Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
10111	2024-06-14 18:42	hecto.doc dd2d12d4f427963b4334a6f1061a252b MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware exploit crash unpack itself Tofsee Exploit DNS crashed	1 Keyword trend analysis	3	5 Info ET DNS Query to a *.top domain - Likely Hostile ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1 ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET HUNTING Possible COVID-19 Domain in SSL Certificate M2		4.0	M	27	ZeroCERT

10112	2024-06-15 08:12	Appendix.jpg.lnk b8be125e6f496b0d5856fd4c2b59d778 Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Interception	3 Keyword trend analysis	4	1	1	4.6			ZeroCERT

10113	2024-06-15 08:12	Bio Data Form.jpg.lnk e10c8df203a7a195a44ee629fcf0c756 Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting unpack itself Check virtual network interfaces suspicious process Tofsee Interception	3 Keyword trend analysis	4	1	1	5.2			ZeroCERT

10114	2024-06-15 08:13	Dispatch of the APC HMLTV tech... 73a0170ea882989f6ffc3b4726a3ee56 Generic Malware AntiDebug AntiVM GIF Format Lnk Format Code Injection Check memory buffers extracted Creates shortcut RWX flags setting Check virtual network interfaces suspicious process Tofsee Interception	3 Keyword trend analysis	4	1	1	4.8			ZeroCERT

10115	2024-06-15 08:30	amadka.exe 5a12fd39ea2482c5ef29e1ca1fe5c083 Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Themida Packer Malicious Library UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Http API PWS Code injection Anti_VM AntiDebug AntiVM PE File PE32 P Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Cryptocurrency Miner Malware powershell Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Detects VMWare powershell.exe wrote Check virtual network interfaces suspicious process AppData folder malicious URLs suspicious TLD WriteConsoleW VMware anti-virtualization IP Check human activity check installed browsers check Tofsee Stealer Windows Exploit Browser RisePro ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner	12 Keyword trend analysis Info http://185.172.128.19/b2c2c1.exe http://185.172.128.19/NewKindR.exe http://185.172.128.19/ghsdh39s/index.php - rule_id: 38300 http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037 http://147.45.47.155/ku4Nor9/index.php http://185.172.128.19/FirstZ.exe - rule_id: 39930 http://apps.identrust.com/roots/dstrootcax3.p7c http://77.91.77.81/lend/setup222.exe http://x1.i.lencr.org/ http://77.91.77.81/lend/servoces64.exe https://d1i94yju6i4l9g.cloudfront.net/setup.exe https://db-ip.com/demo/home.php?s=175.208.134.152	24 Info xmr-eu1.nanopool.org(146.59.154.106) - mailcious db-ip.com(104.26.4.15) kmsandallapp.ru(31.31.198.35) - mailcious d1i94yju6i4l9g.cloudfront.net(18.244.65.58) ipinfo.io(34.117.186.192) x1.i.lencr.org(23.52.33.11) pastebin.com(104.20.3.235) - mailcious boredombusters.online(104.21.44.95) zeph-eu2.nanopool.org(163.172.171.111) - mailcious 182.162.106.33 - malware 51.15.89.13 147.45.47.126 - mailcious 163.172.154.142 - mailcious 18.244.65.161 185.172.128.19 - mailcious 23.41.113.9 172.67.198.131 34.117.186.192 147.45.47.155 - malware 77.91.77.81 - mailcious 31.31.198.35 - mailcious 104.26.5.15 172.67.19.24 - mailcious 185.215.113.67 - mailcious	22 Info ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	3	28.4	M		ZeroCERT

10116	2024-06-16 10:04	ey.exe ceb1b42233ced601bf691ffa63a305a9 Generic Malware Malicious Packer Malicious Library UPX DllRegisterServer dll PE File PE32 MZP Format OS Processor Check JPEG Format DLL VirusTotal Malware AutoRuns suspicious privilege Creates executable files unpack itself AppData folder sandbox evasion Tofsee Windows Advertising Google ComputerName DNS DDNS crashed keylogger	3 Keyword trend analysis Info http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download	9	2		8.4	M	67	ZeroCERT

