11971 | 2023-06-26 09:43
File.7z a53d02283b3fe9c0007527a8ec64a369
Tags: Redline PWS Escalate privileges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey Malware RecordBreaker suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Tofsee Fabookie Stealer Windows Trojan DNS
URLs (33):
  http://aa.imgjeoogbb.com/check/?sid=177108&key=ad23249155e333db437b0b270f784e46
  http://hugersi.com/dl/6523.exe - rule_id: 32660
  http://aa.imgjeoogbb.com/check/safe
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
  http://45.15.156.229/api/tracemap.php - rule_id: 33783
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
  http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
  http://194.169.175.132:3002/ - rule_id: 34588
  http://94.142.138.131/api/firegate.php - rule_id: 32650
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
  http://94.142.138.131/api/tracemap.php - rule_id: 28311
  http://us.imgjeoigaa.com/sts/imagc.jpg - rule_id: 33482
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
  http://94.142.138.156/
  http://45.9.74.6/2.exe - rule_id: 34108
  http://83.97.73.134/gallery/photo085.exe - rule_id: 34603
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://www.maxmind.com/geoip/v2.1/city/me
  http://94.142.138.156/04444ad1f427303b7500aeadfc3efa22
  http://94.142.138.156/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
  https://sun6-22.userapi.com/c909618/u808950829/docs/d28/55a715d70409/ccloudcosmic.bmp?extra=wV0ApLEscjwZrvnGGKdnlQxUONq074sxqnku5bw6htLImzSqiFFaACRRo-PlrY-fVRvA0HTFZuMIVU0jo88YKitH2XUxbQ4xtoiDTl2x1iQDs6T-0aBsj7w_zr7HKHRid6OaVQTces0m2PyZcQ
  https://vk.com/doc808950829_663370595?hash=shZybDXhXJCDtBsHz2eiK3Q7w1rFuIPnKZTPGYiBXZP&dl=sIEAZ80JfTGDtIXWtsPBVihBgsi8wYWRGVMfh9V3Cgg&api=1&no_preview=1#house
  https://vk.com/doc808950829_663371568?hash=nCbeQhSdektZCklmCq7XtG48Ee60nv8DORi9fErSJWH&dl=TYjpYtrURbaoeiox6ukI3zcdJlSPMzTTZwoXzpHEm48&api=1&no_preview=1#rise_test
  https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
  https://db-ip.com/
  https://sun6-20.userapi.com/c909228/u808950829/docs/d4/8e4d155aa4c9/RisePro_0_1_vgWJ8smB7NzPfuCfGTFK.bmp?extra=Gn5tJwexgD8LQF9RtyADTx5iocv5R1W-sS0jvSQwDoSangJnbodc8ra057sjgG81RyCM4Yo8BmQsq4GZ0u3ychCTHXUCCPCMCSaIjjJlsSHQ5LpUCFAPRDH0sTaRdSG7BFLEFPPepBjnqzk5EQ
  https://filetops.com/4444.exe
  https://traffic-to.site/294/setup294.exe
  https://sun6-22.userapi.com/c236331/u808950829/docs/d59/8c7b0933ca80/PMmp.bmp?extra=fTxIcktnpJv8PutTawtbypTuH5sV8j3ZbwjJ8xiQzoilZsjSoto_41zNhh2Ki0LM3iD7ZLxZ8Qz5VCOjHhO3nI0JBA4dPyKpuAfhaRtnkndjHRubGmKMZ0zUTycyjZSn4zIJk7h5EPxx78B4Vg
  https://sun6-22.userapi.com/c237231/u808950829/docs/d51/8454d583d332/House4Born2City.bmp?extra=mPcoLMjmDldLBXASauoOeJDB5_d-R9ooHyFVb47N8XFY3-SJMvDVCgGuThZzbgrQRSt4PCaMODwqotGk6s8MwUzRs16qblsTScpa3WCMAuc7PVCIh4xWapaqMrdGoXyYXf2Ero1xjCgqZofIbw
