Summary | ZeroBOX

1.doc

Category FILE
Machine s1_win7_x6401
Started May 14, 2021, 6:09 p.m.
Completed May 14, 2021, 6:11 p.m.
Size 169.2KB
Type Microsoft Word 2007+
MD5 af7ee4f20a624c4d7b5cfc7adde79332
SHA256 2bfdb32860a99dc2edce59ff9c92da4e64459396097e7e58db6e9aae892550b6
CRC32 BBDA8482
ssdeep 3072:2hnDbdhVPdsPdhPdrPdrUSw212V6mjPdJ73S:2hDbdh5CL1G1212V6Wn7C
Yara None matched

IP Address Status Action
164.124.101.2 Active Moloch
172.96.187.2 Active Moloch
187.45.240.69 Active Moloch

Suricata Alerts

Suricata TLS

No Suricata TLS

suspicious_features GET method with no useragent header; suspicious_request GET http://facextrade.com.br/0C.txt
suspicious_features GET method with no useragent header; suspicious_request GET http://facextrade.com.br/0A.txt
request GET http://facextrade.com.br/z.mp3
request GET http://facextrade.com.br/0C.txt
request GET http://facextrade.com.br/0A.txt
file C:\Users\test22\AppData\Local\Temp\~$1.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003ec
filepath: C:\Users\test22\AppData\Local\Temp\~$1.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$1.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
Status 1 Return 0 Repeated 0
FireEye VB.Heur.Chronos.7.3D17CC43.Gen
Alibaba TrojanDownloader:VBA/Obfuscation.A
Arcabit HEUR.VBA.Trojan.d
Symantec CL.Downloader!gen87
ESET-NOD32 a variant of Generik.LEIKKZW
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VB.Heur.Chronos.7.3D17CC43.Gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
TACHYON Suspicious/WOX.Obfus.Gen.8
Emsisoft VB.Heur.Chronos.7.3D17CC43.Gen (B)
McAfee-GW-Edition BehavesLike.Downloader.cc
AegisLab Trojan.Script.Generic.a!c
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
GData VB.Heur.Chronos.7.3D17CC43.Gen (12x)
MAX malware (ai score=82)
Fortinet VBA/Chronos.3D17!tr