| ID | Date | File | MD5 | Tags | URLs | Hosts | IDS alerts | Extra | Score | Flag | VT | Submitter |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 14146 | 2021-10-28 09:38 | 1.xls | b1de71a7369b8398d18708df20890588 | VirusTotal Malware Check memory unpack itself suspicious process Tofsee Interception | | (2) www.bitly.com(67.199.248.15) - malicious; 67.199.248.15 - malicious | (1) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | | 4.4 | | 25 | guest |
| 14147 | 2021-10-28 09:57 | 1.xls | b1de71a7369b8398d18708df20890588 | VirusTotal Malware Check memory unpack itself suspicious process Interception | | (1) www.bitly.com(67.199.248.14) - malicious | | | 3.8 | | 25 | guest |
| 14148 | 2021-10-28 10:13 | 1027_4830311122.doc | 24e1900dfa4cdf71e11dd3f60874d87f | VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself | | | | | 2.0 | | | guest |
| 14149 | 2021-10-28 10:15 | 1027_6830345414.doc | 3f4f3c6d33b34fa28fca54d9accad2d1 | VBA_macro Generic Malware MSOffice File RWX flags setting unpack itself | | | | | 2.0 | | | guest |
| 14150 | 2021-10-28 10:21 | protocol-1581603754.xls | e7d9cf47cf81353bf431ff5dab10a747 | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee | (3) https://cabalasgov.com.br/OC3zbnSCG/j.html; https://guatec.com.br/NwnJ4ODx/j.html; https://site.advancertv.com/VbUzCCQo/j.html | (6) guatec.com.br(162.241.2.103); cabalasgov.com.br(162.241.2.146); site.advancertv.com(108.179.252.108); 162.241.2.146 - malicious; 162.241.2.103 - malicious; 108.179.252.108 | (2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | | 3.6 | | | guest |
| 14151 | 2021-10-28 10:23 | protocol-1581218734.xls | 2644388eeb78aad6173cd72d3d3efb78 | Downloader MSOffice File RWX flags setting unpack itself suspicious process Tofsee | (3) https://cabalasgov.com.br/OC3zbnSCG/j.html; https://guatec.com.br/NwnJ4ODx/j.html; https://site.advancertv.com/VbUzCCQo/j.html | (6) guatec.com.br(162.241.2.103); site.advancertv.com(108.179.252.108); cabalasgov.com.br(162.241.2.146); 162.241.2.146 - malicious; 162.241.2.103 - malicious; 108.179.252.108 | (2) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee); ET INFO TLS Handshake Failure | | 3.6 | | | guest |
| 14152 | 2021-10-28 10:24 | 0001.xll | be014ff519969d32929b19cd3be0c0d1 | Generic Malware Malicious Library UPX PE File OS Processor Check PE32 DLL VirusTotal Malware PDB Remote Code Execution | | | | | 2.0 | | 38 | ZeroCERT |
| 14153 | 2021-10-28 10:24 | user4.tx.ps1 | af2bec1985c781dc79389c9d63b6d8c5 | Generic Malware Antivirus VirusTotal Malware Check memory unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key DDNS | | (1) user1.redirectme.net(0.0.0.0) | (1) ET POLICY DNS Query to DynDNS Domain *.redirectme .net | | 2.6 | | 12 | ZeroCERT |
| 14154 | 2021-10-28 10:30 | 1027_4830311122.doc | 24e1900dfa4cdf71e11dd3f60874d87f | VBA_macro Generic Malware MSOffice File unpack itself | | | | | 1.6 | | | ZeroCERT |
| 14155 | 2021-10-28 10:56 | 1027_4830311122.doc | 24e1900dfa4cdf71e11dd3f60874d87f | VBA_macro Generic Malware MSOffice File Vulnerability unpack itself | | | | | 2.2 | | | guest |
| 14156 | 2021-10-28 11:00 | 1027_4830311122.doc | 24e1900dfa4cdf71e11dd3f60874d87f | VBA_macro Generic Malware MSOffice File Vulnerability unpack itself | | | | | 2.2 | | | guest |
