1 | 2024-05-31 07:42 | 5.exe | 58f255cdde1639cac205467621bfcb70 | Emotet NSIS Malicious Library UPX PE File DllRegisterServer dll PE32 MZP Format CAB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files installed browsers check Browser ComputerName DNS
Hosts (3): 172.67.213.39 104.26.5.15 104.21.66.124 - malware
3.0 | M | | ZeroCERT

2 | 2022-08-13 20:43 | WW.exe | 1b4fc049d71cc0d02f977f371d551a38 | RAT PWS .NET framework PhysicalDrive Generic Malware UPX Malicious Library Admin Tool (Sysinternals etc ...) Downloader Malicious Packer Antivirus Confuser .NET AntiDebug AntiVM PE32 PE File MSOffice File OS Processor Check .NET EXE PNG Format PE64 Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency RecordBreaker Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Auto service Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee Mars Stealer Stealer Windows Exploit Browser Email ComputerName Firmware DNS Cryptographic key Software crashed
URLs (12): http://193.56.146.177/ http://apps.identrust.com/roots/dstrootcax3.p7c http://45.159.248.173/3137953174.zip http://45.159.248.173/1571 http://45.159.248.173/ https://raw.githubusercontent.com/BardBax/xyi/main/Task24Watch.exe - rule_id: 20726 https://dl.uploadgram.me/62f0d0bc546feh?raw https://github.com/BardBax/xyi/blob/main/xmrig.exe?raw=true - rule_id: 20727 https://github.com/BardBax/xyi/blob/main/Task24Watch.exe?raw=true - rule_id: 20724 https://github.com/BardBax/xyi/raw/main/xmrig.exe - rule_id: 20728 https://github.com/BardBax/xyi/raw/main/Task24Watch.exe - rule_id: 20725 https://raw.githubusercontent.com/BardBax/xyi/main/xmrig.exe - rule_id: 20729
Hosts (20): github.com(52.78.231.108) - mailcious iplogger.org(148.251.234.83) - mailcious dl.uploadgram.me(176.9.247.226) - malware insttaller.com(185.191.229.101) apps.identrust.com(119.207.65.137) raw.githubusercontent.com(185.199.108.133) - malware xmr-eu2.nanopool.org(51.15.55.100) - mailcious 148.251.234.83 193.56.146.177 185.199.110.133 - malware 176.113.115.146 185.191.229.101 23.206.175.225 195.54.170.157 - mailcious 45.159.248.173 51.15.55.100 176.9.247.226 - malware 62.204.41.144 - mailcious 103.89.90.61 - mailcious 20.200.245.247
Signatures (10): ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host ZIP Request ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) ET MALWARE Win32/RecordBreaker CnC Checkin ET MALWARE Win32/Kryptik.HQAF Checkin ET MALWARE Arkei/Vidar/Mars Stealer Variant ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
Rule-matched URLs (6): https://raw.githubusercontent.com/BardBax/xyi/main/Task24Watch.exe https://github.com/BardBax/xyi/blob/main/xmrig.exe?raw=true https://github.com/BardBax/xyi/blob/main/Task24Watch.exe?raw=true https://github.com/BardBax/xyi/raw/main/xmrig.exe https://github.com/BardBax/xyi/raw/main/Task24Watch.exe https://raw.githubusercontent.com/BardBax/xyi/main/xmrig.exe
24.0 | M | 42 | ZeroCERT

3 | 2022-08-03 09:56 | 11.exe | 70de51ca375c085e9f7ff666d7860673 | RAT PWS .NET framework Gen1 Gen2 Malicious Library UPX Confuser .NET Malicious Packer AntiDebug AntiVM PE32 PE File OS Processor Check .NET EXE MSOffice File PNG Format DLL JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency RecordBreaker suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder sandbox evasion anti-virtualization installed browsers check Tofsee Mars Stealer Stealer Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (15): http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://apps.identrust.com/roots/dstrootcax3.p7c http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll http://45.159.248.53/1571 http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://45.159.248.53/3916964505.zip http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://77.73.132.84/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://77.73.132.84/ - rule_id: 20954 http://45.159.248.53/ http://77.73.132.84/4ff6a9e5b37738bf80a9e30f1146d356 https://dl.uploadgram.me/62e89a313d68ch?raw
Hosts (13): dl.uploadgram.me(176.9.247.226) - malware apps.identrust.com(221.161.198.8) insttaller.com(185.191.229.101) iplogger.org(148.251.234.83) - mailcious 31.41.244.134 - mailcious 148.251.234.83 45.159.248.53 182.162.106.33 - malware 185.191.229.101 195.54.170.157 176.9.247.226 - malware 77.73.132.84 - mailcious 103.89.90.61 - mailcious
Signatures (14): ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET MALWARE Win32/RecordBreaker CnC Checkin ET MALWARE Win32/Kryptik.HQAF Checkin ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET HUNTING Suspicious User-Agent (record) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Dotted Quad Host ZIP Request ET MALWARE Arkei/Vidar/Mars Stealer Variant ET HUNTING Possible Generic Stealer Sending System Information ET HUNTING Possible Generic Stealer Sending a Screenshot
Rule-matched URLs (1):
17.8 | M | 34 | ZeroCERT

