17296 | 2023-06-08 11:28
File_pass1234.7z 66448293af6065ecbcfb9038e202d4b6
PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download Malware Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows Trojan DNS
20
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.9.74.6/2.exe
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://116.203.166.22/
http://83.97.73.130/gallery/photo250.exe
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://116.203.166.22/3a85713b3d5d1b920c3b568392c6a89a
http://www.maxmind.com/geoip/v2.1/city/me
http://208.67.104.60/api/tracemap.php - rule_id: 28876
http://194.169.175.124:3002/ - rule_id: 34039
http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
http://116.203.166.22/files.zip
https://sun6-21.userapi.com/c909218/u228185173/docs/d49/e831690feb01/2poy.bmp?extra=ZTKGWIUO1EhJHS9mBKTB5OY_pmLAAMImPXHiT8UJiR3RZ3XvH8dUl5B8ZhhL5uQfGdbY_68Y9cXLOeOHTbvIpkuBtx_Es_exgotwdrhEgC99AyhTxEANoBLOGc8T0e2MA9BH1JwwtuddiJLhFw
https://steamcommunity.com/profiles/76561199511129510
https://vk.com/doc228185173_661224258?hash=vCiUkZVIOFAXqjET3WDU8hdIjjzYstZfhGTRT7qdWhH&dl=GcYUtutpXzkbwR15ZQIkqE7aWmquwiggKIZSr0u1iDL&api=1&no_preview=1#2poy
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
https://db-ip.com/
https://sun6-23.userapi.com/c235031/u228185173/docs/d2/6433426ed486/buddha.bmp?extra=6LBz6bFJP2-IdzuvTEcxMA-WOL_NETdpYpWfPHpcpnJO_fK2G8I2LGf5NDZU1vgcZXWumoS1qS0l4T5WQmzflIHG0Tb3MArA1unEteMfBEo-FUejxbatU0IJb2aUtBaBHOI4eWgU-ph3IRtzWQ
https://vk.com/doc228185173_661187707?hash=E8KBAj0mrQKeVeg1mQqulf9QwzUSNijpeZUdZZRHzOH&dl=e9WRikYkxObWVd60tMcOvsySjPuuoC81YCrbzvtmzA0&api=1&no_preview=1#WW1
https://sun6-20.userapi.com/c240331/u228185173/docs/d10/4b7a72f85de2/WWW1.bmp?extra=jl1aQfFxyg4nmTCmMKFT4qVnPEeE4J5ujDPJmG42gqNuqOxDjDsctdEVNXFT167Kd1O3vinZl4a5LemWEra7pYXKwK8bkDHxNHj77AxY1nCnL7K3jLVDIAHuUFq7Y747JGSUFQvpSMkF_ZUBfA
39
sun6-23.userapi.com(95.142.206.3)
db-ip.com(104.26.5.15)
iplis.ru(148.251.234.93) - mailcious
hugersi.com(91.215.85.147) - malware
steamcommunity.com(104.100.64.90) - mailcious
ji.jahhaega2qq.com(172.67.182.87) - malware
iplogger.org(148.251.234.83) - mailcious
t.me(149.154.167.99) - mailcious
sun6-21.userapi.com(95.142.206.1) - mailcious
ipinfo.io(34.117.59.81)
www.maxmind.com(104.17.215.67)
sun6-20.userapi.com(95.142.206.0) - mailcious
api.db-ip.com(172.67.75.166)
vk.com(87.240.132.67) - mailcious
148.251.234.93 - mailcious
104.17.215.67
87.240.137.164 - mailcious
91.215.85.147 - malware
23.198.103.114
104.26.5.15
208.67.104.60 - mailcious
194.169.175.124 - mailcious
149.154.167.99 - mailcious
172.67.75.166
116.203.166.22
157.254.164.98 - mailcious
34.117.59.81
148.251.234.83
45.12.253.74 - malware
94.142.138.131 - mailcious
185.81.68.115
83.97.73.130
147.135.231.58 - mailcious
163.123.143.4 - mailcious
95.142.206.1 - mailcious
95.142.206.0 - mailcious
95.142.206.3
45.9.74.6
104.21.18.146
18
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Download from dotted-quad Host
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO EXE - Served Attached HTTP
ET DROP Spamhaus DROP Listed Traffic Inbound group 40
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO TLS Handshake Failure
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO Dotted Quad Host ZIP Request
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
6
http://94.142.138.131/api/firegate.php
http://hugersi.com/dl/6523.exe
http://94.142.138.131/api/tracemap.php
http://208.67.104.60/api/tracemap.php
http://194.169.175.124:3002/
http://ji.jahhaega2qq.com/m/p0aw25.exe
6.2 | M | | ZeroCERT

17297 | 2023-06-08 11:15
final.docm ea8f8a4cd85177248a08490f05d1b555
VBA_macro ZIP Format Word 2007 file format(docx) VirusTotal Malware exploit crash unpack itself Exploit crashed
3.8 | | 37 | ZeroCERT

17298 | 2023-06-08 11:08
cleanmgrs.exe 5acd030fa8d6773c21b19a4468727d05
RAT NSIS UPX Malicious Library PE File PE32 GIF Format PNG Format .NET DLL OS Processor Check DLL PE64 VirusTotal Malware Check memory Creates shortcut Creates executable files unpack itself AppData folder
2.8 | | 9 | ZeroCERT

