Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
9886	2023-07-31 17:27	run.bat a19fe50329633bae519220dcd4b0e432 Generic Malware Downloader Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself suspicious process WriteConsoleW Windows ComputerName Cryptographic key	4 Keyword trend analysis				3.6			ZeroCERT

9887	2023-07-31 17:19	2907.zip d8491c2201483a1c75ff76fe08e17e2c ZIP Format VirusTotal Malware Malicious Traffic NetSupport	1 Keyword trend analysis	5	1		2.4		13	ZeroCERT

9888	2023-07-31 16:55	3a64dce714d28968b2691168a78e03... 6258ec13a6d93e6ca60755540abebde6 Vidar LokiBot UPX PWS AntiDebug AntiVM BitCoin OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Telegram Buffer PE PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself malicious URLs Tofsee ComputerName Remote Code Execution DNS	3 Keyword trend analysis	5	4	2	11.2	M	17	guest

9889	2023-07-31 11:24	x64.exe 79a0dbb12842319812690aebfd1ee580 PE64 PE File VirusTotal Malware Malicious Traffic unpack itself suspicious TLD DNS	1 Keyword trend analysis	2	2		3.4		38	ZeroCERT

9890	2023-07-31 11:22	8a5fd1e9c9841ff0253b2a6f1e533d... 8a5fd1e9c9841ff0253b2a6f1e533d0e UPX Malicious Library OS Processor Check PE File PE32 ZIP Format Word 2007 file format(docx) VirusTotal Malware PDB Check memory RWX flags setting unpack itself suspicious process Tofsee Interception	1 Keyword trend analysis	2	2		3.2		13	ZeroCERT

9891	2023-07-31 11:21	002105e21f1bddf68e59743c440e41... 002105e21f1bddf68e59743c440e416a UPX Malicious Library OS Processor Check PE File PE32 ZIP Format Word 2007 file format(docx) VirusTotal Malware PDB Check memory RWX flags setting unpack itself suspicious process Tofsee Interception	1 Keyword trend analysis	2	2		3.2		10	ZeroCERT

9892	2023-07-31 11:20	위믹스팀-클라우드사용금지.doc b6614471ebf288689d33808c376540e1 VBA_macro ZIP Format Word 2007 file format(docx) VirusTotal Malware exploit crash unpack itself WriteConsoleW Tofsee Exploit crashed		2	2		4.2		31	ZeroCERT

9893	2023-07-31 11:06	sys.exe e08b723ca187ecfef73c1b7b5f0ecfc8 XMRig Miner Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware unpack itself ComputerName					1.8		48	r0d