4 | 2022-07-31 13:53 | JOB.exe | c0ea08a163298e0493d9cb9d9f6881d1 | RAT PWS .NET framework Malicious Library UPX Confuser .NET Admin Tool (Sysinternals etc ...) Malicious Packer AntiDebug AntiVM PE32 PE File MSOffice File OS Processor Check .NET EXE PNG Format JPEG Format Browser Info Stealer Malware download FTP Client Info Stealer Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process sandbox evasion WriteConsoleW anti-virtualization installed browsers check Tofsee Mars Stealer Stealer Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (12): http://146.19.247.187/ - rule_id: 20751 http://62.204.41.126/ http://146.19.247.187/1571 - rule_id: 20756 http://146.19.247.187/1571 http://146.19.247.187/5587879545.zip http://91.242.229.63/0926682109.zip http://91.242.229.63/1557 - rule_id: 20752 http://91.242.229.63/1557 http://62.204.41.126/1521 - rule_id: 20754 http://62.204.41.126/1521 http://91.242.229.63/ - rule_id: 20750 http://62.204.41.126/9051825815.zip
Hosts (13): transfer.sh(144.76.136.153) - malware iplogger.org(148.251.234.83) - mailcious 146.19.247.187 - mailcious 148.251.234.83 91.242.229.63 - malware 185.87.149.167 - mailcious 31.41.244.134 - mailcious 62.204.41.144 - mailcious 45.182.189.196 - mailcious 62.204.41.126 - malware 144.76.136.153 - mailcious 103.89.90.61 - mailcious 185.199.224.90 - mailcious
Signatures (9): ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Dotted Quad Host ZIP Request ET INFO TLS Handshake Failure ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) ET MALWARE Arkei/Vidar/Mars Stealer Variant ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
Rule-matched URLs (5): http://146.19.247.187/ http://146.19.247.187/1571 http://91.242.229.63/1557 http://62.204.41.126/1521 http://91.242.229.63/
20.6 | M | 48 | ZeroCERT

5 | 2022-07-27 09:06 | EU.exe | f052acab310330627d5e20b1107b9d76 | RAT PWS .NET framework Malicious Library UPX Confuser .NET Admin Tool (Sysinternals etc ...) Malicious Packer AntiDebug AntiVM PE32 PE File OS Processor Check .NET EXE PNG Format MSOffice File JPEG Format Browser Info Stealer Password Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications sandbox evasion anti-virtualization installed browsers check Tofsee Stealer Windows Exploit Browser Email ComputerName DNS Cryptographic key Software crashed
URLs (8): http://146.19.247.187/ http://146.19.247.187/1571 http://91.242.229.63/1557 http://62.204.41.126/1521 http://91.242.229.63/ http://146.19.247.187/0377760326.zip http://62.204.41.126/3934831969.zip http://91.242.229.63/0636281682.zip
Hosts (12): iplogger.org(148.251.234.83) - mailcious 146.19.247.187 148.251.234.83 146.19.247.145 185.87.149.167 31.41.244.134 - mailcious 62.204.41.144 - mailcious 45.182.189.196 62.204.41.126 91.242.229.63 103.89.90.61 - mailcious 185.199.224.90
Signatures (6): ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET INFO Dotted Quad Host ZIP Request ET MALWARE W32/Agent.OGR!tr.pws Stealer
18.8 | M | 43 | ZeroCERT

6 | 2022-07-18 10:05 | 1.exe | 8a2467bc20879ad5029d61f2801fbc38 | RAT PWS .NET framework Emotet UPX Malicious Library Confuser .NET AntiDebug AntiVM PE32 PE File MSOffice File PNG Format OS Processor Check .NET EXE JPEG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications Check virtual network interfaces AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key Software crashed
URLs (2): https://n106831.hostde20.fornex.host/samagon.exe https://c.im/@olegf9844h
Hosts (13): t.me(149.154.167.99) - mailcious n106831.hostde20.fornex.host(5.187.6.45) c.im(172.67.155.17) iplogger.org(148.251.234.83) - mailcious 149.154.167.99 - mailcious 148.251.234.83 104.21.80.230 193.106.191.253 - mailcious 194.36.177.77 31.41.244.134 - mailcious 5.187.6.45 65.108.20.182 103.89.90.61 - mailcious
Signatures (4): ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure
14.2 | M | 41 | ZeroCERT

