13831 |
2021-10-20 15:51
|
biz-1433968740.xls 4121502a64172a96d0e50adea4a49a5d Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee DNS |
4
http://x1.i.lencr.org/
https://meettrust.in/aMZID8gQ/u.html
https://aqissarafood.com.my/eAu610rn3w8V/u.html
https://radiocaca.top/RVDXQ4D7cWU6/u.html
|
8
meettrust.in(192.185.129.109)
aqissarafood.com.my(103.27.74.73)
x1.i.lencr.org(104.74.211.103)
radiocaca.top(103.221.220.15) 104.74.168.254
192.185.129.109 - malware
103.27.74.73
103.221.220.15 - mailcious
|
5
ET INFO TLS Handshake Failure ET DNS Query to a *.top domain - Likely Hostile SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA TLS invalid record type SURICATA TLS invalid record/traffic
|
|
4.0 |
|
|
guest
13832 |
2021-10-20 16:03
|
DDoS attack Evidence.js 7b0538a53e8abe965a532c1ea466ac67 Generic Malware Antivirus AntiDebug AntiVM VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Check virtual network interfaces suspicious process suspicious TLD WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://moseronado.top/333g100/index.php
|
1
|
1
ET DNS Query to a *.top domain - Likely Hostile
|
|
10.0 |
|
15 |
ZeroCERT
13833 |
2021-10-20 16:30
|
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69 VBA_macro Generic Malware MSOffice File Vulnerability VirusTotal Malware unpack itself |
|
|
|
|
3.0 |
|
25 |
guest
13834 |
2021-10-20 16:35
|
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69 VBA_macro Generic Malware MSOffice File Vulnerability VirusTotal Malware unpack itself |
|
|
|
|
3.0 |
|
25 |
guest
13835 |
2021-10-20 17:05
|
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69 VBA_macro Generic Malware MSOffice File VirusTotal Malware unpack itself |
|
|
|
|
2.4 |
|
25 |
guest
13836 |
2021-10-20 17:08
|
1019_7169909343268.doc 4e062eb96bf086392a2a33f0f2dd7e69 VBA_macro Generic Malware MSOffice File VirusTotal Malware unpack itself |
|
|
|
|
2.4 |
|
25 |
guest
13837 |
2021-10-20 17:09
|
biz-1431840176.xls b0cca0af3bbafeae72288f34a065de04 Downloader MSOffice File Check memory unpack itself suspicious process suspicious TLD Tofsee DNS |
1
|
8
meettrust.in(192.185.129.109) - mailcious aqissarafood.com.my(103.27.74.73) - mailcious x1.i.lencr.org(104.74.168.254) radiocaca.top(103.221.220.15) - mailcious 104.76.75.146 103.27.74.73 - mailcious 208.91.197.91 - mailcious 103.221.220.15 - mailcious
|
4
ET DNS Query to a *.top domain - Likely Hostile SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
4.2 |
|
|
guest
13838 |
2021-10-20 17:13
|
biz-1431840176.xls b0cca0af3bbafeae72288f34a065de04 Downloader KeyLogger ScreenShot AntiDebug AntiVM MSOffice File Code Injection unpack itself |
|
|
|
|
2.0 |
|
|
guest
13839 |
2021-10-20 17:36
|
csrss.exe 3d6ae742ec7b2d75583674e68eb36c83 Malicious Library UPX PE File OS Processor Check PE32 VirusTotal Malware PDB unpack itself Remote Code Execution |
|
|
|
|
2.0 |
M |
25 |
ZeroCERT
13840 |
2021-10-20 17:38
|
vbc.exe 73fe142254abec3aeaef375f0564d40a NSIS Malicious Library UPX PE File PE32 DLL FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder |
13
|
27
|
1
ET MALWARE FormBook CnC Checkin (GET)
|
|
5.8 |
M |
22 |
ZeroCERT
13841 |
2021-10-20 17:38
|
leApp14.exe a395af3db4f82f425bba5f5c27ef6a8e RAT Generic Malware PE File PE32 .NET EXE VirusTotal Malware Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Tofsee ComputerName |
1
http://apps.identrust.com/roots/dstrootcax3.p7c
|
4
apps.identrust.com(119.207.65.74) store2.gofile.io(31.14.69.10) - mailcious 31.14.69.10 - mailcious 121.254.136.57
|
1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
|
2.8 |
|
15 |
ZeroCERT
13842 |
2021-10-20 17:39
|
eresizebar.png a10f6a8bf27612bc7f83054b99ebbed3 Emotet Gen1 Malicious Library UPX PE File OS Processor Check PE32 Dridex TrickBot Malware Report suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://179.189.229.254/lip138/TEST22-PC_W617601.FBB23899BD0B7BABA5FAD933B34B1531/5/file/
|
5
46.99.175.217 - mailcious 46.99.175.149 - mailcious 179.189.229.254 - mailcious 60.51.47.65 - mailcious 62.99.79.77 - mailcious
|
4
ET CNC Feodo Tracker Reported CnC Server group 9 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET CNC Feodo Tracker Reported CnC Server group 18 ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
6.8 |
|
|
ZeroCERT
13843 |
2021-10-20 17:41
|
loader4.exe 4f9a6937b1bb97f14cf0bac59fbde3a8 NSIS Malicious Library UPX PE File PE32 DLL Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software |
1
http://63.250.40.204/~wpdemo/file.php?search=745675 - rule_id: 6600
|
1
63.250.40.204 - mailcious
|
6
ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
|
1
http://63.250.40.204/~wpdemo/file.php
|
11.0 |
M |
28 |
ZeroCERT
13844 |
2021-10-20 17:41
|
vbc.exe 9a092f3515d0d124eada8025f048dcb8 RAT PWS .NET framework Generic Malware PE File PE32 .NET EXE VirusTotal Malware Report Check memory Checks debugger unpack itself DNS |
|
2
179.189.229.254 - mailcious 46.99.175.217 - mailcious
|
2
ET CNC Feodo Tracker Reported CnC Server group 18 ET CNC Feodo Tracker Reported CnC Server group 9
|
|
2.6 |
M |
23 |
ZeroCERT
13845 |
2021-10-20 17:43
|
etooltipred.png e7893203387ae95e0444edc49d02d155 Emotet Gen1 Malicious Library UPX PE File OS Processor Check PE32 Dridex TrickBot Malware Report suspicious privilege Malicious Traffic buffers extracted unpack itself Check virtual network interfaces suspicious process Kovter ComputerName DNS crashed |
1
https://179.189.229.254/top138/TEST22-PC_W617601.B5C653B8A7DDB8DBB90F7D1D7B3BFDF9/5/file/
|
6
128.201.76.252 - mailcious 46.99.175.149 - mailcious 179.189.229.254 - mailcious 185.56.175.122 - mailcious 65.152.201.203 - mailcious 62.99.79.77 - mailcious
|
5
ET CNC Feodo Tracker Reported CnC Server group 4 ET CNC Feodo Tracker Reported CnC Server group 10 ET CNC Feodo Tracker Reported CnC Server group 9 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
|
|
6.8 |
|
|
ZeroCERT