Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
17386	2023-06-02 18:55	Password_2022_Installer.rar 255ec60f26fc08b0b1a3ef793ad33bfb PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Lumma Stealer DNS	1 Keyword trend analysis	1	2		3.8			ZeroCERT

17387	2023-06-02 18:51	Password_2022_Installer.rar 255ec60f26fc08b0b1a3ef793ad33bfb PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM suspicious privilege Check memory Checks debugger unpack itself					1.6			ZeroCERT

17388	2023-06-02 18:46	rh2605.exe ed5185618f3583ea107d1aa500e729f6								ZeroCERT

17389	2023-06-02 18:43	File_pass1234.7z 63e2ad5f5f1466a924b0c77048dcc60a Redline PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealer Windows DNS	17 Keyword trend analysis Info http://77.91.68.62/DSC01491/fotocr06.exe - rule_id: 33774 http://hugersi.com/dl/6523.exe - rule_id: 32660 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://85.208.136.10/api/firegate.php - rule_id: 32663 http://77.91.68.62/wings/game/index.php - rule_id: 33726 http://77.91.68.62/DSC01491/foto148.exe - rule_id: 33773 http://www.maxmind.com/geoip/v2.1/city/me http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779 http://85.208.136.10/api/tracemap.php - rule_id: 32662 https://vk.com/doc800513317_661831941?hash=kC1U4OLCAYMUhVtMfoutYSzDrY3EsJWFVrzp6QPGPus&dl=7914u1IpemjZrAZ1e75d2G0XzBQ90WsmERXsgDjYTgL&api=1&no_preview=1 https://vk.com/doc791620691_664833875?hash=u7gA1WPz7GZN7R6AsWfNRszp1EhXac8b6J8qQmORXow&dl=ZMktHzYCzZ9XDvxi97D73YkXsVJJPzzGWy3sWU7JhpD&api=1&no_preview=1 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://sun6-21.userapi.com/c240331/u800513317/docs/d20/68fdb46e6c52/PMp123a.bmp?extra=NpfI2Dmo18FSvnw9T36Up24KS6_b4xAj555TPlBXx7f1gghfzgQxuitnRimxvAErJEpvGtGIoG-YQq9vQBMSizlupZ5BBN9Y1OQO1yi9XJumXNbdQfkbjdQgwb0ahuj6CKQIfHe1nBetrUbQww https://vk.com/doc791620691_664710492?hash=j27Vxz0stfSxJXNlzmz602vSgZ0IXBoi9ZZq9syJVkT&dl=Sw3eQffdQH4eEi2robhrPmVXjMf9ExmZT9V02woFQ2k&api=1&no_preview=1#WW1 https://sun6-23.userapi.com/c235031/u791620691/docs/d33/5cee3fee83b0/WWW1.bmp?extra=9MQFCK9sy0BlFTB0sDmDo892U3wcsqjQnbA_GeW4BLqu0c4KbVa9EBsGMmrM-FhmMiMKZ9rfwHYcXuZqLdVeGZ569kTZQFDf0i9x8EWY85Oc_HUbGDkUIAnfe6_Mfqlaw7ngI48-yWqJWkEN2Q https://sun6-21.userapi.com/c237331/u791620691/docs/d45/31ee3e720154/cloudcosmic.bmp?extra=7z5X_rDygaQP6H7Cl38-7ZanPu_gKgnhQsLZRY0P7SEoIOS9yMw8BKCKqA4tAV0SehxJBNY1gbAR9slw-KYeFhQRbmfIN0uHZPcqXd4VaKR2ssoYGNtLN1_pk3ei4N5cLYakfcK3tEPYrXTNqA	32 Info db-ip.com(104.26.4.15) iplis.ru(148.251.234.93) - mailcious hugersi.com(91.215.85.147) - malware ji.jahhaega2qq.com(172.67.182.87) - malware sun6-21.userapi.com(95.142.206.1) - mailcious sun6-23.userapi.com(95.142.206.3) ipinfo.io(34.117.59.81) www.maxmind.com(104.17.214.67) api.db-ip.com(104.26.4.15) iplogger.org(148.251.234.83) - mailcious vk.com(87.240.132.72) - mailcious 148.251.234.93 - mailcious 77.91.68.62 - malware 83.97.73.128 - malware 91.215.85.147 - malware 87.240.129.133 - mailcious 104.26.5.15 83.97.73.127 - mailcious 172.67.75.166 157.254.164.98 - mailcious 34.117.59.81 172.67.182.87 - malware 148.251.234.83 45.12.253.74 - malware 95.214.25.234 - malware 104.17.214.67 45.15.156.229 - mailcious 95.142.206.3 163.123.143.4 - mailcious 95.142.206.1 - mailcious 85.208.136.10 - mailcious 176.113.115.239 - malware	18 Info ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) SURICATA Applayer Mismatch protocol both directions ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Download from dotted-quad Host ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Packed Executable Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) ET MALWARE RedLine Stealer TCP CnC net.tcp Init ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO TLS Handshake Failure ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	8 Info http://77.91.68.62/DSC01491/fotocr06.exe http://hugersi.com/dl/6523.exe http://45.15.156.229/api/tracemap.php http://85.208.136.10/api/firegate.php http://77.91.68.62/wings/game/index.php http://77.91.68.62/DSC01491/foto148.exe http://ji.jahhaega2qq.com/m/p0aw25.exe http://85.208.136.10/api/tracemap.php	7.6	M		ZeroCERT

