9271 | 2023-10-28 11:51 | timeSync.exe | MD5 a666eac4d7ffb6c00bbc79b627e1c660
Tags: Malicious Library, UPX, PE File, PE32, OS Processor Check, VirusTotal, Malware, unpack itself
URLs: - | Hosts: - | Alerts: - | Rule-matched URLs: -
Score: 1.6 | VT: 29 | User: ZeroCERT
9272 | 2023-10-27 19:47 | 북한최고인민회의 결과.lnk (Korean: "North Korean Supreme People's Assembly results") | MD5 cc96ba45dd2b6a6d7aa300d77e49c095
Tags: Generic Malware, Downloader, Antivirus, HWP, PS, PostScript, Create Service, Socket, DGA, Http API, ScreenShot, Escalate priviledges, Steal credential, PWS, Sniff Audio, HTTP, DNS, Code injection, Internet API, FTP, KeyLogger, P2P, Hide_URL, AntiDebug, AntiVM, Lnk Format, MSOffice, VirusTotal, Malware, powershell, suspicious privilege, Code Injection, Check memory, Checks debugger, Creates shortcut, Creates executable files, unpack itself, Windows utilities, powershell.exe wrote, Check virtual network interfaces, suspicious process, AppData folder, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs: -
Hosts (2):
  dl.dropboxusercontent.com(162.125.84.15) - malware
  162.125.84.15 - malware
Alerts (2):
  ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 11.2 | VT: 28 | User: guest
9273 | 2023-10-27 18:04 | cred64.dll | MD5 1c27631e70908879e1a5a8f3686e0d46
Tags: Amadey, Browser Login Data Stealer, Malicious Library, UPX, PE File, DLL, PE64, OS Processor Check, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Malware, Cryptocurrency wallets, Cryptocurrency, PDB, MachineGuid, Malicious Traffic, Checks debugger, unpack itself, Windows utilities, sandbox evasion, human activity check, installed browsers check, Windows, Browser, DNS, Software
URLs (2):
  http://185.196.8.176/7jshasdS/index.php - rule_id: 37683
  http://185.196.8.176/7jshasdS/index.php
Hosts: 1 (not listed)
Alerts: -
Rule-matched URLs (1):
  http://185.196.8.176/7jshasdS/index.php
Score: 7.8 | VT: 49 | User: ZeroCERT
9274 | 2023-10-27 18:04 | clip64.dll | MD5 ceffd8c6661b875b67ca5e4540950d8b
Tags: Amadey, Malicious Library, UPX, PE File, DLL, PE32, OS Processor Check, VirusTotal, Malware, PDB, Malicious Traffic, Checks debugger, unpack itself, DNS
URLs (2):
  http://185.196.8.176/7jshasdS/index.php - rule_id: 37683
  http://185.196.8.176/7jshasdS/index.php
Hosts: 1 (not listed)
Alerts: -
Rule-matched URLs (1):
  http://185.196.8.176/7jshasdS/index.php
Score: 3.8 | VT: 49 | User: ZeroCERT
9275 | 2023-10-27 17:05 | xlammexpoittt.vbs | MD5 9595077ef106c2510f73d0132ea81155
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, wscript.exe payload download, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, DNS, Cryptographic key
URLs (4):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://paste.ee/d/Hhg3l
  https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529
  http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
Hosts (6):
  paste.ee(104.21.84.67) - mailcious
  uploaddeimagens.com.br(172.67.215.45) - malware
  185.196.8.176
  121.254.136.9
  104.21.84.67 - malware
  104.21.45.138 - malware
Alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 10.2 | VT: 5 | User: ZeroCERT
9276 | 2023-10-27 17:04 | cleanupdate.exe | MD5 c9aa05e75a369370955cf71b12a2121a
Tags: Browser Login Data Stealer, Amadey, Hide_EXE, Malicious Library, UPX, Http API, ScreenShot, HTTP, Code injection, Internet API, AntiDebug, AntiVM, PE File, PE32, .NET EXE, JPEG Format, DLL, PE64, OS Processor Check, Browser Info Stealer, Malware download, Amadey, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, Cryptocurrency wallets, Cryptocurrency, AutoRuns, suspicious privilege, MachineGuid, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, Creates executable files, unpack itself, Windows utilities, suspicious process, AppData folder, sandbox evasion, WriteConsoleW, installed browsers check, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software
URLs (4):
  http://185.196.8.176/7jshasdS/Plugins/clip64.dll
  http://185.196.8.176/7jshasdS/Plugins/cred64.dll
  http://185.196.8.176/7jshasdS/index.php?scr=1
  http://185.196.8.176/7jshasdS/index.php
Hosts (2):
  185.196.8.176
  89.208.104.64 - malware
Alerts (5):
  ET MALWARE Amadey Bot Activity (POST)
  ET MALWARE Amadey Bot Activity (POST) M1
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Rule-matched URLs: -
Score: 20.0 | M | VT: 23 | User: ZeroCERT
