Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | June 15, 2021, 9:21 p.m. | June 15, 2021, 9:27 p.m. |
Process | Command line | PID |
---|---|---|
GetX64BTIT.exe | "C:\Users\test22\AppData\Local\Temp\GetX64BTIT.exe" | 1108 |
explorer.exe | C:\Windows\Explorer.EXE | 1848 |
Name | Response | Post-Analysis Lookup |
---|---|---|
i.imgur.com | 151.101.52.193 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 193.23.244.244:80 -> 192.168.56.101:49206 | 2522324 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325 | Misc Attack |
TCP 192.168.56.101:49202 -> 151.101.40.193:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49203 -> 151.101.40.193:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49206 -> 193.23.244.244:80 | 2028914 | ET POLICY TOR Consensus Data Requested | Potential Corporate Privacy Violation |
TCP 192.168.56.101:49206 -> 193.23.244.244:80 | 2221033 | SURICATA HTTP Request abnormal Content-Encoding header | Generic Protocol Command Decode |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49202 151.101.40.193:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com | f4:34:6e:0c:34:5f:9f:d4:b5:ef:1c:cf:a5:e9:c1:67:1b:65:2a:a7 |
TLSv1 192.168.56.101:49203 151.101.40.193:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=California, L=San Francisco, O=Imgur, Inc., CN=*.imgur.com | f4:34:6e:0c:34:5f:9f:d4:b5:ef:1c:cf:a5:e9:c1:67:1b:65:2a:a7 |
Field | Value |
---|---|
suspicious_features | GET method with no useragent header, HTTP version 1.0 used, Connection to IP address |
suspicious_request | GET http://193.23.244.244/tor/status-vote/current/consensus |
suspicious_features | GET method with no useragent header |
suspicious_request | GET https://i.imgur.com/qOLD3Td.png |
request | GET http://193.23.244.244/tor/status-vote/current/consensus |
request | HEAD https://i.imgur.com/qOLD3Td.png |
request | GET https://i.imgur.com/qOLD3Td.png |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvp.lnk |
cmdline | C:\Users\test22\AppData\Local\Temp\cmd.exe |
file | C:\Users\test22\AppData\Local\Temp\GetX64BTIT.exe |
section | {u'size_of_data': u'0x0000f800', u'virtual_address': u'0x0012f000', u'entropy': 6.873823789889154, u'name': u'.data', u'virtual_size': u'0x00014000'} |
entropy | 6.87382378989 |
description | A section with a high entropy has been found |
cmdline | C:\Windows\System32\ipconfig.exe |
host | 193.23.244.244 |
file | C:\Users\test22\AppData\Local\Temp\GetX64BTIT.exe |
Antivirus | Detection |
---|---|
MicroWorld-eScan | Trojan.GenericKD.34502366 |
FireEye | Trojan.GenericKD.34502366 |
CAT-QuickHeal | Trojan.Shellcode |
ALYac | Trojan.GenericKD.34502366 |
Cylance | Unsafe |
K7AntiVirus | Riskware ( 0040eff71 ) |
Alibaba | Exploit:Win32/Shellcode.e6e9e737 |
K7GW | Riskware ( 0040eff71 ) |
CrowdStrike | win/malicious_confidence_100% (W) |
Arcabit | Trojan.Generic.D20E76DE |
Invincea | Mal/Generic-S |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
Avast | Win32:Malware-gen |
Kaspersky | Exploit.Win32.Shellcode.ttk |
BitDefender | Trojan.GenericKD.34502366 |
Paloalto | generic.ml |
Ad-Aware | Trojan.GenericKD.34502366 |
Sophos | Mal/Generic-S |
F-Secure | Trojan.TR/AD.NsisInject.odady |
DrWeb | BackDoor.Rat.281 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R069C0WIC20 |
McAfee-GW-Edition | Artemis!Trojan |
MaxSecure | Trojan.Malware.106434902.susgen |
Emsisoft | Trojan.GenericKD.34502366 (B) |
Avira | TR/AD.NsisInject.odady |
Microsoft | Trojan:Win32/Tiggre!rfn |
AegisLab | Hacktool.Win32.Shellcode.3!c |
ZoneAlarm | Exploit.Win32.Shellcode.ttk |
GData | Trojan.GenericKD.34502366 |
Cynet | Malicious (score: 85) |
McAfee | Artemis!793707365DF2 |
MAX | malware (ai score=83) |
VBA32 | Malware-Cryptor.Limpopo |
ESET-NOD32 | Win32/Spy.Kronosbot.A |
TrendMicro-HouseCall | TROJ_GEN.R069C0WIC20 |
Rising | Backdoor.Konus!8.AC8 (TFE:6:G4wbRRZm8RN) |
Ikarus | Trojan.NsisInject |
Fortinet | W32/Rugmi.FAH!tr.dldr |
AVG | Win32:Malware-gen |
Panda | Trj/GdSda.A |
Qihoo-360 | Generic/Trojan.f93 |