8236 |
2021-05-21 14:28
|
0520_2812845003972.doc aecae614ceb5f5c3dac0e00c773acb6d Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478 http://api.ipify.org/
|
8
api.ipify.org(54.243.154.178) tembovewinated.ru(185.10.45.99) - mailcious prournauseent.ru(176.9.248.145) - mailcious vaethemanic.com(2.56.10.123) - mailcious 176.9.248.145 - mailcious 2.56.10.123 - mailcious 185.10.45.99 - mailcious 50.16.192.84
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.4 |
M |
10 |
조광섭
8237 |
2021-05-21 14:35
|
0520_2812845003972.doc aecae614ceb5f5c3dac0e00c773acb6d Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478 http://api.ipify.org/
|
8
api.ipify.org(50.19.242.215) tembovewinated.ru(185.10.45.99) - mailcious prournauseent.ru(176.9.248.145) - mailcious vaethemanic.com(2.56.10.123) - mailcious 176.9.248.145 - mailcious 2.56.10.123 - mailcious 185.10.45.99 - mailcious 54.225.155.255
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.0 |
M |
10 |
조광섭
8238 |
2021-05-21 15:27
|
0520_3174350754728.doc 1ffb14acaddc1c6b1c560a322db6214d Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478 http://api.ipify.org/
|
8
api.ipify.org(23.21.76.253) tembovewinated.ru(185.10.45.99) - mailcious prournauseent.ru(176.9.248.145) - mailcious vaethemanic.com(2.56.10.123) - mailcious 176.9.248.145 - mailcious 2.56.10.123 - mailcious 185.10.45.99 - mailcious 54.235.83.248
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.0 |
M |
10 |
ZeroCERT
8239 |
2021-05-21 16:16
|
0520_3174350754728.doc 1ffb14acaddc1c6b1c560a322db6214d Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478 http://api.ipify.org/
|
6
tembovewinated.ru(185.10.45.99) - mailcious api.ipify.org(50.16.192.84) vaethemanic.com(2.56.10.123) - mailcious 54.225.157.230 2.56.10.123 - mailcious 185.10.45.99 - mailcious
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
8.4 |
M |
10 |
조광섭
8240 |
2021-05-21 16:19
|
ConsoleApp12.exe 40caefae9655ee0c0726c76becde4743 PWS Loki[b] Loki[m] AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus DNS AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c powershell suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself suspicious process malicious URLs WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software |
1
http://74.201.28.138/kpi/03/pin.php
|
2
185.10.45.99 - mailcious 74.201.28.138
|
7
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response
|
|
11.8 |
M |
29 |
ZeroCERT
8241 |
2021-05-21 16:27
|
vg23ty.exe 0f66f5cd6f420f6d386924c0243cc6dc AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
2
http://www.daisy.photos/nke/?b6=h2yM4Zcqyl5zYTLZoZFTdz+q0PzETSYzB1r7CFHsdUVGmTt4pA27lzRJaz2sVEaOyrLDjNmk&DbG=_DKdFj http://www.workseap.com/nke/?DbG=_DKdFj&b6=mhSwXDq/7jOnyGkHqIVBrQNGEBg/J92S9Fu5waQttFlwrCbgrKU5sQr5NLJsPaaf0eNzTs2a
|
3
www.daisy.photos(34.102.136.180) www.workseap.com(34.102.136.180) 34.102.136.180 - mailcious
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
13.2 |
M |
25 |
guest
8242 |
2021-05-21 16:33
|
ConsoleApp9.exe 0f938ac4802642b34cc7105fb04c32ac AsyncRAT backdoor AgentTesla Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(104.21.19.200) checkip.dyndns.org(131.186.113.70) 162.88.193.70 104.21.19.200
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
17.6 |
M |
21 |
