Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
9256	2024-01-19 08:04	room.exe b716baea0866421f013912e77e5db815 EnigmaProtector Malicious Library UPX Malicious Packer Code injection Socket ScreenShot Steal credential DNS AntiDebug AntiVM PE32 PE File .NET EXE MSOffice File OS Processor Check Browser Info Stealer Malware download FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader	13 Keyword trend analysis Info http://185.215.113.68/mine/amer.exe - rule_id: 39024 http://109.107.182.3/cost/go.exe - rule_id: 39025 http://109.107.182.3/cost/nika.exe http://109.107.182.3/cost/vimu.exe https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MrYoqgbP9QAW3euB1trnjW3nzVsSX4zXyxia8fKwg7xPv0o6RkXvohF4lTm5X6bsfBNbeyg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-939002500%3A1705618756630130 https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp1e75G1gW0DiCO0dOvUf1sNyw_eYkTsegr2M0TGYOboAyXMt2zZ3wpHZodY7fybxG3b4LbZ2w https://accounts.google.com/ https://accounts.google.com/_/bscframe https://accounts.google.com/generate_204?biSL3A https://www.google.com/favicon.ico https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png	14 Info ipinfo.io(34.117.186.192) ssl.gstatic.com(142.250.76.131) db-ip.com(104.26.5.15) accounts.google.com(64.233.187.84) www.google.com(142.250.76.132) 193.233.132.62 - mailcious 104.26.4.15 185.215.113.68 - malware 142.251.222.3 34.117.186.192 142.250.199.100 142.251.8.84 154.92.15.189 - mailcious 109.107.182.3 - mailcious	12 Info ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	2	23.8	M		ZeroCERT

9257	2024-01-19 08:05	conhost.exe 9c477f0a3dc97e81cd2a76e339b38c7c AgentTesla UPX PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger		2	4		11.0	M		ZeroCERT

9258	2024-01-19 08:07	conhost.exe db2097a73708c43f88d3fd6d7a017b13 Generic Malware .NET framework(MSIL) Antivirus PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed		3	4		9.8	M		ZeroCERT

9259	2024-01-19 15:00	Adobe_acrobat_installer.exe e2cb17fc7f799e6c39fdbe4aa2c8c06e AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell Telegram PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger		4	6 Info ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup ET INFO TLS Handshake Failure ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Telegram API Domain in DNS Lookup ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)		14.2		32	guest

9260	2024-01-19 18:19	vimu.exe 520050ab79ad5b13e6de5d3d7941d4d2 Malicious Packer UPX Anti_VM PE32 PE File Malware download Malware AutoRuns MachineGuid buffers extracted unpack itself Windows utilities suspicious process WriteConsoleW IP Check Tofsee Windows RisePro ComputerName DNS crashed	1 Keyword trend analysis	5	5		7.0			ZeroCERT

9261	2024-01-20 18:19	zonak.exe d1d8db81157f989532108d62c64cbc33 Amadey Malicious Packer UPX Malicious Library Anti_VM AntiDebug AntiVM PE32 PE File .NET EXE MSOffice File OS Processor Check DLL ZIP Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader	21 Keyword trend analysis Info http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951 http://109.107.182.3/cost/vimu.exe - rule_id: 39038 http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948 http://109.107.182.3/cost/nika.exe - rule_id: 39037 http://185.215.113.68/mine/livak.exe http://www.maxmind.com/geoip/v2.1/city/me http://109.107.182.3/cost/go.exe - rule_id: 39025 http://185.215.113.68/mine/amer.exe - rule_id: 39024 http://185.215.113.68/theme/index.php - rule_id: 38935 https://www.google.com/favicon.ico https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp0MB1Kt9JRng3yyk_pct8ZP3zuC3fBqZFRXuexVmEhTR_dTxy42kBpfUijZBBTyoL_snfrEWg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S487216895%3A1705742046920610 https://accounts.google.com/generate_204?vBMMBg https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3-cnxAB265cMjA870JRwXCWmEackG0gZBWgg8enHGTomo63RZ5p2GNDc8fgTCQ6vFgzSFjkw https://lizotel.pt/temp/322321.exe https://lizotel.pt/temp/crypted.exe https://lizotel.pt/temp/legnew.exe	17 Info db-ip.com(172.67.75.166) lizotel.pt(185.240.248.84) www.google.com(142.250.76.132) ssl.gstatic.com(142.250.76.131) ipinfo.io(34.117.186.192) accounts.google.com(64.233.188.84) www.maxmind.com(104.18.145.235) 108.177.125.84 142.250.207.67 104.18.146.235 104.26.4.15 185.215.113.68 - malware 172.217.25.4 - suspicious 34.117.186.192 185.240.248.84 193.233.132.62 - mailcious 109.107.182.3 - mailcious	18 Info ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO Packed Executable Download ET INFO TLS Handshake Failure ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET MALWARE Amadey Bot Activity (POST)	7	19.6	M		ZeroCERT

9262	2024-01-22 12:32	rty45.exe c5431ed88227d6f2e201da982db63f38 Malicious Packer UPX PE File PE64 VirusTotal Malware PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution	1 Keyword trend analysis	3	1		3.0		46	ZeroCERT

9263	2024-01-22 12:35	rty27.exe 90ab18d69c8c28f797acf90b61d656df Malicious Packer UPX PE File PE64 PDB MachineGuid unpack itself Check virtual network interfaces Tofsee Remote Code Execution	1 Keyword trend analysis	3	1		1.8			ZeroCERT

