Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
8791	2021-05-26 09:34	IMG_085_163_771.exe 719fad1c99b366347fabab8b752a1826 AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed	2 Keyword trend analysis	4	4		9.2	M	15	ZeroCERT

8792	2021-05-26 09:32	ahk.jpg 4a5f8a1e40fb9eab2b8bd55efbe61a83 Gen2 Antivirus PE File OS Processor Check PE32 VirusTotal Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	2 Keyword trend analysis	2	1		7.2	M	26	ZeroCERT

8793	2021-05-26 09:26	ConsoleApp1.exe 17b32d5270a778baa555f13bb3c25b14 AsyncRAT backdoor Gen1 AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check Tofsee OskiStealer Stealer Windows Browser Email ComputerName Trojan DNS Downloader Password	11 Keyword trend analysis	4	15 Info ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO TLS Handshake Failure SURICATA TLS invalid record type SURICATA TLS invalid record/traffic SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile		13.4	M	22	ZeroCERT

8794	2021-05-26 09:07	Document%20093250.xls 662ed1aced50cad399d305467f290fea VBA_macro MSOffice File VirusTotal Malware Checks debugger WMI unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Windows ComputerName DNS crashed	1 Keyword trend analysis	3	1		8.0		20	ZeroCERT

8795	2021-05-26 09:00	PL_175_063_107.exe e2f9e8c9bc0c758d98ee96ff0779076c AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces VMware IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed	2 Keyword trend analysis	4	4		9.2		13	ZeroCERT

8796	2021-05-26 08:58	IMG_078_36_110.exe 7991a1408bbb33e32dab67230cb4a0ff AsyncRAT backdoor SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed	2 Keyword trend analysis	4	4		8.0		17	ZeroCERT

8797	2021-05-25 10:22	http://176.111.174.74/ACC.exe 1b566412e52165a3ef457cc7dd0ecfba AgentTesla AsyncRAT backdoor PWS .NET framework Malicious Library DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Hijack Network Code injection Http API Internet API Steal credential ScreenShot Downloader P2P persistence VirusTotal Malware Code Injection Malicious Traffic Creates executable files exploit crash unpack itself Windows utilities AppData folder malicious URLs Tofsee Windows Exploit DNS crashed		1	6 Info ET DROP Spamhaus DROP Listed Traffic Inbound group 22 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO TLS Handshake Failure		6.0	M	26	Kim.GS

8798	2021-05-24 09:17	ehn410274214523502210vlbxohwp4 bc5d3090b4ec7ece19ce132d14c0e111 VBA_macro MSOffice File VirusTotal Malware Malicious Traffic unpack itself Tofsee DNS	8 Keyword trend analysis Info https://an9news.com/aokhf/XPXV7/ https://www.17geci.com/vi2w6/Z5i/ https://rubycityvietnam.com/wp-admin/1c0NVtp/ https://lami-jo.com/wp-admin/VMeklEt/ http://vayvontinchap5s.com/vayvon5s.com/YH3mx/ http://jiamini.us-east-1.elasticbeanstalk.com/static/P1Vcv/ http://wach8.com/cgi-bin/5JyZcRU/ http://stopnote.vhostgo.com/?host=wach8.com&refer=	14 Info an9news.com(34.102.136.180) - malware www.17geci.com() - malware jiamini.us-east-1.elasticbeanstalk.com(23.22.53.61) - malware rubycityvietnam.com(45.252.248.29) - malware vayvontinchap5s.com() - malware wach8.com(218.247.67.211) - malware stopnote.vhostgo.com(116.140.34.68) lami-jo.com(35.209.32.159) - malware 23.22.53.61 - malware 218.247.67.211 - malware 34.102.136.180 - mailcious 116.140.34.68 45.252.248.29 - mailcious 35.209.32.159	3		4.4	M	41	ZeroCERT

