49216 | 2021-01-21 21:16 | MY3T75Y0.doc | 33425baec40ffec9695e2d9e6462a57b
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1):
  http://12.175.220.98/x58zt4q/bbgr0x8sjg7ue8/ - rule_id: 220
Hosts (3):
  trendmoversdubai.com(162.220.163.44) - malware
  12.175.220.98 - mailcious
  162.220.163.44 - malware
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
1 | 5.2 | M | 23 | ZeroCERT

49217 | 2021-01-21 18:53 | M1ENYQY6BF14.doc | 62d1f2d3c2937f042b37ea4ec133b416
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1):
  http://12.175.220.98/btmg3f/f1h3/k8i2bxk1b2e8/ - rule_id: 220
Hosts (3):
  trendmoversdubai.com(162.220.163.44) - malware
  12.175.220.98 - mailcious
  162.220.163.44 - malware
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
1 | 5.2 | M | 23 | ZeroCERT

49218 | 2021-01-21 18:53 | lCO3wMuD.html.doc | 3f50f8a6beb3d3fb0814743d7d1d6afb
Tags: VirusTotal Malware unpack itself malicious URLs
URLs: none listed
Hosts: none listed
Alerts: none listed
- | 2.0 | M | 9 | ZeroCERT

49219 | 2021-01-21 18:49 | kWuP.html.exe | d32908e4d32c94a8781f21ce2626dc13
Tags: Dridex VirusTotal Malware Buffer PE PDB suspicious privilege MachineGuid Code Injection Checks debugger buffers extracted Creates executable files RWX flags setting unpack itself AppData folder Tofsee Nymaim ComputerName DNS
URLs: none listed
Hosts (5):
  actes-etatcivil.com(160.153.129.221)
  www.ramazanyildiz.net(5.180.185.204)
  ankarakreatif.com(5.180.185.204)
  160.153.129.221 - mailcious
  5.180.185.204
Alerts (5):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO TLS Handshake Failure
  ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex
  SURICATA TLS invalid record type
  SURICATA TLS invalid record/traffic
- | 10.4 | M | 17 | ZeroCERT

49220 | 2021-01-21 18:48 | L22RP27Q7KUKJ5.doc | 9fd577ef5be9b1fea11778c35a441b99
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs (1):
  http://12.175.220.98/9i08q0mt4ae/2t5sywrrmxeurtlif8r/ - rule_id: 220
Hosts (3):
  trendmoversdubai.com(162.220.163.44) - malware
  12.175.220.98 - mailcious
  162.220.163.44 - malware
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
1 | 5.2 | M | 22 | ZeroCERT

49221 | 2021-01-21 18:34 | Invoice_180360.xls | 4bc306fa5912af1812d9232b6f1c540e
Tags: Dridex TrickBot VirusTotal Malware Malicious Traffic unpack itself malicious URLs Kovter Windows DNS
URLs (1): not listed
Hosts (3):
  ayeyi.biz(66.96.147.105) - mailcious
  66.96.147.105 - mailcious
  77.220.64.40
Alerts (4):
  ET INFO Observed DNS Query to .biz TLD
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET HUNTING Possible EXE Download From Suspicious TLD
- | 4.0 | M | 30 | ZeroCERT

49222 | 2021-01-21 18:34 | GK32VVNG1S.doc | 203c21854f83f1aa654e763bb362b1e7
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs: none listed
Hosts (3):
  trendmoversdubai.com(162.220.163.44) - malware
  12.175.220.98 - mailcious
  162.220.163.44 - malware
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
- | 5.2 | M | 22 | ZeroCERT

49223 | 2021-01-21 18:26 | GGKBUL.doc | 108c290cc4e46cf7e010c26305603ad1
Tags: Vulnerability VirusTotal Malware Malicious Traffic unpack itself malicious URLs Windows DNS
URLs: none listed
Hosts (3):
  trendmoversdubai.com(162.220.163.44) - malware
  12.175.220.98 - mailcious
  162.220.163.44 - malware
Alerts (3):
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE - Served Attached HTTP
- | 5.2 | M | 22 | ZeroCERT

49224 | 2021-01-21 18:25 | couragenewest.scr | 25cda0c5f9c41c44a27ced157d6cb8f1
Tags: VirusTotal Malware Check memory Checks debugger unpack itself Windows Cryptographic key crashed
URLs: none listed
Hosts: none listed
Alerts: none listed
- | 2.4 | M | 42 | ZeroCERT

