Windows Analysis Report SecuriteInfo.com.Exploit.Siggen3.20906.5188.743

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.20906.5188.743 (renamed file extension from 743 to xls)
Analysis ID: 493727
MD5: 7b83b99dace5664b9ab5c0c3882be408
SHA1: 4c4893beca92234c023ee2dfff759e155c643ed3
SHA256: e005a59b0ab458c8a1ab6883e17504382bd72d2e9de8eb99c785de520c258c0c
Tags: xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls Virustotal: Detection: 15% Perma Link
Source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: https://mercanets.com/9DPZqAfZdq5z/key.xml Virustotal: Detection: 6% Perma Link
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 199.79.63.251:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.251.80.22:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.222.225.250:443 -> 192.168.2.22:49169 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 199.79.63.251:443
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: gillcart.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 199.79.63.251:443

Networking:

barindex
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Cdpmoyhr/key.xml HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gillcart.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /MeOlE9Xxd/key.xml HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: geit.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /9DPZqAfZdq5z/key.xml HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mercanets.comConnection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 29 Sep 2021 21:38:44 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html;charset=utf-8
Source: regsvr32.exe, 00000002.00000002.451672317.0000000004970000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432587369.0000000004990000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415814445.0000000004850000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000002.00000002.451672317.0000000004970000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432587369.0000000004990000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415814445.0000000004850000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000002.00000002.451672317.0000000004970000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432587369.0000000004990000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415814445.0000000004850000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000002.00000002.451936765.0000000004B57000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432788752.0000000004B77000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415998008.0000000004A37000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000002.00000002.451936765.0000000004B57000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432788752.0000000004B77000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415998008.0000000004A37000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000002.00000002.451150137.00000000039E0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432211092.0000000003A00000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415415341.0000000003A10000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000002.00000002.450721197.0000000001C50000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.431900554.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415019465.0000000001DC0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000002.00000002.451936765.0000000004B57000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432788752.0000000004B77000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415998008.0000000004A37000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000002.00000002.451936765.0000000004B57000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432788752.0000000004B77000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415998008.0000000004A37000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000002.00000002.451150137.00000000039E0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432211092.0000000003A00000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415415341.0000000003A10000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000002.00000002.451672317.0000000004970000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432587369.0000000004990000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415814445.0000000004850000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000002.00000002.451936765.0000000004B57000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432788752.0000000004B77000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415998008.0000000004A37000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000002.00000002.451672317.0000000004970000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432587369.0000000004990000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415814445.0000000004850000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.415814445.0000000004850000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\key[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: gillcart.com
Source: global traffic HTTP traffic detected: GET /Cdpmoyhr/key.xml HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: gillcart.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /MeOlE9Xxd/key.xml HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: geit.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /9DPZqAfZdq5z/key.xml HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mercanets.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 199.79.63.251:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.251.80.22:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.222.225.250:443 -> 192.168.2.22:49169 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 18 '9 41' I 20 (D PROTECTED VIEW Be careful- files from the 1nterne :cted View.
Source: Screenshot number: 4 Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 18 '9 41' I 20 (D PROTECTED VIEW Be careful- files from the 1nterne :cted View.
Source: Screenshot number: 8 Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Screenshot number: 12 Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Screenshot number: 12 Screenshot OCR: Enable Content (i) SECURITY WARNING Macros have been disabled. Enable Content If you are using a m
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing 0 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless yo
Source: Document image extraction number: 0 Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 1 Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Yara signature match
Source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Document contains embedded VBA macros
Source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls OLE indicator, VBA macros: true
Source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls Virustotal: Detection: 15%
Source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls ReversingLabs: Detection: 22%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls OLE indicator, Workbook stream: true
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test Jump to behavior
Source: regsvr32.exe, 00000002.00000002.451672317.0000000004970000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.432587369.0000000004990000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.415814445.0000000004850000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCCCF.tmp Jump to behavior
Source: classification engine Classification label: mal80.expl.winXLS@7/0@3/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: C:\Windows\System32\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 2984 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2632 Thread sleep count: 56 > 30 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 772 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1268 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2252 Thread sleep time: -60000s >= -30000s Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: SecuriteInfo.com.Exploit.Siggen3.20906.5188.xls, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 493727 Sample: SecuriteInfo.com.Exploit.Si... Startdate: 29/09/2021 Architecture: WINDOWS Score: 80 22 Multi AV Scanner detection for domain / URL 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->26 28 3 other signatures 2->28 6 EXCEL.EXE 58 24 2->6         started        process3 dnsIp4 16 mercanets.com 162.222.225.250, 443, 49169 PUBLIC-DOMAIN-REGISTRYUS United States 6->16 18 geit.in 162.251.80.22, 443, 49168 PUBLIC-DOMAIN-REGISTRYUS United States 6->18 20 gillcart.com 199.79.63.251, 443, 49167 PUBLIC-DOMAIN-REGISTRYUS United States 6->20 30 Document exploit detected (UrlDownloadToFile) 6->30 10 regsvr32.exe 6->10         started        12 regsvr32.exe 6->12         started        14 regsvr32.exe 6->14         started        signatures5 process6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
199.79.63.251
 gillcart.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
162.251.80.22
 geit.in United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
162.222.225.250
 mercanets.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
mercanets.com 162.222.225.250 true
geit.in 162.251.80.22 true
gillcart.com 199.79.63.251 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://geit.in/MeOlE9Xxd/key.xml false
  • 3%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://gillcart.com/Cdpmoyhr/key.xml false
  • 4%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://mercanets.com/9DPZqAfZdq5z/key.xml true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown