12766 | 2021-09-24 12:00
0923_193403215579.doc b1c839e4851a11464066e93937199d11
Tags: VBA_macro Generic Malware MSOffice File GIF Format VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
http://api.ipify.org/
http://theergin.com/8/forum.php
Hosts (4):
theergin.com(91.214.71.26) - mailcious
api.ipify.org(54.243.45.255)
50.16.244.183
91.214.71.26 - mailcious
Alerts (1):
ET POLICY External IP Lookup api.ipify.org
Score: 8.8 | M | 14 | ZeroCERT

12767 | 2021-09-24 12:02
0923_1108167054640.doc d997cf0c333f156e501aef7d5f2409ae
Tags: hancitor VBA_macro Generic Malware MSOffice File GIF Format VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
http://theergin.com/8/forum.php - rule_id: 5510
http://api.ipify.org/
Hosts (4):
theergin.com(91.214.71.26) - mailcious
api.ipify.org(54.235.247.117)
50.19.104.221
91.214.71.26 - mailcious
Alerts (1):
ET POLICY External IP Lookup api.ipify.org
Flagged URLs (1):
http://theergin.com/8/forum.php
Score: 8.0 | M | 15 | ZeroCERT

12768 | 2021-09-24 12:05
0923_690278402563.doc e8e1dde40267664d096d602fcf1fb785
Tags: hancitor VBA_macro Generic Malware MSOffice File GIF Format VirusTotal Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
http://theergin.com/8/forum.php - rule_id: 5510
http://api.ipify.org/
Hosts (4):
theergin.com(91.214.71.26) - mailcious
api.ipify.org(23.21.173.155)
91.214.71.26 - mailcious
50.16.216.118
Alerts (1):
ET POLICY External IP Lookup api.ipify.org
Flagged URLs (1):
http://theergin.com/8/forum.php
Score: 8.8 | M | 16 | guest

12769 | 2021-09-24 12:07
0923_4173005610193.doc 37ff685c5b4f85962cdf1867a24c1ecc
Tags: hancitor VBA_macro Generic Malware MSOffice File GIF Format Malware Malicious Traffic Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting unpack itself Check virtual network interfaces IP Check ComputerName
URLs (2):
http://theergin.com/8/forum.php - rule_id: 5510
http://api.ipify.org/
Hosts (4):
theergin.com(91.214.71.26) - mailcious
api.ipify.org(50.16.235.219)
91.214.71.26 - mailcious
54.235.247.117
Alerts (1):
ET POLICY External IP Lookup api.ipify.org
Flagged URLs (1):
http://theergin.com/8/forum.php
Score: 7.4 | M | | guest

12770 | 2021-09-24 12:10
specification-1210302809.xls 030db7c607937a266f322e1a075f63d8
Tags: MSOffice File VirusTotal Malware RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://elitekhatsacco.co.ke/s6OkhAya/day.html
https://sukmabali.com/rwZiioLFaG/day.html
https://lfzombiegames.com/P8BJd4OW/day.html
Hosts (6):
lfzombiegames.com(172.96.186.147) - mailcious
sukmabali.com(103.253.212.72) - mailcious
elitekhatsacco.co.ke(162.241.169.16) - mailcious
162.241.169.16 - mailcious
172.96.186.147
103.253.212.72 - mailcious
Alerts (4):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
Score: 4.0 | | 9 | guest

12771 | 2021-09-24 12:12
specification-1216995372.xls 1792fb151473098d01ac9989ac7c0040
Tags: MSOffice File VirusTotal Malware ICMP traffic RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://elitekhatsacco.co.ke/s6OkhAya/day.html
https://sukmabali.com/rwZiioLFaG/day.html
https://lfzombiegames.com/P8BJd4OW/day.html
Hosts (6):
lfzombiegames.com(172.96.186.147) - mailcious
sukmabali.com(103.253.212.72) - mailcious
elitekhatsacco.co.ke(162.241.169.16) - mailcious
162.241.169.16 - mailcious
172.96.186.147
103.253.212.72 - mailcious
Alerts (4):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
Score: 4.8 | | 9 | guest

12772 | 2021-09-24 16:45
specification-1696062090.xls b18faf6bc59505ac36fb11d6ce6131d2
Tags: MSOffice File VirusTotal Malware RWX flags setting unpack itself suspicious process Tofsee
URLs (3):
https://elitekhatsacco.co.ke/s6OkhAya/day.html
https://sukmabali.com/rwZiioLFaG/day.html
https://lfzombiegames.com/P8BJd4OW/day.html
Hosts (6):
lfzombiegames.com(172.96.186.147) - mailcious
sukmabali.com(103.253.212.72) - mailcious
elitekhatsacco.co.ke(162.241.169.16) - mailcious
162.241.169.16 - mailcious
172.96.186.147 - mailcious
103.253.212.72 - mailcious
Alerts (4):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
Score: 4.2 | | 12 | guest

12773 | 2021-09-24 17:06
eresizebar.png 544c2478d26f9c59a9d371efe305ebf9
Tags: Malicious Library PE File PE32 Dridex TrickBot Malware Report suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
URLs (1):
https://184.74.99.214/lip124/TEST22-PC_W617601.F4BBDFF83BB3215DF35372D119FD13B3/5/file/
Hosts (5):
128.201.76.252 - mailcious
46.99.175.217 - mailcious
216.166.148.187 - mailcious
184.74.99.214 - mailcious
65.152.201.203 - mailcious
Alerts (3):
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
ET CNC Feodo Tracker Reported CnC Server group 10
Score: 6.6 | M | | ZeroCERT