49225 | 2021-01-21 18:14 | c3du5tw.zip.exe | 1a1d1c363b8fa960fa01c5aa2e3a125e
Tags: Malware download Dridex TrickBot VirusTotal Malware PDB MachineGuid Malicious Traffic Checks debugger unpack itself Collect installed applications installed browsers check Kovter Browser ComputerName DNS crashed
URLs (1): not listed
Hosts (1): not listed
Alerts (2):
  ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
  ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
- | 6.4 | M | 11 | ZeroCERT

49226 | 2021-01-21 18:14 | aha.exe | b178fc8566f18398e001006fe1cde29c
Tags: VirusTotal Malware AutoRuns Creates executable files Windows crashed
URLs: none listed
Hosts (1): not listed
Alerts: none listed
- | 2.6 | M | 62 | ZeroCERT

49227 | 2021-01-21 15:05 | winlog.exe | 90b32183f0e74bffe92861a7dbaba835
Tags: VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs DNS
URLs (18):
  http://www.fantasypickem.com/hvu9/?jPj8q=Klh8&t8o4n4p=Ro5d0bVJZ9vtXHSz7nSIBcoQnxDt8lXTV9CqParB64ePknPhfFkcunKvj/JeYOOMS6PF87Ri
  http://www.fantasypickem.com/hvu9/
  http://www.ralph-jones-home-plans.com/hvu9/?t8o4n4p=0UafUbvOiFj0xMxeJeml9L0ViqtEPshBV8gPR7dtEN/7WDVdxKP1+wU98y9hKLv8cdPC8jOE&jPj8q=Klh8
  http://www.wesolvit.net/hvu9/?t8o4n4p=xxhCH1v8Im0PqWC11lkqh8J//TcHp1zaC/oNZxP0I/5b2b5OHUPZBbTtW0ZhL/Uj5pBH/0WE&jPj8q=Klh8
  http://www.electrumwitged.download/hvu9/?jPj8q=Klh8&t8o4n4p=BSc2NW046tOM82H5S5Pn47daWFOSnhYLdBdBO9KQoBPCwgybmLBjSzmXxK3oTHFfo54KxAeo
  http://www.secundaria209emilianozapata.com/hvu9/?jPj8q=Klh8&t8o4n4p=XUrZaHbCsIeAJ1RG8aIXToeqvdGXt7OpIBv0Yo5BwiqC4knZZwrAHpfI8CJhMTKhhZF3+115
  http://www.pushmetop.com/hvu9/
  http://www.clinicemdad.com/hvu9/
  http://www.darkphi.club/hvu9/
  http://www.vkreditoff.online/hvu9/?jPj8q=Klh8&t8o4n4p=MT1ehMBoRatcOVa7mN40N85q6TlmFXTeShk511ueV+7XjM9BlYo/agsceRhDHmO3/zmAX/W/
  http://www.ralph-jones-home-plans.com/hvu9/
  http://www.clinicemdad.com/hvu9/?jPj8q=Klh8&t8o4n4p=bxJWQ9n3hMIy4+14vCB8r508rRnALCKfVUw9QiUhv+4YdYdYm8sRL5TEg/96uuBoQQXzUh9j
  http://www.pushmetop.com/hvu9/?t8o4n4p=KUbtZXz8twfnHnZpQDZLEsfBQdVFAeEO/QksFwfDycDoj9yhbY8iWNT8vVx5jk/VDPPKwIUU&jPj8q=Klh8
  http://www.darkphi.club/hvu9/?t8o4n4p=lRjXipBH1R39nAz9RqJSv3p5y5t93SkU05kQmpsFKVErByd5lEsUKARBGGkToh74DM2a6J5J&jPj8q=Klh8
  http://www.secundaria209emilianozapata.com/hvu9/
  http://www.electrumwitged.download/hvu9/
  http://www.vkreditoff.online/hvu9/
  http://www.wesolvit.net/hvu9/
Hosts (17):
  www.pushmetop.com(34.102.136.180)
  www.secundaria209emilianozapata.com(68.70.164.28)
  www.wesolvit.net(34.102.136.180)
  www.electrumwitged.download(190.115.18.132)
  www.clinicemdad.com(94.130.181.29)
  www.fantasypickem.com(205.201.132.26)
  www.ralph-jones-home-plans.com(35.172.94.1)
  www.darkphi.club(198.37.123.61)
  www.vkreditoff.online(87.236.16.91)
  198.37.123.61
  87.236.16.91
  68.70.164.28 - malware
  190.115.18.132
  34.102.136.180 - mailcious
  100.24.208.97
  205.201.132.26
  94.130.181.29
Alerts: none listed
- | 9.8 | M | 34 | ZeroCERT

