Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
7426	2023-10-27 17:04	cleanupdate.exe c9aa05e75a369370955cf71b12a2121a Browser Login Data Stealer Amadey Hide_EXE Malicious Library UPX Http API ScreenShot HTTP Code injection Internet API AntiDebug AntiVM PE File PE32 .NET EXE JPEG Format DLL PE64 OS Processor Check Browser Info Stealer Malware download Amadey FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency AutoRuns suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities suspicious process AppData folder sandbox evasion WriteConsoleW installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software	4 Keyword trend analysis	2	5		20.0	M	23	ZeroCERT

7427	2023-10-27 17:03	HTMLXLAMieBrowser.dOC baeaa0fda1df43a65dc12777327db43b MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic exploit crash unpack itself Tofsee Exploit DNS crashed	3 Keyword trend analysis	6	3		4.0	M	28	ZeroCERT

7428	2023-10-27 13:28	rumpe.jpg.exe 85fa49d81d22418534ded291306be57d Malicious Library UPX .NET DLL PE File DLL PE32 OS Processor Check VirusTotal Malware PDB					1.4		27	ZeroCERT

7429	2023-10-27 13:24	obm.txt.exe 697ebf34888a6672c7ade14701fe2c00 AgentTesla Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer Email Client Info Stealer suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName crashed					2.6			ZeroCERT

