Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
22516	2022-12-07 09:49	csrss.exe fc978e8e9d20edf8f2a0c4b157fe1920 Malicious Library UPX PE32 PE File VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself	22 Keyword trend analysis Info http://www.lyonfinancialusa.com/henz/ - rule_id: 23666 http://www.afterdarksocial.club/henz/ - rule_id: 23667 http://www.sqlite.org/2022/sqlite-dll-win32-x86-3380000.zip http://www.automotiveparts-store.com/henz/ http://www.lopezmodeling.com/henz/?RZ3d8rz8=dpH6BKfQQ0cm5ImeofuKRskABJrBNfLp0vSyI4bn1RZjePkdeS9a/FiQgEdxlvmzsB0l+sQcpRgj8HqvSEXtkBUtM/7b2ek1qpGMuFI=&_FNDOP=wxlLRVvHOBA - rule_id: 23671 http://www.phootka.ru/henz/ - rule_id: 23673 http://www.brennancorps.info/henz/?RZ3d8rz8=P4ST2IJPckjMYpRf2hTG7XGyBDGAy7OOggEf6mHPhnME1yGBMW0exDItYRA37f+XnLyPH15dACF6dKWBGe8FrnsbvwR+k5hXy5NlDxw=&_FNDOP=wxlLRVvHOBA - rule_id: 23670 http://www.seufi.com/henz/?RZ3d8rz8=IBGzHMg16oJNSPrzw250+MvRfpuZJ+UNeLGkgBGOsROhXn3QAnT7j8xX9Jlog+RFk3dGiXHpM08k153fm/VBkqw4m0Htf2ZTok+naIQ=&_FNDOP=wxlLRVvHOBA http://www.lopezmodeling.com/henz/ - rule_id: 23671 http://www.foxwhistle.com/henz/ - rule_id: 23672 http://www.eufidelizo.com/henz/?RZ3d8rz8=wcp3urA+/rGtUuNVdzf16ZeZGpZq4XGXlvUWG7FdGjeYGPzd5j/gkjEzvi43j/MvxviINYayZJCRqWKQvjoVWw+U5Y7ODGkonKNL7W0=&_FNDOP=wxlLRVvHOBA - rule_id: 23665 http://www.lyonfinancialusa.com/henz/?RZ3d8rz8=I97X75yj3reE70KD0H/Cak1oo2zHy9G/KKFZ2xPoakAfOE75REIsiEdUspxqeb3/DlFpoh36cAjqvl85DwXllB7WLme1uHpNnCumkME=&_FNDOP=wxlLRVvHOBA - rule_id: 23666 http://www.afterdarksocial.club/henz/?RZ3d8rz8=8TptbrIX6F4NxrWdTnVKCiNdtmXGEuELv5cUeaX5N5UPFd9Hxy/eCwrx8CSqMIuqYtp16J6ah9tFi3/97BblSlVnUMukTQJmI59ItyY=&_FNDOP=wxlLRVvHOBA - rule_id: 23667 http://www.patrickguarte.com/henz/ - rule_id: 23668 http://www.automotiveparts-store.com/henz/?RZ3d8rz8=l755dn3SV1HJ85bgdYLXX0FitE0O++oBuxO/p/rOD3cyNdqLfUPJLAMkl1O9xhY/fGSw1luYDYlS6H/677nep41+QBgryFqg6K8ooWg=&_FNDOP=wxlLRVvHOBA http://www.patrickguarte.com/henz/?RZ3d8rz8=5p9Ov6C7qce51hIp6nkbqV/d59cDddN77lLEFw6Ufibk2yN56suGmW9SnR2oT5DaW1POG/xMOeVc/Muqlx89dGklgcJInIpBk29/OFI=&_FNDOP=wxlLRVvHOBA - rule_id: 23668 http://www.phootka.ru/henz/?RZ3d8rz8=w1bwPjtuf2ZlKfJJwO+BTMATo3IZhxYr0xwxA7aVeAjkl5kFf+SBsbPh/8ORAg46rPRxP2SAJydpY5hX47JJGDyZCrebhSML6UzwAv0=&_FNDOP=wxlLRVvHOBA - rule_id: 23673 http://www.courdak.info/henz/?RZ3d8rz8=vdyVzLcxoZUoogW6+NKMfwQ5LAGTMZCWuq0zGM5B+O39UoDsvg/hobD3JDgVlVzjVFZes90R2RhtZev/AI+f5OQ7oLMklDSyOnM4EYU=&_FNDOP=wxlLRVvHOBA - rule_id: 23789 http://www.foxwhistle.com/henz/?RZ3d8rz8=jIhXpQA4pSG2yYWBbTjo4KjMDsvsQ9F5uiLrR0YNz1ez7r/FQUV2XPmUrykxRWDvkt62w03aCUUodajM6m+91s+tfqSr6z5AiriQQhU=&_FNDOP=wxlLRVvHOBA - rule_id: 23672 http://www.seufi.com/henz/ http://www.brennancorps.info/henz/ - rule_id: 23670 http://www.courdak.info/henz/ - rule_id: 23789	24 Info www.19t221013d.tokyo() - mailcious www.seufi.com(2.57.90.16) www.lyonfinancialusa.com(206.233.197.135) - mailcious www.afterdarksocial.club(162.214.129.149) - mailcious www.courdak.info(66.29.151.40) - mailcious www.foxwhistle.com(154.22.100.62) - mailcious www.eufidelizo.com(192.185.217.47) - mailcious www.automotiveparts-store.com(162.0.238.93) - mailcious www.brennancorps.info(2.57.90.16) - mailcious www.sqlite.org(45.33.6.223) www.phootka.ru(195.24.68.23) - mailcious www.patrickguarte.com(155.159.61.221) - mailcious www.lopezmodeling.com(192.185.35.86) - mailcious 162.214.129.149 - mailcious 154.22.100.62 - mailcious 195.24.68.23 - malware 192.185.217.47 - mailcious 66.29.151.40 - mailcious 2.57.90.16 - mailcious 45.33.6.223 192.185.35.86 - mailcious 162.0.238.93 - mailcious 206.233.197.135 - mailcious 155.159.61.221 - mailcious	1	17 Info http://www.lyonfinancialusa.com/henz/ http://www.afterdarksocial.club/henz/ http://www.lopezmodeling.com/henz/ http://www.phootka.ru/henz/ http://www.brennancorps.info/henz/ http://www.lopezmodeling.com/henz/ http://www.foxwhistle.com/henz/ http://www.eufidelizo.com/henz/ http://www.lyonfinancialusa.com/henz/ http://www.afterdarksocial.club/henz/ http://www.patrickguarte.com/henz/ http://www.patrickguarte.com/henz/ http://www.phootka.ru/henz/ http://www.courdak.info/henz/ http://www.foxwhistle.com/henz/ http://www.brennancorps.info/henz/ http://www.courdak.info/henz/	4.4	M	34	ZeroCERT

