11791 | 2023-07-04 16:22
PO894Y23.PDF.exe 9e82efab8cc5b74afca76c45f900ca7a
Tags: Ave Maria WARZONE RAT Gen1 Generic Malware UPX Malicious Library Downloader Malicious Packer Antivirus AntiDebug AntiVM OS Processor Check PE File PE32 PNG Format DLL PE64 MSOffice File Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting exploit crash unpack itself Windows utilities suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Tofsee Windows Exploit Browser RAT Email ComputerName Remote Code Execution DNS Cryptographic key crashed
URLs (15):
  http://serving.bepolite.eu/script?space=50dd7b0f-4105-441f-8f60-18cc3fcb090c&type=direct&page_id=670568&screen_width=1233&screen_height=841&os=Win32&refurl=&pageurl=file%3A%2F%2FC%3A%5CUsers%5Ctest22%5CAppData%5CRoaming%5ChDHm.nson.html&rnd=1688470430209
  https://www.upload.ee/images/eng/flag.png
  https://www.upload.ee/images/arrow.gif
  https://www.googletagmanager.com/gtag/js?id=UA-6703115-1
  https://www.upload.ee/images/menubg.gif
  https://www.upload.ee/files/15369657/IkemRats.exe.html
  https://www.googletagmanager.com/gtag/js?id=G-LT9YQX0N49&l=dataLayer&cx=c
  https://www.upload.ee/images/rus/flag.png
  https://www.upload.ee/images/est/flag.png
  https://www.upload.ee/images/dl_.png
  https://www.upload.ee/images/eng/logo.png
  https://www.upload.ee/static/ubr__style.css
  https://www.google-analytics.com/analytics.js
  https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
  https://www.upload.ee/js/js__file_upload.js
Hosts (13):
  www.googletagmanager.com(142.250.206.200)
  www.upload.ee(51.91.30.159)
  s7.addthis.com(104.70.236.166)
  pagead2.googlesyndication.com(142.250.207.98) - mailcious
  www.google-analytics.com(142.250.207.110)
  serving.bepolite.eu(212.47.222.21)
  212.47.222.20
  142.251.130.14
  142.250.66.130
  142.251.220.40
  23.195.108.124
  172.93.222.150
  51.91.30.159
Alerts (4):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)
  ET INFO TLS Handshake Failure
  ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin
15.8 | 67 | ZeroCERT
11792 | 2023-07-04 16:15
INQUIRY_009270_9092023.exe fe7ab7bf623f74792ce3be09ad7f8654
Tags: Gen1 email stealer Generic Malware Downloader UPX Malicious Packer Malicious Library Antivirus Socket Escalate priviledges Code injection PWS DNS persistence KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check DLL PE64 Browser Info Stealer VirusTotal Email Client Info Stealer Malware powershell AutoRuns PDB suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself powershell.exe wrote suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check human activity check installed browsers check Windows Browser Email ComputerName DNS Cryptographic key crashed
1
16.4 | 36 | ZeroCERT
11793 | 2023-07-04 16:15
c35f4ebfa52e9f721f843eac4e01e9... c35f4ebfa52e9f721f843eac4e01e981
Tags: AgentTesla email stealer Downloader .NET framework(MSIL) Socket Escalate priviledges Code injection PWS Sniff Audio DNS ScreenShot persistence KeyLogger AntiDebug AntiVM PE File .NET EXE PE32 Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware powershell suspicious privilege MachineGuid Code Injection Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files unpack itself Windows utilities powershell.exe wrote suspicious process malicious URLs AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Windows Browser RAT Email ComputerName DNS Cryptographic key
Hosts (3):
  microsoft.com(20.112.250.133)
  20.236.44.162
  194.147.140.197
Alerts (2):
