12226 | 2023-06-14 17:46
netTime.exe 69b55498f8568671d14a91a952c82b49 Emotet PWS .NET framework RAT Generic Malware UPX Malicious Packer Antivirus PE64 PE File VirusTotal Malware suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut Creates executable files unpack itself suspicious process Windows ComputerName Remote Code Execution Cryptographic key
5.0 | M | 25 | ZeroCERT

12227 | 2023-06-14 17:46
Ref%20EU482002Y92DH983HR9UOFR0... bee4228379337219946d60655bfa9341 PWS .NET framework .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself
2.2 | M | 26 | ZeroCERT

12228 | 2023-06-14 17:44
setup.exe ca29125444e8792b19fe34c901fc6721 Suspicious_Script_Bin UPX Malicious Library PE File PE32 Check memory Creates executable files
0.8 | M | | ZeroCERT

12229 | 2023-06-14 17:44
AsyncClient.exe 3dc64f540a2a9278e15cadf61d71369f Generic Malware UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed
2.0 | M | 31 | ZeroCERT

12230 | 2023-06-14 17:42
Client-built202.exe 81fe02b22a1c5d7d2f58071929b4c6dd Generic Malware UPX Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed
1.8 | M | 22 | ZeroCERT

12231 | 2023-06-14 17:42
DOO.exe ae6f85c26fa500b5c13cb8775c1a5b22 Admin Tool (Sysinternals etc ...) .NET EXE PE File PE32 VirusTotal Malware PDB Check memory Checks debugger unpack itself crashed
2.2 | M | 32 | ZeroCERT

12232 | 2023-06-14 16:04
7za_SC.bat 4bd2a27b7bb64b9d060d0e4cafadceac Downloader Create Service DGA Socket DNS Code injection HTTP PWS[m] Sniff Audio Steal credential Http API P2P Internet API Escalate priviledges FTP KeyLogger ScreenShot AntiDebug AntiVM WriteConsoleW
0.6 | | | ZeroCERT

12233 | 2023-06-14 16:02
hh.exe 49e5db7cd2169dfc4d0e2011beccf2a0 Generic Malware UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed
2.2 | M | 50 | r0d

12234 | 2023-06-14 16:01
hh.exe 49e5db7cd2169dfc4d0e2011beccf2a0 Generic Malware UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) PE File PE32 VirusTotal Malware RWX flags setting unpack itself crashed
2.2 | M | 50 | r0d

12235 | 2023-06-14 15:38
photo221.exe af65da5da42fc008093bee50c7479c30 Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
3
http://77.91.68.30/music/rock/index.php - rule_id: 34087
http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101
http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102
2
77.91.68.30 - malware
83.97.73.130 - malware
10
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3
http://77.91.68.30/music/rock/index.php
http://77.91.68.30/music/rock/Plugins/cred64.dll
http://77.91.68.30/music/rock/Plugins/clip64.dll
15.6 | M | | ZeroCERT

12236 | 2023-06-14 15:36
fotod75.exe 3be106aaea624a6423d549f9227e1535 Gen1 Emotet UPX Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) CAB PE File PE32 OS Processor Check DLL Browser Info Stealer RedLine Malware download Amadey FTP Client Info Stealer VirusTotal Malware AutoRuns PDB suspicious privilege Malicious Traffic Check memory Checks debugger WMI Creates executable files unpack itself Windows utilities Disables Windows Security Collect installed applications suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check installed browsers check Stealer Windows Update Browser ComputerName Remote Code Execution DNS Cryptographic key Software crashed
3
http://77.91.68.30/music/rock/index.php - rule_id: 34087
http://77.91.68.30/music/rock/Plugins/cred64.dll - rule_id: 34101
http://77.91.68.30/music/rock/Plugins/clip64.dll - rule_id: 34102
2
77.91.68.30 - malware
83.97.73.130 - malware
10
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Dotted Quad Host DLL Request
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3
http://77.91.68.30/music/rock/index.php
http://77.91.68.30/music/rock/Plugins/cred64.dll
http://77.91.68.30/music/rock/Plugins/clip64.dll
16.8 | M | 43 | ZeroCERT

