Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
8986	2023-10-27 10:54	ngone.vbs bb1a98b873c6fbebb5c2bab804fbe831 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0	M	5	ZeroCERT

8987	2023-10-27 10:56	don.vbs 049cbf1fa6fb0b213b5d6aace06efbd9 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0	M	5	ZeroCERT

8988	2023-10-27 10:58	ngown.vbs 74558dda2ee55f1223e34b0e18411764 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	4 Keyword trend analysis	5	2		9.6	M	5	ZeroCERT

8989	2023-10-27 12:25	File.7z 3c62d34e99c4d0766c6a30aff0ff00d4 PrivateLoader Stealc Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser Trojan DNS Downloader	55 Keyword trend analysis Info http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://109.107.182.2/race/bus50.exe - rule_id: 37496 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=rHs0an9bdrTIaDtaE0Df9rlg.exe&platform=0009&osver=5&isServer=0 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://apps.identrust.com/roots/dstrootcax3.p7c http://185.172.128.69/newumma.exe - rule_id: 37499 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://194.169.175.233/setup.exe - rule_id: 37614 http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://94.142.138.113/api/tracemap.php - rule_id: 28877 http://94.142.138.131/api/firegate.php - rule_id: 32650 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://howardwood.top/e9c345fc99a4e67e.php - rule_id: 37562 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://77.91.124.1/theme/index.php - rule_id: 37040 http://176.113.115.84:8080/4.php - rule_id: 34795 http://193.233.255.73/loghub/master - rule_id: 37500 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://www.maxmind.com/geoip/v2.1/city/me http://171.22.28.213/3.exe - rule_id: 37068 http://www.google.com/ https://sun6-20.userapi.com/c237331/u825067038/docs/d49/2fa5bb09a502/PL_Client.bmp?extra=hoE_PGrrkY5d2NqippbG-UTIRwu_h48s7-Mi86qburxYxYP2a4nfRxp8kaKBiRxuro79vWtZxNk0QuVAV280jjii1nd_0ovq3qK0e2f0q64HOWQQ6l8DT724JVMNbiPaXVLRXVti3oXOXSvj6A https://vk.com/doc825067038_675084444?hash=k5PecVfBQzPaee7oBSXUMlbMI8WyGwsz9sC7fI90JQs&dl=KIXZTpWuxh6zhpZ3P1E5BeGpD6wWJ27NEZ8qKC46TGL&api=1&no_preview=1#good https://www.google.com/favicon.ico https://sun6-23.userapi.com/c909518/u52355237/docs/d59/1bb094138bd6/d432j89adg.bmp?extra=uZ0kz3xyyLQRpHyiIUVDgzVuc8ISnjGwzHU3Zj5l6-kOEBCA2aVwbMUmknHcD5WrU8GfP7b98J-VdksDqOUosQfPqiGhAbCxWrH-Idsh_1XZ-Z0T00Y9APKnURqnh4Q2r8vMm2YUqVDohxSj https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://vk.com/doc825067038_675120414?hash=ofV8tZWtQDknSObErFUq2rnV3Esz6p3eJRLOo5yZ3Bg&dl=3JL9LytHzeNyclBz9CDzoiw11Ovw4rTGzbKz11MEPvw&api=1&no_preview=1#1 https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzdzet-5bFdLPdUq1j1uDurwe6kz_lHlw7J7WHjbFlxuWq7DWllN0DrN9yErviFid87F_Tyrw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1207139751%3A1698376547583620 https://sun6-22.userapi.com/c909218/u52355237/docs/d42/5ea1ce9e9941/WWW11_32.bmp?extra=ytZfQv4RrE3t_njKlOfujRBbAbSsxpWTLHad68C6dj6dfnRUGMYwA5OymD16HSt28U1ha3InbqaN3PeokRDsnMPVFZj8LjDGWM_FUjVdq1bZYMxrIHBkE9qZnO3K1PZLO5_oK1_vX6oi9fyX