popup

Report - invc_009030009.wbk

RTF File doc
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.10.18 17:58 Machine s1_win7_x6401
Filename invc_009030009.wbk
Type Rich Text Format data, unknown version
AI Score Not founds Behavior Score
4.0
ZERO API file : clean
VT API (file)
md5 ea27c453801a76553e850c260b6a288b
sha256 6a63e0f1a5b6452177c765321511e6c1363eba770d21d88adf5e067860f93ee1
ssdeep 384:T5feL1cEWAaJYAp85iOoh/O15+NEbXBJBLntuQpVcbxh3a4iU2ScUYU8oEJSYScn:TkLvSp8/eEl7YQ8r1iU0UNE5
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice An application raised an exception which may be indicative of an exploit crash
notice Creates hidden or system file
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice RTF file has an unknown version
notice Sends data using the HTTP POST Method
info One or more processes crashed

Rules (1cnts)

Level Name Description Collection
info Rich_Text_Format_Zero Rich Text Format Signature Zero binaries (upload)

Network (60cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.safebookkeeping.com/mxnu/?ytsDIrP=Dinuu19hFboSFju1K0HZ6EbcdDMO+ZnQ9sDSjm9DAS1j/pnpew28zT8+4dAfvZHXXiVk+x1O&JlM=tnt48PpXYxvL
whois
US DREAMHOST-AS 208.113.163.16 clean
http://www.tbrhc.com/mxnu/
whois
HK CNSERVERS 154.208.173.145 clean
http://www.normandia.pro/mxnu/?ytsDIrP=kHN/hbjK4OzLmo333toUUHv3cKFKy5bivtfKIua2AYmutZDuFn6HD/HyblDUos2+bUTS6mEe&JlM=tnt48PpXYxvL
whois
US ASN-GIGENET 70.32.1.32 clean
http://www.whitebot.xyz/mxnu/?ytsDIrP=mJKlLoR4AxZK/RYIFKAo0UiVtoPyzBJ6SQAFXLfvSOBYEGo1cqGoAX7CRK1QxANrckFntybM&JlM=tnt48PpXYxvL
whois
DE Linode, LLC 172.104.153.244 clean
http://www.jellyice-tr.com/mxnu/?ytsDIrP=2jYCrBsbpe7TX9aPhZM9pCxr75im0gQU84tPJTFdoXWJ8jmtmSvNbVsQgFqr9XIl+R+lpCoE&JlM=tnt48PpXYxvL
whois
US CLOUDFLARENET 172.67.173.247 6480 mailcious
http://www.revgeek.com/mxnu/?ytsDIrP=LFHT7yJDHTG5j2x991585jkXyYBkZkjzIUaPFc8bTKfmXG7pnxx1T4PiHIQyjDj8X+wed1XV&JlM=tnt48PpXYxvL
whois
HK ICIDC NETWORK 156.234.138.23 clean
http://www.historyofcambridge.com/mxnu/
whois
US AMAZON-AES 3.223.115.185 clean
http://www.whitebot.xyz/mxnu/
whois
DE Linode, LLC 172.104.153.244 clean
http://www.normandia.pro/mxnu/
whois
US ASN-GIGENET 70.32.1.32 clean
http://www.brandonhistoryandinfo.com/mxnu/
whois
US GOOGLE 34.102.136.180 6478 mailcious
http://www.naplesconciergerealty.com/mxnu/
whois
US GOOGLE 34.102.136.180 6394 mailcious
http://www.onehigh.club/mxnu/
whois
US CONFLUENCE-NETWORK-INC 209.99.64.33 6391 mailcious
http://www.onehigh.club/mxnu/?ytsDIrP=52TJ8f0Vxw2BzXpbfWSfaWlDTRlua2mq3mQuHpcP7nL3PE2hO33OHCZ6ItQZVKuqvI9FSTzz&JlM=tnt48PpXYxvL
whois
US CONFLUENCE-NETWORK-INC 209.99.64.33 6391 mailcious
http://www.naplesconciergerealty.com/mxnu/?ytsDIrP=hecv2sMFcvsyFIpzJOhZbtwMh1SG6St5/U1aPglBFWownzq2qPNpvMi/ho6Sg43JWpVw027R&JlM=tnt48PpXYxvL
whois
US GOOGLE 34.102.136.180 6394 mailcious
http://www.brandonhistoryandinfo.com/mxnu/?ytsDIrP=TBa+b5mpCdI4y/h180Pl2gJXBklETz7DPBwfCQzHJDv5/wBYQn0JU1W1LmmZ4xHxKrhvcr9L&JlM=tnt48PpXYxvL
whois
US GOOGLE 34.102.136.180 6478 mailcious
http://www.desongli.com/mxnu/
whois
US PEGTECHINC 108.186.180.79 clean
http://www.safebookkeeping.com/mxnu/
whois
US DREAMHOST-AS 208.113.163.16 clean
http://www.sattaking-gaziabad.xyz/mxnu/?ytsDIrP=UvUEtIev0LW0Fj9rimgEuaxF8o8Q3PSD9GE10acJUnczNTSiUTsn1kpqflxWWG28G9vjgVED&JlM=tnt48PpXYxvL
whois
LT Hostinger International Limited 185.28.21.80 clean
http://www.historyofcambridge.com/mxnu/?ytsDIrP=83rAwycDMUEJxLGVulxgJoLHCAQKcanhrm8XweUEKHeaWBLa77jLvzg0UgbAuk5RNaMObh69&JlM=tnt48PpXYxvL
