obpZuUTkkqYN6wCnoXGicGCt6qc3CtU5ywTkTnOwXx9_iCIMhpO2stQgJJHQsAZYs-MV447dk7pJMNMqNq3iUJi3fioEAzh7tv1-KSHaxLGFjxvfMOyLRL07F1042clhjA7z2GdfJE18iBHyfknJsZgmQLe05wnMmwYgFhXUmvk1BBxrJcaoo5smpVdsGrcBgjY2CF5h-4sPjN6xcBrO18DaFZWJlSOqsGBLTe78LRfKQlYKH7HJzZbrCD7Zw5rJ_J3-jMv_wN8LojBm5S6JFFWL7904_Yswqt72vZ_9XALddm0w9hlFZGngOwHwFINe0QGo807IL7298PTUcOio8vdI8ylpmSjbV5DSkBouRhQrviXuxx92xN8e38VZH8D8TthDCsaEstB27-RVL2DlGL9XWNOftLZ5f_yAfpjasic7C-379SH-QAk41VXWSDDBPuqHKGSziEGV5Ld8Va9gsOdV
|
2
00f74ba44b39217d048f63139c00a05bf7e4c321fa-apidata.googleusercontent.com(142.250.196.97) 142.250.196.129 - malicious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.2 |
|
|
guest
32984 |
2022-03-30 01:42
|
https://pbs.twimg.com/profile_... 537b0d945f6625eb5e9bc1171b2d5d40 PWS[m] Create Service DGA Socket ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate privileges persistence FTP Http API AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
pbs.twimg.com(192.229.237.96) 192.229.237.101
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
|
|
4.8 |
|
|
guest
32985 |
2022-03-30 01:42
|
https://cmsreg.dto.kemkes.go.i... d85e82376efe2404aa99a01422f2ce77 PWS[m] Create Service DGA Socket ScreenShot DNS Internet API Code injection Hijack Network Sniff Audio HTTP Steal credential KeyLogger P2P Downloader Escalate privileges persistence FTP Http API AntiDebug AntiVM PNG Format MSOffice File JPEG Format Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed |
|
2
cmsreg.dto.kemkes.go.id(34.101.136.249) 34.101.136.249
|
2
ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
Greytroya