https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://sun6-23.userapi.com/c909618/u52355237/docs/d9/623cc18b4685/tmvwr.bmp?extra=5WUKP60iriNLZAh7S4FosuziGQcjWCkFZZ4x7xp8sOkXLhbwvbH5419WeD9RJCKirsxra8PHrHOD5PoaLYO4q-OZRkssRi22_oLTccilnyFnSWLZiks4PJxdOyEvR3dhcPSVd4aQv4cBG1g9 https://experiment.pw/setup294.exe - rule_id: 37436 https://vk.com/doc825067038_675094078?hash=yy528d2cdSWh8Qb1vjKZzrbg9uO0tUhBgbnW8xFFc7g&dl=fzvSk2lE8vQ96mfYErqNUoJZiKQg6dRgeIDz0UiA5W8&api=1&no_preview=1 https://accounts.google.com/ https://vk.com/doc825067038_675107888?hash=p1edxhMap9ebzzyYu0bwG8SRx7fNg9lc730omI4QiGL&dl=7VNr97gwpMxX5zCHlKbDwt20Nh6MmLxWO6FX8g4zAqL&api=1&no_preview=1#s6 https://sso.passport.yandex.ru/push?uuid=a0c92fe7-42c2-4613-b8b7-fa00a304410a&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://accounts.google.com/generate_204?YDaA_g https://dzen.ru/?yredirect=true https://sun6-20.userapi.com/c909618/u825067038/docs/d56/53e217f03c63/s6d7rtfygiftu57e8r6tfjgcfxdsreturyit.bmp?extra=iGkHoDjsILLIjBMdJJUo6FgOpO-KtPGICJdjT4FoefBp4bB2jgAGKbjdQXtnA_ThsSCU5i5bS3Lg6d6Y6Wf4CrjFyErGfuQ_v5XoImwRYBfYh-JyYGa34C7_VJ6Qs-x-Dt8GVlJ3J5XGCr-W3w https://sun6-22.userapi.com/c909328/u825067038/docs/d10/fd086603287f/red.bmp?extra=zYTCTjDurMXD3dgkI5bHy3cXnZBNncN4I8n51Y9hk8bLzF3Dv1aePJ8XfT539FOwfZjMjTIKqvS07bnzor215dPE1aiIH1IuV444DOz8_yaiOt5TK6-4XGc9sUBOTdmW7tFv7qTLjhBAWTg-TQ https://sun6-21.userapi.com/c235031/u825067038/docs/d20/a29a3db0069e/fresh1.bmp?extra=1dRSa-0TgJXqa93p4EbSQk90rNhKUH9so_jMimdjR_fNC7yh-U0RyUPFHhbKcUIbyspnMp2_-SsDdNtn56RI5ilXyOziZCizDJ2AoOkqCch-5X1wkTeC416YOe_GFTo7wCHGV03e__SBLuJNdQ https://api.2ip.ua/geo.json https://vk.com/doc825067038_675098543?hash=fDGebbbbT59ZXUS0aTzHqJh9k55SUFqRxrdzJALVzSP&dl=VyQDbVL7k7q0VT6QORxGuLdfGzZ7nqAOWUJBLGBju7c&api=1&no_preview=1#test22 https://vk.com/doc825067038_675096729?hash=qSZS9aM0ivWNtijm1zaWyzA7J0bEJfI7RF562vpg2qP&dl=Di89rUJwazaYzfGe5B8jQKQ6f8sDEfxK1AwIneVf478&api=1&no_preview=1#redcl https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywG5Ca3_U5z3i17rpBqe5XQmjKFOYO0l9YmCbXIH8Z7L2QC49OAi4jslnwM1-fvL4i20vS36Q https://sun6-20.userapi.com/c235031/u825067038/docs/d50/da83a607ce58/file261023.bmp?extra=oZYPM_XOV2yUnI1OIkqXvssiCX90LOMpdatPJ3Mo-Iy7KPl61syaohofhhshJ3MqAGzAGOOjyd2hns--mq7Yi8XIYXFJZP2JkQdW10m1262TpjTS9wualsTezDU7MTljJq1XP6azEUjxwVkt_Q https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://sun6-20.userapi.com/c909418/u825067038/docs/d26/484476cefcda/crypted.bmp?extra=xKumbx-TTXs_1he4_Ei0XOGCQ7hjCAmh0Tfxiar8m_-yHzKu8fpiKEbsBT6lBgNyPmwVvmrnWrMWcYvr0uDWeewVVOX6C76OSOO6saJLa-Sb0UvH22ikkXipev0DFE-_kzKEApKnwBDNKESMfw https://neuralshit.net/8b54e3f23ea4df83b44da9add06c973d/7725eaa6592c80f8124e769b4e8a07f7.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716	91 Info neuralshit.net(172.67.134.35) - malware db-ip.com(104.26.4.15) roberthamilton.top(37.139.129.88) - malware vanaheim.cn(84.201.152.220) - mailcious ipinfo.io(34.117.59.81) accounts.google.com(142.250.206.205) sun6-23.userapi.com(95.142.206.3) - mailcious yandex.ru(77.88.55.88) dzen.ru(62.217.160.2) medfioytrkdkcodlskeej.net(91.215.85.209) - malware learn.microsoft.com(23.40.45.69) api.2ip.ua(104.21.65.24) iplogger.org(148.251.234.83) - mailcious twitter.com(104.244.42.1) telegram.org(149.154.167.99) sun6-20.userapi.com(95.142.206.0) - mailcious