Submissions

No Date Request Urls Hosts IDS Rule Score Zero VT Player Etc

7981 2023-10-06 09:36 d9e1c3_0ec2df3125b34e10ad269f8...
    5e63744a4fad5be640aa0a7a2e444a3d
    Generic Malware Antivirus VirusTotal Malware Check memory unpack itself WriteConsoleW Windows Cryptographic key
    1.4 3 ZeroCERT

7982 2023-10-06 08:03 foto3553.exe
    53ffe4a2e5ff91672c96597ebece2470
    RedLine stealer Gen1 Emotet RedLine Infostealer SmokeLoader Amadey Generic Malware UltraVNC Malicious Library UPX Antivirus .NET framework(MSIL) Confuser .NET Malicious Packer Admin Tool (Sysinternals etc ...) ScreenShot PWS AntiDebug AntiVM PE File PE32 Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Email Client Info Stealer Malware powershell Microsoft AutoRuns PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities Disables Windows Security Collect installed applications powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Tofsee Stealc Stealer Windows Update Exploit Browser Email ComputerName Remote Code Execution DNS Cryptographic key Software crashed Downloader
    34 18 20 1 26.8 M ZeroCERT

7983 2023-10-06 08:03 rus.exe
    fa89b094ca8c9caaa69758e0c0385d5e
    Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware PDB Code Injection buffers extracted
    7.4 M ZeroCERT

7984 2023-10-06 08:01 mstsc.exe
    65c7d9e822c9f2b8291202128644e825
    Malicious Library UPX PE File PE32 OS Processor Check PDB DNS
    1 2.6 M ZeroCERT

7985 2023-10-06 08:00 Wblxhuaksujvhq.exe
    c7fcb915a272045036e5d8e0de23fd5a
    Malicious Library UPX PE File PE32 MZP Format RWX flags setting unpack itself Tofsee Interception crashed
    2 1 2.4 M ZeroCERT

7986 2023-10-06 07:59 nano.exe
    501bd8c4a18e386f240b6d77d388cbb3
    Malicious Library UPX AntiDebug AntiVM PE File PE32 OS Processor Check Malware download Malware PDB Code Injection Malicious Traffic buffers extracted unpack itself Stealc Browser DNS
    1 1 2 1 7.6 M ZeroCERT

7987 2023-10-06 07:58 trafico.exe
    5aac2b17c8da70fd4386a66974d5206c
    Malicious Library PE File PE32
    0.6 M ZeroCERT

7988 2023-10-06 07:58 legend.exe
    ef2de4a8a06f86867f6e460e88919515
    NSIS Malicious Library UPX PE File PE32 OS Processor Check Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer AutoRuns suspicious privilege Check memory Checks debugger Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName DNS Software crashed
    2 4 6.6 M ZeroCERT

7989 2023-10-06 07:56 audiodg.exe
    b04c242731d9afd15433f4e2d8049f35
    .NET framework(MSIL) PE File PE32 .NET EXE Check memory Checks debugger unpack itself
    1.2 M ZeroCERT

7990 2023-10-06 07:54 EpPDrE.exe
    85d3d194ec107f5b92a7d9e6a9d06ef0
    Generic Malware Malicious Library UPX Malicious Packer Anti_VM PE File PE64 OS Processor Check crashed
    0.2 M ZeroCERT

7991 2023-10-06 07:54 HTML.exe
    b080010f26154310dc09d7154d6a898c
    LokiBot Admin Tool (Sysinternals etc ...) .NET framework(MSIL) PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW IP Check Tofsee Windows Browser Email ComputerName DNS Cryptographic key Software crashed
    2 4 11.8 M ZeroCERT

7992 2023-10-06 07:52 vlc.exe
    e30cd25b2b31a0c5f19f9c3f5818b242
    RedLine stealer UPX AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer RedLine Malware download FTP Client Info Stealer Malware Microsoft suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
    1 6 9.8 M ZeroCERT

7993 2023-10-06 07:52 dorime.exe
    a889a7cca1cbb0680532b62569d9e362
    LokiBot UPX .NET framework(MSIL) Socket PWS DNS AntiDebug AntiVM PE File PE32 .NET EXE OS Processor Check Browser Info Stealer LokiBot Malware download FTP Client Info Stealer Email Client Info Stealer Malware c&c Buffer PE suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted unpack itself malicious URLs installed browsers check Windows Browser Email ComputerName DNS Cryptographic key Software
    1 1 5 12.4 M ZeroCERT

7994 2023-10-06 07:49 audiodg.exe
    fca38d9f17a13f01c024777d8b81ccf4
    PWS SMTP KeyLogger AntiDebug AntiVM PE File PE32 .NET EXE Browser Info Stealer FTP Client Info Stealer Email Client Info Stealer PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Browser Email ComputerName Software crashed
    9.6 M ZeroCERT

7995 2023-10-06 07:49 2-3-0_2023-10-05_14-14.exe
    56e563840a12f6725c08c20577b1e1fe
    Malicious Library UPX PE File PE32 OS Processor Check PDB
    0.6 M ZeroCERT