12237 | 2023-06-14 15:34
23.exe 428d5dbe757e12d9981141ebc01725c5 Gen2 Generic Malware UPX Malicious Library Malicious Packer OS Processor Check PE File PE32 icon Browser Info Stealer VirusTotal Malware PDB suspicious privilege Code Injection Check memory Checks debugger Creates executable files exploit crash unpack itself Check virtual network interfaces installed browsers check Windows Exploit Browser Remote Code Execution Cryptographic key crashed
9.0 | M | 32 | ZeroCERT

12238 | 2023-06-14 13:50
File_pass1234.7z 9a6a7d29d7a28cdd312defc7ce231351 PWS[m] Escalate priviledges KeyLogger AntiDebug AntiVM RedLine Malware download Amadey VirusTotal Malware Microsoft suspicious privilege Malicious Traffic Check memory Checks debugger Creates executable files unpack itself IP Check PrivateLoader Kelihos Tofsee Stealer Windows Discord Trojan DNS
24
http://94.142.138.131/api/firegate.php - rule_id: 32650
http://45.9.74.6/2.exe - rule_id: 34108
http://185.159.129.168/clpr/OWUsN2UsODMsOWIsOWUsODIsOTAsOTEsNjQsN2Ys
http://hugersi.com/dl/6523.exe - rule_id: 32660
http://77.91.68.30/DSC01491/foto164.exe - rule_id: 34218
http://45.15.156.229/api/tracemap.php - rule_id: 33783
http://www.microsoft.com/
http://77.91.68.30/music/rock/index.php - rule_id: 34087
http://77.91.68.30/DSC01491/fotod75.exe - rule_id: 34217
http://ip-api.com/json/?fields=query,status,countryCode,city,timezone
http://94.142.138.131/api/tracemap.php - rule_id: 28311
http://www.maxmind.com/geoip/v2.1/city/me
http://45.9.74.80/0bjdn2Z/index.php - rule_id: 26790
http://83.97.73.131/gallery/photo221.exe
http://194.169.175.124:3002/ - rule_id: 34039
http://ji.jahhaega2qq.com/m/p0aw25.exe - rule_id: 33779
https://sun6-22.userapi.com/c237131/u228185173/docs/d24/4319464c905b/galaxzy.bmp?extra=zKe1lvO8HmQ83AqO4qgCD5e5sJX_8qIqAuvd7okRRHvVyIFJr5fsUaVGlebpe5JmxVj5J-kE20n3nH6x8G9NUZgJT5mtf76VjAVYGNaoK36gpTiAEKI-USLXfHGL6f8HjsIzxDqIZoPeuGl8-w
https://sun6-20.userapi.com/c909218/u228185173/docs/d11/e6fc77394466/StealerClient.bmp?extra=utJC4DWKwLCLcHd2VbzusBuvIlvTtKVnx7Ycl2-DoRuWcrivvT3Ve4Vjk_R_W7GH3bMWLwHqeTbEvES1_tp6_moIJ5gbaIV_exj_3f5OEDpzBZoAH0q2hUUVceVmomdGo0lOu1Xop6yMrkq65A
https://db-ip.com/demo/home.php?s=175.208.134.152
https://sun6-20.userapi.com/c240331/u228185173/docs/d10/3b0f4d08c343/WWW1.bmp?extra=5G9xyQXXZiOP45K7q83O3Ic3JOEJssz4V6I_GAlzOiPi7rAVVsJd81Il1_6m49auDnLbPMkz6apauE_obwxXqqSlr7P3LGZPGF6VwoxCwXisXOdgmbB-GxeTd8CmMXkWR-C-iGW8oTmq34Myyg
https://db-ip.com/
https://sun6-22.userapi.com/c909328/u228185173/docs/d16/ec165af90354/PMmp.bmp?extra=rr0iPfGriEf8ulu76Xfi6cvtXpvvUPah-1OWSkukAO5O8hIGj1vvXN_VfjkyY6og6XBPMvm4rknfEImV4cFyIYzgaDaM90EVJWC4T3jd6comOA45Yy3iTuW_NUXrjgrCOacIAMIS9doBruWTYw
https://cdn.discordapp.com/attachments/1117983655265050656/1117983762727317544/23.exe
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
47
www.maxmind.com(104.17.214.67)
db-ip.com(104.26.4.15)