9277 | 2023-10-27 17:03 | HTMLXLAMieBrowser.dOC | MD5 baeaa0fda1df43a65dc12777327db43b
Tags: MS_RTF_Obfuscation_Objects, RTF File, doc, VirusTotal, Malware, VBScript, Malicious Traffic, exploit crash, unpack itself, Tofsee, Exploit, DNS, crashed
URLs (3):
  http://185.254.37.174/xlammexpoittt.vbs
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://paste.ee/d/Hhg3l
Hosts (6):
  paste.ee(172.67.187.200) - mailcious
  uploaddeimagens.com.br(172.67.215.45) - malware
  104.21.84.67 - malware
  121.254.136.18
  185.254.37.174 - mailcious
  104.21.45.138 - malware
Alerts (3):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET INFO Dotted Quad Host VBS Request
Rule-matched URLs: -
Score: 4.0 | M | VT: 28 | User: ZeroCERT
9278 | 2023-10-27 13:28 | rumpe.jpg.exe | MD5 85fa49d81d22418534ded291306be57d
Tags: Malicious Library, UPX, .NET DLL, PE File, DLL, PE32, OS Processor Check, VirusTotal, Malware, PDB
URLs: - | Hosts: - | Alerts: - | Rule-matched URLs: -
Score: 1.4 | VT: 27 | User: ZeroCERT
9279 | 2023-10-27 13:24 | obm.txt.exe | MD5 697ebf34888a6672c7ade14701fe2c00
Tags: AgentTesla, Malicious Library, UPX, PE File, PE32, .NET EXE, Browser Info Stealer, Email Client Info Stealer, suspicious privilege, Check memory, Checks debugger, unpack itself, Browser, Email, ComputerName, crashed
URLs: - | Hosts: - | Alerts: - | Rule-matched URLs: -
Score: 2.6 | VT: - | User: ZeroCERT
9280 | 2023-10-27 12:25 | File.7z | MD5 3c62d34e99c4d0766c6a30aff0ff00d4
Tags: PrivateLoader, Stealc, Amadey, Escalate priviledges, PWS, KeyLogger, AntiDebug, AntiVM, RedLine, Malware download, Amadey, Malware c&c, Microsoft, suspicious privilege, Malicious Traffic, Check memory, Checks debugger, Creates executable files, ICMP traffic, unpack itself, suspicious TLD, IP Check, PrivateLoader, Tofsee, Stealc, Stealer, Windows, Browser, Trojan, DNS, Downloader
URLs: 55
Hosts: 91
Alerts: 42
Rule-matched URLs: 23
Score: 6.8 | M | VT: - | User: ZeroCERT
9281 | 2023-10-27 10:58 | ngown.vbs | MD5 74558dda2ee55f1223e34b0e18411764
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, wscript.exe payload download, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (4):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://paste.ee/d/TrsPr
  https://uploaddeimagens.com.br/images/004/634/676/original/rumpe.jpg?1697053529
  http://193.42.33.51/ngohms.txt
Hosts (5):
  paste.ee(104.21.84.67) - mailcious
  uploaddeimagens.com.br(172.67.215.45) - malware
  172.67.187.200 - mailcious
  104.21.45.138 - malware
  182.162.106.33 - malware
Alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 9.6 | M | VT: 5 | User: ZeroCERT
9282 | 2023-10-27 10:56 | don.vbs | MD5 049cbf1fa6fb0b213b5d6aace06efbd9
Tags: VirusTotal, Malware, buffers extracted, wscript.exe payload download, Tofsee
URLs: 1 (not listed)
Hosts (2):
  paste.ee(172.67.187.200) - mailcious
  172.67.187.200 - mailcious
Alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 3.0 | M | VT: 5 | User: ZeroCERT
9283 | 2023-10-27 10:54 | ngone.vbs | MD5 bb1a98b873c6fbebb5c2bab804fbe831
Tags: VirusTotal, Malware, buffers extracted, wscript.exe payload download, Tofsee
URLs: 1 (not listed)
Hosts (2):
  paste.ee(172.67.187.200) - mailcious
  104.21.84.67 - malware
Alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 3.0 | M | VT: 5 | User: ZeroCERT
9284 | 2023-10-27 10:54 | bdolsx.vbs | MD5 44c457dd13efcd6622b1b6dbab5c1965
Tags: VirusTotal, Malware, buffers extracted, wscript.exe payload download, Tofsee
URLs: 1 (not listed)
Hosts (2):
  paste.ee(172.67.187.200) - mailcious
  172.67.187.200 - mailcious
Alerts (2):
  ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 3.0 | M | VT: 5 | User: ZeroCERT
9285 | 2023-10-27 10:13 | ereeeeeeeeeeeefereFile.vbs | MD5 73d2fd40cb82f20bb3d340720da666d0
Tags: Generic Malware, Antivirus, PowerShell, VirusTotal, Malware, powershell, suspicious privilege, Check memory, Checks debugger, buffers extracted, Creates shortcut, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Tofsee, Windows, ComputerName, Cryptographic key
URLs (3):
  http://apps.identrust.com/roots/dstrootcax3.p7c
  https://uploaddeimagens.com.br/images/004/644/749/original/new_image.jpg?1698084523
  http://185.254.37.174/mohammeddroidupdatedfilebase64.txt
Hosts (3):
  uploaddeimagens.com.br(172.67.215.45) - malware
  23.32.56.72
  172.67.215.45 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Rule-matched URLs: -
Score: 8.4 | VT: 3 | User: ZeroCERT