Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 20, 2023, 9:38 a.m.	June 20, 2023, 9:41 a.m.

Size	4.7MB
Type	7-zip archive data, version 0.4
MD5	`228119ee4c65cb1007f6a059d9b9ea04`
SHA256	`540b52866f994dc6c92ed34bb9e3d7f9ed6183ce5ad09daa9c0704da733ae060`
CRC32	`40DF445E`
ssdeep	`98304:O3vnS3jwpt1B1ODe16f/dqDlvgYCrBBkTRuRs4hI5z:OKMnODe16f/dqZvawRuRjqz`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "mdSHovBQ" C:\Users\test22\AppData\Local\Temp\File_pass1234.7z
2996
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\File_pass1234.7z"
  932

Name	Response	Post-Analysis Lookup
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
ipinfo.io	A 34.117.59.81	34.117.59.81
bc4ef8da-d887-49be-b429-28634ffc09c5.uuid.cdntokiog.studio		185.82.216.49
hugersi.com	A 91.215.85.147	91.215.85.147
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
ji.jaoaaoas11.com	A 154.221.19.146	154.221.19.146
lodar2ben.top
us.imgjeoigaa.com	A 154.221.19.146	154.221.19.146
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172
stun3.l.google.com	A 74.125.197.127	142.251.2.127
as.imgjeoigaa.com	A 39.109.117.57	39.109.117.57
vsblobprodscussu5shard58.blob.core.windows.net	CNAME blob.sat09prdstrz08a.trafficmanager.net CNAME blob.sat09prdstrz08a.store.core.windows.net A 20.150.79.68 A 20.150.70.36 A 20.150.38.228	20.150.79.68
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.8.59
bitbucket.org	A 104.192.141.1	104.192.141.1
msdl.microsoft.com	CNAME msdl.microsoft.akadns.net CNAME msdl-microsoft-com.a-0016.a-msedge.net CNAME a-0016.a-msedge.net A 204.79.197.219	204.79.197.219
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.129.133
iplogger.org	A 148.251.234.83	148.251.234.83
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
ji.jahhaega2qq.com	A 104.21.18.146 A 172.67.182.87	104.21.18.146
www.maxmind.com	A 104.17.215.67 A 104.17.214.67	104.17.215.67
t.me	A 149.154.167.99	149.154.167.99
getnoon.top	A 195.22.152.206	195.22.152.206
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
luckytradeone.com	A 172.67.181.198 A 104.21.35.252	172.67.181.198
steamcommunity.com	A 104.88.222.199	104.76.78.101
server9.cdntokiog.studio	A 185.82.216.49	185.82.216.49
iplis.ru	A 148.251.234.93	148.251.234.93
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
vsblobprodscussu5shard10.blob.core.windows.net	CNAME blob.sat09prdstrz08a.trafficmanager.net CNAME blob.sat09prdstrz08a.store.core.windows.net A 20.150.79.68 A 20.150.38.228 A 20.150.70.36	20.150.70.36
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
104.17.214.67	Active	Moloch
104.17.215.67	Active	Moloch
104.192.141.1	Active	Moloch
104.21.35.252	Active	Moloch
104.88.222.199	Active	Moloch
104.26.4.15	Active	Moloch
104.26.5.15	Active	Moloch
104.26.8.59	Active	Moloch
116.203.166.104	Active	Moloch
149.154.167.99	Active	Moloch
154.221.19.146	Active	Moloch
157.254.164.98	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
162.159.130.233	Active	Moloch
163.123.143.4	Active	Moloch
164.124.101.2	Active	Moloch
172.67.182.87	Active	Moloch
172.67.75.166	Active	Moloch
172.67.75.172	Active	Moloch
185.81.68.115	Active	Moloch
185.82.216.49	Active	Moloch
194.169.175.124	Active	Moloch
194.169.175.128	Active	Moloch
195.22.152.206	Active	Moloch
20.150.79.68	Active	Moloch
204.79.197.219	Active	Moloch
34.117.59.81	Active	Moloch
39.109.117.57	Active	Moloch
45.12.253.56	Active	Moloch
45.12.253.72	Active	Moloch
45.12.253.74	Active	Moloch
45.12.253.75	Active	Moloch
45.15.156.229	Active	Moloch
45.9.74.6	Active	Moloch
45.9.74.80	Active	Moloch
79.137.204.46	Active	Moloch
83.97.73.131	Active	Moloch
85.208.136.10	Active	Moloch
87.240.132.78	Active	Moloch
91.215.85.147	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.3	Active	Moloch
20.150.70.36	Active	Moloch
74.125.197.127	Active	Moloch
77.91.68.63	Active	Moloch
83.97.73.128	Active	Moloch
95.216.249.153	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49174 -> 104.26.8.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 85.208.136.10:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49174 -> 104.26.8.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49178 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49179 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49179 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49183 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49193 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49198 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49209	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49213 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49213	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49216 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49216 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 45.9.74.6:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.102:49192 -> 45.9.74.6:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49192 -> 45.9.74.6:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.102:49192 -> 45.9.74.6:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 83.97.73.131:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 83.97.73.131:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.6:80 -> 192.168.56.102:49192	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 172.67.182.87:80 -> 192.168.56.102:49195	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.6:80 -> 192.168.56.102:49192	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 83.97.73.131:80 -> 192.168.56.102:49189	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 83.97.73.131:80 -> 192.168.56.102:49189	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49196 -> 104.192.141.1:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 104.192.141.1:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 45.9.74.6:80 -> 192.168.56.102:49192	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49230 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49194 -> 104.192.141.1:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 104.192.141.1:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 83.97.73.131:80 -> 192.168.56.102:49189	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49186 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49186	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 104.192.141.1:443 -> 192.168.56.102:49202	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49203 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49211	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 104.192.141.1:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49215 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49222 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 104.192.141.1:443 -> 192.168.56.102:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49205 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49218	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 45.9.74.80:80 -> 192.168.56.102:49188	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.102:49188	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49219 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.147:80 -> 192.168.56.102:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49220 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49210 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49210 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.147:80 -> 192.168.56.102:49200	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49239 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49223 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49237 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49214 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49214	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49241 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49225 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49197 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49204	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49232 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49232 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49234 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49226	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49231 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49235 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49242 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49252 -> 39.109.117.57:80	2045057	ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)	A Network Trojan was detected
TCP 192.168.56.102:49250 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49251 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49265 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49270 -> 104.17.215.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 79.137.204.46:48843 -> 192.168.56.102:49264	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
UDP 192.168.56.102:53991 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49279 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49279 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49279 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49283 -> 45.12.253.56:80	2044034	ET MALWARE Potential GCleaner CnC Checkin	A Network Trojan was detected
TCP 192.168.56.102:49256 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49256 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49256 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49266 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49285 -> 45.12.253.72:80	2044031	ET MALWARE GCleaner CnC Checkin M1	A Network Trojan was detected
TCP 192.168.56.102:49271 -> 104.17.214.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.83:443 -> 192.168.56.102:49280	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49285 -> 45.12.253.72:80	2044032	ET MALWARE GCleaner Payload Retrieval Attempt	A Network Trojan was detected