api.db-ip.com(172.67.75.166) sun6-21.userapi.com(95.142.206.1) - mailcious sso.passport.yandex.ru(213.180.204.24) lakuiksong.known.co.ke(146.59.70.14) - malware experiment.pw(172.67.167.220) - malware ssl.gstatic.com(142.250.207.99) howardwood.top(37.139.129.88) - mailcious iplogger.com(148.251.234.93) - mailcious zexeq.com(123.213.233.131) - malware octocrabs.com(172.67.200.10) - mailcious www.google.com(142.250.76.132) iplis.ru(148.251.234.93) - mailcious sun6-22.userapi.com(95.142.206.2) - mailcious www.maxmind.com(104.18.146.235) vk.com(87.240.129.133) - mailcious api.myip.com(104.26.8.59) 148.251.234.93 - mailcious 87.240.132.78 - mailcious 84.201.152.220 104.18.145.235 148.251.234.83 93.186.225.194 - mailcious 172.67.167.220 - malware 185.225.75.171 - mailcious 77.91.124.1 - malware 62.122.184.92 - mailcious 193.233.255.73 - mailcious 104.26.5.15 149.154.167.99 - mailcious 193.42.32.118 - mailcious 104.21.34.37 - phishing 62.217.160.2 142.250.204.109 83.97.73.44 171.22.28.226 - malware 142.250.76.132 171.22.28.221 - malware 34.117.59.81 104.21.21.189 142.250.199.67 77.88.55.60 104.244.42.65 - suspicious 104.26.8.59 142.250.66.100 37.139.129.88 - mailcious 172.67.134.35 - malware 213.180.204.24 77.91.124.86 176.113.115.135 - mailcious 190.141.134.150 176.113.115.136 - mailcious 185.172.128.69 - malware 45.143.201.238 - mailcious 172.67.75.166 194.169.175.233 - malware 94.142.138.131 - mailcious 94.142.138.113 - mailcious 91.215.85.209 - mailcious 23.67.53.17 23.40.45.69 95.142.206.3 - mailcious 176.113.115.84 - mailcious 172.67.139.220 95.142.206.0 - mailcious 80.66.75.4 - mailcious 45.15.156.229 - mailcious 146.59.70.14 - malware 194.169.175.234 23.45.53.206 95.142.206.2 - mailcious 87.240.132.72 - mailcious 80.66.75.77 - mailcious 109.107.182.2 - malware 95.142.206.1 - mailcious 171.22.28.213 - malware	42 Info ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET DNS Query to a .pw domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 SURICATA Applayer Mismatch protocol both directions ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a .top domain ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO Packed Executable Download ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer Activity (Response) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)	23 Info http://171.22.28.226/download/WWW14_64.exe http://109.107.182.2/race/bus50.exe http://zexeq.com/test2/get.php http://45.15.156.229/api/tracemap.php http://185.172.128.69/newumma.exe http://45.15.156.229/api/firegate.php http://194.169.175.233/setup.exe http://171.22.28.221/files/Ads.exe http://94.142.138.113/api/tracemap.php http://94.142.138.131/api/firegate.php http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://howardwood.top/e9c345fc99a4e67e.php http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://77.91.124.1/theme/index.php http://176.113.115.84:8080/4.php http://193.233.255.73/loghub/master http://94.142.138.131/api/tracemap.php http://193.42.32.118/api/firecom.php http://171.22.28.213/3.exe https://experiment.pw/setup294.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe	6.8	M		ZeroCERT

