Submissions

No Date Request Urls Hosts IDS Rule Score Zero VT Player Etc

31 2023-02-14 08:48 cent.exe
3da349c11f4815d16c5c8a9eae9947ea
Gen1 Emotet Ave Maria WARZONE RAT RAT PWS .NET framework Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE32 CAB PE File OS Processor Check DLL PE64 .NET EXE Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
9 6 9 7 18.6 M ZeroCERT

32 2023-02-14 17:57 notru.exe
346bf9980e9ec9cc393bbf01d92808d3
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
1 10.4 ZeroCERT

33 2023-02-15 09:53 hala.exe
8542daf9a7b04983cc2cee97f287b21c
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
2 11.6 M 41 ZeroCERT

34 2023-02-15 09:57 notru.exe
c2792781513e8455b23de90dbb235fc8
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
1 10.4 M ZeroCERT

35 2023-02-15 10:41 truno.exe
f4e86f6586378db49f0718ca5062e7fe
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
1 10.4 M ZeroCERT

36 2023-02-15 10:43 igla.exe
4504bbda9dc1c703d63552fff058214b
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
2 8.2 M ZeroCERT

37 2023-02-16 10:19 inga.exe
1c382794cfb6206d7245e9af8d99dda9
Gen1 Emotet RAT PWS .NET framework Malicious Library UPX PE32 CAB PE File OS Processor Check .NET EXE Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
2 11.0 ZeroCERT

38 2023-02-16 19:02 inga.exe
4a1d546046bb76031cf2eb0c75bd2acd
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
2 10.4 M ZeroCERT

39 2023-02-19 03:50 f5epi_setup.exe
22b63909d4cc5f67c8b890492cdba72f
Gen1 Emotet Malicious Library UPX PE32 CAB PE File VirusTotal Malware AutoRuns PDB Check memory Checks debugger buffers extracted Creates executable files unpack itself AntiVM_Disk VM Disk Size Check Windows Remote Code Execution
3.8 1 guest

40 2023-02-19 14:12 truno.exe
ccd617daafb9c50ea779358c9a35ee03
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
3 10.4 M ZeroCERT

41 2023-02-19 14:12 notru.exe
0f383a69481a4861bba329565f912e1f
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
1 11.8 M 40 ZeroCERT

42 2023-02-19 14:13 lenta.exe
f64ad03bab3a22101b9d12ea62cbdf38
RedLine stealer[m] Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) AntiDebug AntiVM PE32 CAB PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
4 6 8 21.0 M ZeroCERT

43 2023-02-19 14:13 inga.exe
b30bcaad523513a6b44e33dc35b0997d
Gen1 Emotet RAT PWS .NET framework Malicious Library UPX PE32 CAB PE File OS Processor Check .NET EXE Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege MachineGuid Check memory Checks debugger WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
1 10.6 M ZeroCERT

44 2023-02-19 14:13 cent.exe
72ae1bcbf0f8853939bbeb509fb02a06
PWS[m] RedLine stealer[m] Gen1 Emotet Ave Maria WARZONE RAT SmokeLoader RAT RedLine Stealer PWS .NET framework Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) Confuser .NET SMTP AntiDebug AntiVM PE32 CAB PE File OS Processor Ch Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
11 10 13 3 21.8 M ZeroCERT

45 2023-02-20 09:38 egor.exe
28bed3034caa4ce9aa82ab90499d9121
Gen1 Emotet Malicious Library UPX PE32 CAB PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
2 8.2 ZeroCERT