TCP 45.12.253.72:80 -> 192.168.56.102:49285	2044037	ET MALWARE GCleaner Downloader - Payload Response	A Network Trojan was detected
TCP 192.168.56.102:49259 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49259 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49259 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49259 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 157.254.164.98:28449 -> 192.168.56.102:49263	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49277 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49278	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.102:53208 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49292 -> 195.22.152.206:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49292 -> 195.22.152.206:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49292	2044245	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config	Malware Command and Control Activity Detected
TCP 194.169.175.124:3002 -> 192.168.56.102:49243	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.124:3002 -> 192.168.56.102:49243	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 194.169.175.124:3002 -> 192.168.56.102:49243	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49296 -> 204.79.197.219:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.124:3002 -> 192.168.56.102:49243	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49300 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49300 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49300 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.102:49302	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49253 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49253 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49253 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49255 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49258 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49253 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49304 -> 104.88.222.199:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49261 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49262 -> 185.81.68.115:2920	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49293 -> 195.22.152.206:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 195.22.152.206:80 -> 192.168.56.102:49293	2044247	ET MALWARE Win32/Stealc Active C2 Responding with plugins Config	Malware Command and Control Activity Detected
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49305 -> 116.203.166.104:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.102:49294 -> 195.22.152.206:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
UDP 192.168.56.102:53991 -> 8.8.8.8:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49297 -> 195.22.152.206:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 45.9.74.80:80 -> 192.168.56.102:49274	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49297	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.22.152.206:80 -> 192.168.56.102:49297	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49297	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49301 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49301 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49301 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49309 -> 95.216.249.153:81	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.128:19071 -> 192.168.56.102:49306	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49309 -> 95.216.249.153:81	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 95.216.249.153:81 -> 192.168.56.102:49309	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.12.253.75:80 -> 192.168.56.102:49287	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49263 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 154.221.19.146:80 -> 192.168.56.102:49288	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 154.221.19.146:80 -> 192.168.56.102:49288	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49274 -> 45.9.74.80:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49289 -> 195.22.152.206:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.102:49295 -> 39.109.117.57:80	2045057	ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)	A Network Trojan was detected
TCP 192.168.56.102:49298 -> 20.150.79.68:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49312 -> 195.22.152.206:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49309 -> 95.216.249.153:81	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 195.22.152.206:80 -> 192.168.56.102:49312	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.22.152.206:80 -> 192.168.56.102:49312	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49312	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49314 -> 195.22.152.206:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.128:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 195.22.152.206:80 -> 192.168.56.102:49314	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.22.152.206:80 -> 192.168.56.102:49314	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49314	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49315 -> 20.150.70.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49316 -> 77.91.68.63:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.102:49316 -> 77.91.68.63:80	2044695	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1	A Network Trojan was detected
TCP 192.168.56.102:49316 -> 77.91.68.63:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 195.22.152.206:80 -> 192.168.56.102:49318	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.22.152.206:80 -> 192.168.56.102:49318	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49318	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49321 -> 195.22.152.206:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 195.22.152.206:80 -> 192.168.56.102:49321	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.22.152.206:80 -> 192.168.56.102:49321	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49264 -> 79.137.204.46:48843	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 195.22.152.206:80 -> 192.168.56.102:49321	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
UDP 192.168.56.102:63044 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.102:49323 -> 185.82.216.49:443	2043043	ET MALWARE Observed Glupteba CnC Domain (cdntokiog .studio in TLS SNI)	Domain Observed Used for C2 Detected
TCP 192.168.56.102:49327 -> 195.22.152.206:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49327 -> 195.22.152.206:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49327	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.22.152.206:80 -> 192.168.56.102:49327	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49327	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 192.168.56.102:49328 -> 195.22.152.206:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 195.22.152.206:80 -> 192.168.56.102:49328	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.22.152.206:80 -> 192.168.56.102:49328	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 195.22.152.206:80 -> 192.168.56.102:49328	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
UDP 192.168.56.102:53040 -> 74.125.197.127:19302	2033078	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)	Misc activity
TCP 192.168.56.102:49313 -> 172.67.75.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49322 -> 162.159.130.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49259 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49256 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49253 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49300 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.102:49175 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49174 104.26.8.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49183 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49230 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49239 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49237 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49241 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49225 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49228 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49234 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49231 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49235 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49240 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49242 95.142.206.3:443	None	None	None
TLSv1 192.168.56.102:49265 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49266 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49296 204.79.197.219:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com	bb:73:9f:5a:9b:a2:e7:20:0b:4c:b1:55:37:ef:e0:d4:c9:29:9b:21
TLSv1 192.168.56.102:49255 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49258 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49304 104.88.222.199:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5
TLSv1 192.168.56.102:49261 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49298 20.150.79.68:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=*.blob.core.windows.net	d5:0b:d3:97:69:7b:50:64:d8:ef:f5:4a:58:07:8b:a0:34:f1:f4:59
TLSv1 192.168.56.102:49315 20.150.70.36:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=*.blob.core.windows.net	d5:0b:d3:97:69:7b:50:64:d8:ef:f5:4a:58:07:8b:a0:34:f1:f4:59
TLS 1.3 192.168.56.102:49323 185.82.216.49:443	None	None	None
TLSv1 192.168.56.102:49313 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc
TLS 1.3 192.168.56.102:49322 162.159.130.233:443	None	None	None
TLS 1.3 192.168.56.102:49325 104.21.35.252:443	None	None	None

