Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
43591	2024-03-24 13:59	sarra.exe cb6ca7a54ebb767d3d996fde3d6b20bb Amadey Themida Packer Generic Malware Admin Tool (Sysinternals etc ...) Malicious Library UPX Malicious Packer Antivirus Anti_VM AntiDebug AntiVM PE File PE32 MSOffice File ZIP Format OS Processor Check Lnk Format GIF Format DLL PE64 Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency powershell AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Checks Bios Collect installed applications Detects VirtualBox Detects VMWare powershell.exe wrote suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW VMware anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Windows Exploit Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader	16 Keyword trend analysis Info http://193.233.132.56/Pneh2sXQk0/index.php http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll http://193.233.132.62:57893/hera/amadka.exe - rule_id: 39491 http://www.maxmind.com/geoip/v2.1/city/me http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll http://193.233.132.167/cost/go.exe http://193.233.132.167/lend/lumma21.exe https://www.google.com/favicon.ico https://db-ip.com/demo/home.php?s=175.208.134.152 https://accounts.google.com/_/bscframe https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&ifkv=ARZ0qKKZ5yLw91CeXZgf6l3nIZ3R1Ri0N7zkeLQ91IYy93V6HIEFRBR3xUlg9T_5GyHFxbOd4i67&passive=true&service=youtube&uilel=3&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1845397159%3A1711255787052476 https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Dko%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=ko&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKKjgyHg6fMmr6lxYRHxyoe5wXVroRpHBfaB59EVywFVFeAi3uitzW1gGA6ffBNDx0ObflIffQ https://www.youtube.com/account https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://accounts.google.com/generate_204?RhQsIg	18 Info db-ip.com(104.26.5.15) www.google.com(142.250.207.100) www.youtube.com(142.250.196.142) - mailcious ssl.gstatic.com(142.250.196.131) ipinfo.io(34.117.186.192) accounts.google.com(64.233.188.84) www.maxmind.com(104.18.146.235) 142.250.66.100 104.18.145.235 104.26.4.15 216.58.200.238 193.233.132.74 193.233.132.62 - mailcious 34.117.186.192 108.177.97.84 216.58.203.67 193.233.132.56 - malware 193.233.132.167 - malware	16 Info ET INFO Executable Download from dotted-quad Host SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET MALWARE RisePro TCP Heartbeat Packet ET MALWARE [ANY.RUN] RisePro TCP (Token) ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) ET MALWARE RisePro CnC Activity (Inbound) ET MALWARE [ANY.RUN] RisePro TCP (Activity) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Dotted Quad Host DLL Request ET MALWARE [ANY.RUN] RisePro TCP (External IP) ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	1	29.0	M	29	ZeroCERT

43592	2024-03-24 14:00	lummalg.exe 04df085b57814d1a1accead4e153909e Craxs RAT Generic Malware PE File .NET EXE PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself WriteConsoleW ComputerName					2.8	M	34	ZeroCERT

43593	2024-03-24 14:00	ISetup3.exe 46cb065381895196cf6c887ea1c38aa6 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution					2.0	M	34	ZeroCERT

43594	2024-03-24 14:02	kissmydearuarereallysweetforme... cf97df47c7e054abfa506a0f7d5cc20d MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted					2.6	M	31	ZeroCERT

43595	2024-03-24 14:02	djdjdje1939_crypted_EASY.exe d27ac79a31d3b896630513670235991b Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself crashed					2.2	M	54	ZeroCERT

43596	2024-03-24 14:03	riviera_tour_sochi.pdf.exe 5bcfa8f37baca2ce16991579bbcd6637 Client SW User Data Stealer browser info stealer NSIS Generic Malware Themida Packer Google Chrome User Data Downloader Malicious Library UPX Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code Browser Info Stealer VirusTotal Malware AutoRuns Code Injection Check memory Checks debugger Creates shortcut Creates executable files exploit crash unpack itself Checks Bios Detects VirtualBox Detects VMWare AppData folder malicious URLs VMware anti-virtualization installed browsers check Windows Exploit Browser Firmware crashed					12.4	M	41	ZeroCERT

43597	2024-03-24 14:04	kissherwithlotoflovetoundersta... 61ebc536a8018c94dd5ec0dbe911dce1 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted RWX flags setting exploit crash Exploit DNS crashed		1			5.2	M	30	ZeroCERT

43598	2024-03-24 14:05	america.vbs c2d1123deff869fb763cbfe7ec1d8ff9 Generic Malware Antivirus Hide_URL PowerShell VirusTotal Malware VBScript powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process Tofsee Windows ComputerName Cryptographic key Dropper	2 Keyword trend analysis	5	2		10.0	M	6	ZeroCERT

43599	2024-03-24 14:06	baran.exe 90d15f28eeafb9aec92021da5ef95099 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself					2.0	M	32	ZeroCERT

43600	2024-03-24 14:07	Build.exe 2b74fd898c6ca79faa64f3d9cae268d4 Generic Malware Malicious Library UPX Antivirus PE File PE32 OS Processor Check ftp .NET EXE VirusTotal Cryptocurrency Miner Malware Cryptocurrency Telegram suspicious privilege MachineGuid Malicious Traffic Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Check virtual network interfaces suspicious process AppData folder WriteConsoleW Tofsee Windows ComputerName DNS Cryptographic key crashed CoinMiner	1 Keyword trend analysis	11 Info t.me(149.154.167.99) - mailcious relative-national-gibbon.ngrok-free.app(18.177.53.48) github.com(20.200.245.247) - mailcious steamcommunity.com(104.76.78.101) - mailcious xmr.2miners.com(162.19.139.184) - mailcious 149.154.167.99 - mailcious 5.75.221.51 104.75.41.21 - mailcious 162.19.139.184 - mailcious 18.177.60.68 20.200.245.247 - malware	7 Info ET INFO TLS Handshake Failure ET POLICY Cryptocurrency Miner Checkin SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) ET INFO Observed Telegram Domain (t .me in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) ET INFO Observed DNS Query to *.ngrok Domain (ngrok .app)		9.6	M	57	ZeroCERT

43601	2024-03-24 14:08	ISetup6.exe 816f37f278af644bf55369c30b6b59ba Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution					2.0	M	34	ZeroCERT

43602	2024-03-24 14:09	americaisveryniceplaceforkisst... 9b02d303ef9ba87d855551bd4a541105 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware RWX flags setting exploit crash Exploit DNS crashed		2			4.8	M	32	ZeroCERT

43603	2024-03-24 14:11	anki.exe e990d75ee17deb0ad3a5c6ac25d66ad5 Malicious Library UPX PE File PE32 DLL VirusTotal Malware AppData folder					1.4	M	28	ZeroCERT

43604	2024-03-24 14:11	ISetup5.exe 5d7d22a6259d24baa5fe96e51a84a178 Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware unpack itself Remote Code Execution					2.0	M	34	ZeroCERT

43605	2024-03-24 14:15	ankiWinthisbeautifulmomentwith... 129ac441a02f8ecf7f6d4a14135c4bdb MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Windows Exploit Advertising Google DNS crashed	2 Keyword trend analysis	5	6 Info ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)		5.4	M	38	ZeroCERT