17390	2023-06-02 18:40	BandicamScreenRecorder_pass123... 0dd10d786758af063a14efaff9ebf78e PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM Malware download Malware RecordBreaker suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Tofsee Stealer Windows DNS	34 Keyword trend analysis Info http://91.202.5.224/rh2605.exe http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll http://94.130.226.235/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll http://94.130.226.235/2033a784d8c945410d4233592ea99f71 http://94.130.226.235/ https://www.bandicam.co.kr/favicon.ico https://www.bandicam.co.kr/downloads/ https://www.bandicam.co.kr/style.min.css?20221205 https://wcs.naver.com/m?u=https%3A%2F%2Fwww.bandicam.co.kr%2Fdownloads%2F&e=&wa=s_502950d95e2b&bt=-1&os=Win32&ln=ko&sr=1365x1024&bw=1211&bh=841&c=24&j=Y&jv=1.8&k=Y&ct=lan&cs=utf-8&tl=%25EB%25B0%2598%25EB%2594%2594%25EC%25BA%25A0%2520%25EB%25AC%25B4%25EB%25A3%258C%2520%25EB%258B%25A4%25EC%259A%25B4%25EB%25A1%259C%25EB%2593%259C%253A%2520%25EC%25BB%25B4%25ED%2593%25A8%25ED%2584%25B0%2520%25ED%2599%2594%25EB%25A9%25B4%2520%25EB%25B0%258F%2520%25EB%258F%2599%25EC%2598%2581%25EC%2583%2581%2520%25EB%2585%25B9%25ED%2599%2594%2520%25ED%2594%2584%25EB%25A1%259C%25EA%25B7%25B8%25EB%259E%25A8&vs=0.8.7&nt=1685698468990&EOU https://www.bandicam.co.kr/img/logo_bandicam.png https://www.bandicam.co.kr/img/menu_bg.gif https://www.bandicam.co.kr/img/topmenuicon_bandicam.png https://www.bandicam.co.kr/js/jquery-3.5.1.custom.min.js https://www.bandicam.co.kr/img/icon-windows.png https://www.bandicam.co.kr/downloads/bandicam_kor_3.gif https://www.bandicam.co.kr/img/topmenuicon_bandicut.png https://wcs.naver.net/wcslog.js https://www.bandicam.co.kr/img/img_gs.gif https://www.bandicam.co.kr/img/img_sns_btns.png https://www.bandicam.co.kr/js/jquery-ui.custom.min.js https://www.bandicam.co.kr/js/bootstrap-3.4.1.min.js https://www.bandicam.co.kr/js/jquery.magnific-popup.min.js https://www.bandicam.co.kr/magnific-popup.min.css https://www.bandicam.co.kr/js/acecounter_cts.js https://www.bandicam.co.kr/img/img_flags_2516_43.gif https://www.bandicam.co.kr/img/srch-icon.png https://www.bandicam.co.kr/js/lazysizes.min.js https://www.bandicam.co.kr/js/bootstrap-3.3.2.min.css?20210521 https://www.googletagmanager.com/gtag/js?id=G-55QDT2Q4HQ	12	15 Info ET INFO Executable Download from dotted-quad Host SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/RecordBreaker CnC Checkin M1 ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response ET INFO Dotted Quad Host DLL Request ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO TLS Handshake Failure ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET HUNTING Possible Generic Stealer Sending System Information ET HUNTING Possible Generic Stealer Sending a Screenshot		3.8			ZeroCERT