9264	2024-01-22 12:39	build.exe 57935225dcb95b6ed9894d5d5e8b46a8 RedlineStealer RedLine Infostealer RedLine stealer .NET framework(MSIL) UPX Malicious Library Malicious Packer Antivirus PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed	3 Keyword trend analysis	3	9 Info ET MALWARE RedLine Stealer - CheckConnect Response ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound ET MALWARE Redline Stealer Family Activity (Response) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SURICATA HTTP unable to match response to request		9.2		62	ZeroCERT

9265	2024-01-22 12:45	RisePro_1.4_oCtFry7ogY0hng063r... 1c8918482b9cd613ba75ab7a16463e18 Generic Malware Malicious Library Malicious Packer UPX PE32 PE File OS Processor Check ZIP Format PNG Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted Windows utilities Disables Windows Security Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed	1 Keyword trend analysis	5	7 Info SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity)		13.2	M	14	ZeroCERT

9266	2024-01-23 08:04	face.exe b367a4da8177d0be7638599aad1caa9b Amadey Generic Malware NSIS Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Anti_VM AntiDebug AntiVM PE32 PE File PNG Format OS Processor Check DLL .NET EXE ZIP Format MZP Format JPEG Format BMP Format CHM Format Browser Info Stealer Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Update Exploit Browser RisePro Email ComputerName DNS Software crashed Downloader	19 Keyword trend analysis Info http://185.215.113.68/theme/Plugins/clip64.dll - rule_id: 38951 http://109.107.182.3/cost/vimu.exe - rule_id: 39038 http://185.215.113.68/theme/Plugins/cred64.dll - rule_id: 38948 http://109.107.182.3/cost/nika.exe - rule_id: 39037 http://apps.identrust.com/roots/dstrootcax3.p7c http://185.172.128.90/cpa/ping.php?substr=seven&s=ab - rule_id: 38981 http://109.107.182.3/cost/go.exe - rule_id: 39025 http://185.215.113.68/mine/amer.exe - rule_id: 39024 http://185.215.113.68/theme/index.php - rule_id: 38935 https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp19ppAsRv2o6lyozUloXtl2vtHTQ_Z5hQtp6-dWz_Yb_d5Sog8ygYecStquNLy1xgWdXfMz&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-955853393%3A1705964159222861 https://www.google.com/favicon.ico https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://accounts.google.com/ https://accounts.google.com/generate_204?dNjB8g https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp0prvDtaojbUs_fFiN9b9CD7hkEJ1nHDhTfd9vIUqM3YxyI4uMpGixUZhaFGRKzHsJvSPCU https://i.alie3ksgaa.com/sta/imagd.jpg	23 Info db-ip.com(104.26.4.15) www.google.com(142.250.76.132) ssl.gstatic.com(142.250.207.99) www.fleefight.it(94.177.48.37) - malware ipinfo.io(34.117.186.192) i.alie3ksgaa.com(154.92.15.189) - mailcious accounts.google.com(64.233.188.84) 193.233.132.62 - mailcious 216.58.200.227 94.177.48.37 - malware 87.251.77.166 - mailcious 104.26.4.15 173.194.174.84 185.215.113.68 - malware 185.172.128.19 - mailcious 185.172.128.90 - mailcious 34.117.186.192 142.251.220.68 61.111.58.35 - malware 185.172.128.53 - malware 154.92.15.189 - mailcious 185.172.128.109 - malware 109.107.182.3 - mailcious	19 Info ET MALWARE [ANY.RUN] RisePro TCP (Token) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE Suspected RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO Packed Executable Download ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE Amadey Bot Activity (POST) ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	8 Info http://185.215.113.68/theme/Plugins/clip64.dll http://109.107.182.3/cost/vimu.exe http://185.215.113.68/theme/Plugins/cred64.dll http://109.107.182.3/cost/nika.exe http://185.172.128.90/cpa/ping.php http://109.107.182.3/cost/go.exe http://185.215.113.68/mine/amer.exe http://185.215.113.68/theme/index.php	25.8	M		ZeroCERT

9267	2024-01-23 14:15	PrivateCheat.exe 92d5541274a80650bf7fc9d40f2be865 Generic Malware Downloader Malicious Library UPX MPRESS Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE32 PE File OS Processor C VirusTotal Malware PDB Code Injection Creates executable files AppData folder suspicious TLD Tofsee ComputerName Remote Code Execution crashed		2	1		5.4	M	28	ZeroCERT

9268	2024-01-23 14:19	IEbrowserUpdates.vbs b188e3740962ca8e83f9a86ab3889c9f VirusTotal Malware wscript.exe payload download Tofsee	2 Keyword trend analysis	2	2		2.6	M	3	ZeroCERT

9269	2024-01-23 14:50	http://www.amazon.ca f0d918f20a6893435e7ed9012fffbce2 Downloader Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Hijack Network Sniff Audio HTTP DNS Code injection Internet API persistence FTP KeyLogger P2P AntiDebug AntiVM icon MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities malicious URLs Tofsee Windows Exploit DNS crashed	4 Keyword trend analysis	6	2		4.2			guest

9270	2024-01-24 07:58	dd.exe cce53392d805e6fbfdbccf4527d53c26 AgentTesla Generic Malware .NET framework(MSIL) Antivirus PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed keylogger		2	4		13.6		38	ZeroCERT