Submissions - ZeroBOX

Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player	Etc
1	2023-09-06 14:14	WWW14_n.exe e8e7a7c1a9b0aba35338c2de4d4bd0af PrivateLoader Amadey RedLine Infostealer RedLine stealer Generic Malware Malicious Library UPX VMProtect .NET framework(MSIL) Confuser .NET Malicious Packer PWS SMTP AntiDebug AntiVM PE File PE64 OS Processor Check PE32 .NET EXE DLL wget Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Check virtual network interfaces suspicious process AppData folder sandbox evasion WriteConsoleW anti-virtualization IP Check installed browsers check PrivateLoader Tofsee Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed	24 Keyword trend analysis Info http://94.142.138.131/api/firegate.php - rule_id: 32650 http://45.9.74.80/super.exe - rule_id: 36063 http://230809204625331.nes.dtf99.top/f/fikim0809331.exe - rule_id: 36062 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://45.9.74.80/ummaa.exe - rule_id: 36186 http://red.mk/netTime.exe - rule_id: 36187 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://apps.identrust.com/roots/dstrootcax3.p7c http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://www.maxmind.com/geoip/v2.1/city/me http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790 http://45.9.74.80/toolspub2.exe - rule_id: 36066 https://preconcert.pw/setup294.exe - rule_id: 36162 https://sun6-23.userapi.com/c909618/u44017378/docs/d58/7bf5e3bbbea6/Synapse.bmp?extra=mzMMk3WSUR9nXjlWZ6cDWS8uZXnpeH5HFoj4k-neSMlSwedoZanNxQoG3h1Fl180ZYqPy_dIeBEOfQRiGTKUc2qv1mDlwQ6hq_BjfKmI04Adw-GHSVg0utmIeVwn4vFkEZ55FEGR_EeCU6su https://psv4.userapi.com/c235131/u44017378/docs/d5/fdcd3504e8e2/red.bmp?extra=jTIQRXaPDO1NXMmXQzzFrL0w8M0Aux3xQ53jP9K5Av5remAWM4J7b2bi3isiBFlCsp9FQNBSHuz3j5e9qdLEiiiGgHwS2dsPjt2cu0sirG6iWFSzreqm7rUEnldpiXUhrfN3QUEmNd-PGjtX https://api.myip.com/ https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://sun6-20.userapi.com/c909618/u44017378/docs/d36/4045d7e5e2af/PL_Client.bmp?extra=41RYXiYdonWnWPYwQIzl_E40YzLt9e-a585sYDB48TJ1guOgXM82khcH113VcyDUy1qRwuEub4FUsSEnl5OfhF82khtCO4eGvfgR1-OEX6MePbBwAaiux-eLDXjut3NIRQnlEpVeZ_pbxMeI https://psv4.userapi.com/c909328/u44017378/docs/d1/0a7c8509d5a4/setup.bmp?extra=P2d8Fo57PDhjSbNAarsgzs7s47HfESup6nA9QPs2Jx9jlMkoKc6DXgshHhytmelgvUOzcd0WK42AeucPRw8quv3aFraVcKsYb_UHW5Cd0JUYBJDa80M3IYxPpdUAHDMFCB4T3ofEtFx6cwIp https://sun6-21.userapi.com/c235131/u44017378/docs/d58/b5d7bd164765/tmvwr.bmp?extra=MOoJ_YAgLF-1um3Me5WawUQVtSpNdXdk4O4HjEHIoEJYoGofA_i-K7joq0CWxFxZ_12PJ_jQLkx1WwKPGJ02adtFNG4_nnXRhcuoM-7EcVqjywc84Edq559VzCTblgn2fgdwqBZ5N-BoxmH6 https://sun6-21.userapi.com/c909628/u44017378/docs/d11/1a3013098cbf/WWW1.bmp?extra=xgcuwlyssMW5fhehD936AqhRSGL9n6WAhvJJzjwcFZ3WMiE8xWxO3qKhr9_8jnDUTj1l3e5eKgd9DPl2hGHNRQsMstXoksgW-4kZoEzSOKif1Txq8vuSgC4s2KKLAdrZ_tDy6XI04Nl-lgHm https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36188 https://psv4.userapi.com/c909328/u44017378/docs/d20/504a645fbcf0/3c8fttmg7n06dp.bmp?extra=nwBZ3AcWEYYSVAyNH3mk248SL5RSBNJDVe69N37eANsig_2_ecdHjz4OT6WcpyvVgAKIctZPELhQbJdVOBqe4OR66kMAtIyuFDxX2XlhP2KRT5d0TVgW8q7aU98EF1IW99b0I6cDT-cHsiy9	42 Info preconcert.pw(172.67.197.101) - malware 230809204625331.nes.dtf99.top(94.156.35.76) - malware db-ip.com(104.26.5.15) psv4.userapi.com(87.240.190.76) api.db-ip.com(172.67.75.166) api.myip.com(104.26.8.59) www.maxmind.com(104.18.146.235) iplis.ru(148.251.234.93) - mailcious ironhost.io(172.67.193.129) ipinfo.io(34.117.59.81) sergejbukotko.com(104.21.59.53) - malware sun6-23.userapi.com(95.142.206.3) sun6-20.userapi.com(95.142.206.0) - mailcious vk.com(93.186.225.194) - mailcious sun6-21.userapi.com(95.142.206.1) - mailcious red.mk(141.95.126.89) - malware 148.251.234.93 - mailcious 95.142.206.0 - mailcious 104.18.145.235 172.67.197.101 104.26.5.15 179.43.158.2 208.67.104.60 - mailcious 87.240.190.76 176.123.9.85 - mailcious 193.42.32.118 - mailcious 172.67.75.166 172.67.193.129 172.67.75.163 34.117.59.81 172.67.214.144 - malware 141.95.126.89 - malware 45.9.74.80 - malware 94.142.138.131 - mailcious 185.225.73.32 - mailcious 45.15.156.229 - mailcious 95.142.206.3 95.142.206.1 - mailcious 23.67.53.17 87.240.132.78 - mailcious 185.225.74.51 - mailcious 87.240.132.72 - mailcious	27 Info ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET DNS Query to a .pw domain - Likely Hostile SURICATA TLS invalid record type SURICATA TLS invalid record/traffic ET INFO TLS Handshake Failure ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer Activity (Response) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) ET DNS Query to a .top domain - Likely Hostile ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a *.top domain ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	13 Info http://94.142.138.131/api/firegate.php http://45.9.74.80/super.exe http://230809204625331.nes.dtf99.top/f/fikim0809331.exe http://45.15.156.229/api/tracemap.php http://45.9.74.80/ummaa.exe http://red.mk/netTime.exe http://45.15.156.229/api/firegate.php http://94.142.138.131/api/tracemap.php http://193.42.32.118/api/tracemap.php http://45.9.74.80/0bjdn2Z/index.php http://45.9.74.80/toolspub2.exe https://preconcert.pw/setup294.exe https://sergejbukotko.com/7725eaa6592c80f8124e769b4e8a07f7.exe	24.4	M	44	ZeroCERT

First
1
Last
Total : 1cnts