11956 | 2023-06-26 17:26
File: Info.exe
MD5: 9873d7a24b69e63fee428d9fe75b9a32
Tags: PhysicalDrive PE64 PE File VirusTotal Malware unpack itself crashed
Score: 1.2 | VT: 4 | Source: ZeroCERT

11957 | 2023-06-26 15:09
File: microengine.dll
MD5: fb83690fe7e7e0d3a8f40b110de316d0
Tags: UPX Malicious Library OS Processor Check DLL PE32 PE File VirusTotal Malware PDB Checks debugger unpack itself Browser Remote Code Execution
Score: 3.0 | Flag: M | VT: 30 | Source: ZeroCERT

11958 | 2023-06-26 14:29
File: cleanmgr.exe
MD5: f503da8eee4e7cd822239110b488b08b
Tags: Backdoor RemcosRAT browser info stealer Downloader Google Chrome User Data Confuser .NET Create Service Socket DNS Escalate privileges PWS Sniff Audio ScreenShot Internet API KeyLogger AntiDebug AntiVM .NET EXE PE32 PE File PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows DNS DDNS
URLs (1):
  http://84.54.50.31/D/YY.exe - rule_id: 34190
Hosts (3):
  pekonomiana.duckdns.org(134.19.179.211) - malicious
  84.54.50.31 - malware
  134.19.179.211 - malicious
Signatures (6):
  ET INFO Executable Download from dotted-quad Host
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
  http://84.54.50.31/D/YY.exe
Score: 13.2 | Flag: M | VT: 54 | Source: r0d

11959 | 2023-06-26 14:24
File: cleanmgr.exe
MD5: f503da8eee4e7cd822239110b488b08b
Tags: Client SW User Data Stealer browser info stealer Google Chrome User Data Downloader Confuser .NET Create Service Socket DNS PWS Sniff Audio Internet API ScreenShot Escalate privileges KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 PE64 VirusTotal Malware PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder WriteConsoleW Windows DNS DDNS
URLs (1):
  http://84.54.50.31/D/YY.exe - rule_id: 34190
Hosts (3):
  pekonomiana.duckdns.org(134.19.179.211) - malicious
  84.54.50.31 - malware
  134.19.179.211 - malicious
Signatures (6):
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Rule-matched URLs (1):
  http://84.54.50.31/D/YY.exe
Score: 13.2 | Flag: M | VT: 54 | Source: r0d

11960 | 2023-06-26 14:10
File: rPAGO_4536222.exe
MD5: f01bdbc4e97c2a1886094c3fe2092448
Tags: SMTP KeyLogger AntiDebug AntiVM .NET EXE PE File PE32 Browser Info Stealer Malware download FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AgentTesla PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Check virtual network interfaces Windows Browser Email ComputerName Cryptographic key Software crashed
Hosts (2):
  smtp.selcoh.hn(142.44.226.128)
  142.44.226.128
Signatures (2):
  SURICATA Applayer Detect protocol only one direction
  ET MALWARE AgentTesla Exfil Via SMTP
Score: 10.8 | VT: 30 | Source: ZeroCERT

11961 | 2023-06-26 10:20
File: setup294.exe
MD5: 271867a2e2c2998d614643878910065e
Tags: UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 DLL PDB Code Injection Checks debugger Creates executable files unpack itself AppData folder Remote Code Execution
Score: 3.4 | Source: ZeroCERT

11962 | 2023-06-26 10:20
File: 4444.exe
MD5: ee539424f2973dd2a45ab3b8f10128b6
Tags: RedLine stealer UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware Buffer PE PDB suspicious privilege Code Injection Check memory Checks debugger buffers extracted WMI unpack itself Collect installed applications installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
Hosts (1): (not listed)
Signatures (1):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
Score: 11.8 | VT: 26 | Source: ZeroCERT

11963 | 2023-06-26 10:18
File: setup1.exe
MD5: ae935cda1e1db321d41cdd7e6431d1af
Tags: RedLine stealer UPX DNS PWS AntiDebug AntiVM .NET EXE PE File PE32 VirusTotal Malware suspicious privilege Code Injection Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key
Score: 9.2 | VT: 51 | Source: ZeroCERT

11964 | 2023-06-26 10:18
File: setup.exe
MD5: 54e5447517c883ded154b44a07b4eb95
Tags: Malicious Library PE File PE32 VirusTotal Malware WMI Creates executable files RWX flags setting Checks Bios anti-virtualization ComputerName
Score: 4.2 | Flag: M | VT: 55 | Source: ZeroCERT

11965 | 2023-06-26 10:14
File: setup.exe
MD5: 8f9b8f33a0ea96d78873f951b2b62f68
Tags: Malicious Library PE File PE32 WMI Creates executable files RWX flags setting Checks Bios anti-virtualization ComputerName
Score: 3.0 | Flag: M | Source: ZeroCERT

11966 | 2023-06-26 10:12
File: toolspub1.exe
MD5: 667b278b249d16f1504634b77b3da797
Tags: UPX Malicious Library AntiDebug AntiVM OS Processor Check PE File PE32 Malware Code Injection Checks debugger buffers extracted unpack itself
Score: 6.0 | Flag: M | Source: ZeroCERT

11967 | 2023-06-26 10:10
File: staticlittlesource.exe
MD5: ae9991a02aa20ebbc2cc3c0f40924442
Tags: UPX Malicious Library Malicious Packer ScreenShot AntiDebug AntiVM OS Processor Check PE File PE32 Malware Buffer PE Code Injection buffers extracted WMI RWX flags setting unpack itself WriteConsoleW ComputerName crashed
Score: 8.0 | Flag: M | Source: ZeroCERT

11968 | 2023-06-26 09:57
File: fotod95.exe
MD5: e8dc42f50270cc92cfafe4a52fe2c77d
Tags: Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 OS Processor Check DLL CAB Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.68.63 - malware
  83.97.73.131 - malware
Signatures (10):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php
Score: 15.2 | Flag: M | Source: ZeroCERT

11969 | 2023-06-26 09:55
File: foto172.exe
MD5: 94b7834a3b8954758c8004a572f0e024
Tags: Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE OS Processor Check CAB DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.68.63 - malware
  83.97.73.131 - malware
Signatures (10):
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
Rule-matched URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php
Score: 15.6 | Flag: M | Source: ZeroCERT

11970 | 2023-06-26 09:53
File: File_pass1234.7z
MD5: 835c29165e9dce36a4c7ec3afbe27e45
Tags: Redline PWS Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey VirusTotal Malware RecordBreaker suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Trojan DNS
URLs (33):
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://aa.imgjeoogbb.com/check/safe
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
  http://94.142.138.156/bcea0969fd65c6358044be27886e6c64
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
  http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
  http://194.169.175.132:3002/ - rule_id: 34588
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://aa.imgjeoogbb.com/check/?sid=179432&key=4ab5b74502edb4de6f6f34b83109eb32
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
  http://94.142.138.156/
  http://45.9.74.6/2.exe - rule_id: 34108
  http://83.97.73.134/gallery/photo085.exe - rule_id: 34603
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://www.maxmind.com/geoip/v2.1/city/me
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
  https://sun6-22.userapi.com/c909618/u808950829/docs/d28/55a715d70409/ccloudcosmic.bmp?extra=wV0ApLEscjwZrvnGGKdnlQxUONq074sxqnku5bw6htLImzSqiFFaACRRo-PlrY-fVRvA0HTFZuMIVU0jo88YKitH2XUxbQ4xtoiDTl2x1iQDs6T-0aBsj7w_zr7HKHRid6OaVQTces0m2PyZcQ
  https://vk.com/doc808950829_663370595?hash=shZybDXhXJCDtBsHz2eiK3Q7w1rFuIPnKZTPGYiBXZP&dl=sIEAZ80JfTGDtIXWtsPBVihBgsi8wYWRGVMfh9V3Cgg&api=1&no_preview=1#house
  https://vk.com/doc808950829_663371568?hash=nCbeQhSdektZCklmCq7XtG48Ee60nv8DORi9fErSJWH&dl=TYjpYtrURbaoeiox6ukI3zcdJlSPMzTTZwoXzpHEm48&api=1&no_preview=1#rise_test
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
  https://sun6-20.userapi.com/c909228/u808950829/docs/d4/8e4d155aa4c9/RisePro_0_1_vgWJ8smB7NzPfuCfGTFK.bmp?extra=Gn5tJwexgD8LQF9RtyADTx5iocv5R1W-sS0jvSQwDoSangJnbodc8ra057sjgG81RyCM4Yo8BmQsq4GZ0u3ychCTHXUCCPCMCSaIjjJlsSHQ5LpUCFAPRDH0sTaRdSG7BFLEFPPepBjnqzk5EQ
  https://filetops.com/4444.exe
  https://traffic-to.site/294/setup294.exe
  https://sun6-22.userapi.com/c236331/u808950829/docs/d59/8c7b0933ca80/PMmp.bmp?extra=fTxIcktnpJv8PutTawtbypTuH5sV8j3ZbwjJ8xiQzoilZsjSoto_41zNhh2Ki0LM3iD7ZLxZ8Qz5VCOjHhO3nI0JBA4dPyKpuAfhaRtnkndjHRubGmKMZ0zUTycyjZSn4zIJk7h5EPxx78B4Vg
  https://sun6-22.userapi.com/c237231/u808950829/docs/d51/8454d583d332/House4Born2City.bmp?extra=mPcoLMjmDldLBXASauoOeJDB5_d-R9ooHyFVb47N8XFY3-SJMvDVCgGuThZzbgrQRSt4PCaMODwqotGk6s8MwUzRs16qblsTScpa3WCMAuc7PVCIh4xWapaqMrdGoXyYXf2Ero1xjCgqZofIbw
Hosts (47):
  filetops.com(176.123.0.55) - malware
  db-ip.com(104.26.4.15)
  api.myip.com(172.67.75.163)
  hugersi.com(91.215.85.147) - malware
  ji.jahhaega2qq.com(104.21.18.146) - malware
  traffic-to.site(104.21.29.16)
  ipinfo.io(34.117.59.81)
  aa.imgjeoogbb.com(154.221.26.108)
  sun6-22.userapi.com(95.142.206.2)
  bitbucket.org(104.192.141.1) - malware
  www.maxmind.com(104.17.214.67)
  sun6-20.userapi.com(95.142.206.0) - malicious
  api.db-ip.com(104.26.4.15)
  vk.com(87.240.137.164) - malicious
  us.imgjeoigaa.com(103.100.211.218) - malicious
  194.169.175.128 - malicious
  154.221.26.108
  91.215.85.147 - malware
  176.123.0.55 - malware
  94.142.138.113 - malicious
  104.26.5.15
  176.123.9.85 - malicious
  172.67.75.166
  135.125.27.228 - malicious
  157.254.164.98 - malicious
  34.117.59.81
  172.67.182.87 - malware
  194.169.175.132 - malicious
  45.12.253.74 - malware
  94.142.138.131 - malicious
  104.192.141.1 - malicious
  185.81.68.115 - malicious
  83.97.73.131 - malware
  104.17.214.67
  83.97.73.134 - malware
  94.142.138.156
  77.91.68.63 - malware
  45.15.156.229 - malicious
  104.26.9.59
  163.123.143.4 - malicious
  95.142.206.0 - malicious
  121.254.136.27
  87.240.132.78 - malicious
  45.9.74.6 - malware
  95.142.206.2
  172.67.171.62
  103.100.211.218 - malware
Signatures (29):
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET INFO Executable Download from dotted-quad Host
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO TLS Handshake Failure
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO EXE - Served Attached HTTP
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
  ET MALWARE Win32/RecordBreaker CnC Checkin M1
  ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING Possible Generic Stealer Sending System Information
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
Rule-matched URLs (10):
  http://hugersi.com/dl/6523.exe
  http://45.15.156.229/api/tracemap.php
  http://77.91.68.63/doma/net/index.php
  http://ji.jahhaega2qq.com/m/p0aw25.exe
  http://194.169.175.132:3002/
  http://94.142.138.131/api/firegate.php
  http://94.142.138.131/api/tracemap.php
  http://us.imgjeoigaa.com/sts/imagc.jpg
  http://45.9.74.6/2.exe
  http://83.97.73.134/gallery/photo085.exe
Score: 6.8 | Flag: M | VT: 10 | Source: ZeroCERT
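The records above all carry the same three kinds of indicator strings: URLs with an optional "rule_id", hosts with an optional verdict tag, and IDS signature names. The Python below is an added example, not ZeroCERT's own code, that turns those raw strings into structured, defanged IOCs and flags the two traits the ET INFO signatures on the Remcos entries (11958, 11959) call out: an executable fetched from a bare IP and a *.duckdns.org C2 name. It also tallies signatures by class, which is what makes the 29-signature bundle in 11970 readable at a glance. The sample record is constructed from entry 11958; the dynamic-DNS suffixes other than duckdns.org and the verdict normalisation are assumptions.

```python
"""Triage helper for sandbox records in the format listed above.
Added example (not ZeroCERT code): parses raw URL / host / signature strings,
flags bare-IP executable downloads and dynamic-DNS C2 names, tallies
signatures by class and emits a defanged blocklist."""
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"^(?P<url>\S+)(?:\s+-\s+rule_id:\s*(?P<rule>\d+))?\s*$")
HOST_RE = re.compile(
    r"^(?P<name>[^\s(]+)(?:\((?P<ip>[\d.]+)\))?(?:\s+-\s+(?P<verdict>[A-Za-z]+))?\s*$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# duckdns.org is the provider seen in the reports; the other two suffixes are an
# assumption about what a responder would also want flagged.
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")
EXEC_EXT = (".exe", ".dll", ".scr", ".msi")
# Some exports spell the verdict "mailcious"; normalise so filters match (assumption).
VERDICT_FIX = {"mailcious": "malicious"}


def defang(indicator: str) -> str:
    """Make a host or URL unclickable, e.g. hxxp://84[.]54[.]50[.]31/D/YY.exe"""
    if "://" in indicator:
        scheme, rest = indicator.split("://", 1)
        host, sep, tail = rest.partition("/")
        return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + tail
    return indicator.replace(".", "[.]")


def parse_url(raw: str) -> dict:
    """'http://h/p - rule_id: 123' -> url, rule id, host, bare-IP and executable flags."""
    m = URL_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unparseable URL entry: {raw!r}")
    parts = urlsplit(m.group("url"))
    host = parts.hostname or ""
    return {
        "url": m.group("url"),
        "rule_id": int(m.group("rule")) if m.group("rule") else None,
        "host": host,
        "dotted_quad": bool(IPV4_RE.match(host)),
        "executable": parts.path.lower().endswith(EXEC_EXT),
    }


def parse_host(raw: str) -> dict:
    """'name(ip) - verdict' or 'ip - verdict' -> name, resolved ip, verdict, DDNS flag."""
    m = HOST_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unparseable host entry: {raw!r}")
    name, verdict = m.group("name"), m.group("verdict")
    is_ip = bool(IPV4_RE.match(name))
    return {
        "name": name,
        "ip": name if is_ip else m.group("ip"),
        "is_ip": is_ip,
        "verdict": VERDICT_FIX.get(verdict, verdict) if verdict else None,
        "ddns": name.lower().endswith(DDNS_SUFFIXES),
    }


def triage(record: dict) -> dict:
    urls = [parse_url(u) for u in record["urls"]]
    hosts = [parse_host(h) for h in record["hosts"]]
    findings = []
    for u in urls:
        if u["dotted_quad"] and u["executable"]:
            findings.append(f"executable fetched from bare IP: {defang(u['url'])}")
    for h in hosts:
        if h["ddns"]:
            findings.append(f"dynamic-DNS C2 name: {defang(h['name'])} -> {h['ip']}")
    # Signature class is the first two tokens: "ET INFO", "ET MALWARE", "ET HUNTING" ...
    tally = Counter(" ".join(s.split()[:2]) for s in record["signatures"])
    # Block what the sandbox already judged bad plus every URL that hit a rule.
    blocklist = {defang(h["name"]) for h in hosts if h["verdict"] in ("malicious", "malware")}
    blocklist |= {defang(u["url"]) for u in urls if u["rule_id"] is not None}
    return {
        "md5": record["md5"],
        "findings": findings,
        "signature_tally": dict(tally),
        "blocklist": sorted(blocklist),
    }


# Constructed sample record, taken from entry 11958 (cleanmgr.exe / RemcosRAT) above.
SAMPLE = {
    "file": "cleanmgr.exe",
    "md5": "f503da8eee4e7cd822239110b488b08b",
    "urls": ["http://84.54.50.31/D/YY.exe - rule_id: 34190"],
    "hosts": [
        "pekonomiana.duckdns.org(134.19.179.211) - mailcious",
        "84.54.50.31 - malware",
        "134.19.179.211 - mailcious",
    ],
    "signatures": [
        "ET INFO Executable Download from dotted-quad Host",
        "ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain",
        "ET INFO DYNAMIC_DNS Query to *.duckdns. Domain",
        "ET POLICY PE EXE or DLL Windows file download HTTP",
        "ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download",
        "ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response",
    ],
}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for line in result["findings"]:
        print("!", line)
    print("signatures:", result["signature_tally"])
    print("blocklist:", *result["blocklist"], sep="\n  ")
```

Hosts without a verdict (the IP-lookup and CDN names in 11970, for instance) stay out of the blocklist on purpose: the sandbox listing is the input, the verdict tag and the rule hit are the evidence, and a triage script should not promote plain observations into blocks.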