Submissions

Columns: No | Date | Request | Urls | Hosts | IDS | Rule | Score | Zero | VT | Player | Etc
(Each record below lists the submitted file, its MD5, the sandbox tags, and the numeric columns. Where fewer than four Urls/Hosts/IDS/Rule values are present, the export does not show which columns they belong to, so they are reproduced as listed; "-" marks an empty column.)

44761  2024-05-31 07:42  5.exe
  MD5: 58f255cdde1639cac205467621bfcb70
  Tags: Emotet NSIS Malicious Library UPX PE File DllRegisterServer dll PE32 MZP Format CAB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files installed browsers check Browser ComputerName DNS
  Urls/Hosts/IDS/Rule (as listed): 3  Score: 3.0  Zero: M  VT: -  Player: ZeroCERT

44762  2024-05-31 07:42  fileosn.exe
  MD5: 84bf36993bdd61d216e83fe391fcc7fd
  Tags: RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
  Urls: 1  Hosts: 3  IDS: 7  Rule: 1  Score: 8.0  Zero: M  VT: -  Player: ZeroCERT

44763  2024-05-31 07:44  alex.exe
  MD5: ebc2640384e061203dcf9efb12a67cd9
  Tags: Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself crashed
  Urls/Hosts/IDS/Rule: -  Score: 2.4  Zero: M  VT: 57  Player: ZeroCERT

44764  2024-05-31 07:47  setup.exe
  MD5: 08063da816c5db77ce64807c4ec2f7e8
  Tags: NPKI Generic Malware Malicious Library Antivirus AntiDebug AntiVM PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios powershell.exe wrote suspicious process WriteConsoleW anti-virtualization Windows ComputerName Cryptographic key
  Urls/Hosts/IDS/Rule: -  Score: 12.0  Zero: M  VT: 37  Player: ZeroCERT

44765  2024-05-31 07:49  ADServices.exe
  MD5: 0c2564813f2b9fc088cfb6938214d3cb
  Tags: Malicious Library PE File .NET EXE PE32 VirusTotal Malware Check memory Checks debugger unpack itself crashed
  Urls/Hosts/IDS/Rule: -  Score: 2.2  Zero: M  VT: 60  Player: ZeroCERT

44766  2024-05-31 07:52  well.exe
  MD5: 861859a608c8769febf142e752abb057
  Tags: Client SW User Data Stealer browser info stealer Generic Malware Google Chrome User Data Downloader Malicious Library UPX Http API PWS Code injection Create Service Socket DGA ScreenShot Escalate priviledges Steal credential Sniff Audio HTTP DNS BitCoin I Browser Info Stealer Code Injection Check memory Checks debugger exploit crash unpack itself malicious URLs installed browsers check Exploit Browser crashed
  Urls/Hosts/IDS/Rule: -  Score: 5.4  Zero: M  VT: -  Player: ZeroCERT

44767  2024-05-31 08:18  amers.exe
  MD5: f55d40b74d38f0fcea654437183a7b1e
  Tags: Amadey Emotet HermeticWiper Gen1 RedLine stealer RedlineStealer NPKI SmokeLoader Generic Malware UltraVNC PhysicalDrive Suspicious_Script_Bin EnigmaProtector NSIS Buhtrap Group Downloader Malicious Library Antivirus UPX Malicious Packer Admin Tool (Sy Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Cryptocurrency Miner Malware powershell Microsoft Buffer PE AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files ICMP traffic RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications Auto service Detects VMWare Check virtual network interfaces suspicious process AppData folder malicious URLs AntiVM_Disk sandbox evasion WriteConsoleW VMware China Firewall state off anti-virtualization IP Check VM Disk Size Check human activity check installed browsers check PrivateLoader Tofsee Ransomware GameoverP2P Zeus Stealer Windows Browser Advertising ComputerName Trojan Banking Firmware DNS Cryptographic key Software crashed CoinMiner
  Urls: 37  Hosts: 77  IDS: 33  Rule: 5  Score: 40.8  Zero: M  VT: 41  Player: ZeroCERT

44768  2024-05-31 10:05  Qwsyldgxfuefxl.bat
  MD5: 3e942e68cf16c51d836d7762eaa2085d
  Tags: Gen1 Generic Malware Suspicious_Script_Bin Downloader Malicious Library Malicious Packer UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Interception Windows ComputerName DNS Cryptographic key DDNS crashed
  Urls/Hosts/IDS/Rule (as listed): 4 4  Score: 8.0  Zero: M  VT: -  Player: ZeroCERT

44769  2024-05-31 10:05  Emuxedlljrbbjp.bat
  MD5: a33d1bcae258475e7ec293f1abf928e5
  Tags: Gen1 Generic Malware Suspicious_Script_Bin Downloader Malicious Library Malicious Packer UPX Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Tofsee Interception Windows ComputerName DNS Cryptographic key DDNS crashed
  Urls/Hosts/IDS/Rule (as listed): 4 4  Score: 7.8  Zero: M  VT: 9  Player: ZeroCERT

44770  2024-05-31 10:05  sarra.exe
  MD5: be49ac418959705d20f029634d85040f
  Tags: Anti_VM PE File PE32 Malware download VirusTotal Malware AutoRuns MachineGuid Checks debugger unpack itself Windows utilities Checks Bios Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows RisePro ComputerName DNS crashed
  Urls/Hosts/IDS/Rule (as listed): 1 5 5  Score: 9.6  Zero: M  VT: 39  Player: ZeroCERT

44771  2024-05-31 10:06  buildjudit.exe
  MD5: c09ff1273b09cb1f9c7698ed147bf22e
  Tags: Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus Anti_VM PE64 PE File DLL OS Processor Check ftp wget Check memory Creates executable files unpack itself
  Urls/Hosts/IDS/Rule: -  Score: 2.0  Zero: M  VT: -  Player: ZeroCERT

44772  2024-05-31 10:07  NimDllPayload.dll
  MD5: 9b18a8a5506ae514acbeb369f3b9e9e0
  Tags: UPX PE64 PE File DLL VirusTotal Malware Check memory crashed
  Urls/Hosts/IDS/Rule: -  Score: 1.0  Zero: M  VT: 12  Player: ZeroCERT

44773  2024-05-31 10:08  reverse_http.ps1
  MD5: 01afbe1110a8dc2eb754291bd28685a5
  Tags: Generic Malware Antivirus VirusTotal Malware Check memory Checks debugger RWX flags setting unpack itself ComputerName crashed
  Urls/Hosts/IDS/Rule: -  Score: 3.2  Zero: M  VT: 34  Player: ZeroCERT

44774  2024-05-31 10:08  buildjudit.exe
  MD5: cc7933b503e061ddde7158e108f19cc3
  Tags: Gen1 Generic Malware Malicious Library UPX Malicious Packer Antivirus Anti_VM PE64 PE File DLL OS Processor Check ftp wget VirusTotal Malware Check memory Creates executable files unpack itself
  Urls/Hosts/IDS/Rule: -  Score: 3.2  Zero: M  VT: 56  Player: ZeroCERT

44775  2024-05-31 10:10  ReflectiveDll_poc.dll
  MD5: 5c71c670dbfa86ec09cd4cf344e53686
  Tags: PE64 PE File DLL VirusTotal Malware Checks debugger
  Urls/Hosts/IDS/Rule: -  Score: 0.6  Zero: M  VT: 5  Player: ZeroCERT
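A listing like this is usually scraped rather than read: an analyst wants the MD5s grouped by family to pivot on, and the numeric columns parsed despite the export dropping empty Urls/Hosts/IDS/Rule cells. The parser below is an added example, not the sandbox's own code. It assumes the raw flattened row layout of the listing (per submission: a "<no> <date> <time> <filename>" line, a 32-hex MD5 line, a free-text tag line, and a stats line whose trailing fields are score, Zero verdict, optional VT count and Player, preceded by whichever count columns are set). The embedded SAMPLE is copied from four records above; FAMILIES is an assumed watch-list built from family tags that occur on this page, matched as substrings because the tag line has no delimiter between multi-word tags.

```python
"""Parse a flattened sandbox submission listing into records to pivot on.

Added example (not the sandbox's own code). Assumptions: the raw four-line
record layout described in the lead-in, and that missing count columns are
simply dropped, so the stats line must be parsed from the right.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
HEAD_RE = re.compile(r"^(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)$")

# Assumed watch-list of family tags seen on the listing; substring match,
# since tags such as "Malicious Library" contain spaces and cannot be split.
FAMILIES = ("Emotet", "RedLine", "Amadey", "SmokeLoader", "RisePro",
            "PrivateLoader", "HermeticWiper", "Tofsee", "Buhtrap")


@dataclass
class Submission:
    no: int
    submitted: str
    filename: str
    md5: str
    tags: str
    counts: List[int] = field(default_factory=list)  # Urls/Hosts/IDS/Rule, as listed
    score: Optional[float] = None
    verdict: Optional[str] = None   # "Zero" column, e.g. "M"
    vt: Optional[int] = None        # VT detection count, when shown
    player: Optional[str] = None

    def families(self) -> List[str]:
        return [f for f in FAMILIES if f in self.tags]


def _is_number(tok: str) -> bool:
    try:
        float(tok)
    except ValueError:
        return False
    return True


def parse_stats(line: str, sub: Submission) -> None:
    """Fill score/verdict/vt/player from the right; leading counts may be
    absent, so they cannot be assigned to a named column by position."""
    toks = line.split()
    if toks and not _is_number(toks[-1]):
        sub.player = toks.pop()
    if toks and toks[-1].isdigit():
        sub.vt = int(toks.pop())
    if toks and not _is_number(toks[-1]):
        sub.verdict = toks.pop()
    if toks and "." in toks[-1]:
        sub.score = float(toks.pop())
    sub.counts = [int(t) for t in toks if t.isdigit()]


def parse_listing(text: str) -> List[Submission]:
    """Walk the flattened text; a record starts at a header line followed
    by an MD5 line, then the tag line and the stats line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    subs: List[Submission] = []
    i = 0
    while i < len(lines):
        m = HEAD_RE.match(lines[i])
        if m and i + 3 < len(lines) and MD5_RE.match(lines[i + 1]):
            sub = Submission(int(m.group(1)), m.group(2), m.group(3),
                             lines[i + 1], lines[i + 2])
            parse_stats(lines[i + 3], sub)
            subs.append(sub)
            i += 4
        else:
            i += 1  # column header or malformed line: skip it
    return subs


def hashes_by_family(subs: List[Submission]) -> Dict[str, List[str]]:
    """Group MD5s by matched family tag, in listing order."""
    out: Dict[str, List[str]] = {}
    for s in subs:
        for fam in s.families():
            out.setdefault(fam, []).append(s.md5)
    return out


# Sample copied from the listing above (records 44761, 44762, 44763, 44770).
SAMPLE = """No Date Request Urls Hosts IDS Rule Score Zero VT Player Etc
44761 2024-05-31 07:42 5.exe
58f255cdde1639cac205467621bfcb70
Emotet NSIS Malicious Library UPX PE File DllRegisterServer dll PE32 MZP Format CAB suspicious privilege Check memory Checks debugger Creates shortcut Creates executable files installed browsers check Browser ComputerName DNS
3 3.0 M ZeroCERT
44762 2024-05-31 07:42 fileosn.exe
84bf36993bdd61d216e83fe391fcc7fd
RedLine stealer RedlineStealer Malicious Library .NET framework(MSIL) UPX PE File .NET EXE PE32 OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications Check virtual network interfaces installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1 3 7 1 8.0 M ZeroCERT
44763 2024-05-31 07:44 alex.exe
ebc2640384e061203dcf9efb12a67cd9
Generic Malware Malicious Library UPX PE File PE32 OS Processor Check VirusTotal Malware PDB unpack itself crashed
2.4 M 57 ZeroCERT
44770 2024-05-31 10:05 sarra.exe
be49ac418959705d20f029634d85040f
Anti_VM PE File PE32 Malware download VirusTotal Malware AutoRuns MachineGuid Checks debugger unpack itself Windows utilities Checks Bios Detects VMWare suspicious process WriteConsoleW VMware anti-virtualization IP Check Tofsee Windows RisePro ComputerName DNS crashed
1 5 5 9.6 M ZeroCERT
"""

if __name__ == "__main__":
    for s in parse_listing(SAMPLE):
        print(s.no, s.filename, s.md5, s.score, s.vt, s.families())
    print(hashes_by_family(parse_listing(SAMPLE)))
```

Because the count columns collapse when empty, `counts` keeps whatever numbers the stats line carried; only a record with all four values (like 44762 or 44767) can be mapped to Urls/Hosts/IDS/Rule by position, and a consumer should treat shorter lists as unlabelled.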