Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
76	2023-03-24 09:39	LitPay.exe 3951f8ad7e0e7682fc0d9d13c9a503c5 Gen1 Emotet UPX Malicious Library CAB PE64 PE File .NET EXE PE32 VirusTotal Malware AutoRuns PDB suspicious privilege Check memory Checks debugger Creates executable files unpack itself AppData folder Windows Remote Code Execution Cryptographic key crashed					4.6		23	ZeroCERT

77	2023-03-27 10:23	foto0169.exe 2a8355fa97a9ff869abb1e12d6fc70f1 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		2			8.2	M		ZeroCERT

78	2023-03-30 16:43	lega.exe 1a5f749669d8b3a12463fdf8b7cc3f83 RedLine stealer[m] Gen1 Emotet PWS .NET framework RAT NPKI RedLine Stealer Generic Malware UPX Malicious Library Antivirus Malicious Packer Admin Tool (Sysinternals etc ...) Confuser .NET SMTP PWS[m] AntiDebug AntiVM CAB PE32 PE File OS Processor Check .N Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Browser Email ComputerName Remote Code Execution Trojan DNS Cryptographic key Software crashed Downloader	11 Keyword trend analysis Info http://193.233.20.36/joomla/index.php http://193.233.20.36/lend/123dsss.exe http://193.233.20.36/lend/Tarlatan.exe http://193.233.20.36/lend/Gmeyad.exe http://185.246.221.126/bins/2023.exe.exe http://185.246.221.126/bins/w.exe http://193.233.20.36/lend/tmpBEB8.tmp.exe http://193.233.20.36/joomla/Plugins/cred64.dll http://193.233.20.36/joomla/Plugins/clip64.dll https://bitcoin.org/bin/bitcoin-core-22.0/bitcoin-22.0-win64-setup.exe https://download.electrum.org/4.3.4/electrum-4.3.4-setup.exe	13 Info downloads.exodus.com(104.18.18.218) bitcoin.org(172.67.40.154) download.electrum.org(104.21.89.144) 185.246.221.126 - mailcious 193.233.20.36 - malware 176.113.115.145 172.67.40.154 212.87.204.93 - mailcious 199.115.193.116 66.42.108.195 - mailcious 172.67.160.221 45.33.6.223 104.18.19.218	10 Info ET MALWARE Amadey CnC Check-In ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host DLL Request ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile		24.6	M	36	ZeroCERT

79	2023-04-02 08:52	foto0169.exe e162570e19e5b7b60bdea41e4aee9b46 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			8.2			ZeroCERT

80	2023-04-02 15:30	fotocr.exe 3a11872274727385e77e57a186565536 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			10.4			ZeroCERT

81	2023-04-03 08:26	photo_007.exe cd863c532d8b7fb02cfe7ad045c9d032 Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed	5 Keyword trend analysis	2	6 Info ET MALWARE Amadey CnC Check-In ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request		16.0	M		ZeroCERT

82	2023-04-03 08:45	foto0189.exe f40b9e44108344b258417dd2c1056490 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			8.2			ZeroCERT

83	2023-04-03 08:49	fotocr12.exe c1d020b73ceac78a6206c7203996683c Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			10.4	M		ZeroCERT

84	2023-04-05 08:42	fotocr14.exe 2dcb47fdf1d84aeb14d68a2c1b901ac1 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			10.4			ZeroCERT

85	2023-04-05 08:51	foto0145.exe c70824476e0f90af3097eaf9467c0924 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			8.2	M		ZeroCERT

86	2023-04-10 09:30	foto0154.exe 1fdd7be5eb45c613ba6239edb83ab7ea Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			8.2	M		ZeroCERT

87	2023-04-10 09:31	photo_112.exe a67bb51b119a575bc5fbac95df8429c7 Gen1 Emotet UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed	2 Keyword trend analysis	2	6 Info ET MALWARE Amadey CnC Check-In ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Dotted Quad Host DLL Request		15.4	M		ZeroCERT

88	2023-04-10 09:31	foto0154.exe 3565091a7c8d8606dd54a6d9a28de337 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		2			8.2	M		ZeroCERT

89	2023-04-10 09:39	lega.exe d21ed39f2754e2d9f681828a60d0c3c0 Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE32 PE File OS Processor Check DLL Browser Info Stealer Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader	5 Keyword trend analysis	7	14 Info ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Amadey CnC Check-In ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) ET INFO Packed Executable Download ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET INFO Dotted Quad Host DLL Request	1	16.0	M		ZeroCERT

90	2023-04-10 09:49	fotocr17.exe 9354e489234efc07b0ad81163fd58f35 Gen1 Emotet UPX Malicious Library CAB PE32 PE File Browser Info Stealer FTP Client Info Stealer AutoRuns PDB suspicious privilege Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Disables Windows Security Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed		1			10.4	M		ZeroCERT