17299 | 2023-06-08 09:28
YY.exe 5a01a667c84893b0ab403b39b3c73b53
AgentTesla RAT browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger ScreenShot AntiDebug AntiVM PE64 PE File Remcos VirusTotal Malware PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself DNS DDNS
1
http://geoplugin.net/json.gp
6
geoplugin.net(178.237.33.50)
pekonomiana.duckdns.org(134.19.179.211)
178.237.33.50
61.111.58.40
104.76.70.102
134.19.179.211
3
ET JA3 Hash - Remcos 3.x TLS Connection
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
9.4 | M | 28 | ZeroCERT

17300 | 2023-06-08 09:28
main.exe d24e233cbed550a67e8d56f88632a869
Gen1 Emotet Generic Malware UPX Malicious Library Antivirus CAB PE64 PE File PDB Check memory unpack itself WriteConsoleW Windows RCE Cryptographic key
1.8 | | | ZeroCERT

17301 | 2023-06-08 09:27
dot.exe 0a8ef8b03ea08b3ef952d7b7cc7f3082
Generic Malware Malicious Packer PE64 PE File VirusTotal Malware unpack itself DNS
1
3.8 | M | 48 | ZeroCERT

17302 | 2023-06-08 09:26
HH.exe 66108176e22e6f9513a62c76f2185468
AgentTesla browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS[m] Sniff Audio Internet API Escalate priviledges KeyLogger AntiDebug AntiVM PE64 PE File Remcos VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS DDNS
2
pekonomia.duckdns.org(192.169.69.26) - mailcious
192.169.69.26 - phishing
3
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
ET JA3 Hash - Remcos 3.x TLS Connection
7.4 | M | 45 | ZeroCERT

17303 | 2023-06-08 09:26
Dollar.exe 99e770cd68e71c4e1fff20ffbb325624
RAT email stealer Downloader Confuser .NET DNS Code injection PWS[m] Escalate priviledges persistence KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed
1
10.0 | | 45 | ZeroCERT

17304 | 2023-06-08 09:24
sonne.exe f4af549b7d5af2412c9b092cbe5610d1
UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) OS Processor Check PE File PE32 DLL Malware download Amadey Malware AutoRuns PDB Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName DNS
3
http://77.91.68.30/music/rock/index.php
http://77.91.68.30/music/rock/Plugins/cred64.dll
http://77.91.68.30/music/rock/Plugins/clip64.dll
1
7
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
8.2 | M | | ZeroCERT

17305 | 2023-06-08 09:23
clip64.dll a5ed103ec4719a27ab3d3c01dac66f01
UPX Malicious Library Admin Tool (Sysinternals etc ...) OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself
2.0 | M | 56 | ZeroCERT

17306 | 2023-06-08 09:21
qqqqqqqqq f2d3c60d35d0213760c48cdfddec36dc
OS Processor Check ZIP Format VirusTotal Malware DNS
2
5.181.12.94
138.201.197.74
1.4 | M | 20 | ZeroCERT

17307 | 2023-06-08 09:21
metro.exe bbae70e8a90c7dee5fab03c19a86f1bb
RedLine stealer[m] UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Buffer PE suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1
3
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
10.6 | | | ZeroCERT

17308 | 2023-06-08 09:21
combo.exe f693e2f2661b6e5824ccd29e5ba58bb6
PWS .NET framework RAT Downloader Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Report Cryptocurrency wallets Cryptocurrency Telegram AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Ransomware WhiteSnake Stealer Windows Browser Email ComputerName DNS Software
8
http://ip-api.com/line?fields=query,country
http://129.151.210.129:8082/FMARE_test22%40TEST22-PC_report.wsr
http://138.201.197.74:8080/FMARE_test22%40TEST22-PC_report.wsr
http://apps.identrust.com/roots/dstrootcax3.p7c
http://5.181.12.94/FMARE_test22%40TEST22-PC_report.wsr
http://129.151.210.129:8082/pHCVP_test22%40TEST22-PC_report.wsr
http://x1.i.lencr.org/
http://r3.i.lencr.org/
17
api.telegram.org(149.154.167.220)
archive.torproject.org(159.69.63.226)
x1.i.lencr.org(104.76.70.102)
ip-api.com(208.95.112.1)
r3.i.lencr.org(104.76.70.102)
104.76.70.102
167.86.115.218
65.21.49.163
61.111.58.40
149.154.167.220
185.189.159.121
159.69.63.226
138.201.197.74
208.95.112.1
5.181.12.94
129.151.210.129
89.46.80.136
6
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO TLS Handshake Failure
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)
ET POLICY External IP Lookup ip-api.com
14.8 | M | 49 | ZeroCERT

17309 | 2023-06-08 09:19
SS.exe b682e3dc1f18c1131f75ff8582aa5703
RAT email stealer Downloader Confuser .NET DNS Code injection PWS[m] Escalate priviledges persistence KeyLogger AntiDebug AntiVM PE64 PE File VirusTotal Malware PDB MachineGuid Code Injection Check memory Checks debugger buffers extracted unpack itself DNS crashed
1
9.0 | M | 26 | ZeroCERT

17310 | 2023-06-08 09:08
fotod25.exe 16a7613fd06e8be30c74a2392a78fcd4
RedLine stealer[m] Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) PWS[m] AntiDebug AntiVM CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName RCE DNS Cryptographic key Software crashed
3
http://77.91.68.30/music/rock/index.php
http://77.91.68.30/music/rock/Plugins/cred64.dll
http://77.91.68.30/music/rock/Plugins/clip64.dll
2
77.91.68.30 - malware
83.97.73.129
9
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
22.0 | M | 42 | ZeroCERT