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 20, 2023, 9:38 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 20, 2023, 9:38 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (34 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://85.208.136.10/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://85.208.136.10/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.80/undoo.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://83.97.73.131/gallery/photo221.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://45.9.74.6/2.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://83.97.73.131/gallery/photo221.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.6/2.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.9.74.80/undoo.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header	suspicious_request	POST http://as.imgjeoigaa.com/check/?sid=471022&key=35ecd06fa094e8e3f819bf02984a598e
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.9.74.80/0bjdn2Z/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.9.74.80/offer/setup.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.9.74.80/offer/toolspub2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.9.74.80/offer/3eef203fb515bda85f514e168abb5973.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixone&substr=mixazed
suspicious_features	Connection to IP address	suspicious_request	GET http://45.12.253.72/default/stuk.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.12.253.72/default/puk.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.12.253.75/dll.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://ji.jaoaaoas11.com/m/ss41.exe
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://getnoon.top/410b5129171f10ea.php
suspicious_features	POST method with no referer header	suspicious_request	POST http://as.imgjeoigaa.com/check/?sid=471204&key=7eee7f9860dae7a11fd31138ce88ab95
suspicious_features	GET method with no useragent header	suspicious_request	GET http://getnoon.top/c043bcd0ba06ae1d/sqlite3.dll
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.166.104/a6fcde3d4457e243dbb20bf48006aee2
suspicious_features	Connection to IP address	suspicious_request	GET http://116.203.166.104/upload.zip
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://116.203.166.104/
suspicious_features	GET method with no useragent header	suspicious_request	GET http://getnoon.top/c043bcd0ba06ae1d/freebl3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://getnoon.top/c043bcd0ba06ae1d/mozglue.dll
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.63/doma/net/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://getnoon.top/c043bcd0ba06ae1d/msvcp140.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://getnoon.top/c043bcd0ba06ae1d/nss3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://getnoon.top/c043bcd0ba06ae1d/softokn3.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://getnoon.top/c043bcd0ba06ae1d/vcruntime140.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://api.ip.sb/ip