17391	2023-06-02 18:34	ddd.json.ps1 558632789032f0e8cb4f4be1c784ed08 Hide_EXE Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key					1.6	M	16	ZeroCERT

17392	2023-06-02 18:33	Atm_Fradulent_Transaction_Note... 0f721b8721fcf53a2f584d1e14576222 VirusTotal Malware VBScript AutoRuns WMI wscript.exe payload download AntiVM_Disk VM Disk Size Check Windows ComputerName Dropper		2	1		10.0		3	ZeroCERT

17393	2023-06-02 18:29	647935b3df1dc.zip 2e1d77880b713f913c52773045cae78d ZIP Format Malware Malicious Traffic NetSupport	3 Keyword trend analysis	4	3		0.8			ZeroCERT

17394	2023-06-02 17:50	hkcmd.exe 47e139c4d15656a318c89ceab3fd3779 Loki Loki_b Loki_m Formbook Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs installed browsers check Browser Email ComputerName DNS Software	1 Keyword trend analysis	1	7 Info ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Fake 404 Response	1	14.2	M	40	ZeroCERT

17395	2023-06-02 17:48	hkcmd.exe a9ef402dafd9bf3e6ecad54f7a5c5cce Loki Loki_b Loki_m PWS .NET framework Socket DNS PWS[m] AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself suspicious process malicious URLs installed browsers check Browser Email ComputerName DNS Software	1 Keyword trend analysis	1	7 Info ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response	1	13.8	M	23	ZeroCERT

17396	2023-06-02 17:46	ioioioioioioioioioioio%23%23%2... b7317b332d56b95754a97d72aab04605 MS_RTF_Obfuscation_Objects RTF File doc FormBook Malware download VirusTotal Malware Malicious Traffic buffers extracted RWX flags setting exploit crash suspicious TLD Windows Exploit DNS crashed	5 Keyword trend analysis Info http://www.7xwithlove.com/hs95/?DFQh=FEsyfnPPa2w+7CwdFgilHyOzcmfi/nutV7R4VzlheLbxlq0f1Q/R2T+xobBm3SO35hOaA5PO&v4XxH=hDK0LDbh http://ww1.neasamparishcouncil.co.uk/ http://www.hjcyh.top/hs95/?DFQh=veHdkKG+cnEW8XBO+RdGzKP6IcE1bFb25+rl9urMqczOpB7y3gu3kSbNkUR65Uo7B3JmwNzU&v4XxH=hDK0LDbh http://www.neasamparishcouncil.co.uk/hs95/?DFQh=yYc+EqOdCqTl0g9C3mb2l/5tONbYjkLloFYHR7Kcv9AZpB3ZrS2JcC/VodST10LvJHaEdC22&v4XxH=hDK0LDbh http://45.66.230.127/254/INTERNET.exe	11 Info www.7xwithlove.com(23.227.38.74) www.dajichi.asia() www.neasamparishcouncil.co.uk(63.141.242.46) ww1.neasamparishcouncil.co.uk(199.59.243.223) www.hjcyh.top(103.216.153.107) 192.187.111.222 - phishing 63.141.242.45 - mailcious 199.59.243.223 103.216.153.107 23.227.38.74 - mailcious 45.66.230.127 - malware	11 Info ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET DNS Query to a .top domain - Likely Hostile ET USER_AGENTS Suspicious User-Agent (Windows Explorer) ET INFO HTTP Request to a .top domain ET MALWARE FormBook CnC Checkin (GET) ET HUNTING Request to .TOP Domain with Minimal Headers SURICATA HTTP unable to match response to request		6.4	M	30	ZeroCERT

17397	2023-06-02 17:46	grace.exe b74a27f1d2f59773c8fc41c831600fe3 Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself crashed					2.2	M	30	ZeroCERT

17398	2023-06-02 17:42	cc.exe db1d5ad95e2020413ca89f274657f3b1 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself RCE					1.8	M	27	ZeroCERT

17399	2023-06-02 17:40	hkcmd.exe 79796093d175c7811e14b67d670efdfc UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware PDB unpack itself RCE					2.2	M	33	ZeroCERT

17400	2023-06-02 17:38	2.exe 5c3837c38ccbcdd101a0f23550e68443 UPX Malicious Library OS Processor Check PE File PE32 VirusTotal Malware unpack itself RCE					2.0	M	33	ZeroCERT