Hosts (50):
  hugersi.com(91.215.85.147) - malware
  db-ip.com(104.26.5.15)
  api.myip.com(172.67.75.163)
  filetops.com(176.123.0.55) - malware
  iplis.ru(148.251.234.93) - malicious
  ji.jahhaega2qq.com(172.67.182.87) - malware
  iplogger.org(148.251.234.83) - malicious
  traffic-to.site(104.21.29.16)
  ipinfo.io(34.117.59.81)
  aa.imgjeoogbb.com(154.221.26.108)
  sun6-22.userapi.com(95.142.206.2)
  bitbucket.org(104.192.141.1) - malware
  www.maxmind.com(104.17.215.67)
  sun6-20.userapi.com(95.142.206.0) - malicious
  api.db-ip.com(104.26.4.15)
  vk.com(87.240.132.78) - malicious
  us.imgjeoigaa.com(103.100.211.218) - malicious
  148.251.234.93 - malicious
  194.169.175.128 - malicious
  154.221.26.108
  91.215.85.147 - malware
  176.123.0.55 - malware
  104.26.5.15
  176.123.9.85 - malicious
  45.12.253.74 - malware
  135.125.27.228 - malicious
  157.254.164.98 - malicious
  34.117.59.81
  172.67.182.87 - malware
  148.251.234.83
  104.26.8.59
  194.169.175.132 - malicious
  94.142.138.131 - malicious
  104.192.141.1 - malicious
  185.81.68.115 - malicious
  83.97.73.131 - malware
  104.17.214.67
  83.97.73.134 - malware
  94.142.138.156
  77.91.68.63 - malware
  45.15.156.229 - malicious
  104.26.4.15
  87.240.137.164 - malicious
  163.123.143.4 - malicious
  95.142.206.0 - malicious
  121.254.136.27
  45.9.74.6 - malware
  95.142.206.2
  172.67.171.62
  103.100.211.218 - malware
Suricata alerts (31):
  ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
  ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
  SURICATA Applayer Mismatch protocol both directions
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Download from dotted-quad Host
  ET INFO TLS Handshake Failure
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET INFO EXE - Served Attached HTTP
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
  ET POLICY IP Check Domain (iplogger .org in TLS SNI)
  ET MALWARE Win32/RecordBreaker CnC Checkin M1
  ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response
  ET INFO Dotted Quad Host DLL Request
  ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
  ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
  ET HUNTING Possible Generic Stealer Sending System Information
URLs matching rules (10):
  http://hugersi.com/dl/6523.exe
  http://45.15.156.229/api/tracemap.php
  http://77.91.68.63/doma/net/index.php
  http://ji.jahhaega2qq.com/m/p0aw25.exe
  http://194.169.175.132:3002/
  http://94.142.138.131/api/firegate.php
  http://94.142.138.131/api/tracemap.php
  http://us.imgjeoigaa.com/sts/imagc.jpg
  http://45.9.74.6/2.exe
  http://83.97.73.134/gallery/photo085.exe
6.2 | M | | ZeroCERT