Performs some HTTP requests (50 out of 63 events)

request	GET http://85.208.136.10/api/tracemap.php
request	POST http://85.208.136.10/api/firegate.php
request	HEAD http://45.9.74.80/undoo.exe
request	HEAD http://83.97.73.131/gallery/photo221.exe
request	HEAD http://45.9.74.6/2.exe
request	HEAD http://ji.jahhaega2qq.com/m/p0aw25.exe
request	GET http://ji.jahhaega2qq.com/m/p0aw25.exe
request	GET http://83.97.73.131/gallery/photo221.exe
request	HEAD http://hugersi.com/dl/6523.exe
request	GET http://hugersi.com/dl/6523.exe
request	GET http://45.9.74.6/2.exe
request	GET http://45.9.74.80/undoo.exe
request	GET http://us.imgjeoigaa.com/sts/imagc.jpg
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://94.142.138.131/api/tracemap.php
request	GET http://as.imgjeoigaa.com/check/safe
request	POST http://as.imgjeoigaa.com/check/?sid=471022&key=35ecd06fa094e8e3f819bf02984a598e
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	POST http://45.9.74.80/0bjdn2Z/index.php
request	GET http://45.9.74.80/offer/setup.exe
request	GET http://45.9.74.80/offer/toolspub2.exe
request	GET http://45.9.74.80/offer/3eef203fb515bda85f514e168abb5973.exe
request	GET http://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixone&substr=mixazed
request	GET http://45.12.253.72/default/stuk.php
request	GET http://45.12.253.72/default/puk.php
request	GET http://45.12.253.75/dll.php
request	GET http://ji.jaoaaoas11.com/m/ss41.exe
request	POST http://getnoon.top/410b5129171f10ea.php
request	POST http://as.imgjeoigaa.com/check/?sid=471204&key=7eee7f9860dae7a11fd31138ce88ab95
request	GET http://getnoon.top/c043bcd0ba06ae1d/sqlite3.dll
request	GET http://116.203.166.104/a6fcde3d4457e243dbb20bf48006aee2
request	GET http://116.203.166.104/upload.zip
request	POST http://116.203.166.104/
request	GET http://getnoon.top/c043bcd0ba06ae1d/freebl3.dll
request	GET http://getnoon.top/c043bcd0ba06ae1d/mozglue.dll
request	POST http://77.91.68.63/doma/net/index.php
request	GET http://getnoon.top/c043bcd0ba06ae1d/msvcp140.dll
request	GET http://getnoon.top/c043bcd0ba06ae1d/nss3.dll
request	GET http://getnoon.top/c043bcd0ba06ae1d/softokn3.dll
request	GET http://getnoon.top/c043bcd0ba06ae1d/vcruntime140.dll
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://vk.com/doc228185173_661824370?hash=voN0qMUYyG6idLKUN9WTq6aQoJBZOwLzZiSJPxnGnoz&dl=3UT4z4tzRL1V6VIedoxzLudkL43ZLt4otOi2TuOIPxT&api=1&no_preview=1
request	GET https://sun6-23.userapi.com/c235031/u228185173/docs/d2/86708e41457b/falaxy.bmp?extra=QrIHLQfHihFfoOBO9hsubnI4SNZnkrTh3ABCjFlHY8gB2CcoULfZ8kzd9QqUqKZ7VQVMoICuE450aU3XpQcl69fzFPjQdc01cZdb7tDJFwpt8YcEa8R-LOx6jdxHI1yh2H3Ii5gVjaITrI3Lcw
request	GET https://vk.com/doc228185173_661830509?hash=z77Tp2Bt5jc8CbHfC9pdvdFVpeHj77HUzJtS6jx8WZ8&dl=1eqxtSfgbXKz7M994WFagxxb8DLoZQgtZJXs62syX8T&api=1&no_preview=1#rise_test
request	GET https://sun6-21.userapi.com/c237131/u228185173/docs/d35/cba1dc576daa/RisePro_0_1_mA7L5kJnTfFOiuHxQYaS.bmp?extra=6eFX10003NmkdK20n5UdCb3WEylambZUyUim5R_OPESX2F0_moXizx4HxLPlF3bQclEN7i-gKWYRYOAEwXiW7wKnOQzR5j9q7bB9Mq3I8GYQYrBMtoqTTh3b_PeDpkJl6dJp96wredDP5e_x2Q
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://vk.com/doc228185173_661675966?hash=WIZmJ4srelm3loy6LntaCgIGY3LmupjV3W4uezZEqWo&dl=zhVczqBPZOQpqnKDUVkAVPrl9zZlS025dfZ0dmo13KT&api=1&no_preview=1#WW1
request	GET https://sun6-23.userapi.com/c909418/u228185173/docs/d27/5c0eb308c9d0/WWW1.bmp?extra=gjhLzDJWSRkwWYb9db9Qt7BAlTsoMWakHEa-g3uQI-jbiub7EVtjj6cX0PXK_mc-GZS4ELWmGQl3wImOtBZV7ocXJBluHOWEz6MFlwg4KMrre4fU7wLA_6UpnR3kemsnmM4-DWh0_Ht_xufXmA