22517	2022-12-07 09:48	lib.hta b31d78c45268cf98eb09a4ce81ab7f60 Generic Malware Antivirus PowerShell powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote suspicious process WriteConsoleW Windows ComputerName Cryptographic key					4.8			ZeroCERT

22518	2022-12-07 09:44	s2lub.exe 2c7867a1749edef10274f3e34b047865 RedLine stealer[m] Malicious Library UPX AntiDebug AntiVM PE32 OS Processor Check PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted ICMP traffic unpack itself Collect installed applications WriteConsoleW installed browsers check Windows Browser ComputerName DNS Cryptographic key Software crashed		56 Info clysma.com() actmin.com() webband.com() 165.160.13.20 - mailcious 61.200.81.23 212.44.102.57 192.64.150.164 172.67.165.62 76.74.184.61 192.241.158.94 65.21.5.58 185.163.45.187 203.210.102.34 3.64.163.50 - mailcious 195.128.140.29 154.213.117.166 - mailcious 62.75.216.107 - mailcious 18.197.121.220 - mailcious 104.37.84.3 164.132.175.106 198.199.101.195 - mailcious 198.185.159.144 - mailcious 104.164.117.233 148.72.176.26 49.212.243.77 - mailcious 79.96.32.254 157.7.107.49 - malware 172.67.160.168 195.5.116.23 49.212.232.113 - mailcious 35.206.109.131 - mailcious 192.99.226.184 211.1.226.67 178.249.70.75 76.223.15.82 23.236.62.147 - mailcious 213.175.217.57 91.220.211.163 52.50.65.32 - suspicious 79.96.161.192 192.124.249.3 205.149.134.32 - mailcious 89.161.136.188 192.124.249.9 - mailcious 93.187.206.66 - mailcious 135.125.108.170 198.49.23.144 - mailcious 192.124.249.13 - mailcious 199.59.243.220 - mailcious 172.67.33.95 202.172.28.187 77.72.4.226 - mailcious 157.7.107.38 - mailcious 5.134.4.115 - mailcious 104.21.8.75 34.224.10.110 - mailcious			13.2	M	35	ZeroCERT

