Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
7846	2021-05-04 11:13	700223.exe 0f1616761218cc9712dcd268f4bb2d3f AsyncRAT backdoor PWS .NET framework AgentTesla AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer VirusTotal Malware malicious URLs Browser ComputerName crashed		1			2.8	M	44	ZeroCERT

7847	2021-05-04 11:15	p.exe ee0a1ec859b753abc30847157d81f37c PE File PE32 VirusTotal Malware AutoRuns PDB Disables Windows Security Firewall state off Windows Tor DNS crashed	1 Keyword trend analysis	3	2		6.8	M	45	ZeroCERT

7848	2021-05-04 11:15	rtd0t1.exe 080f3430fa1c166d755ade6b9f21f08f PWS Loki AsyncRAT backdoor .NET framework AgentTesla DNS Socket AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory malicious URLs installed browsers check Browser Email ComputerName DNS Software	1 Keyword trend analysis	2	7 Info ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response	1	8.4	M	39	ZeroCERT

7849	2021-05-04 11:18	LFI_874_103_116.exe 090148a4d527120eaaa7d5d2f0aa5bf1 AsyncRAT backdoor PWS .NET framework AgentTesla Gen1 AntiDebug AntiVM .NET EXE PE File PE32 DLL OS Processor Check JPEG Format Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Email ComputerName DNS Password	9 Keyword trend analysis	1	6 Info ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	2	12.6	M	44	ZeroCERT

7850	2021-05-04 11:21	46.exe 0a6569e45a3a38f7168f4c4aa0594627 tor PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware Buffer PE AutoRuns PDB Malicious Traffic buffers extracted Creates executable files Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS Cryptographic key	5 Keyword trend analysis Info http://193.11.164.243:9030/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z http://23.129.64.201/tor/status-vote/current/consensus.z - rule_id: 1277 http://api.wipmania.com/ http://185.215.113.93/cc22 http://185.215.113.93/cc11 - rule_id: 1276	11	19 Info ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET POLICY External IP Lookup Attempt To Wipmania ET TOR Known Tor Exit Node Traffic group 74 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 ET COMPROMISED Known Compromised or Hostile Host Traffic group 109 ET INFO Executable Download from dotted-quad Host SURICATA HTTP gzip decompression failed ET POLICY TOR Consensus Data Requested ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140 ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET P2P TOR 1.0 Server Key Retrieval ET P2P Tor Get Server Request ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET POLICY TLS possible TOR SSL traffic ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225	2	12.6	M	38	ZeroCERT

7851	2021-05-04 11:22	Ihxpuxr.exe 015f45de6bf81ded8c921435c471d087 AsyncRAT backdoor AgentTesla Gen1 AntiDebug AntiVM .NET EXE PE File PE32 JPEG Format DLL OS Processor Check Browser Info Stealer Malware download Vidar VirusTotal Email Client Info Stealer Malware Cryptocurrency wallets Cryptocurrency suspicious privilege MachineGuid Malicious Traffic Check memory WMI Creates executable files unpack itself Windows utilities Collect installed applications suspicious process AppData folder malicious URLs AntiVM_Disk WriteConsoleW anti-virtualization VM Disk Size Check installed browsers check OskiStealer Stealer Windows Browser Tor Email ComputerName DNS Password	10 Keyword trend analysis Info http://205.185.120.57/3.jpg http://205.185.120.57/1.jpg http://205.185.120.57/2.jpg http://205.185.120.57/6.jpg http://205.185.120.57/4.jpg http://205.185.120.57/7.jpg http://205.185.120.57/main.php - rule_id: 1232 http://205.185.120.57/5.jpg http://launcher.worldofwarcraft.com/alert http://205.185.120.57/ - rule_id: 1233	4	7 Info ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588 ET POLICY Data POST to an image file (jpg) ET HUNTING Suspicious EXE Download Content-Type image/jpeg ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)	2	11.8	M	14	ZeroCERT

7852	2021-05-04 11:24	Upafbvbme.exe 386e843ddabe44f203acc35788b5c749 AsyncRAT backdoor PWS .NET framework AgentTesla SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware suspicious privilege Malicious Traffic Check memory Checks debugger unpack itself Check virtual network interfaces malicious URLs IP Check Tofsee Windows Browser Tor Email ComputerName DNS Cryptographic key DDNS Software crashed	2 Keyword trend analysis	5	5 Info ET INFO DYNAMIC_DNS Query to *.dyndns. Domain ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225 ET POLICY External IP Lookup - checkip.dyndns.org ET POLICY DynDNS CheckIp External IP Address Server Response SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)		9.0	M	38	ZeroCERT