7430	2023-10-27 12:25	File.7z 3c62d34e99c4d0766c6a30aff0ff00d4 PrivateLoader Stealc Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware c&c Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself suspicious TLD IP Check PrivateLoader Tofsee Stealc Stealer Windows Browser Trojan DNS Downloader	55 Keyword trend analysis Info http://171.22.28.226/download/WWW14_64.exe - rule_id: 36907 http://109.107.182.2/race/bus50.exe - rule_id: 37496 http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true - rule_id: 27911 http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=rHs0an9bdrTIaDtaE0Df9rlg.exe&platform=0009&osver=5&isServer=0 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://apps.identrust.com/roots/dstrootcax3.p7c http://185.172.128.69/newumma.exe - rule_id: 37499 http://45.15.156.229/api/firegate.php - rule_id: 36052 http://194.169.175.233/setup.exe - rule_id: 37614 http://171.22.28.221/files/Ads.exe - rule_id: 37468 http://94.142.138.113/api/tracemap.php - rule_id: 28877 http://94.142.138.131/api/firegate.php - rule_id: 32650 http://193.42.32.118/api/firegate.php - rule_id: 36458 http://171.22.28.226/download/Services.exe - rule_id: 37064 http://howardwood.top/e9c345fc99a4e67e.php - rule_id: 37562 http://lakuiksong.known.co.ke/netTimer.exe - rule_id: 37358 http://193.42.32.118/api/tracemap.php - rule_id: 36180 http://77.91.124.1/theme/index.php - rule_id: 37040 http://176.113.115.84:8080/4.php - rule_id: 34795 http://193.233.255.73/loghub/master - rule_id: 37500 http://94.142.138.131/api/tracemap.php - rule_id: 28311 http://193.42.32.118/api/firecom.php - rule_id: 36700 http://www.maxmind.com/geoip/v2.1/city/me http://171.22.28.213/3.exe - rule_id: 37068 http://www.google.com/ https://sun6-20.userapi.com/c237331/u825067038/docs/d49/2fa5bb09a502/PL_Client.bmp?extra=hoE_PGrrkY5d2NqippbG-UTIRwu_h48s7-Mi86qburxYxYP2a4nfRxp8kaKBiRxuro79vWtZxNk0QuVAV280jjii1nd_0ovq3qK0e2f0q64HOWQQ6l8DT724JVMNbiPaXVLRXVti3oXOXSvj6A https://vk.com/doc825067038_675084444?hash=k5PecVfBQzPaee7oBSXUMlbMI8WyGwsz9sC7fI90JQs&dl=KIXZTpWuxh6zhpZ3P1E5BeGpD6wWJ27NEZ8qKC46TGL&api=1&no_preview=1#good https://www.google.com/favicon.ico https://sun6-23.userapi.com/c909518/u52355237/docs/d59/1bb094138bd6/d432j89adg.bmp?extra=uZ0kz3xyyLQRpHyiIUVDgzVuc8ISnjGwzHU3Zj5l6-kOEBCA2aVwbMUmknHcD5WrU8GfP7b98J-VdksDqOUosQfPqiGhAbCxWrH-Idsh_1XZ-Z0T00Y9APKnURqnh4Q2r8vMm2YUqVDohxSj https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F https://accounts.google.com/_/bscframe https://vk.com/doc825067038_675120414?hash=ofV8tZWtQDknSObErFUq2rnV3Esz6p3eJRLOo5yZ3Bg&dl=3JL9LytHzeNyclBz9CDzoiw11Ovw4rTGzbKz11MEPvw&api=1&no_preview=1#1 https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzdzet-5bFdLPdUq1j1uDurwe6kz_lHlw7J7WHjbFlxuWq7DWllN0DrN9yErviFid87F_Tyrw&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-1207139751%3A1698376547583620 https://sun6-22.userapi.com/c909218/u52355237/docs/d42/5ea1ce9e9941/WWW11_32.bmp?extra=ytZfQv4RrE3t_njKlOfujRBbAbSsxpWTLHad68C6dj6dfnRUGMYwA5OymD16HSt28U1ha3InbqaN3PeokRDsnMPVFZj8LjDGWM_FUjVdq1bZYMxrIHBkE9qZnO3K1PZLO5_oK1_vX6oi9fyX https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png https://sun6-23.userapi.com/c909618/u52355237/docs/d9/623cc18b4685/tmvwr.bmp?extra=5WUKP60iriNLZAh7S4FosuziGQcjWCkFZZ4x7xp8sOkXLhbwvbH5419WeD9RJCKirsxra8PHrHOD5PoaLYO4q-OZRkssRi22_oLTccilnyFnSWLZiks4PJxdOyEvR3dhcPSVd4aQv4cBG1g9 https://experiment.pw/setup294.exe - rule_id: 37436 https://vk.com/doc825067038_675094078?hash=yy528d2cdSWh8Qb1vjKZzrbg9uO0tUhBgbnW8xFFc7g&dl=fzvSk2lE8vQ96mfYErqNUoJZiKQg6dRgeIDz0UiA5W8&api=1&no_preview=1 https://accounts.google.com/ https://vk.com/doc825067038_675107888?hash=p1edxhMap9ebzzyYu0bwG8SRx7fNg9lc730omI4QiGL&dl=7VNr97gwpMxX5zCHlKbDwt20Nh6MmLxWO6FX8g4zAqL&api=1&no_preview=1#s6 https://sso.passport.yandex.ru/push?uuid=a0c92fe7-42c2-4613-b8b7-fa00a304410a&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue https://accounts.google.com/generate_204?YDaA_g https://dzen.ru/?yredirect=true https://sun6-20.userapi.com/c909618/u825067038/docs/d56/53e217f03c63/s6d7rtfygiftu57e8r6tfjgcfxdsreturyit.bmp?extra=iGkHoDjsILLIjBMdJJUo6FgOpO-KtPGICJdjT4FoefBp4bB2jgAGKbjdQXtnA_ThsSCU5i5bS3Lg6d6Y6Wf4CrjFyErGfuQ_v5XoImwRYBfYh-JyYGa34C7_VJ6Qs-x-Dt8GVlJ3J5XGCr-W3w https://sun6-22.userapi.com/c909328/u825067038/docs/d10/fd086603287f/red.bmp?extra=zYTCTjDurMXD3dgkI5bHy3cXnZBNncN4I8n51Y9hk8bLzF3Dv1aePJ8XfT539FOwfZjMjTIKqvS07bnzor215dPE1aiIH1IuV444DOz8_yaiOt5TK6-4XGc9sUBOTdmW7tFv7qTLjhBAWTg-TQ https://sun6-21.userapi.com/c235031/u825067038/docs/d20/a29a3db0069e/fresh1.bmp?extra=1dRSa-0TgJXqa93p4EbSQk90rNhKUH9so_jMimdjR_fNC7yh-U0RyUPFHhbKcUIbyspnMp2_-SsDdNtn56RI5ilXyOziZCizDJ2AoOkqCch-5X1wkTeC416YOe_GFTo7wCHGV03e__SBLuJNdQ https://api.2ip.ua/geo.json https://vk.com/doc825067038_675098543?hash=fDGebbbbT59ZXUS0aTzHqJh9k55SUFqRxrdzJALVzSP&dl=VyQDbVL7k7q0VT6QORxGuLdfGzZ7nqAOWUJBLGBju7c&api=1&no_preview=1#test22 https://vk.com/doc825067038_675096729?hash=qSZS9aM0ivWNtijm1zaWyzA7J0bEJfI7RF562vpg2qP&dl=Di89rUJwazaYzfGe5B8jQKQ6f8sDEfxK1AwIneVf478&api=1&no_preview=1#redcl https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywG5Ca3_U5z3i17rpBqe5XQmjKFOYO0l9YmCbXIH8Z7L2QC49OAi4jslnwM1-fvL4i20vS36Q https://sun6-20.userapi.com/c235031/u825067038/docs/d50/da83a607ce58/file261023.bmp?extra=oZYPM_XOV2yUnI1OIkqXvssiCX90LOMpdatPJ3Mo-Iy7KPl61syaohofhhshJ3MqAGzAGOOjyd2hns--mq7Yi8XIYXFJZP2JkQdW10m1262TpjTS9wualsTezDU7MTljJq1XP6azEUjxwVkt_Q https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://sun6-20.userapi.com/c909418/u825067038/docs/d26/484476cefcda/crypted.bmp?extra=xKumbx-TTXs_1he4_Ei0XOGCQ7hjCAmh0Tfxiar8m_-yHzKu8fpiKEbsBT6lBgNyPmwVvmrnWrMWcYvr0uDWeewVVOX6C76OSOO6saJLa-Sb0UvH22ikkXipev0DFE-_kzKEApKnwBDNKESMfw https://neuralshit.net/8b54e3f23ea4df83b44da9add06c973d/7725eaa6592c80f8124e769b4e8a07f7.