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE Warzone RAT Response (Inbound)
15.2 | 51 | ZeroCERT
11794 | 2023-07-04 14:37
Marketing_plan_Heyhappines_23.... c529390bb78ea6af60043ec06b6a2a89
Tags: PDF Suspicious Link PDF
M | ZeroCERT
11795 | 2023-07-04 11:22
RFx - NRSB-SPCI_QHK_NRSB_SPCI_... abf89b932e8ef30a751c9b989549ec89
Tags: NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL FormBook Malware download VirusTotal Malware suspicious privilege Malicious Traffic Check memory Creates executable files unpack itself AppData folder suspicious TLD DNS
URLs (2):
  http://www.benelu-duodefils.com/rx63/?v2=HUcnflQOG9YonvR2sjKjIWzCjLqpPnJ337/kiqXUxo4WVewSax/Nv6lIXYu4jtofiMzSrpEZ&CZ=7nExZbW
  http://www.houtsang.top/rx63/?v2=VlLW2NhVMZmXG6hxgxx+thcWCdrS7CDKDh6B3GCUCKxG9hmZpyr5p1bEfW5L7SHmGF/9Avel&CZ=7nExZbW
Hosts (6):
  www.houtsang.top(107.189.12.132)
  www.bbnlotto.africa()
  www.bmg.social()
  www.benelu-duodefils.com(216.239.32.21)
  216.239.36.21 - phishing
  107.189.12.132
Alerts (4):
  ET DNS Query to a *.top domain - Likely Hostile
  ET MALWARE FormBook CnC Checkin (GET)
  ET INFO HTTP Request to a *.top domain
  ET HUNTING Request to .TOP Domain with Minimal Headers
5.0 | 47 | ZeroCERT
11796 | 2023-07-04 11:16
Veekmvhuxdctye.exe 50da9726e918f94a39afacf32db3e5fe
Tags: UPX Malicious Library MZP Format PE File PE32 VirusTotal Malware RWX flags setting unpack itself Remote Code Execution DNS
Hosts (7):
  172.67.75.166
  80.66.75.4
  213.91.128.133 - mailcious
  45.143.201.238
  62.122.184.92
  104.26.5.15
  104.17.214.67
Alerts (1):
  ET DROP Dshield Block Listed Source group 1
3.2 | 34 | ZeroCERT
11797 | 2023-07-04 11:14
9009282736273.exe 7b9d1ae776aabfa0caa2a92ac560e5ff
Tags: UPX Malicious Library MZP Format PE File PE32 VirusTotal Malware RWX flags setting unpack itself
2.6 | 32 | ZeroCERT
11798 | 2023-07-04 11:14
JD%20Business%20Plan%202023.ln... 229b39c9a2ed47dd87d2eae54f11f41f
Tags: Gen1 Formbook Generic Malware UPX .NET framework(MSIL) Malicious Library Admin Tool (Sysinternals etc ...) Malicious Packer OS Processor Check PE File PE32 NetWireRC VirusTotal Malware PDB Check memory Creates shortcut Creates executable files RAT ComputerName
2.8 | M | 4 | ZeroCERT
11799 | 2023-07-04 11:12
File_pass1234.7z 4483d5690270b7692a1aef79acf05ef7
Tags: Escalate priviledges PWS KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Cryptocurrency Miner Malware Cryptocurrency suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files ICMP traffic unpack itself IP Check PrivateLoader Tofsee Stealer Windows Remote Code Execution Trojan DNS Downloader
URLs (22):
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://zzz.fhauiehgha.com/m/okka25.exe - rule_id: 34705
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://176.113.115.84:8080/4.php - rule_id: 34795
  http://85.208.136.10/api/firegate.php - rule_id: 32663
  http://95.214.25.233:3002/ - rule_id: 34794
  http://www.maxmind.com/geoip/v2.1/city/me
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://77.91.124.31/gallery/photo270.exe - rule_id: 34796
  http://45.66.230.164/g.exe - rule_id: 34813
  http://85.208.136.10/api/tracemap.php - rule_id: 32662
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
  http://work.a-poster.info:25000/http://work.a-poster.info:25000/
  http://www.google.com/
  http://77.91.68.157/new/foto175.exe - rule_id: 34808
  https://sun6-21.userapi.com/c237331/u808950829/docs/d48/d1d91a4b21f4/crypted.bmp?extra=D_BWRC57Taws3-Fgtz0Gxn3f2opCiSMWtqiuFxYQA0aksgwVh6YjjIPNW5MpGk6yKGdNg8ZTX6CvpZzfgkwz7tiur4dQ3bAKw7tDCF4jRNZWimRJ_LVkrc_IZPmptHVkvrJVfSKHI0ooAQ2gRw