49228 | 2021-01-21 15:00 | 8Fgs94kCRPbmo12Q.dll | 3e1249e4d0b0b61d493da93139b9f3a4
Tags: VirusTotal Malware
URLs: none listed
Hosts: none listed
Alerts: none listed
- | 1.2 | M | 32 | ZeroCERT

49229 | 2021-01-21 14:58 | vbc.exe | 97faa09b0517cd09dc1ce63d8779d2ec
Tags: VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself malicious URLs Windows ComputerName crashed
URLs: none listed
Hosts: none listed
Alerts: none listed
- | 10.0 | M | 40 | ZeroCERT

49230 | 2021-01-21 14:56 | Setup.exe | 4a465ede8d11113aed687052778a9a3d
Tags: VirusTotal Malware Buffer PE Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself AppData folder malicious URLs VMware IP Check Tofsee Windows ComputerName Amazon DNS
URLs (11):
  http://reports.adexpertsmedia.com/rest/trackinstall/?advId=84&offerId=173&campaignId=&ip=175.208.134.150&country=KR&timestamp=2021-01-2119:33:03&key=igvepVwh9JsqWbYAf2CRhvt2cqZauh2l
  http://99ee6261-b333-4998-8256-14e87061e63c.s3.amazonaws.com/Download/Versium.exe
  http://ipinfo.io/country
  http://ipinfo.io/ip
  http://reports.adexpertsmedia.com/rest/trackinstall?advId=84&offerId=173&campaignId=&ip=175.208.134.150&country=KR&timestamp=2021-01-2119:33:03&key=igvepVwh9JsqWbYAf2CRhvt2cqZauh2l
  https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150
  https://script.google.com/macros/s/AKfycbxo8pDhkDuQffM-X47tbalyWHSqwTbYA5--nDOA83Y4arvmvHk/exec
  https://script.googleusercontent.com/macros/echo?user_content_key=zDgqK7aYO8uBW7ILX8cPdHddc3YFHfeVwW0NxR5SQM9MaMnuG6bKSWXpenGuW3TAZ0hBLSrjjn4ewU11up60raUkZ9ow1dGOm5_BxDlH2jW0nuo2oDemN9CCS2h10ox_1xSncGQajx_ryfhECjZEnIuBhk-KeykwubxUfEJ6zx0XYr6OEeuRqLLTd5ClhyQ3LLuokR1p_PlVh5YR3Cd2zhdIug5zkO6q&lib=M9ChrXOfJuPsIjPCXSiG3bE17J_BaZEX1
  https://script.googleusercontent.com/macros/echo?user_content_key=0RbTPmS3PHvVSYGhxgeXClNEjw7hgb2dwkq7d-YIriC9-zBDhpvl4XE3vNqFKRvGF9XVO0QQPMapfIiyYgVswGE4mjcDCSCDm5_BxDlH2jW0nuo2oDemN9CCS2h10ox_1xSncGQajx_ryfhECjZEnIuBhk-KeykwubxUfEJ6zx0XYr6OEeuRqLLTd5ClhyQ3LLuokR1p_PlVh5YR3Cd2zhdIug5zkO6q&lib=M9ChrXOfJuPsIjPCXSiG3bE17J_BaZEX1
  https://ipinfo.io/country
  https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?ip=175.208.134.150&loc=KR&app=Versium_Research&payoutcents=2.5&ver=11.5
Hosts (12):
  reports.adexpertsmedia.com(95.216.1.203)
  99ee6261-b333-4998-8256-14e87061e63c.s3.amazonaws.com(52.217.46.188) - malware
  script.googleusercontent.com(172.217.25.225)
  ipinfo.io(216.239.38.21)
  script.google.com(172.217.175.238)
  ipqualityscore.com(172.67.72.12)
  52.217.12.140
  95.216.1.203
  216.239.36.21 - suspicious
  172.217.31.238 - suspicious
  172.67.72.12
  172.217.24.65
Alerts (6):
  ET POLICY Possible External IP Lookup ipinfo.io
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
  ET POLICY Executable served from Amazon S3
  ET POLICY PE EXE or DLL Windows file download HTTP
- | 9.0 | M | 25 | ZeroCERT