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe - rule_id: 36716	91 Info neuralshit.net(172.67.134.35) - malware db-ip.com(104.26.4.15) roberthamilton.top(37.139.129.88) - malware vanaheim.cn(84.201.152.220) - mailcious ipinfo.io(34.117.59.81) accounts.google.com(142.250.206.205) sun6-23.userapi.com(95.142.206.3) - mailcious yandex.ru(77.88.55.88) dzen.ru(62.217.160.2) medfioytrkdkcodlskeej.net(91.215.85.209) - malware learn.microsoft.com(23.40.45.69) api.2ip.ua(104.21.65.24) iplogger.org(148.251.234.83) - mailcious twitter.com(104.244.42.1) telegram.org(149.154.167.99) sun6-20.userapi.com(95.142.206.0) - mailcious api.db-ip.com(172.67.75.166) sun6-21.userapi.com(95.142.206.1) - mailcious sso.passport.yandex.ru(213.180.204.24) lakuiksong.known.co.ke(146.59.70.14) - malware experiment.pw(172.67.167.220) - malware ssl.gstatic.com(142.250.207.99) howardwood.top(37.139.129.88) - mailcious iplogger.com(148.251.234.93) - mailcious zexeq.com(123.213.233.131) - malware octocrabs.com(172.67.200.10) - mailcious www.google.com(142.250.76.132) iplis.ru(148.251.234.93) - mailcious sun6-22.userapi.com(95.142.206.2) - mailcious www.maxmind.com(104.18.146.235) vk.com(87.240.129.133) - mailcious api.myip.com(104.26.8.59) 148.251.234.93 - mailcious 87.240.132.78 - mailcious 84.201.152.220 104.18.145.235 148.251.234.83 93.186.225.194 - mailcious 172.67.167.220 - malware 185.225.75.171 - mailcious 77.91.124.1 - malware 62.122.184.92 - mailcious 193.233.255.73 - mailcious 104.26.5.15 149.154.167.99 - mailcious 193.42.32.118 - mailcious 104.21.34.37 - phishing 62.217.160.2 142.250.204.109 83.97.73.44 171.22.28.226 - malware 142.250.76.132 171.22.28.221 - malware 34.117.59.81 104.21.21.189 142.250.199.67 77.88.55.60 104.244.42.65 - suspicious 104.26.8.59 142.250.66.100 37.139.129.88 - mailcious 172.67.134.35 - malware 213.180.204.24 77.91.124.86 176.113.115.135 - mailcious 190.141.134.150 176.113.115.136 - mailcious 185.172.128.69 - malware 45.143.201.238 - mailcious 172.67.75.166 194.169.175.233 - malware 94.142.138.131 - mailcious 94.142.138.113 - mailcious 91.215.85.209 - mailcious 23.67.53.17 23.40.45.69 95.142.206.3 - mailcious 176.113.115.84 - mailcious 172.67.139.220 95.142.206.0 - mailcious 80.66.75.4 - mailcious 45.15.156.229 - mailcious 146.59.70.14 - malware 194.169.175.234 23.45.53.206 95.142.206.2 - mailcious 87.240.132.72 - mailcious 80.66.75.77 - mailcious 109.107.182.2 - malware 95.142.206.1 - mailcious 171.22.28.213 - malware	42 Info ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET DNS Query to a .pw domain - Likely Hostile ET DROP Spamhaus DROP Listed Traffic Inbound group 19 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 SURICATA Applayer Mismatch protocol both directions ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 ET INFO HTTP Request to a .top domain ET DNS Query to a *.top domain - Likely Hostile ET INFO Executable Download from dotted-quad Host ET HUNTING Suspicious services.exe in URI ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET HUNTING Possible EXE Download From Suspicious TLD ET INFO TLS Handshake Failure ET POLICY External IP Address Lookup DNS Query (2ip .ua) ET INFO Packed Executable Download ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer Activity (Response) ET MALWARE Single char EXE direct download likely trojan (multiple families) ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) ET MALWARE Win32/Filecoder.STOP Variant Public Key Download ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)	23 Info http://171.22.28.226/download/WWW14_64.exe http://109.107.182.2/race/bus50.exe http://zexeq.com/test2/get.php http://45.15.156.229/api/tracemap.php http://185.172.128.69/newumma.exe http://45.15.156.229/api/firegate.php http://194.169.175.233/setup.exe http://171.22.28.221/files/Ads.exe http://94.142.138.113/api/tracemap.php http://94.142.138.131/api/firegate.php http://193.42.32.118/api/firegate.php http://171.22.28.226/download/Services.exe http://howardwood.top/e9c345fc99a4e67e.php http://lakuiksong.known.co.ke/netTimer.exe http://193.42.32.118/api/tracemap.php http://77.91.124.1/theme/index.php http://176.113.115.84:8080/4.php http://193.233.255.73/loghub/master http://94.142.138.131/api/tracemap.php http://193.42.32.118/api/firecom.php http://171.22.28.213/3.exe https://experiment.pw/setup294.exe https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe	6.8	M		ZeroCERT

