Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
1	2024-04-12 08:41	random.exe 04444d22b3bfefd4ea745d46267a9690 UPX Anti_VM PE File PE32					0.6	M		ZeroCERT

2	2024-04-10 13:50	1234.exe 5e13199a94cf8664e5bfbe2f68d4738e Generic Malware Malicious Library Malicious Packer UPX Anti_VM PE File PE32 OS Processor Check VirusTotal Malware					1.2	M	56	ZeroCERT

3	2024-04-08 18:27	summa.exe ac2bd577d78e78d8c7207b4176b595d9 Themida Packer Malicious Packer UPX PE File PE32 VirusTotal Malware					1.8	M	40	ZeroCERT

4	2024-04-05 23:41	download.php a8b2bacb6ff3953044d01055f9f84f79 Themida Packer Malicious Packer PE File PE32 VirusTotal Malware					1.4	M	29	ZeroCERT

5	2024-04-03 07:25	sarra.exe 12a586136d1b50eb2bc77a8205e5df52 Themida Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory unpack itself Windows utilities Checks Bios Collect installed applications Detects VMWare suspicious process AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed	1 Keyword trend analysis	5	7 Info ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound)		14.4	M	36	ZeroCERT

6	2024-03-24 13:59	sarra.exe cb6ca7a54ebb767d3d996fde3d6b20bb Amadey Themida Packer Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library UPX Malicious Packer Antivirus Anti_VM AntiDebug AntiVM PE File PE32 MSOffice File ZIP Format OS Processor Check Lnk Format GIF Format DLL PE64 Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare powershell.exe wrote suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader	16 Keyword trend analysis Info http://193.233.132.56/Pneh2sXQk0/index.php http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll http://193.233.132.62:57893/hera/amadka.exe - rule_id: 39491 http://www.maxmind.com/geoip/v2.1/city/me http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll http://193.233.132.167/cost/go.exe http://193.233.132.167/lend/lumma21.exe https://www.google.com/favicon.ico https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/_/bscframe https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&ifkv=ARZ0qKKZ5yLw91CeXZgf6l3nIZ3R1Ri0N7zkeLQ91IYy93V6HIEFRBR3xUlg9T_5GyHFxbOd4i67&passive=true&service=youtube&uilel=3&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1845397159%3A1711255787052476 https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKjgyHg6fMmr6lxYRHxyoe5wXVroRpHBfaB59EVywFVFeAi3uitzW1gGA6ffBNDx0ObflIffQ https://www.youtube.com/account https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://accounts.google.com/generate_204?RhQsIg	18 Info db-ip.com(104.26.5.15) www.google.com(142.250.207.100) www.youtube.com(142.250.196.142) - mailcious ssl.gstatic.com(142.250.196.131) ipinfo.io(34.117.186.192) accounts.google.com(64.233.188.84) www.maxmind.com(104.18.146.235) 142.250.66.100 104.18.145.235 104.26.4.15 216.58.200.238 193.233.132.74 193.233.132.62 - mailcious 34.117.186.192 108.177.97.84 216.58.203.67 193.233.132.56 - malware 193.233.132.167 - malware	16 Info ET INFO Executable Download from dotted-quad Host SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	1	29.0	M	29	ZeroCERT