7 | 2022-07-18 09:45 | namdoitntn.exe | ce2126d6ce78ff9697fb56967d1b8774 | PWS[m] RedLine stealer[m] RAT Emotet UPX Malicious Library AntiDebug AntiVM PE32 PE File .NET EXE PNG Format MSOffice File JPEG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications human activity check installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key Software crashed
Hosts (3): iplogger.org(148.251.234.83) - mailcious 148.251.234.83 103.89.90.61
Signatures (4): ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
16.8 | M | 36 | ZeroCERT

8 | 2022-07-18 09:45 | 22.exe | 2f7dfe9a88a2197d3c36c5427778585c | RAT PWS .NET framework AgentTesla(IN) Emotet UPX Malicious Library Confuser .NET Malicious Packer AntiDebug AntiVM PE32 PE File PNG Format OS Processor Check .NET EXE MSOffice File JPEG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key Software crashed
Hosts (6): iplogger.org(148.251.234.83) - mailcious 31.41.244.134 148.251.234.83 193.106.191.253 - mailcious 65.108.99.12 103.89.90.61
Signatures (4): ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
14.8 | M | 35 | ZeroCERT

9 | 2022-07-18 09:44 | tag12312341.exe | 01e48b3b61d25f3a10a7dc0a06e4eb17 | PWS[m] RedLine stealer[m] RAT Emotet UPX Malicious Library AntiDebug AntiVM PE32 PE File PNG Format MSOffice File JPEG Format Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Collect installed applications AntiVM_Disk VM Disk Size Check installed browsers check Tofsee Windows Exploit Browser ComputerName DNS Cryptographic key Software crashed
Hosts (4): iplogger.org(148.251.234.83) - mailcious 182.162.106.33 - malware 148.251.234.83 176.124.200.85
Signatures (4): ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET INFO TLS Handshake Failure
15.4 | M | 35 | ZeroCERT

10 | 2022-07-18 09:36 | vidar.exe | a6a51c63436cab71241f89451ebe0ac8 | Emotet UPX Malicious Library AntiDebug AntiVM PE32 PE File PNG Format MSOffice File JPEG Format OS Processor Check VirusTotal Malware suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities human activity check installed browsers check Tofsee Windows Exploit Browser ComputerName DNS crashed
URLs (1):
Hosts (6): t.me(149.154.167.99) - mailcious c.im(104.21.80.230) iplogger.org(148.251.234.83) - mailcious 149.154.167.99 - mailcious 148.251.234.83 172.67.155.17
Signatures (4): ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
11.0 | | 50 | ZeroCERT

11 | 2022-07-18 09:32 | F0geI.exe | de7f65eb86210a7be6f62dfdab90a900 | Emotet UPX Malicious Library Code injection AntiDebug AntiVM PE32 PE File PNG Format MSOffice File OS Processor Check JPEG Format Malware download VirusTotal Malware RecordBreaker Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic RWX flags setting exploit crash unpack itself Windows utilities WriteConsoleW installed browsers check Tofsee Windows Exploit Browser ComputerName DNS crashed
URLs (1):
Hosts (3): iplogger.org(148.251.234.83) - mailcious 148.251.234.83 51.81.143.170
Signatures (6): ET POLICY IP Check Domain (iplogger .org in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET MALWARE Win32/RecordBreaker CnC Checkin ET MALWARE Win32/Kryptik.HQAF Checkin ET INFO TLS Handshake Failure
14.6 | M | 48 | ZeroCERT

12 | 2021-10-26 09:43 | FastPC.exe | 575dfecf7e2f126bd44b67256f066794 | RAT Gen1 Gen2 PWS .NET framework Emotet Generic Malware Antivirus Malicious Library UPX Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM Escalate priviledges AntiDebug AntiVM PE File PE32 PNG Format .NET EXE DLL OS Processor Check PE64 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Malware AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder suspicious TLD sandbox evasion WriteConsoleW human activity check installed browsers check Tofsee GameoverP2P Zeus Windows Browser ComputerName Trojan Banking Amazon DNS Cryptographic key Software crashed Downloader
URLs (3): http://apps.identrust.com/roots/dstrootcax3.p7c http://papwli.pw/adsli/note866.exe http://duzlwewk2uk96.cloudfront.net/vpn.exe
Hosts (17): papwli.pw(111.90.146.149) mybrowserinfo.com(104.21.9.4) user.maskvpn.org(98.126.176.51) duzlwewk2uk96.cloudfront.net(54.192.175.191) source7.boys4dayz.com(172.67.148.61) apps.identrust.com(119.207.65.153) vpn.maskvpn.org(98.126.176.53) www.microsoft.com(23.201.37.168) 99.86.144.74 104.21.33.188 67.198.134.186 172.67.130.202 23.206.175.43 111.90.146.149 - malware 3.17.66.208 98.126.176.51 98.126.176.53
Signatures (8): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY Executable served from Amazon S3 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET DNS Query to a *.pw domain - Likely Hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.pw domain
16.8 | | 32 | ZeroCERT

