| 8221 |
2021-05-21 10:22
|
 run.exe e57416e1935a33a9f173da150d8daa05
Gen1 Gen2 PE File PE32 OS Processor Check DLL Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AppData folder AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed |
8
http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEArIzKqFYmE3jrS4gQrE3QI%3D
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
http://43.129.230.36/System1.dll
http://139.155.178.173:888/NetSyst96.dll
http://43.129.230.36/8908.exe
http://139.155.178.173:888/360diao.exe
https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
|
6
users.qzone.qq.com(58.250.136.113) - mailcious
ocsp.dcocsp.cn(163.181.22.230)
43.129.230.36 - malware
58.250.136.113
139.155.178.173
47.246.59.231 - malware
|
10
ET INFO Executable Download from dotted-quad Host
ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET INFO Dotted Quad Host DLL Request
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
|
|
10.6 |
|
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8222 |
2021-05-21 10:23
|
 PO%2006336801.xls f9288646e623a8a8f0fa5ff5f6b5e3d6
VBA_macro MSOffice File VirusTotal Malware ICMP traffic unpack itself Tofsee |
10
https://greystonestructural.com/1y3dVMa45GFqjA.php
https://langgal.coop.np/0KafeflIy.php
https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
https://marbiadesign.com/css/fonts/INVRhwduUaFS.php
https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php
https://superbeli.com/fMn3tApyS5wbJU.php
https://fotounirii.ro/wp-content/plugins/under-construction-page/themes/000webhost/EYZWDFGxTaDjbR.php
https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
https://pratikmetals.com/system/database/drivers/pdo/subdrivers/FVTsLgQ1vriNlv.php
https://iminnovator.com/index_files/yVoSMJ3GBq7lzW5.php
|
20
greystonestructural.com(107.180.3.18)
marbiadesign.com(192.185.52.136) - mailcious
pratikmetals.com(199.79.62.17) - mailcious
iminnovator.com(192.185.139.153) - mailcious
specs2go.shawalzahid.com(158.69.144.71) - mailcious
fotounirii.ro(89.35.173.76) - mailcious
welcometotheafterdeath.com(192.254.234.250) - mailcious
langgal.coop.np(192.185.110.229)
superbeli.com(103.31.135.171) - mailcious
lojamusic.com.br(162.241.2.234) - mailcious
192.185.139.153 - mailcious
192.254.234.250 - mailcious
103.31.135.171 - mailcious
107.180.3.18
192.185.52.136 - mailcious
192.185.110.229
199.79.62.17 - mailcious
89.35.173.76 - mailcious
162.241.2.234 - mailcious
158.69.144.71 - mailcious
|
2
ET INFO TLS Handshake Failure
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
3.6 |
|
23 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8223 |
2021-05-21 10:37
|
 vbc.exe 102d327574963061daf3b844bfbd9dd0
PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself DNS |
|
|
|
|
2.6 |
|
34 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8224 |
2021-05-21 11:03
|
 360diao.exe 1973e37ebcef7d29735098244afe84c7
Gen1 Gen2 PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger RWX flags setting unpack itself AppData folder sandbox evasion Browser Remote Code Execution DNS |
|
|
|
|
5.6 |
|
52 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8225 |
2021-05-21 11:03
|
 8908.exe 671042cc66b28c17d9d2dd2ccf0cba18
Gen2 Gen1 PE File OS Processor Check PE32 DLL Checks debugger unpack itself AppData folder sandbox evasion Browser Remote Code Execution |
|
|
|
|
3.6 |
|
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8226 |
2021-05-21 11:16
|
 run.exe 63a11a44eeb7ee8c76f834d4435f4af3
PE File PE32 OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed |
1
http://139.155.178.173:888/System1.dll
|
1
139.155.178.173 - malware
|
9
ET INFO Executable Download from dotted-quad Host
ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET INFO Dotted Quad Host DLL Request
|
|
10.0 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8227 |
2021-05-21 11:17
|
 Sep.exe cfef44177015e086c53b9a45b803e1fd
PE File PE32 OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed |
2
http://139.155.178.173:888/8908.exe
http://139.155.178.173:888/System1.dll
