Submissions

Date range button:

First seen:

Last seen:

No	Date	Request	Urls	Hosts	IDS	Rule	Score	Zero	VT	Player
11086	2023-08-01 09:09	4XR.exe 6c006bd6ae5d2a1f98bf1d3028db0749 Emotet Generic Malware Downloader UPX WinRAR Malicious Library Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM OS Process VirusTotal Cryptocurrency Miner Malware Cryptocurrency powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities suspicious process AppData folder WriteConsoleW Firewall state off Windows ComputerName Remote Code Execution DNS Cryptographic key crashed CoinMiner		4	2		11.2		37	ZeroCERT

11087	2023-08-01 08:43	File_pass1234.7z becbf77d1e0b6a61d8203096792e76a4 Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Cryptocurrency Miner Malware Cryptocurrency Microsoft Telegram suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows RisePro DNS	27 Keyword trend analysis Info http://208.67.104.60/api/firegate.php - rule_id: 34253 http://95.214.25.207:3002/file.exe - rule_id: 35494 http://hugersi.com/dl/6523.exe - rule_id: 32660 http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705 http://45.15.156.229/api/tracemap.php - rule_id: 33783 http://176.113.115.84:8080/4.php - rule_id: 34795 http://aa.imgjeoogbb.com/check/?sid=181850&key=8240077a9356286e413223063c28ca19 - rule_id: 34651 http://78.47.122.222/acea55252b775eee1be2febeda0c0d49 - rule_id: 35555 http://78.47.122.222/pack.zip - rule_id: 35556 http://apps.identrust.com/roots/dstrootcax3.p7c http://77.91.68.61/rock/index.php - rule_id: 35495 http://www.google.com/ http://208.67.104.60/api/tracemap.php - rule_id: 28876 http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482 http://aa.imgjeoogbb.com/check/safe - rule_id: 34652 http://www.maxmind.com/geoip/v2.1/city/me https://hooligapps.site/setup294.exe - rule_id: 35386 https://steamcommunity.com/profiles/76561199529242058 - rule_id: 35413 https://vk.com/doc801981293_667237000?hash=wJ5uCBdRHZzUjQjWqgBH48skmucYHiYj2GRiSACkdpw&dl=0FKa00zk0GBCzSFOZ7oP1FKOpaxYtVDdsq7vQUc0Gm4&api=1&no_preview=1#s https://db-ip.com/demo/home.php?s=175.208.134.152 https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self https://db-ip.com/ https://sun6-21.userapi.com/c909418/u801981293/docs/d19/cab0d9fd22fb/test.bmp?extra=S1lBZ2ara_uwvkUiCQO2CpDy8V8CT-DUsMDJDq5c-j9MzsI9R-MnJavBC7JjKow1RrS6V5Gt1xq0ExvtLgwopOUcyKFLyvxY2XmRgoY0ZkqV7tnvNQ-VvJNUjMmHJ0J8jIPVt2kRBM2Az8yPjA https://sun6-23.userapi.com/c909618/u801981293/docs/d44/475e3b19467d/s.bmp?extra=CXhY0FYqAixfAe5gJo7Du2h3NIxPT1pwd6-OGYvPBrGUFvJMhPwurTncp5qAumXPeaEsjP-9apm2cztbCqwM3BtYwSrG2usVk_yUD9MqnSphi6K9Aq2Kc23k8YWxnMAVObcde_7Phogwv24YQg https://sun6-22.userapi.com/c909628/u801981293/docs/d19/0473ba2c3397/PMmp.bmp?extra=WrUP7rtQyA__XGT96VkpbA09fH6-o78MtrcF3sMNML4tfmPd86znTXohoj2oY2iq7cXqb1ogncL3vqMNV51fvJBKLzDGTPGMaC4OONg8jXxXAsBqDQAvLjke5w40Iev0XWVFSDfyPSjjzQYtIg https://sun6-20.userapi.com/c909218/u801981293/docs/d32/1c8ef9b2fc28/new.bmp?extra=If9Lo5F5-e1eTZGduxSFLbQb0TVGFPXkyZWdMeMv2g26HJlc5QbDck071WaX_YgB9o1UpVtPqxy4QD-RrF0Q12P3DrQDvvKj93TpO8rTUDzPo40OWhmmYf1PD6BDnURtppPdCg-zVajpOAa3yw https://sun6-20.userapi.com/c909328/u801981293/docs/d24/084544a6c731/oip0uc82pz.bmp?extra=7iBeThmhh6DgxxYaPSgYpUe2xaYhvy6ZK-0HMLVHTGLGhFsWaOMYzD4oPREABqJmmPxnl2RS147cj8tiTALRAueLEt6VQbMoYwkK8FAFUhT-iPqHGu8D_3g2StFRnl2plAP3lJhvQaXWy0u0kA	72 Info db-ip.com(104.26.4.15) dialeta.com.br(192.185.223.202) hotelcasarafaelita.com(162.241.203.245) sun6-23.userapi.com(95.142.206.3) vanaheim.cn(45.145.4.170) t.me(149.154.167.99) - mailcious ipinfo.io(34.117.59.81) fastpool.xyz(213.91.128.133) - mailcious hooligapps.site(172.67.135.110) - mailcious steamcommunity.com(104.76.78.101) - mailcious iplogger.org(148.251.234.83) - mailcious aa.imgjeoogbb.com(154.221.26.108) - mailcious sun6-20.userapi.com(95.142.206.0) - mailcious api.db-ip.com(104.26.4.15) sun6-21.userapi.com(95.142.206.1) - mailcious us.imgjeoigaa.com(103.100.211.218) - mailcious bitbucket.org(104.192.141.1) - malware