| 14157 | 2021-10-28 11:02 | 1027_4830311122.doc | 24e1900dfa4cdf71e11dd3f60874d87f | VBA_macro Generic Malware MSOffice File Vulnerability unpack itself | | | | | 2.2 | | | guest |
| 14158 | 2021-10-28 11:07 | rundll32.exe | 72e7be10798c5a7c59972edb0a24f1d6 | PWS .NET framework Generic Malware AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself | (7) http://www.kangrungao.com/fqiq/?RRH=c0qy46zMNJWMlIfJWvLWas23i13YCpczqQVz26IikTOu0V/FV9kYBe5yW824zHJtR/JIW+qz&rVBxDv=S0GhCN - rule_id: 7035; http://www.kangrungao.com/fqiq/?RRH=c0qy46zMNJWMlIfJWvLWas23i13YCpczqQVz26IikTOu0V/FV9kYBe5yW824zHJtR/JIW+qz&rVBxDv=S0GhCN; http://www.esyscoloradosprings.com/fqiq/?RRH=KZhYdxsCK4fJ4m+EpksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+YHOsqPeAHgrxeW9DyCb&rVBxDv=S0GhCN - rule_id: 6444; http://www.hillcresthomegroup.com/fqiq/?RRH=e8IUz+kyOysVBZlQ7dDPCxDZEZgLUw6RtmKaFnpypWcRg6rSNETXHzLpDmYSKaMDSlUjICSm&rVBxDv=S0GhCN; http://www.eclecticrenaissancewoman.com/fqiq/?RRH=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&rVBxDv=S0GhCN - rule_id: 7032; http://www.eclecticrenaissancewoman.com/fqiq/?RRH=r0/ZbJtj1KlrPUtj6ktEAad/47kkdxrfw2ceKfpFhpDkJU8+thj5a8jyelsFbI6qHEc9DomI&rVBxDv=S0GhCN; http://www.benisano.com/fqiq/?RRH=1FzMW+0+OiUuFtKwwdX+18qfmmqzzEGxfDkpxhvrj8NPxWXEAOb928cDHixNpwT1SnXUPxEA&rVBxDv=S0GhCN | (12) www.eclecticrenaissancewoman.com(74.220.199.6); www.benisano.com(154.55.180.142); www.quicksticks.community() - malicious; www.esyscoloradosprings.com(108.167.135.122) - malicious; www.kangrungao.com(101.32.31.22); www.hillcresthomegroup.com(3.33.152.147); www.creationslazzaroni.com(); 108.167.135.122 - malicious; 15.197.142.173; 74.220.199.6 - malicious; 101.32.31.22; 154.55.180.142 | (2) SURICATA HTTP unable to match response to request; ET MALWARE FormBook CnC Checkin (GET) | (3) http://www.kangrungao.com/fqiq/; http://www.esyscoloradosprings.com/fqiq/; http://www.eclecticrenaissancewoman.com/fqiq/ | 7.8 | M | 11 | ZeroCERT |
| 14159 | 2021-10-28 11:08 | vbc.exe | 947b72694e25a2fefcfadd3aeec7c0a1 | NSIS Generic Malware Malicious Library UPX PE File PE32 DLL Emotet VirusTotal Malware Code Injection Check memory Creates executable files unpack itself AppData folder | | | | | 4.2 | | 27 | ZeroCERT |
| 14160 | 2021-10-28 11:09 | .lsass.exe | e87b10b098df8ff5906cb1154c78e83d | PWS .NET framework Generic Malware Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE File PE32 .NET EXE FormBook Malware download VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Checks Bios Detects VirtualBox suspicious process AppData folder WriteConsoleW VMware anti-virtualization Windows ComputerName Cryptographic key Software | (2) http://www.sphereexit.com/hs3h/?9r4l2=ovK17NR+9UX7Wpmyb0m8pcwlJANqg10H8ylO7nt8vOE6H521ypgFn5bRG3W409ePSOHLsSyF&EhU4Nv=gdM0vL4XuV; http://www.humaneeventmedia.com/hs3h/?9r4l2=C5Ykd5kOry65PbOFGBx9fIRVdBd3KKqqEB0SHZZ373IzmVOef987l4sShIxoMNnjViBaDvNR&EhU4Nv=gdM0vL4XuV | (4) www.humaneeventmedia.com(74.220.199.6); www.sphereexit.com(198.54.117.216); 74.220.199.6 - malicious; 198.54.117.212 - malicious | (1) ET MALWARE FormBook CnC Checkin (GET) | | 15.0 | | 32 | ZeroCERT |