|
1
139.155.178.173 - malware
|
9
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
ET INFO Dotted Quad Host DLL Request
|
|
9.0 |
M |
55 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8228 |
2021-05-21 11:47
|
 0520_3174350754728.doc 1ffb14acaddc1c6b1c560a322db6214d
Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478
http://api.ipify.org/
|
4
api.ipify.org(54.235.175.90)
vaethemanic.com(2.56.10.123) - mailcious
2.56.10.123 - mailcious
23.21.48.44
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.0 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8229 |
2021-05-21 11:50
|
 0520_2812845003972.doc aecae614ceb5f5c3dac0e00c773acb6d
Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478
http://api.ipify.org/
|
4
api.ipify.org(23.21.76.253)
vaethemanic.com(2.56.10.123) - mailcious
2.56.10.123 - mailcious
54.225.222.160
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.0 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8230 |
2021-05-21 12:36
|
 ................................. 7d216963eff2efe2b5aa60ffdcaa5627
RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://107.174.224.211/cdrive/vbc.exe - rule_id: 1477
|
1
107.174.224.211 - mailcious
|
6
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://107.174.224.211/cdrive/vbc.exe
|
4.8 |
M |
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8231 |
2021-05-21 13:22
|
 0520_3249595264310.doc 4042525360b5e5321acfc75828fd6287
Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478
http://api.ipify.org/
|
8
api.ipify.org(23.21.48.44)
tembovewinated.ru(185.10.45.99) - mailcious
prournauseent.ru(176.9.248.145) - mailcious
vaethemanic.com(2.56.10.123) - mailcious
176.9.248.145 - mailcious
2.56.10.123 - mailcious
185.10.45.99 - mailcious
23.21.76.253
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.4 |
M |
13 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8232 |
2021-05-21 13:29
|
 0520_2812845003972.doc aecae614ceb5f5c3dac0e00c773acb6d
Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478
http://api.ipify.org/
|
8
prournauseent.ru(176.9.248.145) - mailcious
tembovewinated.ru(185.10.45.99) - mailcious
api.ipify.org(54.225.157.230)
vaethemanic.com(2.56.10.123) - mailcious
176.9.248.145 - mailcious
2.56.10.123 - mailcious
185.10.45.99 - mailcious
50.16.192.84
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.8 |
M |
10 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8233 |
2021-05-21 13:39
|
 0520_2812845003972.doc aecae614ceb5f5c3dac0e00c773acb6d
Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478
http://api.ipify.org/
|
8
api.ipify.org(54.235.175.90)
tembovewinated.ru(185.10.45.99) - mailcious
prournauseent.ru(176.9.248.145) - mailcious
vaethemanic.com(2.56.10.123) - mailcious
176.9.248.145 - mailcious
2.56.10.123 - mailcious
185.10.45.99 - mailcious
54.221.236.13
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.4 |
M |
10 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8234 |
2021-05-21 13:42
|
 0520_2812845003972.doc aecae614ceb5f5c3dac0e00c773acb6d
Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478
http://api.ipify.org/
|
8
api.ipify.org(54.225.157.230)
tembovewinated.ru(185.10.45.99) - mailcious
prournauseent.ru(176.9.248.145) - mailcious
vaethemanic.com(2.56.10.123) - mailcious
176.9.248.145 - mailcious
2.56.10.123 - mailcious
185.10.45.99 - mailcious
54.221.236.13
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.4 |
M |
10 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8235 |
2021-05-21 14:24
|
 0520_2812845003972.doc aecae614ceb5f5c3dac0e00c773acb6d
Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478
http://api.ipify.org/
|
8
api.ipify.org(54.225.165.85)
tembovewinated.ru(185.10.45.99) - mailcious
prournauseent.ru(176.9.248.145) - mailcious
vaethemanic.com(2.56.10.123) - mailcious
176.9.248.145 - mailcious
2.56.10.123 - mailcious
185.10.45.99 - mailcious
50.19.242.215
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.4 |
M |
10 |
조광섭
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|