9894	2023-07-31 10:36	File_pass1234.7z c5997806d938310f6b0cbde8389b2108 Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Discord RisePro DNS	40 Keyword trend analysis Info http://208.67.104.60/api/firegate.php - rule_id: 34253 http://95.214.25.207:3002/file.exe - rule_id: 35494 http://hugersi.com/dl/6523.exe - rule_id: 32660 http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://77.91.68.61/rock/index.php - rule_id: 35495 http://www.microsoft.com/ http://78.47.122.222/acea55252b775eee1be2febeda0c0d49 http://78.47.122.222/ http://aa.imgjeoogbb.com/check/?sid=236822&key=d294ba04ff5222de790b309dae810e54 - rule_id: 34651 http://aa.imgjeoogbb.com/check/?sid=236822&key=d294ba04ff5222de790b309dae810e54 http://78.47.122.222/pack.zip http://ip-api.com/json/?fields=query,status,countryCode,city,timezone http://apps.identrust.com/roots/dstrootcax3.p7c http://www.maxmind.com/geoip/v2.1/city/me http://208.67.104.60/api/tracemap.php - rule_id: 28876 http://208.67.104.60/api/tracemap.php http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482 http://us.imgjeoigaa.com/sts/imagc.jpg http://77.91.124.47/new/foto5566.exe http://aa.imgjeoogbb.com/check/safe - rule_id: 34652 http://aa.imgjeoogbb.com/check/safe https://hooligapps.site/setup294.exe - rule_id: 35386 https://hooligapps.site/setup294.exe https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test https://vk.com/doc801981293_667028020?hash=zNXj4WrlTyEKRUBB0vxsLD8HwE7hYL7JgYi8vgPFINH&dl=UHDS7B9XXtrml8Ov9nEnY8cZe5Q3T6Z0UJqbZWjTksT&api=1&no_preview=1#scjeen https://vk.com/doc801981293_667066083?hash=m6Sjui2f4HpWtz9GQYumUhPuRTfIRk3Z6g4OA7TOD4L&dl=QdPsOGLXyKwtXjXJewQAbmRgAgTggz12uJxZZc3F10c&api=1&no_preview=1 https://sun6-22.userapi.com/c909628/u801981293/docs/d19/0473ba2c3397/PMmp.bmp?extra=WrUP7rtQyA__XGT96VkpbA09fH6-o78MtrcF3sMNML4tfmPd86znTXohoj2oY2iq7cXqb1ogncL3vqMNV51fvJBKLzDGTPGMaC4OONg8jXxXAsBlDwcrLjke5w40Iev0XWRBEmv0OivuyVUpIg https://db-ip.com/demo/home.php?s=175.208.134.152 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 https://vk.com/doc801981293_667139817?hash=fnY3s9xTCH8TvBuyjrszXkHvJq23CHHvk5PULwK4ZqD&dl=CAUx7IkjdyeFKrDihPvqPbyjkgiOxZZb3jve3rrp8vL&api=1&no_preview=1 https://cdn.discordapp.com/attachments/1133862996200935568/1133863783173984256/zdkecjb7.exe https://sun6-21.userapi.com/c909418/u801981293/docs/d19/cab0d9fd22fb/test.bmp?extra=S1lBZ2ara_uwvkUiCQO2CpDy8V8CT-DUsMDJDq5c-j9MzsI9R-MnJavBC7JjKow1RrS6V5Gt1xq0ExvtLgwopOUcyKFLyvxY2XmRgoY0ZkqV7tngNwiRvJNUjMmHJ0J8jIeG5jRLUsvWyZyJgw https://sun6-20.userapi.com/c909218/u801981293/docs/d32/1c8ef9b2fc28/new.bmp?extra=If9Lo5F5-e1eTZGduxSFLbQb0TVGFPXkyZWdMeMv2g26HJlc5QbDck071WaX_YgB9o1UpVtPqxy4QD-RrF0Q12P3DrQDvvKj93TpO8rTUDzPo40BWB6iYf1PD6BDnURtppWFDQzjUa3oYQiwwg https://vk.com/doc801981293_667089680?hash=rVIr38BrzIinBtaaqLw8bfBo4PPqpdnYNI24AEk2s4c&dl=J840u5Bv36XIVNgrl2q6ZZe4BL6Dzqm1CKoCTOCZiz4&api=1&no_preview=1#rise_test https://vk.com/doc801981293_666878057?hash=1cohXPp9aLK2Xz7H2hezj89drs50PYuLRBoirKPj3B8&dl=vMZbPrQFZIXfQgzBVvuUmx7NUXxKHs9ZVFMOgU7roi0&api=1&no_preview=1#WW1 https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats https://sun6-20.userapi.com/c909328/u801981293/docs/d24/084544a6c731/oip0uc82pz.bmp?extra=7iBeThmhh6DgxxYaPSgYpUe2xaYhvy6ZK-0HMLVHTGLGhFsWaOMYzD4oPREABqJmmPxnl2RS147cj8tiTALRAueLEt6VQbMoYwkK8FAFUhT-iPqIGOgH_3g2StFRnl2plFelxcY5RKfVl0y2nA	57 Info watson.microsoft.com(104.208.16.93) - db-ip.com(104.26.5.15) - zzz.fhauiehgha.com(156.236.72.121) - t.me(149.154.167.99) - ipinfo.io(34.117.59.81) - ip-api.com(208.95.112.1) - hooligapps.site(104.21.6.229) - steamcommunity.com(104.76.78.101) - aa.imgjeoogbb.com(154.221.26.108) - cdn.discordapp.com(162.159.130.233) - sun6-20.userapi.com(95.142.206.0) - api.db-ip.com(172.67.75.166) - sun6-21.userapi.com(95.142.206.1) - us.imgjeoigaa.com(103.100.211.218) - bitbucket.org(104.192.141.1) - www.microsoft.com(23.36.221.62) - api.myip.com(104.26.9.59) - hugersi.com(91.215.85.147) - sun6-22.userapi.com(95.142.206.2) - www.maxmind.com(104.17.214.67) - vk.com(87.240.132.78) - 194.169.175.128 - 51.89.201.49 - 154.221.26.108 - 208.95.112.1 - 77.91.124.156 - 91.215.85.147 - 77.91.68.1 - 162.159.135.233 - 78.47.122.222 - 104.26.5.15 - 208.67.104.60 - 95.214.25.207 - 149.154.167.99 - 172.67.75.166 - 172.67.75.163 - 185.159.129.168 - 77.91.124.47 - 157.254.164.98 - 34.117.59.81 - 45.12.253.74 - 104.192.141.1 - 104.208.16.93 - 104.17.214.67 - 77.91.68.61 - 156.236.72.121 - 45.15.156.229 - 104.21.6.229 - 87.240.137.164 - 163.123.143.4 - 95.142.206.1 - 95.142.206.0 - 121.254.136.27 - 95.142.206.2 - 103.100.211.218 - 23.36.221.62 - 104.76.78.101 -	32 Info SURICATA Applayer Mismatch protocol both directions ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) ET INFO Executable Download from dotted-quad Host ET DROP Spamhaus DROP Listed Traffic Inbound group 8 ET INFO TLS Handshake Failure ET POLICY PE EXE or DLL Windows file download HTTP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO Packed Executable Download ET INFO EXE - Served Attached HTTP ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (External IP) ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Get_settings) ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Exfiltration) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET MALWARE Redline Stealer Activity (Response) ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET INFO Dotted Quad Host ZIP Request ET INFO Observed Discord Domain (discordapp .com in TLS SNI) ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) ET POLICY Microsoft user-agent automated process response to automated request ET POLICY External IP Lookup ip-api.com	11 Info http://208.67.104.60/api/firegate.php http://95.214.25.207:3002/file.exe http://hugersi.com/dl/6523.exe http://zzz.fhauiehgha.com/m/okka25.exe http://45.15.156.229/api/tracemap.php http://77.91.68.61/rock/index.php http://aa.imgjeoogbb.com/check/ http://208.67.104.60/api/tracemap.php http://us.imgjeoigaa.com/sts/imagc.jpg http://aa.imgjeoogbb.com/check/safe https://hooligapps.site/setup294.exe	6.2	M		ZeroCERT