8799	2021-05-23 10:55	Setup.exe d69ad8d2f432e57d4f5ecf5d7e7f9300 Emotet AsyncRAT backdoor PWS .NET framework Gen1 Glupteba BitCoin Generic Malware Anti_VM VMProtect AntiDebug AntiVM PE File PE32 DLL .NET DLL .NET EXE GIF Format OS Processor Check PE64 Browser Info Stealer VirusTotal Malware Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic unpack itself Windows utilities Collect installed applications Check virtual network interfaces AppData folder AntiVM_Disk sandbox evasion VMware IP Check VM Disk Size Check installed browsers check Tofsee Ransomware GameoverP2P Zeus Windows Browser ComputerName Trojan Banking Amazon DNS Cryptographic key crashed keylogger	28 Keyword trend analysis Info http://ol.gamegame.info/report7.4.php http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xuqczuydmga4p4c.exe http://reportyuwt4sbackv97qarke3.com/sCTMqVJusfff2DEP/eYzrrbN8esV7bvgC http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/xYW2RW5ePv.exe http://iw.gamegame.info/report7.4.php http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/PicturesLab.exe http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/i-record.exe http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/Widgets/Picture-Lab.exe http://global-sc-ltd.com/EbBkqVdkm4Ebeb_EXes_nhQRrZqYVKhyGK8YF2zAUuC3J/C_Blazer_Sha/I-Record.exe http://87.251.71.193// - rule_id: 1393 http://uyg5wye.2ihsfa.com/api/fbtime - rule_id: 1396 http://www.google.com/ http://ipinfo.io/ip http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/f3kmkuwbdpgytdc5.exe http://ip-api.com/json/?fields=8198 http://ipinfo.io/country http://ip-api.com/json/ http://uyg5wye.2ihsfa.com/api/?sid=214117&key=0f51bef1ab2ad0b2ca0fa6f125359da2 - rule_id: 1396 https://iplogger.org/18hh57 https://ipqualityscore.com/api/json/ip/gp65l99h87k3l1g0owh8fr8v99dme/175.208.134.150 https://www.facebook.com/ https://api.ip.sb/geoip https://connectini.net/Series/SuperNitou.php https://news-systems.xyz/?user=barret2 https://news-systems.xyz/?user=barret1 https://iplogger.org/1Hpxd7 https://ipinfo.io/country https://c.pycharm3.ru/SystemServiceModelConfigurationExtensionsSection61947	39 Info news-systems.xyz(104.21.33.129) iw.gamegame.info(104.21.21.221) www.google.com(216.58.197.228) c.pycharm3.ru(217.107.34.191) b92d17fa-9c17-4007-a5f7-b87033b86cc2.s3.us-east-2.amazonaws.com(52.219.106.138) - malware email.yg9.me(198.13.62.186) google.com(172.217.25.78) uyg5wye.2ihsfa.com(88.218.92.148) - mailcious ol.gamegame.info(104.21.21.221) global-sc-ltd.com(199.188.201.83) connectini.net(162.0.210.44) ipinfo.io(34.117.59.81) limesfile.com(198.54.126.101) ip-api.com(208.95.112.1) www.facebook.com(157.240.215.35) api.ip.sb(172.67.75.172) iplogger.org(88.99.66.31) - mailcious reportyuwt4sbackv97qarke3.com(162.0.220.187) ipqualityscore.com(104.26.2.60) 87.251.71.193 - mailcious 162.0.220.187 52.219.84.224 216.58.197.196 - suspicious 88.218.92.148 - malware 104.26.3.60 198.13.62.186 104.21.33.129 - mailcious 199.188.201.83 157.240.215.35 88.99.66.31 - mailcious 104.21.21.221 162.0.210.44 34.117.59.81 217.107.34.191 - mailcious 198.54.126.101 216.58.197.206 - mailcious 208.95.112.1 172.67.200.215 104.26.13.31	10 Info ET POLICY External IP Lookup ip-api.com ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) ET POLICY PE EXE or DLL Windows file download HTTP ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set ET POLICY Possible External IP Lookup ipinfo.io ET POLICY Executable served from Amazon S3 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download SURICATA HTTP unable to match response to request	3	25.2	M	35	ZeroCERT