11972 | 2023-06-26 09:27
cred64.dll 4bd56443d35c388dbeabd8357c73c67d
Tags: Browser Login Data Stealer UPX Malicious Library OS Processor Check DLL PE64 PE File VirusTotal Malware PDB Checks debugger installed browsers check Browser ComputerName crashed
2.4 | M | 40 | ZeroCERT

11973 | 2023-06-26 09:22
frutt237.exe dabf9d76781534549d9d382ceb71b854
Tags: UPX Malicious Library OS Processor Check PE File PE32 Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Check memory Checks debugger buffers extracted unpack itself Collect installed applications WriteConsoleW installed browsers check Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed
1 (no entries listed)
Suricata alerts (3):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
6.4 | | 42 | ZeroCERT

11974 | 2023-06-26 09:22
clip64.dll 49b3faf5b84f179885b1520ffa3ef3da
Tags: UPX Malicious Library Admin Tool (Sysinternals etc ...) OS Processor Check DLL PE File PE32 VirusTotal Malware PDB Checks debugger unpack itself
2.0 | | 53 | ZeroCERT

11975 | 2023-06-26 08:14
AAAd.exe 3dd072d71907f6d5a5b046908c081f11
Tags: Gen1 HermeticWiper Emotet Browser Login Data Stealer Generic Malware Downloader UPX Malicious Library Malicious Packer Antivirus Admin Tool (Sysinternals etc ...) DGA Socket HTTP PWS Http API Internet API Escalate privileges Anti_VM AntiDebug A Malware download Amadey VirusTotal Malware powershell PDB suspicious privilege MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates shortcut Creates executable files RWX flags setting unpack itself Windows utilities Checks Bios powershell.exe wrote Check virtual network interfaces suspicious process AppData folder AntiVM_Disk sandbox evasion WriteConsoleW China anti-virtualization VM Disk Size Check installed browsers check Tofsee Windows Browser ComputerName DNS Cryptographic key crashed Downloader
URLs (21):
  http://109.206.241.33/9bDc8sQ/Plugins/cred64.dll
  http://109.206.241.33/9bDc8sQ/index.php?scr=1
  http://79.137.192.3/staticlittlesource.exe
  http://85.217.144.143/files/My2.exe
  http://195.123.226.82/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM - rule_id: 34561
  http://galandskiyher2.com/downloads/toolspub1.exe
  http://apps.identrust.com/roots/dstrootcax3.p7c
  http://109.206.241.33/9bDc8sQ/Plugins/clip64.dll
  http://85.217.144.143/files/setup.exe
  http://gejevesd.beget.tech/385118/setup.exe
  http://109.206.241.33/9bDc8sQ/index.php
  https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/download/11.2.0.11537/300.910/WPSOffice_11.2.0.11537.exe
  https://sungeomatics.com/css/colors/cc2.exe - rule_id: 34563
  https://sungeomatics.com/css/colors/cc1.php - rule_id: 34595
  https://sungeomatics.com/css/colors/cc4.exe - rule_id: 34565
  https://sungeomatics.com/css/colors/debug2.ps1 - rule_id: 34560
  https://sungeomatics.com/css/colors/cc5.exe - rule_id: 34566
  https://sungeomatics.com/css/colors/dd_64.exe - rule_id: 34562
  https://sungeomatics.com/css/colors/cc3.exe - rule_id: 34564
  https://sungeomatics.com/css/colors/cc2.php - rule_id: 34597
  https://sungeomatics.com/css/colors/cc3.php - rule_id: 34596
Hosts (16):
  foryourbar.org(172.67.205.237)
  galandskiyher2.com(194.50.153.68)
  wdl1.pcfg.cache.wpscdn.com(104.17.188.189)
  gejevesd.beget.tech(91.106.207.112)
  sungeomatics.com(205.134.251.88) - malicious
  91.106.207.112 - malicious
  85.217.144.143 - malware
  195.123.226.82 - malicious
  104.17.187.189
  85.217.144.228 - malware
  121.254.136.27
  194.50.153.68 - malware
  109.206.241.33 - malicious
  172.67.205.237
  205.134.251.88 - malicious
  79.137.192.3
Suricata alerts (15):
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Executable Download from dotted-quad Host
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
  ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
  ET MALWARE Amadey Bot Activity (POST) M1
  ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
  ET MALWARE Amadey Bot Activity (POST)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET INFO Packed Executable Download
  ET INFO Dotted Quad Host DLL Request
URLs matching rules (10):
  http://195.123.226.82/index.php
  https://sungeomatics.com/css/colors/cc2.exe
  https://sungeomatics.com/css/colors/cc1.php
  https://sungeomatics.com/css/colors/cc4.exe
  https://sungeomatics.com/css/colors/debug2.ps1
  https://sungeomatics.com/css/colors/cc5.exe
  https://sungeomatics.com/css/colors/dd_64.exe
  https://sungeomatics.com/css/colors/cc3.exe
  https://sungeomatics.com/css/colors/cc2.php
  https://sungeomatics.com/css/colors/cc3.php
10.0 | M | 51 | ZeroCERT

11976 | 2023-06-26 07:59
HCX.exe 3e1dfc7cfb1d1a466f31dfa4f69e6018
Tags: Generic Malware UPX Malicious Library Antivirus PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key crashed
8.6 | M | 40 | ZeroCERT

11977 | 2023-06-26 07:58
BLUE.exe be2ef16c72f19b8af1de903ca869d47c
Tags: PE64 PE File VirusTotal Malware Check memory Checks debugger unpack itself Windows DNS Cryptographic key
1 (no entries listed)
3.0 | M | 35 | ZeroCERT