9895	2023-07-31 10:23	debug2.ps1 385c874a9adc94c9cddb7618a86b8299 Generic Malware Antivirus Malware powershell Malicious Traffic Check memory unpack itself Check virtual network interfaces WriteConsoleW Windows ComputerName DNS Cryptographic key crashed	2 Keyword trend analysis	1		1	4.6			ZeroCERT

9896	2023-07-31 10:01	secbobbyzx.doc 50a7ad2ace11903c9d16a6c8660631de MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic exploit crash Tofsee Windows Exploit DNS crashed	2 Keyword trend analysis	4	10 Info ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response		4.2		37	ZeroCERT

9897	2023-07-31 07:53	vvlio7wypLsHed.exe 732d840080e5382a366afe1ffd3e7aa3 NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder	5 Keyword trend analysis Info http://www.leaffonly.com/s27k/?mzr4=pW37V/wDdSqrMpF5ldchVc6r7Ddh2sY8bFEqKAvZO/A4bpL2AchokubKXEqi/NpFzOeyX4rN&Ulm=1bVHT http://www.truthistanbul.xyz/s27k/?mzr4=3t3cgmEc0SVZPbnF8WWvxCxcuLKlJaxXzFA+5x0Cdy6tIgxohJLcV2dbV3iAPSPHze8p/k40&Ulm=1bVHT http://www.foreverenamored.com/s27k/?mzr4=K0JmOqXr9HCtj2qTWz3wm1ISclVIfppkL5EMoSSMyzeFhY/mEgvox6BxsSrLYXaYq3j87tFB&Ulm=1bVHT http://www.happyhedgehogpress.com/s27k/?mzr4=a2nlmsvFJPfX3VFlu+jfFNID+dUFrRaa9nceP0cgqTTsgglWoa+YQxHQjSPpl/c00euLIa3j&Ulm=1bVHT http://www.flippinyourbusiness.com/s27k/?mzr4=Xi7F+l4Lb4Vq+ZnK/97dtmej1UbPO7AQVB5jWoV3FA39X8wswabFceq/socQVQQl0jUSsZ5z&Ulm=1bVHT	9	2		4.6	M	45	ZeroCERT

9898	2023-07-31 07:42	Tumeg.exe e5655066c86f74f6b444f66f3222ce07 Gen1 Emotet UPX Malicious Library Antivirus CAB PE File PE32 VirusTotal Malware AutoRuns PDB Check memory Creates executable files unpack itself Windows utilities AntiVM_Disk WriteConsoleW VM Disk Size Check Windows Remote Code Execution					4.6		28	ZeroCERT

9899	2023-07-31 07:40	Setup.exe 9bb0bf48749cecfeadc4e6be1a2ad5ef Emotet Gen1 UPX Malicious Library Malicious Packer AntiDebug AntiVM OS Processor Check .NET EXE PE File PE32 DLL Browser Info Stealer Malware download VirusTotal Email Client Info Stealer Malware c&c Buffer PE PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications sandbox evasion anti-virtualization installed browsers check Stealc Stealer Windows Browser Email ComputerName Remote Code Execution DNS plugin	8 Keyword trend analysis Info http://91.212.166.50/812472d22955f523.php http://91.212.166.50/1b13d87b74e22997/nss3.dll http://91.212.166.50/1b13d87b74e22997/sqlite3.dll http://91.212.166.50/1b13d87b74e22997/vcruntime140.dll http://91.212.166.50/1b13d87b74e22997/msvcp140.dll http://91.212.166.50/1b13d87b74e22997/mozglue.dll http://91.212.166.50/1b13d87b74e22997/softokn3.dll http://91.212.166.50/1b13d87b74e22997/freebl3.dll	1	17 Info ET DROP Spamhaus DROP Listed Traffic Inbound group 8 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in ET MALWARE Win32/Stealc Requesting browsers Config from C2 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config ET MALWARE Win32/Stealc Requesting plugins Config from C2 ET INFO Dotted Quad Host DLL Request ET MALWARE Win32/Stealc Active C2 Responding with plugins Config ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Submitting System Information to C2 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity ET MALWARE Win32/Stealc Submitting Screenshot to C2		14.2		9	ZeroCERT

9900	2023-07-31 07:35	sys.exe e08b723ca187ecfef73c1b7b5f0ecfc8 Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE64 PE File VirusTotal Malware unpack itself ComputerName					1.8	M	48	ZeroCERT