8221 | 2021-05-21 10:22
Sample: run.exe  MD5 e57416e1935a33a9f173da150d8daa05
Tags: Gen1 Gen2 PE File PE32 OS Processor Check DLL Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AppData folder AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed
URLs (8):
  http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHv1Dj%2BciPJEWH5JNtwL5Y07mRqwQUxBF%2BiECGwkG%2FZfMa4bRTQKOr7H0CEArIzKqFYmE3jrS4gQrE3QI%3D
  http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
  http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAh%2BGPuPqpJ%2B6HYKDYmC9RI%3D
  http://43.129.230.36/System1.dll
  http://139.155.178.173:888/NetSyst96.dll
  http://43.129.230.36/8908.exe
  http://139.155.178.173:888/360diao.exe
  https://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
Hosts (6):
  users.qzone.qq.com(58.250.136.113) - malicious
  ocsp.dcocsp.cn(163.181.22.230)
  43.129.230.36 - malware
  58.250.136.113
  139.155.178.173
  47.246.59.231 - malware
Suricata alerts (10):
  ET INFO Executable Download from dotted-quad Host
  ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))
  ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
10.6 | 48 | ZeroCERT

8222 | 2021-05-21 10:23
Sample: PO%2006336801.xls  MD5 f9288646e623a8a8f0fa5ff5f6b5e3d6
Tags: VBA_macro MSOffice File VirusTotal Malware ICMP traffic unpack itself Tofsee
URLs (10):
  https://greystonestructural.com/1y3dVMa45GFqjA.php
  https://langgal.coop.np/0KafeflIy.php
  https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php
  https://marbiadesign.com/css/fonts/INVRhwduUaFS.php
  https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php
  https://superbeli.com/fMn3tApyS5wbJU.php
  https://fotounirii.ro/wp-content/plugins/under-construction-page/themes/000webhost/EYZWDFGxTaDjbR.php
  https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php
  https://pratikmetals.com/system/database/drivers/pdo/subdrivers/FVTsLgQ1vriNlv.php
  https://iminnovator.com/index_files/yVoSMJ3GBq7lzW5.php
Hosts (20):
  greystonestructural.com(107.180.3.18)
  marbiadesign.com(192.185.52.136) - malicious
  pratikmetals.com(199.79.62.17) - malicious
  iminnovator.com(192.185.139.153) - malicious
  specs2go.shawalzahid.com(158.69.144.71) - malicious
  fotounirii.ro(89.35.173.76) - malicious
  welcometotheafterdeath.com(192.254.234.250) - malicious
  langgal.coop.np(192.185.110.229)
  superbeli.com(103.31.135.171) - malicious
  lojamusic.com.br(162.241.2.234) - malicious
  192.185.139.153 - malicious
  192.254.234.250 - malicious
  103.31.135.171 - malicious
  107.180.3.18
  192.185.52.136 - malicious
  192.185.110.229
  199.79.62.17 - malicious
  89.35.173.76 - malicious
  162.241.2.234 - malicious
  158.69.144.71 - malicious
Suricata alerts (2):
  ET INFO TLS Handshake Failure
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
3.6 | 23 | ZeroCERT

8223 | 2021-05-21 10:37
Sample: vbc.exe  MD5 102d327574963061daf3b844bfbd9dd0
Tags: PE File PE32 VirusTotal Malware Check memory RWX flags setting unpack itself DNS
URLs: none
Hosts: none
Suricata alerts: none
2.6 | 34 | ZeroCERT

8224 | 2021-05-21 11:03
Sample: 360diao.exe  MD5 1973e37ebcef7d29735098244afe84c7
Tags: Gen1 Gen2 PE File OS Processor Check PE32 DLL VirusTotal Malware Checks debugger RWX flags setting unpack itself AppData folder sandbox evasion Browser Remote Code Execution DNS
URLs: none
Hosts: none
Suricata alerts: none
5.6 | 52 | ZeroCERT

8225 | 2021-05-21 11:03
Sample: 8908.exe  MD5 671042cc66b28c17d9d2dd2ccf0cba18
Tags: Gen2 Gen1 PE File OS Processor Check PE32 DLL Checks debugger unpack itself AppData folder sandbox evasion Browser Remote Code Execution
URLs: none
Hosts: none
Suricata alerts: none
3.6 | ZeroCERT

8226 | 2021-05-21 11:16
Sample: run.exe  MD5 63a11a44eeb7ee8c76f834d4435f4af3
Tags: PE File PE32 OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed
URLs (1):
  http://139.155.178.173:888/System1.dll
Hosts (1):
  139.155.178.173 - malware
Suricata alerts (9):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET INFO Dotted Quad Host DLL Request
10.0 | M | 48 | ZeroCERT

8227 | 2021-05-21 11:17
Sample: Sep.exe  MD5 cfef44177015e086c53b9a45b803e1fd
Tags: PE File PE32 OS Processor Check Malware download VirusTotal Open Directory Malware GhostRAT AutoRuns Check memory Checks debugger Creates executable files RWX flags setting unpack itself Detects VMWare AntiVM_Disk sandbox evasion VMware VM Disk Size Check Windows Exploit Browser RAT Backdoor Trojan DNS crashed
URLs (2):
  http://139.155.178.173:888/8908.exe
  http://139.155.178.173:888/System1.dll
Hosts (1):
  139.155.178.173 - malware
Suricata alerts (9):
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE - Served Attached HTTP
  ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic
  ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102
  ET INFO Dotted Quad Host DLL Request
9.0 | M | 55 | ZeroCERT

8228 | 2021-05-21 11:47
Sample: 0520_3174350754728.doc  MD5 1ffb14acaddc1c6b1c560a322db6214d
Tags: Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
  http://vaethemanic.com/8/forum.php - rule_id: 1478
  http://api.ipify.org/
Hosts (4):
  api.ipify.org(54.235.175.90)
  vaethemanic.com(2.56.10.123) - malicious
  2.56.10.123 - malicious
  23.21.48.44
Suricata alerts (1):
  ET POLICY External IP Lookup api.ipify.org
Rule-matched URLs (1):
  http://vaethemanic.com/8/forum.php
8.0 | M | 10 | ZeroCERT

8229 | 2021-05-21 11:50
Sample: 0520_2812845003972.doc  MD5 aecae614ceb5f5c3dac0e00c773acb6d
Tags: Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
  http://vaethemanic.com/8/forum.php - rule_id: 1478
  http://api.ipify.org/
Hosts (4):
  api.ipify.org(23.21.76.253)
  vaethemanic.com(2.56.10.123) - malicious
  2.56.10.123 - malicious
  54.225.222.160
Suricata alerts (1):
  ET POLICY External IP Lookup api.ipify.org
Rule-matched URLs (1):
  http://vaethemanic.com/8/forum.php
8.0 | M | 10 | ZeroCERT

8230 | 2021-05-21 12:36
Sample: .................................  MD5 7d216963eff2efe2b5aa60ffdcaa5627
Tags: RTF File doc AntiDebug AntiVM Malware download VirusTotal Malware MachineGuid Malicious Traffic Checks debugger exploit crash unpack itself Windows Exploit DNS crashed Downloader
URLs (1):
  http://107.174.224.211/cdrive/vbc.exe - rule_id: 1477
Hosts (1):
  107.174.224.211 - malicious
Suricata alerts (6):
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
  http://107.174.224.211/cdrive/vbc.exe
4.8 | M | 25 | ZeroCERT

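The Gh0st records (8221, 8226, 8227) and the RTF downloader (8230) all trip the same family of Suricata alerts: a PE file pulled from a bare-IP host. As an added example, not code from the original listing or from the ZeroCERT site, the script below turns one flattened record of the kind shown on this page into structured IOCs (sample, MD5, URLs, hosts with their resolved IP and label, alert names) and flags URLs of that dotted-quad-plus-executable shape. The record layout is inferred from the page; the field names, the PE-extension list and the parse rules are this example's own assumptions, and RECORD_8227 is a constructed input whose values are copied from record 8227.

```python
"""Turn one flattened sandbox record, as listed on this page, into structured IOCs.

Added example; not code from the original listing or from the ZeroCERT site. The
record shape (sample name, MD5, tag words, then URL, host and Suricata-alert lines)
is inferred from the page; field names and the PE-extension list are assumptions.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
URL_RE = re.compile(r"https?://[^\s,]+")
# Either "name(1.2.3.4)" or a bare IPv4 not glued to other text; an optional
# " - label" (malicious / malware) follows each host in the listing.
HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9.-]+)\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?<![\w.(])(?P<bare>\d{1,3}(?:\.\d{1,3}){3})(?![\w.)])"
)
LABEL_RE = re.compile(r"\s*-\s*(\w+)")
PE_EXT = (".exe", ".dll", ".scr", ".cpl")  # assumed: what counts as a PE download

# Constructed input: record 8227's sample line, URLs, host and two of its alerts,
# copied from the page so the example runs offline.
RECORD_8227 = """\
Sep.exe cfef44177015e086c53b9a45b803e1fd PE File PE32 GhostRAT RAT Backdoor Trojan
http://139.155.178.173:888/8908.exe http://139.155.178.173:888/System1.dll
139.155.178.173 - malware
ET INFO Executable Download from dotted-quad Host ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server
"""


def parse_hosts(line: str) -> list[dict]:
    """Parse 'host(ip) - label 1.2.3.4 - label ...' into one dict per host."""
    hosts = []
    for m in HOST_RE.finditer(line):
        label = LABEL_RE.match(line, m.end())  # label, if any, trails the host
        hosts.append({
            "name": m.group("name"),
            "ip": m.group("ip") or m.group("bare"),
            "label": label.group(1) if label else None,
        })
    return hosts


def parse_record(text: str) -> dict:
    """First line: sample, MD5, tags. Then 'ET ...' lines are Suricata alerts (several
    per line, split at every ' ET '), lines holding URLs are URLs, the rest are hosts."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head, body = lines[0], lines[1:]
    md5 = MD5_RE.search(head)
    md5 = md5.group(0) if md5 else None
    sample, *tags = head.split()
    rec = {"sample": sample, "md5": md5, "tags": [t for t in tags if t != md5],
           "urls": [], "hosts": [], "alerts": []}
    for ln in body:
        if ln.startswith("ET "):
            rec["alerts"].extend(a.strip() for a in re.split(r"\s(?=ET )", ln))
        elif URL_RE.search(ln):
            rec["urls"].extend(URL_RE.findall(ln))
        else:
            rec["hosts"].extend(parse_hosts(ln))
    return rec


def is_dotted_quad_pe_download(url: str) -> bool:
    """The shape behind the 'Executable Download from dotted-quad Host' alerts above:
    a bare IPv4 literal as host and a PE-type file name in the path."""
    p = urlparse(url)
    try:
        ip_address(p.hostname or "")
    except ValueError:
        return False
    return p.path.lower().endswith(PE_EXT)


def defang(indicator: str) -> str:
    """Make a URL or host safe to paste into a ticket (hxxp, [.])."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    rec = parse_record(RECORD_8227)
    print(rec["sample"], rec["md5"], rec["hosts"])
    for u in rec["urls"]:
        flag = "dotted-quad PE download" if is_dotted_quad_pe_download(u) else ""
        print(defang(u), flag)
```

The host regex deliberately refuses to match an IP that is glued to a parenthesis or a word, so the IP inside `name(ip)` is never double-counted as a bare host; feed it one listing line at a time, since IPs inside URLs would otherwise be picked up too.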
8231 | 2021-05-21 13:22
Sample: 0520_3249595264310.doc  MD5 4042525360b5e5321acfc75828fd6287
Tags: Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName
URLs (2):
  http://vaethemanic.com/8/forum.php - rule_id: 1478
  http://api.ipify.org/
Hosts (8):
  api.ipify.org(23.21.48.44)
  tembovewinated.ru(185.10.45.99) - malicious
  prournauseent.ru(176.9.248.145) - malicious
  vaethemanic.com(2.56.10.123) - malicious
  176.9.248.145 - malicious
  2.56.10.123 - malicious
  185.10.45.99 - malicious
  23.21.76.253
Suricata alerts (1):
  ET POLICY External IP Lookup api.ipify.org
Rule-matched URLs (1):
  http://vaethemanic.com/8/forum.php
8.4 | M | 13 | ZeroCERT

8232 | 2021-05-21 13:29
Sample: 0520_2812845003972.doc  MD5 aecae614ceb5f5c3dac0e00c773acb6d
Tags: Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
  http://vaethemanic.com/8/forum.php - rule_id: 1478
  http://api.ipify.org/
Hosts (8):
  prournauseent.ru(176.9.248.145) - malicious
  tembovewinated.ru(185.10.45.99) - malicious
  api.ipify.org(54.225.157.230)
  vaethemanic.com(2.56.10.123) - malicious
  176.9.248.145 - malicious
  2.56.10.123 - malicious
  185.10.45.99 - malicious
  50.16.192.84
Suricata alerts (1):
  ET POLICY External IP Lookup api.ipify.org
Rule-matched URLs (1):
  http://vaethemanic.com/8/forum.php
8.8 | M | 10 | ZeroCERT

8233 | 2021-05-21 13:39
Sample: 0520_2812845003972.doc  MD5 aecae614ceb5f5c3dac0e00c773acb6d
Tags: Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName
URLs (2):
  http://vaethemanic.com/8/forum.php - rule_id: 1478
  http://api.ipify.org/
Hosts (8):
  api.ipify.org(54.235.175.90)
  tembovewinated.ru(185.10.45.99) - malicious
  prournauseent.ru(176.9.248.145) - malicious
  vaethemanic.com(2.56.10.123) - malicious
  176.9.248.145 - malicious
  2.56.10.123 - malicious
  185.10.45.99 - malicious
  54.221.236.13
Suricata alerts (1):
  ET POLICY External IP Lookup api.ipify.org
Rule-matched URLs (1):
  http://vaethemanic.com/8/forum.php
8.4 | M | 10 | 조광섭

8234 | 2021-05-21 13:42
Sample: 0520_2812845003972.doc  MD5 aecae614ceb5f5c3dac0e00c773acb6d
Tags: Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName
URLs (2):
  http://vaethemanic.com/8/forum.php - rule_id: 1478
  http://api.ipify.org/
Hosts (8):
  api.ipify.org(54.225.157.230)
  tembovewinated.ru(185.10.45.99) - malicious
  prournauseent.ru(176.9.248.145) - malicious
  vaethemanic.com(2.56.10.123) - malicious
  176.9.248.145 - malicious
  2.56.10.123 - malicious
  185.10.45.99 - malicious
  54.221.236.13
Suricata alerts (1):
  ET POLICY External IP Lookup api.ipify.org
Rule-matched URLs (1):
  http://vaethemanic.com/8/forum.php
8.4 | M | 10 | 조광섭

8235 | 2021-05-21 14:24
Sample: 0520_2812845003972.doc  MD5 aecae614ceb5f5c3dac0e00c773acb6d
Tags: Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName
URLs (2):
  http://vaethemanic.com/8/forum.php - rule_id: 1478
  http://api.ipify.org/
Hosts (8):
  api.ipify.org(54.225.165.85)
  tembovewinated.ru(185.10.45.99) - malicious
  prournauseent.ru(176.9.248.145) - malicious
  vaethemanic.com(2.56.10.123) - malicious
  176.9.248.145 - malicious
  2.56.10.123 - malicious
  185.10.45.99 - malicious
  50.19.242.215
Suricata alerts (1):
  ET POLICY External IP Lookup api.ipify.org
Rule-matched URLs (1):
  http://vaethemanic.com/8/forum.php
8.4 | M | 10 | 조광섭
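Every Hancitor record above (8228, 8229, 8231 to 8235) shows the same two-step pattern: the macro asks api.ipify.org for the victim's public address and then talks to http://vaethemanic.com/8/forum.php, with only the ET POLICY external-IP-lookup alert firing in the sandbox. The script below correlates those two steps in proxy logs, so the lookup alone stays a policy event but a lookup followed shortly by a .php request to an unfamiliar domain from the same client becomes a detection. It is an added example, not code from the original listing or the ZeroCERT site; the log layout, the 600-second window, the lookup-service set and the allow-list are this example's assumptions, and PROXY_LOG is constructed, not captured.

```python
"""Correlate the two-step check-in visible in the Hancitor records on this page:
an external-IP lookup (api.ipify.org in the reports) followed by a request to a
.php endpoint on a domain with no other business on the network
(http://vaethemanic.com/8/forum.php in the reports).

Added example, not part of the original listing. The proxy-log layout, the
window, the lookup-service set and the allow-list are assumptions of this
example; the log lines are constructed, not captured.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.amazonaws.com"}  # assumed set
KNOWN_GOOD = {"intranet.example"}  # assumed allow-list of internal .php applications
WINDOW = timedelta(seconds=600)  # assumed: how long after the lookup we still correlate

# Constructed proxy log, "ISO-timestamp client method url", sorted by time.
# 10.0.0.15 reproduces the sequence from the records; 10.0.0.22 hits an internal
# .php app; 10.0.0.31 waits too long; 10.0.0.40 never did the lookup.
PROXY_LOG = """\
2021-05-21T11:47:02 10.0.0.15 GET http://api.ipify.org/
2021-05-21T11:47:03 10.0.0.15 POST http://vaethemanic.com/8/forum.php
2021-05-21T11:50:11 10.0.0.22 GET http://api.ipify.org/
2021-05-21T11:50:12 10.0.0.22 GET http://intranet.example/status.php
2021-05-21T12:03:40 10.0.0.31 GET http://api.ipify.org/
2021-05-21T12:30:00 10.0.0.31 GET http://vaethemanic.com/8/forum.php
2021-05-21T12:31:00 10.0.0.40 GET http://vaethemanic.com/8/forum.php
"""


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method, url


def find_checkin_sequences(log_text: str, window: timedelta = WINDOW,
                           known_good: set[str] = KNOWN_GOOD) -> list[dict]:
    """Return one hit per .php request to a non-allow-listed host that the same
    client makes within `window` after contacting an external-IP lookup service.
    Only the most recent lookup per client is kept; lines must be time-sorted."""
    last_lookup: dict[str, datetime] = {}
    hits = []
    for line in log_text.strip().splitlines():
        ts, client, method, url = parse_line(line)
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in IP_LOOKUP_HOSTS:
            last_lookup[client] = ts  # step one: remember when this client asked
            continue
        lookup_ts = last_lookup.get(client)
        if lookup_ts is None or ts - lookup_ts > window:
            continue  # no recent lookup from this client
        if host in known_good or not parsed.path.lower().endswith(".php"):
            continue  # step two must be a .php request to an unfamiliar host
        hits.append({"client": client, "lookup_at": lookup_ts.isoformat(),
                     "delay_s": int((ts - lookup_ts).total_seconds()),
                     "method": method, "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_checkin_sequences(PROXY_LOG):
        print(hit)
```

Note that 10.0.0.40, which requests the same forum.php URL without the preceding lookup, is not flagged by this logic; the sequence rule complements a plain indicator match on vaethemanic.com rather than replacing it, and it keeps working after the C2 domain rotates.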