7853	2021-05-04 13:50	46.exe 0a6569e45a3a38f7168f4c4aa0594627 tor Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic Creates executable files ICMP traffic Disables Windows Security Check virtual network interfaces AppData folder Firewall state off Kovter Windows Tor DNS	5 Keyword trend analysis Info http://api.wipmania.com/ http://185.215.113.93/pepwn.exe - rule_id: 1282 http://185.215.113.93/cc11 - rule_id: 1276 http://86.59.21.38/tor/status-vote/current/consensus.z - rule_id: 1278 http://131.188.40.189:443/tor/server/fp/00dcaeae3e54c32809e7f7cc4bf2a6fc68fc552f+022a5535f42b1a9f9aa755c4eab5f36fef9781d8+023ebbc57beb7f45473b3dc2aa811fb3aaba4466+037bcd0ebdf7db9f3d562da27d463f0f78f1494b+03910f285a33f365838ec66ef2c2ef754d046760+03c3069e814e296eb18776eb61b1ecb754ed89fe+0512fe6be9cca0ed133152e64010b2fba141eb10+0516085d6cac40ed4cdcefdfc5ccf6b00de61ded+07623013c3361fe566b71c8cfcc6483d7587a827+0a2366980a2842d770ef8e136a7da14876360447+0ac4c4d8bca8da7bae6be3fea87442e724353cbf+0b19bbfdc498ccea23027b1d7bd8e20121b95e60+0b37ec8be844f5c20e5b84a885608de0c7dbea47+0c93559d6d7e95b41561424345b0b176fbe66f00+0cf8f3e6590f45d50b70f2f7da6605eca6cd408f+0d5bf9c0b7b3605a610eee2c43aeae366576cbc5.z - rule_id: 1280	12	18 Info ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET POLICY External IP Lookup Attempt To Wipmania ET INFO Executable Download from dotted-quad Host ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 ET P2P TOR 1.0 Server Key Retrieval ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 743 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 578 ET POLICY PE EXE or DLL Windows file download HTTP SURICATA HTTP gzip decompression failed ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET P2P Tor Get Server Request ET POLICY TOR Consensus Data Requested ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 624 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 641 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 723 ET POLICY TLS possible TOR SSL traffic ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140	4	12.4	M	38	r0d

7854	2021-05-04 14:13	p.exe ee0a1ec859b753abc30847157d81f37c Worm Phorpiex PE File PE32 Dridex TrickBot ENERGETIC BEAR VirusTotal Malware AutoRuns PDB Malicious Traffic ICMP traffic Disables Windows Security Check virtual network interfaces Firewall state off Kovter Windows Tor DNS Cryptographic key	4 Keyword trend analysis Info http://api.wipmania.com/ http://94.16.114.105:8080/tor/status-vote/current/consensus.z http://185.215.113.93/cc11 - rule_id: 1276 http://199.58.81.140/tor/server/fp/2ce96a8a1da032664c90f574affbece18a6e8dfc+2ce9be1fc88b9d0fa03f387c9e4f000b5d4b2ae9+2cf4cb359b5763fd60e91651d829d9cdbe7e236f.z	11	11 Info ET POLICY External IP Lookup Attempt To Wipmania ET DROP Spamhaus DROP Listed Traffic Inbound group 24 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185 SURICATA HTTP gzip decompression failed ET P2P Tor Get Server Request ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 332 ET POLICY TOR Consensus Data Requested ET TOR Known Tor Exit Node Traffic group 52 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52	1	10.8	M	45	r0d

7855	2021-05-04 18:20	ss.vbs 98f69749329ccb2ee8d69288e04f2332 Antivirus powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key					6.0			ZeroCERT

7856	2021-05-04 18:20	all.bat d4c2856e8c22e984a62bcc8b3fcdc505 AgentTesla Antivirus DGA DNS Socket Create Service Sniff Audio HTTP Escalate priviledges KeyLogger FTP Code injection Http API Internet API Steal credential ScreenShot Downloader P2P AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Tofsee Windows ComputerName Cryptographic key		2	3		6.6			ZeroCERT

7857	2021-05-04 18:22	arinzex.exe b61fa321f22d56553ab37916d973cf4e Antivirus SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware powershell suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates shortcut unpack itself Disables Windows Security powershell.exe wrote suspicious process WriteConsoleW Windows Browser Email ComputerName Cryptographic key Software crashed keylogger					13.4	M	18	ZeroCERT

7858	2021-05-04 18:23	win32.exe 62c0acfc18a80a6132a3e8d8baacc90a PE File PE32 DLL OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware c&c suspicious privilege MachineGuid Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk VM Disk Size Check installed browsers check Browser Email ComputerName DNS Software	1 Keyword trend analysis	2	9 Info ET INFO DNS Query for Suspicious .cf Domain ET MALWARE LokiBot User-Agent (Charon/Inferno) ET MALWARE LokiBot Checkin ET INFO HTTP POST Request to Suspicious *.cf Domain ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 ET MALWARE LokiBot Request for C2 Commands Detected M1 ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 ET MALWARE LokiBot Request for C2 Commands Detected M2 ET MALWARE LokiBot Fake 404 Response		9.2		16	ZeroCERT

7859	2021-05-04 18:24	scr.dll 31980c9b17f61c5f808cb882e41083af DLL PE File PE32 JPEG Format ENERGETIC BEAR VirusTotal Malware Malicious Traffic Checks debugger buffers extracted unpack itself DNS	1 Keyword trend analysis	1	1		4.0	M	39	ZeroCERT

7860	2021-05-04 18:27	Sample.exe ee7c05c530262450d2c5ace98ebbf8bc PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Windows ComputerName					8.0	M	22	ZeroCERT