22519	2022-12-07 09:43	lib32.hta f959e6882af46c0c9b31d88d596444df Formbook Generic Malware Antivirus PowerShell Malware powershell suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key	2 Keyword trend analysis	5	6 Info SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO PowerShell NoProfile Command Received In Powershell Stagers ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1 ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1 ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2 ET INFO Powershell Base64 Decode Command Inbound		9.8	M		ZeroCERT

22520	2022-12-07 09:41	.svchost.exe ba017a929db6156f1bf1ddef8d6766c7 PWS[m] RAT PWS .NET framework Generic Malware Antivirus SMTP KeyLogger AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Windows utilities Checks Bios Detects VirtualBox powershell.exe wrote suspicious process WriteConsoleW VMware anti-virtualization Windows Browser Email ComputerName Cryptographic key Software crashed keylogger					17.6	M	22	ZeroCERT

22521	2022-12-07 09:39	shenaka.exe cd97907dfa59649f4a1b346c4e4b8243 Malicious Library UPX PE32 PE File Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed keylogger		2	2		9.0	M	33	ZeroCERT

22522	2022-12-07 09:37	lfjsdk3.exe d1964c1b30d01262eccaee06c600d726 Themida Packer Malicious Library PE File PE64 VirusTotal Malware unpack itself Windows crashed					3.0	M	19	ZeroCERT

22523	2022-12-07 09:34	Fattura_IT9032003.bat 6f6c9bcd7104d5265ebaba45e7ccd463 PWS[m] Formbook Generic Malware Downloader Antivirus Create Service DGA Socket ScreenShot DNS Internet API Code injection Sniff Audio HTTP Steal credential KeyLogger P2P Escalate priviledges FTP Http API AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	1 Keyword trend analysis	2	1		8.0		12	ZeroCERT

22524	2022-12-07 09:26	3_IT02530467861_59_06122022_08... 6d2e558cabf7ca6f0dc0fb8a5262dad5 Generic Malware VBA_macro MSOffice File VirusTotal Malware RWX flags setting unpack itself					1.4		13	ZeroCERT

22525	2022-12-07 09:26	6_IT08171506083_31_06122022_05... 73754273e4f7c0eb246d7ab9807736aa PWS[m] Generic Malware VBA_macro ScreenShot KeyLogger AntiDebug AntiVM MSOffice File VirusTotal Malware Code Injection unpack itself					2.6		10	ZeroCERT

22526	2022-12-07 09:21	csrss.exe 58a93725b592923568ede95c067e81b2 Loki PWS[m] PWS Loki[b] Loki.m Socket DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software	1 Keyword trend analysis	1	7 Info ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response	1	14.4	M	25	ZeroCERT

22527	2022-12-07 09:19	vbc.exe 3374b87be5da25a09046d0b59ccc34c7 RAT PWS .NET framework Generic Malware Antivirus PE32 .NET EXE PE File VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName Cryptographic key					7.8	M	26	ZeroCERT

22528	2022-12-07 09:19	audiodg.exe 69fb5dc2536e4d17b234363780a2adaf Loki PWS[m] PWS Loki[b] Loki.m RAT .NET framework Socket DNS AntiDebug AntiVM PE32 .NET EXE PE File Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Browser Email ComputerName DNS Software	1 Keyword trend analysis	1	7 Info ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response	1	13.2	M	23	ZeroCERT

22529	2022-12-07 09:18	document_133_invoice_PDF.msi 76bf2b13ab0bdb12c1b8fc474fb9984e Malicious Library ASPack MSOffice File OS Processor Check CAB IcedID Malware download Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself AntiVM_Disk VM Disk Size Check ComputerName	1 Keyword trend analysis	2	1		2.6			guest

22530	2022-12-07 09:17	.win32.exe 54987f615d048a1355bea79033808d2b Malicious Library UPX PE32 OS Processor Check PE File VirusTotal Malware PDB unpack itself RCE DNS		1			2.6	M	28	ZeroCERT