8800	2021-05-23 10:46	kakashi_cry.exe 62c59ba0375eebf49b4d80c290e69646 AsyncRAT backdoor PWS .NET framework .NET EXE PE File PE32 Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Check virtual network interfaces suspicious process Tofsee Windows	1 Keyword trend analysis	3	1		6.4			ZeroCERT

8801	2021-05-23 10:23	hbggg.exe e6f6fd13001b8df1af345df56caba5de Gen2 Emotet PE File OS Processor Check PE32 Browser Info Stealer VirusTotal Malware PDB Malicious Traffic Check memory Creates executable files Check virtual network interfaces AppData folder IP Check Tofsee Browser Remote Code Execution DNS	5 Keyword trend analysis	8	2	2	7.0	M	50	ZeroCERT

8802	2021-05-23 10:13	BBSbacket.exe e19f8b76b5a0c4959fcb41fe5b46ad80 AsyncRAT backdoor PWS .NET framework BitCoin AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Collect installed applications Check virtual network interfaces suspicious TLD installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed	3 Keyword trend analysis	5	2	1	11.8	M	30	ZeroCERT

8803	2021-05-21 16:34	ConsoleApp19.exe ccf10dc1a6d121efdf9c28443a56e8b7 AsyncRAT backdoor Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed	2 Keyword trend analysis	4	4		17.0	M	18	ZeroCERT

8804	2021-05-21 16:33	ConsoleApp9.exe 0f938ac4802642b34cc7105fb04c32ac AsyncRAT backdoor AgentTesla Ave Maria WARZONE RAT Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process malicious URLs WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key DDNS Software crashed	2 Keyword trend analysis	4	4		17.6	M	21	ZeroCERT

8805	2021-05-21 10:23	PO%2006336801.xls f9288646e623a8a8f0fa5ff5f6b5e3d6 VBA_macro MSOffice File VirusTotal Malware ICMP traffic unpack itself Tofsee	10 Keyword trend analysis Info https://greystonestructural.com/1y3dVMa45GFqjA.php https://langgal.coop.np/0KafeflIy.php https://specs2go.shawalzahid.com/wp-includes/sodium_compat/src/Core/Base64/gRC1QXli.php https://marbiadesign.com/css/fonts/INVRhwduUaFS.php https://welcometotheafterdeath.com/pixelmonkey.com.au/saeadventures/wp-includes/Text/Diff/0hDhEI2E.php https://superbeli.com/fMn3tApyS5wbJU.php https://fotounirii.ro/wp-content/plugins/under-construction-page/themes/000webhost/EYZWDFGxTaDjbR.php https://lojamusic.com.br/lojamusic.com.br/sitebuilder/IWu1s3chQoaXq.php https://pratikmetals.com/system/database/drivers/pdo/subdrivers/FVTsLgQ1vriNlv.php https://iminnovator.com/index_files/yVoSMJ3GBq7lzW5.php	20 Info greystonestructural.com(107.180.3.18) marbiadesign.com(192.185.52.136) - mailcious pratikmetals.com(199.79.62.17) - mailcious iminnovator.com(192.185.139.153) - mailcious specs2go.shawalzahid.com(158.69.144.71) - mailcious fotounirii.ro(89.35.173.76) - mailcious welcometotheafterdeath.com(192.254.234.250) - mailcious langgal.coop.np(192.185.110.229) superbeli.com(103.31.135.171) - mailcious lojamusic.com.br(162.241.2.234) - mailcious 192.185.139.153 - mailcious 192.254.234.250 - mailcious 103.31.135.171 - mailcious 107.180.3.18 192.185.52.136 - mailcious 192.185.110.229 199.79.62.17 - mailcious 89.35.173.76 - mailcious 162.241.2.234 - mailcious 158.69.144.71 - mailcious	2		3.6		23	ZeroCERT