7431	2023-10-27 10:58	ngown.vbs 74558dda2ee55f1223e34b0e18411764 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted wscript.exe payload download Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	4 Keyword trend analysis	5	2		9.6	M	5	ZeroCERT

7432	2023-10-27 10:56	don.vbs 049cbf1fa6fb0b213b5d6aace06efbd9 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0	M	5	ZeroCERT

7433	2023-10-27 10:54	ngone.vbs bb1a98b873c6fbebb5c2bab804fbe831 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0	M	5	ZeroCERT

7434	2023-10-27 10:54	bdolsx.vbs 44c457dd13efcd6622b1b6dbab5c1965 VirusTotal Malware buffers extracted wscript.exe payload download Tofsee	1 Keyword trend analysis	2	2		3.0	M	5	ZeroCERT

7435	2023-10-27 10:13	ereeeeeeeeeeeefereFile.vbs 73d2fd40cb82f20bb3d340720da666d0 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	3 Keyword trend analysis	3	1		8.4		3	ZeroCERT

7436	2023-10-27 10:13	obuxu.vbs 136abae59cb3eb697de1c5e20778ecd6 Generic Malware Antivirus PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger buffers extracted Creates shortcut unpack itself Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key	3 Keyword trend analysis	3	1		9.0		2	ZeroCERT

7437	2023-10-27 10:12	investorbase64.txt.exe c6bbafd04b4ea3523f5dd3de0f174c3e AgentTesla Malicious Library UPX PE File PE32 .NET EXE Browser Info Stealer VirusTotal Email Client Info Stealer Malware Check memory Checks debugger unpack itself Windows Browser Email ComputerName crashed					4.0		58	ZeroCERT

7438	2023-10-27 10:11	co.txt.exe 1712fc8e11670d4dbbb420b385b0db30 Malicious Library UPX Malicious Packer PE File PE32 .NET EXE OS Name Check OS Memory Check OS Processor Check Browser Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Check memory Checks debugger unpack itself Browser Email ComputerName crashed					3.8		51	ZeroCERT

7439	2023-10-27 10:09	bxsdhvfnrn.exe a303a2d627cb8588f3c30ac8b353674c Malicious Library UPX Malicious Packer Antivirus .NET framework(MSIL) PE File PE32 .NET EXE OS Processor Check VirusTotal Malware Check memory Checks debugger unpack itself					2.0		52	ZeroCERT

7440	2023-10-27 10:08	E-FILLING FORM B.bat 252278969fa0d8c1cc719e73b61a76a4 UPX Admin Tool (Sysinternals etc ...) Antivirus PE File PE32 VirusTotal Malware AutoRuns Check memory Creates executable files RWX flags setting unpack itself suspicious process AppData folder WriteConsoleW Windows ComputerName Remote Code Execution crashed					5.0		34	ZeroCERT