12774 | 2021-09-24 17:07
escrow.exe 4568267da235d998580cfd9d8b828715
Tags: UPX Admin Tool (Sysinternals etc ...) Malicious Library DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Internet API FTP ScreenShot Http API Steal credential Downloader P2P AntiDebug AntiVM PE File PE32 Emotet VirusTotal Malware Buffer PE AutoRuns Code Injection buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName crashed
URLs (3):
https://l5celg.sn.files.1drv.com/y4miF6XlED8SY5--LgS44ahEhDcYCFwMTUFKt2cmNHEgwJC3dqKFsQUhuZ46dpQaoIwHZ9KrpMep0rTZkQKeIKr3PZ5VY_INk0UmRCYL9Fuve_Yapbe60tK7jScYNy1Diy91sotH3hSU3uEuESB1dR0pXlM2-y46BCMiXPgUnjHMhiUL6snOzGjoSuvMFM7tYUHYBSIwPEsZwIMl7BeBoMmvw/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1
https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21164&authkey=ANROjRWx1nqVZnY
https://l5celg.sn.files.1drv.com/y4mLv-GqBjhaOB-mLJQgnVgkJCnpmMVYtpQjObQnaZ2ICEvU_3slIlmM8hKoW6fzonHpOKQj9HLBz9pb93NCO-pwHLbMUwkj2_g8d-Aei7CkflN5HcEdHSyc0HTOihKZZ_mpA1Nxy9Rc64DBQqnSkxz0WCtr49llNeElSJ-6Gtwio1lzIg6B36LMbCy2OD_H-_Z-c6mpVGqdMQEpgm4NsDO7w/Ykpsyzzdkhppcdowwcfwlzpgevpatcf?download&psid=1
Hosts (6):
onedrive.live.com(13.107.42.13) - mailcious
l5celg.sn.files.1drv.com(13.107.42.12)
trapboijiggy.dvrlists.com(31.3.152.100)
13.107.42.13 - mailcious
13.107.42.12 - malware
31.3.152.100
Alerts (1):
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Score: 10.6 | M | 33 | ZeroCERT

12775 | 2021-09-24 17:08
esmallruby.png 33e5dbee2d872b34c54665cf0404520e
Tags: Malicious Library PE File PE32 Dridex TrickBot Malware Report suspicious privilege MachineGuid Malicious Traffic buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed
URLs (1):
https://186.4.193.75/tot152/TEST22-PC_W617601.3BBA0CFF68E3F779B5F041BB34213194/5/kps/
Hosts (3):
186.4.193.75
184.74.99.214 - mailcious
179.42.137.107
Alerts (3):
ET CNC Feodo Tracker Reported CnC Server group 10
ET POLICY Signed TLS Certificate with md5WithRSAEncryption
ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex
Score: 6.2 | M | | ZeroCERT

12776 | 2021-09-24 17:08
nscvhost.exe 341e63d0f0934ba186bd27a5e43ede35
Tags: Generic Malware Malicious Library PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution
Score: 2.0 | M | 20 | ZeroCERT

12777 | 2021-09-24 17:10
eflyairplane.png b164522e8070207393f280857dcc06f4
Tags: Malicious Library PE File PE32 suspicious privilege buffers extracted ICMP traffic unpack itself Check virtual network interfaces suspicious process ComputerName DNS crashed
Hosts (4):
186.4.193.75
45.181.207.156
179.42.137.108
179.42.137.106
Score: 6.8 | M | | ZeroCERT

12778 | 2021-09-24 17:11
i8u7hjdc.exe 61d5e32562d1c70daf0a3112f7888258
Tags: NPKI Generic Malware Malicious Packer UPX Anti_VM Malicious Library Antivirus PE64 PE File VirusTotal Malware powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key
Score: 8.4 | M | 37 | ZeroCERT

12779 | 2021-09-24 17:14
lv.exe e154389e7b2797d043b65d94a6ff9889
Tags: NPKI Gen1 Emotet Gen2 Themida Packer Generic Malware Malicious Library Anti_VM UPX Malicious Packer DGA DNS Socket Create Service Sniff Audio Escalate priviledges KeyLogger Code injection HTTP Hijack Network Internet API FTP ScreenShot Http API Steal cred VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities AppData folder malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check Windows crashed
Hosts (1):
Score: 7.0 | M | 25 | ZeroCERT

12780 | 2021-09-24 17:14
6789568764240821.exe b105bec27851dabe21e1cf1c56bfda0e
Tags: PWS .NET framework email stealer BitCoin Generic Malware Admin Tool (Sysinternals etc ...) ScreenShot Steal credential DNS SMTP KeyLogger Code injection AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces malicious URLs AntiVM_Disk IP Check VM Disk Size Check Windows Browser Email ComputerName Cryptographic key
URLs (1):
http://whatismyipaddress.com/
Hosts (4):
whatismyipaddress.com(104.16.154.36)
ftp.vn-gpack.org(66.70.204.222)
104.16.154.36
66.70.204.222 - malware
Alerts (1):
SURICATA Applayer Detect protocol only one direction
Score: 14.0 | M | 37 | ZeroCERT