Submissions

No Date Request Urls Hosts IDS Rule Score Zero VT Player Etc

6106 2024-01-26 09:12 agodzx.exe
b29fbc48ad3305f4dcab0be3145682a6
AgentTesla Malicious Library .NET framework(MSIL) UPX PWS SMTP KeyLogger AntiDebug AntiVM PE32 PE File .NET EXE OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Buffer PE AutoRuns suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
2 7 6 15.4 M 42 ZeroCERT

6107 2024-01-26 09:11 rost.exe
2f9214f932a930a4cdff2b48a3a8eded
RedLine stealer Amadey RedLine Infostealer RedlineStealer UltraVNC Generic Malware NSIS Hide_EXE Malicious Packer Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) .NET framework(MSIL) ScreenShot PWS Anti_VM AntiDebug AntiVM PE Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Cryptocurrency Miner Malware Cryptocurrency wallets Cryptocurrency Microsoft AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files RWX flags setting unpack itself Windows utilities Disables Windows Security Checks Bios Collect installed applications suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW anti-virtualization IP Check VM Disk Size Check installed browsers check Tofsee Ransomware Stealer Windows Update Browser RisePro Email ComputerName DNS Cryptographic key Software crashed Downloader CoinMiner
28 22 25 12 32.2 M 38 ZeroCERT

6108 2024-01-26 09:10 Schellingianism.exe
e778bb2a5cf80db389e541958d9c3bf2
Malicious Library UPX PE32 PE File DLL VirusTotal Malware Check memory Creates executable files unpack itself AppData folder Ransomware
2.8 M 16 ZeroCERT

6109 2024-01-26 09:10 conhost.exe
b90adcc386503d5864f6df6bfaa3409b
.NET framework(MSIL) PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
3.0 34 ZeroCERT

6110 2024-01-26 09:09 user13.exe
d252ce47e96b7cf75c6be209eff61072
Generic Malware Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check VirusTotal Malware
0.4 M 4 ZeroCERT

6111 2024-01-26 09:07 Atqumy.exe
dade3d1f204511b49e65d585685a8b1f
Hide_EXE .NET framework(MSIL) UPX PE32 PE File .NET EXE OS Processor Check VirusTotal Malware suspicious privilege Check memory Checks debugger unpack itself Windows ComputerName Cryptographic key
2.8 M 23 ZeroCERT

6112 2024-01-26 09:05 musicc.exe
8c737832e41951697322de7005e2771b
Process Kill Malicious Library FindFirstVolume CryptGenKey UPX PE32 PE File Device_File_Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces IP Check Browser Email ComputerName DNS crashed
1 8 3 7.2 27 ZeroCERT

6113 2024-01-26 09:05 fsdfsfsfs.exe
b2f3f214e959043b7a6b623b82c95946
PE32 PE File .NET EXE VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.2 M 24 ZeroCERT

6114 2024-01-26 09:04 Setup.exe
2522036524378a539e696724ed56a5a4
Malicious Library Malicious Packer UPX PE File PE64 OS Processor Check Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware Check memory buffers extracted Creates shortcut unpack itself Collect installed applications IP Check installed browsers check Tofsee Browser Email ComputerName Trojan Banking DNS
3 6 11.6 M 28 ZeroCERT

6115 2024-01-25 16:36 vLnNHh.exe
3cf7e35d135707c3c8db1e571b28f191
AntiDebug AntiVM MSOffice File Code Injection RWX flags setting exploit crash unpack itself Windows utilities Tofsee Windows Exploit DNS crashed
2 2 3.8 ZeroCERT

6116 2024-01-25 16:34 grace.exe
bc2b81ee5871a2af529ba6d695e656c6
Process Kill Malicious Library FindFirstVolume CryptGenKey UPX PE32 PE File Device_File_Check OS Processor Check Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed keylogger
4 5 10.0 32 ZeroCERT

6117 2024-01-25 16:32 Rehman_GROUP_RFQ.vbs
181f9015b54b57a4175e9c4584751d57
Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key
4 4 2 9.2 13 ZeroCERT

6118 2024-01-25 14:30 Order_Information.url
7f4085aab74f2da761e65d5fb41fd40f
AntiDebug AntiVM URL Format MSOffice File Code Injection RWX flags setting unpack itself Windows utilities Tofsee Windows DNS
1 1 2 4.4 ZeroCERT

6119 2024-01-25 14:01 statement_trans_24_01_2024.lnk
6e9db0f67fedf5f6ee30d92e86581cce
Generic Malware task schedule AntiDebug AntiVM Lnk Format GIF Format VirusTotal Malware AutoRuns Code Injection Checks debugger Creates shortcut Creates executable files unpack itself Windows utilities suspicious process WriteConsoleW Windows ComputerName
1 4.6 8 ZeroCERT

6120 2024-01-25 13:56 조선 시장 물가 분석(신의주).hwp...
e26422ba7e1eed4481e9389806e798c3
HWP PS PostScript MSOffice File Lnk Format GIF Format VirusTotal Malware Checks debugger Creates shortcut Creates executable files
1.6 15 ZeroCERT