Sends data using the HTTP POST Method (8 events)

request	POST http://85.208.136.10/api/firegate.php
request	POST http://as.imgjeoigaa.com/check/?sid=471022&key=35ecd06fa094e8e3f819bf02984a598e
request	POST http://45.9.74.80/0bjdn2Z/index.php
request	POST http://getnoon.top/410b5129171f10ea.php
request	POST http://as.imgjeoigaa.com/check/?sid=471204&key=7eee7f9860dae7a11fd31138ce88ab95
request	POST http://116.203.166.104/
request	POST http://77.91.68.63/doma/net/index.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (7 events)

ip	157.254.164.98
ip	185.81.68.115
ip	194.169.175.124
ip	194.169.175.128
ip	79.137.204.46
ip	83.97.73.128
ip	74.125.197.127

Resolves a suspicious Top Level Domain (TLD) (3 events)

domain	iplis.ru	description	Russian Federation domain TLD
domain	getnoon.top	description	Generic top level domain TLD
domain	lodar2ben.top	description	Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 20, 2023, 9:38 a.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 20, 2023, 9:38 a.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73913000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zE4A3D37D1\File.exe

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

MicroWorld-eScan	Trojan.GenericKD.67583218
FireEye	Trojan.GenericKD.67583218
BitDefender	Trojan.GenericKD.67583218
McAfee-GW-Edition	Artemis
Emsisoft	Trojan.GenericKD.67583218 (B)
MAX	malware (ai score=81)
Arcabit	Trojan.Generic.D4073CF2
GData	Trojan.GenericKD.67583218

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 20, 2023, 9:38 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW June 20, 2023, 9:38 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Performs a TXT record DNS lookup potentially for command and control or covert channel (1 event)

domain

bc4ef8da-d887-49be-b429-28634ffc09c5.uuid.cdntokiog.studio

Communicates with host for which no DNS query was performed (20 events)

host	116.203.166.104
host	157.254.164.98
host	163.123.143.4
host	185.81.68.115
host	194.169.175.124
host	194.169.175.128
host	45.12.253.56
host	45.12.253.72
host	45.12.253.74
host	45.12.253.75
host	45.15.156.229
host	45.9.74.6
host	45.9.74.80
host	79.137.204.46
host	83.97.73.131
host	85.208.136.10
host	94.142.138.131
host	77.91.68.63
host	83.97.73.128
host	95.216.249.153

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	45.12.253.74:80
dead_host	194.169.175.124:80
dead_host	163.123.143.4:80

File_pass1234.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All