11978 | 2023-06-26 07:57
FLEX.exe f78c8e53c514ce13844541e2d735c9b8
Tags: Ave Maria WARZONE RAT Generic Malware UPX Malicious Library Downloader Malicious Packer Antivirus OS Processor Check PE File PE32 Browser Info Stealer Malware download AveMaria NetWireRC VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege MachineGuid Check memory buffers extracted WMI Creates executable files unpack itself Windows utilities AntiVM_Disk WriteConsoleW Firewall state off VM Disk Size Check human activity check installed browsers check Windows Browser RAT Email ComputerName Remote Code Execution DNS
Hosts (3):
  microsoft.com(20.112.250.133)
  20.231.239.246
  179.43.162.58 - malicious
Suricata alerts (2):
  ET MALWARE Warzone RAT Response (Inbound)
  SURICATA Applayer Detect protocol only one direction
9.8 | M | 58 | ZeroCERT

11979 | 2023-06-26 07:56
foto172.exe f2d6b9680fb0b9d38268179a0c29af24
Tags: Gen1 Emotet Malicious Library UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 .NET EXE OS Processor Check DLL CAB Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName DNS Cryptographic key Software crashed
URLs (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll - rule_id: 34362
  http://77.91.68.63/doma/net/Plugins/clip64.dll - rule_id: 34363
  http://77.91.68.63/doma/net/index.php - rule_id: 34361
Hosts (2):
  77.91.68.63 - malware
  83.97.73.131 - malware
Suricata alerts (10):
  ET MALWARE RedLine Stealer TCP CnC net.tcp Init
  ET MALWARE Redline Stealer TCP CnC Activity
  ET MALWARE Redline Stealer TCP CnC - Id1Response
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1
  ET MALWARE Win32/Amadey Bot Activity (POST) M2
  ET INFO Dotted Quad Host DLL Request
  ET POLICY PE EXE or DLL Windows file download HTTP
  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
URLs matching rules (3):
  http://77.91.68.63/doma/net/Plugins/cred64.dll
  http://77.91.68.63/doma/net/Plugins/clip64.dll
  http://77.91.68.63/doma/net/index.php
15.6 | M | | ZeroCERT

11980 | 2023-06-26 07:53
AAAd1.exe 94f7dacd5b046eba244fceebe7b9a1dd
Tags: Emotet Generic Malware UPX Malicious Library PE File PE32 VirusTotal Malware PDB unpack itself
2.2 | M | 39 | ZeroCERT

11981 | 2023-06-26 07:53
Setup.exe d4d1d09cb001fd13a0bbe7f775bb8aa6
Tags: Malicious Library Malicious Packer PE File PE32 VirusTotal Malware
1.4 | M | 32 | ZeroCERT

11982 | 2023-06-26 07:51
HCX.exe 3e1dfc7cfb1d1a466f31dfa4f69e6018
Tags: Generic Malware UPX Malicious Library Antivirus PE File PE32 PowerShell VirusTotal Malware powershell suspicious privilege Check memory Checks debugger Creates shortcut unpack itself Windows utilities powershell.exe wrote suspicious process Windows ComputerName Cryptographic key crashed
8.6 | M | 40 | ZeroCERT

11983 | 2023-06-26 07:51
1.exe ae9e4e404bb0a9ddfda4c71a2f5304eb
Tags: UPX Malicious Library OS Processor Check PE File PE32 unpack itself
1.0 | M | | ZeroCERT

11984 | 2023-06-26 07:49
test.exe ba43067146c6f4e833dbf56b6c8a6a19
Tags: PE64 PE File VirusTotal Malware MachineGuid Check memory Checks debugger unpack itself Windows DNS Cryptographic key
Hosts (2):
  77.91.68.63 - malware
  185.138.164.41
3.8 | M | 53 | ZeroCERT

11985 | 2023-06-26 07:49
IE_Global.exe 6b90959b8fe28679025b61b5cdae040b
Tags: NSIS UPX Malicious Library PE File PE32 OS Processor Check DLL Browser Info Stealer FTP Client Info Stealer VirusTotal Email Client Info Stealer Malware AutoRuns suspicious privilege Check memory Checks debugger buffers extracted Creates executable files unpack itself Check virtual network interfaces AppData folder IP Check Tofsee Windows Browser Email ComputerName Cryptographic key Software crashed
1 (no entries listed)
Hosts (2):
  api.ipify.org(104.237.62.211)
  64.185.227.155
Suricata alerts (1):
  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
9.0 | M | 49 | ZeroCERT