IOC Report
SBAFLA TeamCALL marcia.main__ (lo).msg

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| SBAFLA TeamCALL marcia.main__ (lo).msg | CDFV2 Microsoft Outlook Message | initial sample | malicious |
| C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs | Composite Document File V2 Document, Cannot read section info | dropped | malicious |
| C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst | Microsoft Outlook email folder (>=2003) | dropped | malicious |
| C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp | data | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | ASCII text, with very long lines (65536), with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C9133CE7-819D-41F5-9574-BE9873051092 | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db | SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2 | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal | SQLite Write-Ahead Log, version 3007000 | dropped | |
| C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres | data | modified | |
| C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6788252A.dat | PNG image data, 1334 x 550, 8-bit/color RGBA, non-interlaced | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{5CDC9F25-2014-45E2-8226-259FFE99C17A}.tmp | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1732134295747013900_24E81801-333B-4186-961E-002732A96AE6.log | ASCII text, with very long lines (859), with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1732134295747861100_24E81801-333B-4186-961E-002732A96AE6.log | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241120T1524550500-6956.etl | data | modified | |
| C:\Users\user\AppData\Local\Temp\~DF11452DC757FBA597.TMP | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 19:25:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 19:25:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 19:25:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 19:25:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 19:25:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| Chrome Cache Entry: 104 | gzip compressed data, from Unix, original size modulo 2^32 190271 | dropped | |
| Chrome Cache Entry: 105 | gzip compressed data, from Unix, original size modulo 2^32 449980 | downloaded | |
| Chrome Cache Entry: 107 | gzip compressed data, from Unix, original size modulo 2^32 113378 | downloaded | |
| Chrome Cache Entry: 108 | gzip compressed data, original size modulo 2^32 3651 | dropped | |
| Chrome Cache Entry: 109 | ASCII text, with no line terminators | downloaded | |
| Chrome Cache Entry: 110 | gzip compressed data, from Unix, original size modulo 2^32 26681 | downloaded | |
| Chrome Cache Entry: 111 | PNG image data, 305 x 174, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 112 | gzip compressed data, from Unix, original size modulo 2^32 142365 | dropped | |
| Chrome Cache Entry: 113 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 114 | gzip compressed data, from Unix, original size modulo 2^32 15768 | downloaded | |
| Chrome Cache Entry: 115 | gzip compressed data, from Unix, original size modulo 2^32 3600 | downloaded | |
| Chrome Cache Entry: 121 | JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 1527x872, components 3 | dropped | |
| Chrome Cache Entry: 122 | gzip compressed data, from Unix, original size modulo 2^32 407099 | downloaded | |
| Chrome Cache Entry: 123 | JSON data | dropped | |
| Chrome Cache Entry: 124 | gzip compressed data, original size modulo 2^32 1864 | dropped | |
| Chrome Cache Entry: 127 | HTML document, ASCII text | downloaded | |
| Chrome Cache Entry: 129 | GIF image data, version 89a, 352 x 3 | downloaded | |
| Chrome Cache Entry: 130 | gzip compressed data, original size modulo 2^32 513 | downloaded | |
| Chrome Cache Entry: 93 | MS Windows icon resource - 6 icons, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 24x24 with PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced, 32 bits/pixel | downloaded | |
| Chrome Cache Entry: 94 | gzip compressed data, from Unix, original size modulo 2^32 57443 | downloaded | |
| Chrome Cache Entry: 99 | GIF image data, version 89a, 352 x 3 | dropped | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://safrareal.com.br/favicon.ico | 191.252.128.160 | malicious |
| https://microsoft-microsoft-microsoft-microsoft-microsoft.almajapharma.com/common/login | | malicious |
| https://microsoft-microsoft-microsoft-microsoft-microsoft.almajapharma.com/?no=bWFyY2lhLm1haW5Ac2JhZmxhLmNvbQ==$&sso_reload=true | | malicious |
| http://safrareal.com.br/yoya/peaed1yfcu5lrni4alggwoyea1eixud6hafuq/bWFyY2lhLm1haW5Ac2JhZmxhLmNvbQ==$ | | |
| https://microsoft-microsoft-microsoft-microsoft-microsoft.almajapharma.com/?no=bWFyY2lhLm1haW5Ac2JhZmxhLmNvbQ==$ | | |

Domains


IPs
