Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | May 13, 2021, 8:20 a.m. | May 13, 2021, 8:25 a.m. |
Process | Command line | PID |
---|---|---|
update201703280212.exe | C:\Users\test22\AppData\Local\Temp\update201703280212.exe | 5032 |
Name | Response | Post-Analysis Lookup |
---|---|---|
edgedl.me.gvt1.com | 34.104.35.123 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49808 -> 142.250.207.67:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 34.104.35.123:80 -> 192.168.56.102:49809 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 34.104.35.123:80 -> 192.168.56.102:49809 | 2014520 | ET INFO EXE - Served Attached HTTP | Misc activity |
TCP 192.168.56.102:49810 -> 142.250.66.35:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49811 -> 142.250.66.35:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 34.104.35.123:80 -> 192.168.56.102:49809 | 2015744 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | Misc activity |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.102:49808 -> 142.250.207.67:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | 15:69:6f:01:b7:7b:17:83:16:4d:11:27:0c:74:37:21:a4:81:88:55 |
TLS 1.2 192.168.56.102:49810 -> 142.250.66.35:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | 15:69:6f:01:b7:7b:17:83:16:4d:11:27:0c:74:37:21:a4:81:88:55 |
TLS 1.2 192.168.56.102:49811 -> 142.250.66.35:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | 15:69:6f:01:b7:7b:17:83:16:4d:11:27:0c:74:37:21:a4:81:88:55 |
Field | Value |
---|---|
resource name | ZIP |
suspicious_features | POST method with no referer header |
suspicious_request | POST https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2 |
suspicious_features | POST method with no referer header |
suspicious_request | POST https://update.googleapis.com/service/update2 |
request | HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe |
request | GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe |
request | POST https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2 |
request | POST https://update.googleapis.com/service/update2 |
request | POST https://update.googleapis.com/service/update2?cup2key=10:804420565&cup2hreq=04b49ece93c885a4cd63aa4b6ee0ff8021674e6a856951fcd14dfae377c3f3d2 |
request | POST https://update.googleapis.com/service/update2 |
Name | Language | Sublanguage | Filetype | Offset | Size |
---|---|---|---|---|---|
ZIP | LANG_TURKISH | SUBLANG_DEFAULT | data | 0x000515c8 | 0x0006076b |
Field | Value | Description |
---|---|---|
section | UPX1 (size_of_data 0x00087c00, virtual_address 0x00034000, virtual_size 0x00088000, entropy 7.797780400638962) | A section with a high entropy has been found |
entropy | 0.996330275229 | Overall entropy of this PE file is high |
section | UPX0 | Section name indicates UPX |
section | UPX1 | Section name indicates UPX |
host | 142.250.207.67 |
host | 142.250.66.35 |
host | 172.217.25.14 |
Engine | Detection |
---|---|
Bkav | W32.AIDetectVM.malware1 |
FireEye | Generic.mg.3ccd1b5d4ea318d1 |
McAfee | Artemis!3CCD1B5D4EA3 |
Cylance | Unsafe |
Sangfor | Malware |
Alibaba | Trojan:Win32/Fugrafa.95b51548 |
Cyren | W32/Trojan.CSH.gen!Eldorado |
APEX | Malicious |
Paloalto | generic.ml |
AegisLab | Trojan.Win32.Generic.4!c |
F-Secure | Heuristic.HEUR/AGEN.1118742 |
DrWeb | Trojan.DownLoad4.6872 |
McAfee-GW-Edition | BehavesLike.Win32.Dropper.hc |
Sophos | Generic PUA BD (PUA) |
Jiangmin | AdWare.Generic.gssa |
eGambit | Unsafe.AI_Score_95% |
Avira | HEUR/AGEN.1118742 |
Antiy-AVL | Trojan/Win32.Generic |
Gridinsoft | Trojan.Win32.Agent.vb!s2 |
Microsoft | PUA:Win32/Presenoker |
Cynet | Malicious (score: 100) |
VBA32 | Trojan.Download |
Yandex | Trojan.GenAsa!DPzVoG23Lus |
Ikarus | Trojan.Fugrafa |
MaxSecure | Trojan.Malware.300983.susgen |
Fortinet | W32/Generic_PUA_BD.KJ!tr |
Qihoo-360 | Win32/Trojan.419 |