  https://vk.com/doc808950829_663757713?hash=MV1SXyDS4uzEVWhEqhhdzBKaHhSpB1pMWajJ3kWBQV8&dl=e0Oyc6MBznNTvzhob66JHCdZRBEsNzCGWPgvdgUA1Ww&api=1&no_preview=1#cryp
  https://traffic-to.site/294/setup294.exe - rule_id: 34662
  https://sun6-21.userapi.com/c909618/u808950829/docs/d11/42869e7f9cc3/3kqwpj3h.bmp?extra=iu5bVjMFNIqUemb79KZZ24CeL5cMX_YUphspjbrsKQ0QUE_HJGYYUnXWE5KNEfFj7ZsXJieTmQRDLqmGmAGJaPTY6e85eIHkBVaoNrbdjuIl31OOfC0u5WF-jtr_iluF_uWpnxURNYekfLRxxw
  https://sun6-20.userapi.com/c909228/u808950829/docs/d39/44e1f5793080/PMmp.bmp?extra=Z1r9oittoDfhiJ4OcYscFihyLdo44Yji7Xs_I3mUIZWuCfOWtNcTOccvpUtUCzvyju5K8UH8Puj8jHq26H3oPHzUvwyZJ89D69QVwWsj-HDqatEErOgxwiRb6RiYTuRfRhpAie_4w1WtpXYgeQ
  https://db-ip.com/
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
Hosts (59):
  work.a-poster.info(37.1.217.172) - mailcious
  db-ip.com(104.26.4.15)
  fastpool.xyz(213.91.128.133) - mailcious
  www.google.com(142.250.207.100)
  iplis.ru(148.251.234.93) - mailcious
  hugersi.com(91.215.85.147) - malware
  sun6-21.userapi.com(95.142.206.1) - mailcious
  zzz.fhauiehgha.com(156.236.72.121) - mailcious
  traffic-to.site(172.67.171.62) - malware
  ipinfo.io(34.117.59.81)
  iplogger.org(148.251.234.83) - mailcious
  api.myip.com(172.67.75.163)
  bitbucket.org(104.192.141.1) - malware
  www.maxmind.com(104.17.215.67)
  sun6-20.userapi.com(95.142.206.0) - mailcious
  api.db-ip.com(104.26.5.15)
  vanaheim.cn(8.211.5.234)
  vk.com(93.186.225.194) - mailcious
  z.nnnaajjjgc.com(156.236.72.121) - malware
  77.91.68.157 - malware
  148.251.234.93 - mailcious
  95.142.206.0 - mailcious
  146.59.161.7 - mailcious
  91.215.85.147 - malware
  62.122.184.92
  104.26.5.15
  80.66.75.254
  77.91.124.49 - mailcious
  172.67.75.166
  80.66.75.4
  194.26.135.162 - mailcious
  85.208.136.10 - mailcious
  157.254.164.98 - mailcious
  87.240.132.72 - mailcious
  34.117.59.81
  176.113.115.84 - mailcious
  185.157.120.11 - mailcious
  148.251.234.83
  176.113.115.135
  77.91.68.63 - malware
  176.113.115.136
  45.12.253.74 - malware
  45.66.230.164 - malware
  104.192.141.1 - mailcious
  104.17.214.67
  95.214.25.233 - mailcious
  156.236.72.121 - mailcious
  37.1.217.172
  104.26.9.59
  8.211.5.234
  163.123.143.4 - mailcious
  95.142.206.1 - mailcious
  45.143.201.238
  121.254.136.27
  45.15.156.229 - mailcious
  77.91.124.31 - mailcious
  216.58.200.228
  172.67.171.62
  213.91.128.133 - mailcious
Alerts (26):
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  ET DROP Spamhaus DROP Listed Traffic Inbound group 22
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO TLS Handshake Failure
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO EXE - Served Attached HTTP
  ET DROP Spamhaus DROP Listed Traffic Inbound group 27
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET POLICY Cryptocurrency Miner Checkin
  ET DROP Dshield Block Listed Source group 1
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
URLs matched by rules (12):
  http://hugersi.com/dl/6523.exe
  http://zzz.fhauiehgha.com/m/okka25.exe
  http://45.15.156.229/api/tracemap.php
  http://176.113.115.84:8080/4.php
  http://85.208.136.10/api/firegate.php
  http://95.214.25.233:3002/
  http://77.91.124.31/gallery/photo270.exe
  http://45.66.230.164/g.exe
  http://85.208.136.10/api/tracemap.php
  http://77.91.68.63/doma/net/index.php
  http://77.91.68.157/new/foto175.exe
  https://traffic-to.site/294/setup294.exe
7.0 | M | ZeroCERT