zzz.fhauiehgha.com(156.236.72.121) - mailcious www.google.com(142.250.76.132) api.myip.com(172.67.75.163) hugersi.com(91.215.85.147) - malware sun6-22.userapi.com(95.142.206.2) www.maxmind.com(104.17.215.67) vk.com(87.240.129.133) - mailcious iplis.ru(148.251.234.93) - mailcious 148.251.234.93 - mailcious 142.250.204.36 51.89.201.49 - mailcious 154.221.26.108 - mailcious 23.34.107.26 77.91.124.156 - mailcious 104.17.215.67 91.215.85.147 - malware 194.169.175.128 - mailcious 162.241.203.245 62.122.184.92 - mailcious 45.145.4.170 78.47.122.222 - mailcious 208.67.104.60 - mailcious 95.214.25.207 - malware 176.123.9.85 - mailcious 149.154.167.99 - mailcious 172.67.75.166 80.66.75.4 - mailcious 172.67.75.163 80.66.75.77 192.185.223.202 - mailcious 157.254.164.98 - mailcious 34.117.59.81 176.113.115.84 - mailcious 176.113.115.85 - mailcious 148.251.234.83 176.113.115.135 - mailcious 176.113.115.136 - mailcious 45.143.201.238 - mailcious 45.12.253.74 - malware 104.192.141.1 - mailcious 77.91.124.231 - malware 77.91.68.61 - malware 156.236.72.121 - mailcious 45.15.156.229 - mailcious 104.21.6.229 104.26.4.15 95.142.206.3 163.123.143.4 - mailcious 95.142.206.1 - mailcious 95.142.206.0 - mailcious 121.254.136.27 95.142.206.2 87.240.132.72 - mailcious 103.100.211.218 - malware 213.91.128.133 - mailcious	30 Info ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) SURICATA Applayer Mismatch protocol both directions SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) ET DROP Spamhaus DROP Listed Traffic Inbound group 21 ET INFO TLS Handshake Failure ET DROP Spamhaus DROP Listed Traffic Inbound group 8 ET INFO Executable Download from dotted-quad Host ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response ET INFO EXE - Served Attached HTTP ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Token) ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (External IP) ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) ET MALWARE Redline Stealer TCP CnC - Id1Response ET MALWARE Redline Stealer Activity (Response) ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Get_settings) ET MALWARE [ANY.RUN] RisePro TCP v.0.1 (Exfiltration) ET POLICY IP Check Domain (iplogger .org in DNS Lookup) ET POLICY IP Check Domain (iplogger .org in TLS SNI) ET INFO Observed Telegram Domain (t .me in TLS SNI) ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) ET INFO Dotted Quad Host ZIP Request ET POLICY Cryptocurrency Miner Checkin	15 Info http://208.67.104.60/api/firegate.php http://95.214.25.207:3002/file.exe http://hugersi.com/dl/6523.exe http://zzz.fhauiehgha.com/m/okka25.exe http://45.15.156.229/api/tracemap.php http://176.113.115.84:8080/4.php http://aa.imgjeoogbb.com/check/ http://78.47.122.222/acea55252b775eee1be2febeda0c0d49 http://78.47.122.222/pack.zip http://77.91.68.61/rock/index.php http://208.67.104.60/api/tracemap.php http://us.imgjeoigaa.com/sts/imagc.jpg http://aa.imgjeoogbb.com/check/safe https://hooligapps.site/setup294.exe https://steamcommunity.com/profiles/76561199529242058	7.0	M		ZeroCERT

11088	2023-08-01 08:11	Wallet.exe f8e6425f51d262f94758c86fe2b936bf Generic Malware UPX .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself					2.4	M	30	ZeroCERT

11089	2023-08-01 08:09	photo443.exe e248dada31a4ae88394b5c8363218701 Gen1 Emotet Amadey UPX Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware Microsoft AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed	3 Keyword trend analysis	2	12 Info ET INFO Microsoft net.tcp Connection Initialization Activity ET MALWARE Redline Stealer TCP CnC Activity ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) ET MALWARE Redline Stealer TCP CnC - Id1Response ET INFO Dotted Quad Host DLL Request ET MALWARE Amadey CnC Check-In ET MALWARE Win32/Amadey Bot Activity (POST) M2 ET MALWARE Redline Stealer Activity (Response) ET INFO Packed Executable Download ET POLICY PE EXE or DLL Windows file download HTTP ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	3	16.0	M		ZeroCERT