13 | 2021-10-07 16:44 | Setup12.exe | f80a018bd3f70c14370944063f413f73 | RAT Gen2 Emotet Generic Malware UPX Malicious Library ASPack PE File PE32 .NET EXE PE64 OS Processor Check Browser Info Stealer VirusTotal Malware suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces AntiVM_Disk IP Check VM Disk Size Check installed browsers check Browser ComputerName DNS
URLs (3): http://staticimg.youtuuee.com/api/fbtime - rule_id: 5258 http://staticimg.youtuuee.com/api/?sid=264745&key=b0e4ab29eda1494875bb14e22a119cc5 - rule_id: 5258 http://ip-api.com/json/
Hosts (11): guidereviews.bar() - mailcious onepremiumstore.bar() auto-repair-solutions.bar() premium-s0ftwar3875.bar(35.205.61.67) ip-api.com(208.95.112.1) staticimg.youtuuee.com(45.136.151.102) - mailcious 162.0.214.42 - phishing 35.205.61.67 - mailcious 162.0.210.44 - mailcious 208.95.112.1 45.136.151.102 - mailcious
Signatures (1): ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (2): http://staticimg.youtuuee.com/api/ http://staticimg.youtuuee.com/api/
9.8 | M | 46 | ZeroCERT

14 | 2021-09-17 10:57 | Setup12.exe | e0ef2cfe575206c8a60ddba16c3be2f5 | Gen2 Emotet UPX Malicious Library ASPack PE File PE32 OS Processor Check PE64 Browser Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut Creates executable files unpack itself Check virtual network interfaces AntiVM_Disk IP Check VM Disk Size Check installed browsers check Tofsee Interception Browser ComputerName DNS crashed
URLs (5): http://staticimg.youtuuee.com/api/?sid=236911&key=10e44f00f514089ad426f2df18ec0fd0 http://staticimg.youtuuee.com/api/fbtime http://186.2.171.3/seemorebty/il.php?e=md8_8eus - rule_id: 4715 http://ip-api.com/json/ https://iplogger.org/ZhiS4
Hosts (7): iplogger.org(88.99.66.31) - mailcious ip-api.com(208.95.112.1) staticimg.youtuuee.com(45.136.151.102) 186.2.171.3 - mailcious 45.136.151.102 88.99.66.31 - mailcious 208.95.112.1
Signatures (2): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY External IP Lookup ip-api.com
Rule-matched URLs (1): http://186.2.171.3/seemorebty/il.php
9.6 | M | 51 | ZeroCERT

15 | 2021-09-12 14:52 | SmartPDF.exe | e180347578de3564e7dea536a9af509b | Emotet NPKI Gen2 Gen1 RAT PWS .NET framework Generic Malware UPX Malicious Library PE File PE32 PE64 OS Processor Check .NET EXE DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk suspicious TLD WriteConsoleW IP Check VM Disk Size Check human activity check installed browsers check Tofsee Windows Browser ComputerName Amazon DNS Cryptographic key Software crashed
URLs (9): http://ipinfo.io/country http://c115ccef-fcb1-4039-a9a5-8e09a6993f8d.s3.eu-west-2.amazonaws.com/SmartPDF.exe http://ipinfo.io/ip https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150 https://jom.diregame.live/userf/2203/gdgame.exe - rule_id: 4962 https://d.dirdgame.live/userf/2203/6c5332b113e6f9bd83980c8858001543.exe https://api.ip.sb/geoip https://ipinfo.io/country https://2no.co/1E2Xu7
Hosts (19): www.svanaturals.com(72.167.225.156) - malware platformsforyoutube.top(193.38.50.104) c115ccef-fcb1-4039-a9a5-8e09a6993f8d.s3.eu-west-2.amazonaws.com(52.95.149.118) - malware api.ip.sb(104.26.12.31) jom.diregame.live(104.21.65.45) - malware ipinfo.io(34.117.59.81) d.dirdgame.live(104.21.59.252) - malware ipqualityscore.com(104.26.2.60) 2no.co(88.99.66.31) - mailcious 172.67.186.79 - malware 72.167.225.156 - malware 104.21.65.45 - malware 88.99.66.31 - mailcious 193.38.50.104 18.118.84.99 34.117.59.81 172.67.72.12 52.95.149.2 104.26.13.31
Signatures (7): SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Executable served from Amazon S3 ET POLICY Possible External IP Lookup ipinfo.io ET POLICY PE EXE or DLL Windows file download HTTP ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) ET DNS Query to a *.top domain - Likely Hostile
Rule-matched URLs (1): https://jom.diregame.live/userf/2203/gdgame.exe
19.0 | M | 28 | ZeroCERT