8990	2023-10-27 17:03	HTMLXLAMieBrowser.dOC baeaa0fda1df43a65dc12777327db43b MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed	3 Keyword trend analysis	6	3		4.0	M	28	ZeroCERT

8991	2023-10-27 17:05	xlammexpoittt.vbs 9595077ef106c2510f73d0132ea81155 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key	4 Keyword trend analysis	6	2		10.2		5	ZeroCERT

8992	2023-10-27 19:47	북한최고인민회의 결과.lnk cc96ba45dd2b6a6d7aa300d77e49c095 Generic Malware Downloader Antivirus HWP PS PostScript Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P Hide_URL AntiDebug AntiVM Lnk Format MSOffice VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName Cryptographic key		2	2		11.2		28	guest

8993	2023-10-28 12:38	HTMLIEbrowserHistoryClean.doc 5ad1dfb31daa5015f4fdc8af08b50ae9 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed		2	3		2.8	M	30	ZeroCERT

8994	2023-10-28 12:39	HTMLDesginbrowser.vbs b32067242d7b194386069c8cf33741df VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0		5	ZeroCERT

8995	2023-10-28 12:41	audiodgse.exe bbf6104b2b2953e63d98daf9c6fec2b1 LokiBot UPX .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Browser Email ComputerName DNS Software crashed		2	4		10.6	M	41	ZeroCERT

8996	2023-10-28 12:42	HTMLIEBrowserHistory.vbs 56238116f5d9877c000e6431306d0071 VirusTotal Malware wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		2.0	M	1	ZeroCERT

8997	2023-10-28 12:43	HTMLDesginBrowserInternet.dOC c6f17e9d8c72950b1100f1ab9c3ab77d MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed		2	3		2.6	M	26	ZeroCERT

8998	2023-10-28 12:44	Yqmx.vbs 3575c1d07813dd220063c02c664d1827 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	4 Keyword trend analysis	5	2		9.6	M	5	ZeroCERT

8999	2023-10-28 12:49	HTMLxlaIEbrowser.dOC 2dd55c2a09a20b395c4034c934651113 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic RWX flags setting exploit crash Tofsee Exploit DNS crashed	3 Keyword trend analysis	6	3		4.0	M	29	ZeroCERT

9000	2023-10-28 12:51	HTMLIEBrowserHistorycleaner.dO... 1276da2350d722faf931038319ea6613 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Tofsee Exploit crashed		2	3		2.8	M	30	ZeroCERT

First
Previous
591
592
593
594
595
596
597
598
599
600
Next
Last
Total : 10,173cnts

Submissions

bb1a98b873c6fbebb5c2bab804fbe831

049cbf1fa6fb0b213b5d6aace06efbd9

74558dda2ee55f1223e34b0e18411764

3c62d34e99c4d0766c6a30aff0ff00d4

baeaa0fda1df43a65dc12777327db43b

9595077ef106c2510f73d0132ea81155

cc96ba45dd2b6a6d7aa300d77e49c095

5ad1dfb31daa5015f4fdc8af08b50ae9

b32067242d7b194386069c8cf33741df

bbf6104b2b2953e63d98daf9c6fec2b1

56238116f5d9877c000e6431306d0071

c6f17e9d8c72950b1100f1ab9c3ab77d

3575c1d07813dd220063c02c664d1827

2dd55c2a09a20b395c4034c934651113

1276da2350d722faf931038319ea6613

View

Insert

Alert