11800 | 2023-07-04 11:06
xcrypted.exe 44211d88e9c690e108c78e0e5041b7e0
Tags: Downloader UPX .NET framework(MSIL) Create Service Socket DGA Steal credential Escalate priviledges Code injection HTTP PWS Sniff Audio DNS ScreenShot Http API Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File .NET EXE PE32 OS Processor Check VirusTotal Malware Telegram suspicious privilege Code Injection Check memory Checks debugger unpack itself Check virtual network interfaces suspicious process AppData folder Tofsee ComputerName DNS crashed
Hosts (2):
  api.telegram.org(149.154.167.220)
  149.154.167.220
Alerts (4):
  ET HUNTING Telegram API Domain in DNS Lookup
  ET INFO TLS Handshake Failure
  ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
5.6 | M | 38 | ZeroCERT
11801 | 2023-07-04 07:34
rama.exe 03b453f78a11fc192d88447d789524f5
Tags: UPX Malicious Library OS Processor Check PE File PE32 DLL PDB unpack itself AppData folder Remote Code Execution
1.8 | M | ZeroCERT
11802 | 2023-07-04 07:32
pstol1.exe 064773034947221b8da5f3ffcaadd75d
Tags: Generic Malware UPX .NET framework(MSIL) Antivirus PWS AntiDebug AntiVM PE File .NET EXE PE32 PowerShell Malware download Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates shortcut unpack itself powershell.exe wrote Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key
URLs (1):
  http://23.137.249.127/efsdff3/frgsrgd/panel/uploads/Baarqxd.vdf
1
Alerts (3):
  ET MALWARE PE EXE or DLL Windows file download disguised as ASCII
  ET MALWARE PE EXE or DLL Windows file download Text M2
  ET HUNTING [TW] Likely Hex Executable String
11.4 | ZeroCERT
11803 | 2023-07-04 07:32
Update_new.exe b7284f4a9502d0d74e77d465f60f78f0
Tags: Themida Packer UPX Anti_VM PE File .NET EXE PE32 Browser Info Stealer Malware download Malware Check memory Checks debugger unpack itself Checks Bios Collect installed applications Detects VMWare VMware anti-virtualization installed browsers check SectopRAT Windows Browser Backdoor ComputerName Remote Code Execution Firmware DNS Cryptographic key crashed
Hosts (1):
  95.143.190.57 - mailcious
Alerts (1):
  ET MALWARE Arechclient2 Backdoor CnC Init
8.4 | ZeroCERT
11804 | 2023-07-04 07:29
mmfqdf2p9r107.exe 47d27bb5f4a208f3081471d00e87d1e4
Tags: Generic Malware task schedule UPX Malicious Library Antivirus AntiDebug AntiVM OS Processor Check PE File PE32 Malware powershell Buffer PE AutoRuns PDB suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut unpack itself Windows utilities powershell.exe wrote Check virtual network interfaces suspicious process malicious URLs WriteConsoleW Tofsee Windows ComputerName Cryptographic key crashed
URLs (4):
  https://github.com/S1lentHash/file_to_dwnld/raw/main/WinRing0x64.sys
  https://pastebin.com/raw/PTNbBX9V
  https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe - rule_id: 21519
  https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe - rule_id: 21520
Hosts (4):
  github.com(20.200.245.247) - mailcious
  pastebin.com(172.67.34.170) - mailcious
  104.20.68.143 - mailcious
  20.200.245.247 - malware
Alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
URLs matched by rules (2):
  https://github.com/S1lentHash/newwatch/raw/main/NewNewWatch.exe
  https://github.com/S1lentHash/xmrig/raw/main/xmrig.exe
14.8 | M | ZeroCERT
11805 | 2023-07-04 07:27
monitordhcp_cr.exe c184ad0157a2da3638fa56a6554dc6c7
Tags: .NET framework(MSIL) Admin Tool (Sysinternals etc ...) PE File .NET EXE PE32 PDB Check memory Checks debugger unpack itself
1.4 | ZeroCERT