10117	2024-06-16 10:09	lenin.exe 93896624af562420c457d547b73dd197 Malicious Packer PE File PE32 ZIP Format Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns MachineGuid Check memory buffers extracted unpack itself Windows utilities Collect installed applications suspicious process AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Browser RisePro Email ComputerName DNS Software crashed	1 Keyword trend analysis	5	9 Info ET DROP Spamhaus DROP Listed Traffic Inbound group 23 ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound)		13.8	M	41	ZeroCERT

10118	2024-06-16 10:18	random.exe 0f2c5d3966f262c04af7eb8cbe26c78a Amadey Gen1 RedLine stealer RedlineStealer Lumma Stealer Generic Malware Malicious Library Admin Tool (Sysinternals etc ...) UPX Downloader Malicious Packer Antivirus .NET framework(MSIL) ScreenShot Anti_VM AntiDebug AntiVM PE File PE32 OS Processor Chec Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Checks Bios Collect installed applications Detects VMWare Check virtual network interfaces AppData folder VMware anti-virtualization installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner	10 Keyword trend analysis Info http://185.172.128.116/Mb3GvQs8/index.php http://185.172.128.116/NewLatest.exe http://185.172.128.116/Mb3GvQs8/index.php?scr=1 http://185.172.128.116/b2c2c1.exe http://77.91.77.81/Kiru9gu/index.php - rule_id: 40037 http://77.91.77.81/lend/monster.exe http://185.172.128.19/FirstZ.exe - rule_id: 39930 http://apps.identrust.com/roots/dstrootcax3.p7c http://77.91.77.81/lend/setup222.exe http://x1.i.lencr.org/	17 Info xmr-eu1.nanopool.org(51.15.58.224) - mailcious kmsandallapp.ru(31.31.198.35) - mailcious x1.i.lencr.org(23.40.44.214) pastebin.com(104.20.4.235) - mailcious boredombusters.online(104.21.44.95) zeph-eu2.nanopool.org(51.68.137.186) - mailcious 104.20.3.235 - malware 185.172.128.19 - mailcious 23.41.113.9 172.67.198.131 51.15.193.130 77.91.77.81 - mailcious 185.172.128.116 51.68.137.186 - mailcious 31.31.198.35 - mailcious 121.254.136.9 185.215.113.67 - mailcious	17 Info ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 33 ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET MALWARE Amadey Bot Activity (POST) M1	2	20.0	M	41	ZeroCERT

10119	2024-06-16 10:23	WB.exe 2ca46e1c431bc4a3e5a01921e1e13a50 Emotet Generic Malware Downloader ASPack UPX Malicious Packer Malicious Library Anti_VM AntiDebug AntiVM PE File PE32 DllRegisterServer dll OS Processor Check JPEG Format DLL MZP Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself AppData folder sandbox evasion WriteConsoleW installed browsers check Tofsee Windows Browser Advertising Google ComputerName Remote Code Execution DNS DDNS crashed keylogger	3 Keyword trend analysis Info http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download	13 Info www.dropbox.com(162.125.84.18) - mailcious drive.usercontent.google.com(142.250.206.193) - mailcious freedns.afraid.org(69.42.215.252) docs.google.com(172.217.25.174) - mailcious xred.mooo.com() - mailcious ddos.dnsnb8.net(44.221.84.105) - mailcious 142.250.66.129 44.221.84.105 51.15.193.130 216.58.203.78 38.147.172.248 69.42.215.252 162.125.84.18 - mailcious	2		17.0	M	32	ZeroCERT

10120	2024-06-16 10:27	3-1.exe 0c52be0ed6803e36100228e2b0671b4a Generic Malware Malicious Library ASPack UPX Malicious Packer AntiDebug AntiVM DllRegisterServer dll PE File PE32 OS Processor Check JPEG Format DLL MZP Format VirusTotal Malware Buffer PE AutoRuns suspicious privilege Code Injection Check memory buffers extracted Creates executable files RWX flags setting unpack itself Windows utilities AppData folder sandbox evasion Tofsee Windows Browser Advertising Google ComputerName Remote Code Execution DNS DDNS crashed keylogger	3 Keyword trend analysis Info http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download	12 Info www.dropbox.com(162.125.84.18) - mailcious drive.usercontent.google.com(142.250.207.97) - mailcious freedns.afraid.org(69.42.215.252) docs.google.com(172.217.25.174) - mailcious xred.mooo.com() - mailcious smtp.163.com(103.129.252.45) 103.129.252.45 142.250.66.129 142.251.222.206 38.147.172.248 69.42.215.252 162.125.84.18 - mailcious	3		15.8	M	63	ZeroCERT