11090	2023-08-01 08:09	p9iLwGB7kusHed.exe bf1d64bea29e43b8a75708b26ea268d1 Malicious Library PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself					2.4	M	31	ZeroCERT

11091	2023-08-01 08:08	C3VB.exe a32e1510eaf70c772b81fc4e9f4c46f3 LokiBot RedLine stealer Emotet Generic Malware Downloader UPX WinRAR Malicious Library .NET framework(MSIL) Admin Tool (Sysinternals etc ...) Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS S Browser Info Stealer RedLine FTP Client Info Stealer VirusTotal Malware powershell AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities Collect installed applications Check virtual network interfaces suspicious process AppData folder WriteConsoleW Firewall state off installed browsers check Tofsee Stealer Windows Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed	3 Keyword trend analysis	8	5 Info ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup) SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound SURICATA HTTP unable to match response to request		22.6		41	ZeroCERT

11092	2023-08-01 08:06	x.exe 56d79c2e80c07da469b2e00bcf381659 UPX Malicious Library OS Processor Check PE64 PE File VirusTotal Malware anti-virtualization					2.4		45	ZeroCERT

11093	2023-08-01 08:05	xx.exe 6b6573622aaa1b886bd60699c99d6fbb UPX .NET framework(MSIL) Malicious Library Malicious Packer Antivirus OS Processor Check .NET EXE PE File PE32 VirusTotal Malware Check memory Checks debugger unpack itself					2.0		63	ZeroCERT

11094	2023-08-01 08:04	ratt.exe dc0ec514d428d56d042c087457f843c0 Emotet Generic Malware Downloader UPX WinRAR Malicious Library Antivirus Create Service Socket P2P DGA Steal credential Http API Escalate priviledges PWS Sniff Audio HTTP DNS ScreenShot Code injection Internet API FTP KeyLogger AntiDebug AntiVM OS Process powershell AutoRuns PDB suspicious privilege Code Injection Check memory Checks debugger WMI Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process AppData folder malicious URLs WriteConsoleW Firewall state off Windows ComputerName Remote Code Execution DNS Cryptographic key crashed		3	1		11.2			ZeroCERT

11095	2023-08-01 08:03	dasf.exe 89ef9f770753ea98cde8dd221b71f510 UPX Malicious Library OS Processor Check PE File PE32 DNS		1			1.6			ZeroCERT

11096	2023-07-31 18:02	sf64r.dll 374d8e8089ecf5f1a161514d1b346432 Malicious Library DLL PE64 PE File Checks debugger unpack itself Remote Code Execution DNS		1			3.0			ZeroCERT

11097	2023-07-31 18:02	BRA.exe d5bddbbbf64a97dc0e98d4db2b675fb3 Themida Packer UPX .NET EXE PE File PE32 Check memory Checks debugger unpack itself Checks Bios Detects VMWare VMware anti-virtualization Windows ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed		1			6.8			ZeroCERT

11098	2023-07-31 17:58	000000000000000%23%23%23%23%23... 92bb79c8468691d39e3750967f235588 MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware buffers extracted exploit crash Exploit DNS crashed		1			4.2		29	ZeroCERT

11099	2023-07-31 17:52	blinkzx.doc 3bda3743edc516b3b4687e86606fb844 MS_RTF_Obfuscation_Objects RTF File doc Malware download VirusTotal Malware Malicious Traffic RWX flags setting exploit crash IP Check Tofsee Windows Exploit DNS crashed	1 Keyword trend analysis	5	8 Info ET INFO Executable Download from dotted-quad Host ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 SURICATA Applayer Detect protocol only one direction ET INFO TLS Handshake Failure SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response		5.6		36	ZeroCERT

11100	2023-07-31 17:49	zdkecjb7.exe 2eb21acbab653f9007db89469ca991c9 Generic Malware UPX Malicious Library Antivirus Anti_VM AntiDebug AntiVM OS Processor Check PE File PE32 PowerShell VirusTotal Malware Microsoft Buffer PE suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself suspicious process WriteConsoleW IP Check Tofsee Windows ComputerName DNS Cryptographic key crashed	7 Keyword trend analysis Info http://www.microsoft.com/ http://ip-api.com/json/?fields=query,status,countryCode,city,timezone http://46.29.235.84/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys http://pastebin.com/raw/r0KhEEzi - rule_id: 35402 http://pastebin.com/raw/r0KhEEzi https://pastebin.com/raw/r0KhEEzi - rule_id: 35401 https://pastebin.com/raw/r0KhEEzi	10	3	2	14.4		55	ZeroCERT