api.db-ip.com(104.26.4.15)
api.myip.com(104.26.9.59)
hugersi.com(91.215.85.147) - malware
iplis.ru(148.251.234.93) - mailcious
ji.jahhaega2qq.com(104.21.18.146) - malware
iplogger.org(148.251.234.83) - mailcious
ipinfo.io(34.117.59.81)
sun6-22.userapi.com(95.142.206.2)
ip-api.com(208.95.112.1)
sun6-20.userapi.com(95.142.206.0) - mailcious
vk.com(87.240.132.78) - mailcious
cdn.discordapp.com(162.159.134.233) - malware
www.microsoft.com(23.210.37.58)
148.251.234.93 - mailcious
194.169.175.128 - mailcious
95.142.206.2
104.17.215.67
91.215.85.147 - malware
94.142.138.113 - mailcious
104.26.5.15
172.67.75.166
45.9.74.80 - malware
77.91.68.30 - malware
185.159.129.168 - mailcious
157.254.164.98 - mailcious
34.117.59.81
172.67.182.87 - malware
148.251.234.83
104.26.8.59
23.210.37.58
83.97.73.130 - malware
45.12.253.74 - malware
94.142.138.131 - mailcious
208.95.112.1
185.81.68.115 - mailcious
83.97.73.131
194.169.175.124 - mailcious
45.15.156.229 - mailcious
162.159.129.233 - malware
87.240.137.164 - mailcious
147.135.231.58 - mailcious
163.123.143.4 - mailcious
95.142.206.0 - mailcious
45.9.74.6 - malware
176.113.115.239 - malware
27
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET MALWARE RedLine Stealer TCP CnC net.tcp Init
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO EXE - Served Attached HTTP
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Possible Kelihos.F EXE Download Common Structure
ET INFO Packed Executable Download
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO TLS Handshake Failure
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET POLICY External IP Lookup ip-api.com
ET POLICY Microsoft user-agent automated process response to automated request
11
http://94.142.138.131/api/firegate.php
http://45.9.74.6/2.exe
http://hugersi.com/dl/6523.exe
http://77.91.68.30/DSC01491/foto164.exe
http://45.15.156.229/api/tracemap.php
http://77.91.68.30/music/rock/index.php
http://77.91.68.30/DSC01491/fotod75.exe
http://94.142.138.131/api/tracemap.php
http://45.9.74.80/0bjdn2Z/index.php
http://194.169.175.124:3002/
http://ji.jahhaega2qq.com/m/p0aw25.exe
6.6 | M | 1 | ZeroCERT

12239 | 2023-06-14 13:40
unknown.zip 93b21205544e5f6eab2df513c96cda2b ZIP Format VirusTotal Malware
0.8 | M | 24 | ZeroCERT

12240 | 2023-06-14 10:07
jgpBAvoF9bOl.js d0bcc81b0ece3fb4b0d58591480e4ab7 Generic Malware Antivirus Hide_URL AntiDebug AntiVM PowerShell VirusTotal Malware powershell suspicious privilege Code Injection Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName Cryptographic key
9
http://185.59.188.101/Ix4/Vsfsp
http://58.244.49.68/6Typ/T
http://sanitisesDownily.life/x/w
http://195.139.108.156/kd/by6z6
https://misrepresentative.reviews/Rim/lMqo
https://98.167.188.253/XEv/6zNL
http://192.121.17.70/cDSuGb/FpM0M6b
http://192.121.17.69/7xvnh1Y/zKMfslTrydQR
http://192.121.17.14/8Bz/BWNctfkbR
6.0 | | 9 | ZeroCERT