Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 15, 2022, 5:07 a.m. | May 15, 2022, 5:08 a.m. |
Process | Command line | PID |
---|---|---|
Gnwpizngkfaxnrdperkromddykwmeaazkg.exe | "C:\Users\test22\AppData\Local\Temp\Gnwpizngkfaxnrdperkromddykwmeaazkg.exe" | 2836 |
Name | Response | Post-Analysis Lookup |
---|---|---|
login.live.com | CNAME login.msa.msidentity.com, CNAME prda.aadg.msidentity.com | 20.190.141.39 |
onedrive.live.com | CNAME l-0004.l-msedge.net | 13.107.42.13 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49164 -> 20.190.163.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49165 -> 20.190.163.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49163 -> 13.107.42.13:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49164 -> 20.190.163.18:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | 01:06:32:7f:27:0e:90:0d:d5:f4:c9:79:4a:16:3a:9c:4d:e8:59:d0 |
TLSv1 192.168.56.101:49165 -> 20.190.163.18:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=graph.windows.net | 01:06:32:7f:27:0e:90:0d:d5:f4:c9:79:4a:16:3a:9c:4d:e8:59:d0 |
TLSv1 192.168.56.101:49163 -> 13.107.42.13:443 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | CN=onedrive.com | 77:7f:f2:95:29:a7:e3:cc:0f:bf:2f:ba:2e:6f:2a:38:62:8b:48:4d |
section | CODE |
section | DATA |
section | BSS |
packer | BobSoft Mini Delphi -> BoB / BobSoft |
request | GET https://onedrive.live.com/download?cid=DCD4F5588DB45110&resid=DCD4F5588DB45110%21117&authkey=ABNcDCFEJJwt5GE |
request | GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1652558890&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DDCD4F5588DB45110%26resid%3DDCD4F5588DB45110%2521117%26authkey%3DABNcDCFEJJwt5GE&lc=1033&id=250206&cbcxt=sky&cbcxt=sky |
request | GET https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1652558891&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%2Fdownload%3Fcid%3DDCD4F5588DB45110%26resid%3DDCD4F5588DB45110%2521117%26authkey%3DABNcDCFEJJwt5GE&lc=1033&id=250206&cbcxt=sky&cbcxt=sky |
section | .rsrc (virtual_address 0x0005f000, virtual_size 0x00040160, size_of_data 0x00040200, entropy 6.972380802096853) | entropy | 6.9723808021 | description | A section with a high entropy has been found |
entropy | 0.418092909535 | description | Overall entropy of this PE file is high |
process | Gnwpizngkfaxnrdperkromddykwmeaazkg.exe | useragent | zipo |
process | Gnwpizngkfaxnrdperkromddykwmeaazkg.exe | useragent | aswe |
Engine | Detection |
---|---|
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
DrWeb | Trojan.Inject4.14525 |
Cynet | Malicious (score: 100) |
FireEye | Generic.mg.6331736d5de348e9 |
ALYac | Spyware.LokiBot |
Cylance | Unsafe |
Zillya | Trojan.Noon.Win32.17648 |
Sangfor | Virus.Win32.Save.a |
K7AntiVirus | Trojan ( 0057f9831 ) |
Alibaba | TrojanSpy:Win32/DelfInject.e46e09e0 |
K7GW | Trojan ( 0057f9831 ) |
Cybereason | malicious.15e6e4 |
Arcabit | Trojan.Generic.D23890BA |
BitDefenderTheta | Gen:NN.ZelphiF.34236.MGW@aaWp9Xni |
Cyren | W32/Delf.TXVA-4276 |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | Win32/TrojanDownloader.Delf.DGG |
Zoner | Trojan.Win32.119168 |
TrendMicro-HouseCall | TROJ_GEN.R01FC0DGM21 |
Kaspersky | HEUR:Trojan-Spy.Win32.Noon.gen |
BitDefender | Trojan.GenericKD.37261498 |
NANO-Antivirus | Trojan.Win32.Noon.ixsjfd |
MicroWorld-eScan | Trojan.GenericKD.37261498 |
Avast | Win32:InjectorX-gen [Trj] |
Tencent | Malware.Win32.Gencirc.10ce7e27 |
Ad-Aware | Trojan.GenericKD.37261498 |
Emsisoft | Trojan.Injector (A) |
F-Secure | Trojan.TR/Dldr.Delphi.oilby |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R01FC0DGM21 |
McAfee-GW-Edition | BehavesLike.Win32.Backdoor.jc |
Sophos | Mal/Generic-R + Troj/Fareit-LVA |
Ikarus | Trojan.Inject |
MaxSecure | Trojan.Malware.300983.susgen |
Avira | TR/Dldr.Delphi.oilby |
Antiy-AVL | Trojan[Spy]/Win32.Noon |
Gridinsoft | Trojan.Win32.Downloader.oa!s1 |
Microsoft | Trojan:Win32/DelfInject.VAM!MTB |
ZoneAlarm | HEUR:Trojan-Spy.Win32.Noon.gen |
GData | Trojan.GenericKD.37261498 |
AhnLab-V3 | Malware/Win.Generic.C4559104 |
McAfee | Fareit-FCVN!6331736D5DE3 |
MAX | malware (ai score=89) |
VBA32 | TScope.Trojan.Delf |
Malwarebytes | Backdoor.Remcos |
APEX | Malicious |
Rising | Trojan.Generic@ML.87 (RDMK:x0zfXrhg9pjBhAiVL0nnzA) |
Yandex | Trojan.Injector!081ev/18u/k |
SentinelOne | Static AI - Malicious PE |