10121	2024-06-16 10:36	1234.exe 4d85d7bdb9b2d6163ebc289af01f023d HermeticWiper Generic Malware PhysicalDrive Malicious Packer Malicious Library Downloader UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges PWS Internet API AntiDebug AntiVM PE File PE32 CAB OS Processor Check DllRegisterSer PDB Check memory Creates executable files ICMP traffic unpack itself AppData folder malicious URLs AntiVM_Disk China anti-virtualization VM Disk Size Check Tofsee Windows Remote Code Execution	8 Keyword trend analysis Info http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=653&tdl=653&tds=653&terr=0&tes=Status\|1,ErrorCode\|0,DnCount\|6,HttpNum\|1,DnFailCount\|6,FStatus\|1,P2SS\|653,P2PS\|0,PDMode\|2&tfl=653&tp=t&tst=1&ttdl=653&ttm=1000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.Sam.CPI202405&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=153 http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.Sam.CPI202405&os=6.1&mid=fa7bb520099706f4d9615c3663eacc55&state=9 http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=fa7bb520099706f4d9615c3663eacc55&mod=360Installer.exe&ph=2C4D1463A89D6C425729E1EBD92D9A08&p2p=1&t_id=360TS_Setup.exe&tads=17298256&tdl=103789536&tds=17316439&terr=0&tes=Status\|1,ErrorCode\|0,DnCount\|23,HttpNum\|18,DnFailCount\|22,FStatus\|1,P2SS\|103789536,P2PS\|0,PDMode\|3&tfl=103789536&tp=t&tst=1&ttdl=103789536&ttm=6062&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS http://sd.p.360safe.com/8F105DD2B73CEC44783794041478D929FC616836.trt http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1105.exe https://orion.ts.360.com/installapp?c=&ch=WW.Sam.CPI202405&sch=0&ver=11.0.0.1105&lan=en&os=6.1-x64&mid=fa7bb520099706f4d9615c3663eacc55&time=1718502664&checksum=10FC50695A77DD5E36A7B75A	20 Info sd.p.360safe.com(54.230.169.32) tr.p.360safe.com(54.76.174.118) int.down.360safe.com(54.230.176.104) orion.ts.360.com(82.145.215.156) iup.360safe.com(54.230.61.95) st.p.360safe.com(54.77.42.29) s.360safe.com(54.255.136.181) 54.230.61.65 54.255.136.181 54.230.176.36 54.76.174.118 54.77.42.29 54.230.176.22 54.230.169.19 54.230.61.95 82.145.215.156 54.230.176.105 54.230.176.104 54.230.61.39 54.230.61.34	5 Info ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false) ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)		6.6	M		ZeroCERT

10122	2024-06-17 10:24	Taskbar.exe 0ee9a0317342d545c2bfd9e3fbd627f9 Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself Check virtual network interfaces Tofsee Windows Remote Code Execution Cryptographic key		2	1		3.8	M	50	ZeroCERT

10123	2024-06-17 13:29	setup222.exe 8677376c509f0c66d1f02c6b66d7ef90 Downloader PE64 PE File VirusTotal Malware MachineGuid Creates executable files Check virtual network interfaces Tofsee	1 Keyword trend analysis	3	1		3.0	M	32	ZeroCERT

10124	2024-06-17 13:33	NewLatest.exe 07101cac5b9477ba636cd8ca7b9932cb Amadey Generic Malware Malicious Packer Malicious Library UPX PE File PE32 OS Processor Check PE64 Malware download Amadey VirusTotal Cryptocurrency Miner Malware AutoRuns Malicious Traffic Creates executable files unpack itself AppData folder Windows DNS CoinMiner	3 Keyword trend analysis	8	8 Info ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Executable Download from dotted-quad Host ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	3	6.4	M	38	ZeroCERT

10125	2024-06-17 13:43	__x64___setup___x32__.zip 7e05adc41fe0d6484c3cc75893991a2f ZIP Format Malware Malicious Traffic Tofsee	2 Keyword trend analysis	3	1		1.2			ZeroCERT