ZeroCERT
8243 |
2021-05-21 16:34
|
ConsoleApp19.exe ccf10dc1a6d121efdf9c28443a56e8b7 AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed |
2
http://checkip.dyndns.org/ https://freegeoip.app/xml/175.208.134.150
|
4
freegeoip.app(172.67.188.154) checkip.dyndns.org(131.186.113.70) 216.146.43.70 - suspicious 172.67.188.154
|
4
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
17.0 |
M |
18 |
ZeroCERT
8244 |
2021-05-21 16:38
|
vg23ty.exe 0f66f5cd6f420f6d386924c0243cc6dc AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus AntiDebug AntiVM .NET EXE PE File PE32 FormBook Malware download VirusTotal Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key crashed |
1
http://www.blueridgeholisticdental.com/nke/?b6=uV8TJry0ZtzhNvo&9rghd220=beluo/A3x1wk0axcPPYLRI6VL5KZoBZCIza2nCls1jNtqOSK3OGdLiR1PhbzTLTJ4aTYYmbD
|
3
www.blueridgeholisticdental.com(34.102.136.180) www.soqbtiup.icu() 34.102.136.180 - mailcious
|
2
ET INFO DNS Query for Suspicious .icu Domain ET MALWARE FormBook CnC Checkin (GET)
|
|
13.2 |
M |
25 |
guest
8245 |
2021-05-21 17:09
|
0520_565103775327.doc 21d75f519830577395709b9e78bc8971 Hancitor VBA_macro OS Processor Check MSOffice File Vulnerability VirusTotal Malware Malicious Traffic Checks debugger buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious TLD IP Check ComputerName |
2
http://vaethemanic.com/8/forum.php - rule_id: 1478 http://api.ipify.org/
|
8
prournauseent.ru(176.9.248.145) - mailcious tembovewinated.ru(185.10.45.99) - mailcious api.ipify.org(54.235.83.248) vaethemanic.com(2.56.10.123) - mailcious 176.9.248.145 - mailcious 2.56.10.123 - mailcious 185.10.45.99 - mailcious 50.19.242.215
|
1
ET POLICY External IP Lookup api.ipify.org
|
1
http://vaethemanic.com/8/forum.php
|
9.2 |
M |
13 |
ZeroCERT
8246 |
2021-05-23 10:03
|
setup1.exe a4015fd6918ebda49f3119c6851e2f56 PE File PE32 VirusTotal Malware Check memory unpack itself crashed |
|
|
|
|
1.6 |
|
16 |
ZeroCERT
8247 |
2021-05-23 10:04
|
file.exe 208d68b24b8a9d9f9db57f5f7705ecf9 Glupteba PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Windows DNS crashed |
|
|
|
|
3.4 |
|
26 |
ZeroCERT
8248 |
2021-05-23 10:13
|
setup2.exe f7b84bc8e435cc4dd024f66cd53b3609 PE File PE32 VirusTotal Malware Check memory unpack itself DNS crashed |
|
|
|
|
2.2 |
M |
19 |
ZeroCERT
8249 |
2021-05-23 10:13
|
BBSbacket.exe e19f8b76b5a0c4959fcb41fe5b46ad80 AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed |
3
http://87.251.71.193// - rule_id: 1393 https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947 https://api.ip.sb/geoip
|
5
c.pycharm3.ru(217.107.34.191) api.ip.sb(172.67.75.172) 104.26.12.31 87.251.71.193 - mailcious 217.107.34.191 - mailcious
|
2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA HTTP unable to match response to request
|
1
|
11.8 |
M |
30 |
ZeroCERT
8250 |
2021-05-23 10:14
|
22.exe 84a289e78940e188a5d3cd76c99b609e AsyncRAT backdoor PWS .NET framework Malicious Packer DNS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware Buffer PE suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW human activity check Windows ComputerName DNS DDNS |
|
3
freedemboiz.ddns.net(160.152.134.64) - mailcious 199.36.223.34 160.152.134.64
|
1
ET POLICY DNS Query to DynDNS Domain *.ddns .net
|
|
15.0 |
M |
45 |
ZeroCERT