whois
US AMAZON-AES 3.223.115.185 clean
http://www.tbrhc.com/mxnu/?ytsDIrP=dBbPwQ2utUd0Fk1uS+XSFkxz2YTUNCneFR1VLIh1vAwAXkSpHWWkzNznjyqcoekG5m5H1qts&JlM=tnt48PpXYxvL
whois
HK CNSERVERS 154.208.173.145 clean
http://www.desongli.com/mxnu/?ytsDIrP=hZ80obWBB1Dtx9mJDJ/B6KhSbXm9N4IXZ9kDZpitpQpTEQWdqR+8a/o3g7qjE+O8VqYt5r7Y&JlM=tnt48PpXYxvL
whois
US PEGTECHINC 108.186.180.79 clean
http://www.mortgagerates.solutions/mxnu/?ytsDIrP=e40TMWWr6xWVnQ1HwCqLobeJF4L/Z7xCu7/MTKlaRXTCRzwsua34O9neh9w9TPhFkJc6vnSR&JlM=tnt48PpXYxvL
whois
Unknown 64.190.62.111 clean
http://www.ingdalynnia.xyz/mxnu/
whois
DE Contabo GmbH 173.212.200.118 clean
http://www.mortgagerates.solutions/mxnu/
whois
Unknown 64.190.62.111 clean
http://www.closetu.com/mxnu/?ytsDIrP=rJ249TMVQMCwGwXS7eMNhvOWH4SbGXiKs4Vq1JHmstm/5V4DyV8c/XoA/4BgaERVtEbRuzyC&JlM=tnt48PpXYxvL
whois
US AMAZON-AES 3.223.115.185 clean
http://www.sattaking-gaziabad.xyz/mxnu/
whois
LT Hostinger International Limited 185.28.21.80 clean
http://www.revgeek.com/mxnu/
whois
HK ICIDC NETWORK 156.234.138.23 clean
http://www.jellyice-tr.com/mxnu/
whois
US CLOUDFLARENET 172.67.173.247 6480 mailcious
http://www.closetu.com/mxnu/
whois
US AMAZON-AES 3.223.115.185 clean
http://www.ingdalynnia.xyz/mxnu/?ytsDIrP=pfZfepvuuXd3YdzLhx74JhtQE2ZsQUx19b2XlYunhcRs71ErzSq2ECWFO+pn1SXrM1L87AtC&JlM=tnt48PpXYxvL
whois
DE Contabo GmbH 173.212.200.118 clean
http://192.3.110.172/006600066/vbc.exe
whois
US AS-COLOCROSSING 192.3.110.172 clean
www.jellyice-tr.com
whois
US CLOUDFLARENET 104.21.30.231 clean
www.safebookkeeping.com
whois
US DREAMHOST-AS 208.113.163.16 clean
www.closetu.com
whois
US AMAZON-AES 3.223.115.185 clean
www.naplesconciergerealty.com
whois
US GOOGLE 34.102.136.180 clean
www.normandia.pro
whois
US ASN-GIGENET 70.32.1.32 clean
www.historyofcambridge.com
whois
US AMAZON-AES 3.223.115.185 clean
www.onehigh.club
whois
US CONFLUENCE-NETWORK-INC 209.99.64.33 clean
www.brandonhistoryandinfo.com
whois
US GOOGLE 34.102.136.180 clean
www.mortgagerates.solutions
whois
Unknown 64.190.62.111 clean
www.whitebot.xyz
whois
DE Linode, LLC 172.104.153.244 clean
www.desongli.com
whois
US PEGTECHINC 108.186.180.79 clean
www.sattaking-gaziabad.xyz
whois
LT Hostinger International Limited 185.28.21.80 clean
www.tbrhc.com
whois
HK CNSERVERS 154.208.173.145 clean
www.revgeek.com
whois
HK ICIDC NETWORK 156.234.138.23 clean
www.ingdalynnia.xyz
whois
DE Contabo GmbH 173.212.200.118 clean
104.21.30.231
whois
US CLOUDFLARENET 104.21.30.231 clean
108.186.180.79
whois
US PEGTECHINC 108.186.180.79 clean
170.178.168.203
whois
US ST-BGP 170.178.168.203 clean
208.113.163.16
whois
US DREAMHOST-AS 208.113.163.16 clean
185.28.21.80
whois
LT Hostinger International Limited 185.28.21.80 clean
173.212.200.118
whois
DE Contabo GmbH 173.212.200.118 clean
156.234.138.23
whois
HK ICIDC NETWORK 156.234.138.23 clean
172.104.153.244
whois
DE Linode, LLC 172.104.153.244 clean
34.102.136.180
whois
US GOOGLE 34.102.136.180 mailcious
154.208.173.145
whois
HK CNSERVERS 154.208.173.145 clean
192.3.110.172
whois
US AS-COLOCROSSING 192.3.110.172 malware
3.223.115.185
whois
US AMAZON-AES 3.223.115.185 mailcious
64.190.62.111
whois
Unknown 64.190.62.111 mailcious
209.99.64.33
whois
US CONFLUENCE-NETWORK-INC 209.99.64.33 mailcious

Suricata ids

ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

Similarity measure (PE file only) - Checking for service failure