Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 28, 2023, 2:51 p.m.	June 28, 2023, 2:54 p.m.

Size	5.9MB
Type	7-zip archive data, version 0.4
MD5	`a391d1c7127c4d323d110d325a8ad4fd`
SHA256	`af0f8d8b9e50de64ab335fc0bbb4b28b4fa01f773b3f61a6a6f2e56d040f72d4`
CRC32	`22CAE34C`
ssdeep	`98304:eovWT17/EPHI54ye4SXvpwPvSg30p28ZYzVvDRtP2IzkUXuJ5X:a17qo54yetuvSeeNYZRtOwXuJ5X`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "UdzIAQH" C:\Users\test22\AppData\Local\Temp\File_pass1234.7z
3036
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\File_pass1234.7z"
  2184

Name	Response	Post-Analysis Lookup
api.db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166
apps.identrust.com	CNAME a1952.dscq.akamai.net A 23.67.53.19 CNAME identrust.edgesuite.net A 23.67.53.18	23.67.53.19
aa.imgjeoogbb.com	A 154.221.26.108	154.221.26.108
ipinfo.io	A 34.117.59.81	34.117.59.81
api.telegram.org	A 149.154.167.220	149.154.167.220
hugersi.com	A 91.215.85.147	91.215.85.147
api.mylnikov.org	A 172.67.196.114 A 104.21.44.66	172.67.196.114
sun6-23.userapi.com	A 95.142.206.3	95.142.206.3
us.imgjeoigaa.com	A 103.100.211.218	103.100.211.218
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
icanhazip.com	A 104.18.115.97 A 104.18.114.97	104.18.114.97
www.maxmind.com	A 104.17.215.67 A 104.17.214.67	104.17.214.67
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	172.67.75.163
bitbucket.org	A 104.192.141.1	104.192.141.1
www.belma.ro	A 89.37.143.13 CNAME belma.ro	89.37.143.13
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.132.78
iplogger.org	A 148.251.234.83	148.251.234.83
sun6-20.userapi.com	A 95.142.206.0	95.142.206.0
filetops.com	A 176.123.0.55	176.123.0.55
zzz.fhauiehgha.com	A 156.236.72.121	156.236.72.121
traffic-to.site	A 172.67.171.62 A 104.21.29.16	104.21.29.16
iplis.ru	A 148.251.234.93	148.251.234.93
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
103.100.211.218	Active	Moloch
104.17.214.67	Active	Moloch
104.18.115.97	Active	Moloch
104.192.141.1	Active	Moloch
104.21.29.16	Active	Moloch
104.26.4.15	Active	Moloch
104.26.9.59	Active	Moloch
135.125.27.228	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
149.154.167.220	Active	Moloch
154.221.26.108	Active	Moloch
156.236.72.121	Active	Moloch
157.254.164.98	Active	Moloch
163.123.143.4	Active	Moloch
164.124.101.2	Active	Moloch
172.67.196.114	Active	Moloch
172.67.75.166	Active	Moloch
176.113.115.239	Active	Moloch
176.123.0.55	Active	Moloch
194.169.175.128	Active	Moloch
194.169.175.132	Active	Moloch
208.67.104.60	Active	Moloch
23.67.53.18	Active	Moloch
23.67.53.19	Active	Moloch
34.117.59.81	Active	Moloch
45.12.253.74	Active	Moloch
45.15.156.229	Active	Moloch
45.9.74.6	Active	Moloch
77.91.68.63	Active	Moloch
83.97.73.131	Active	Moloch
83.97.73.134	Active	Moloch
85.208.136.10	Active	Moloch
87.240.137.164	Active	Moloch
89.37.143.13	Active	Moloch
91.215.85.147	Active	Moloch
95.142.206.0	Active	Moloch
95.142.206.2	Active	Moloch
95.142.206.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 208.67.104.60:80 -> 192.168.56.102:49174	2400039	ET DROP Spamhaus DROP Listed Traffic Inbound group 40	Misc Attack
TCP 192.168.56.102:49179 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49179	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49175 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 208.67.104.60:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49184 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49196 -> 104.21.29.16:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.29.16:80 -> 192.168.56.102:49196	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49200 -> 104.21.29.16:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49197 -> 104.21.29.16:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.29.16:80 -> 192.168.56.102:49197	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 104.192.141.1:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 104.192.141.1:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:80 -> 192.168.56.102:49195	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 104.21.29.16:80 -> 192.168.56.102:49198	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49192 -> 83.97.73.134:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49186 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 83.97.73.134:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49201 -> 104.192.141.1:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49201 -> 104.192.141.1:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 83.97.73.134:80 -> 192.168.56.102:49192	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 83.97.73.134:80 -> 192.168.56.102:49192	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 104.192.141.1:443 -> 192.168.56.102:49209	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49204 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49209 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49204	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49203 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49203 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49210 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49212 -> 89.37.143.13:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49212 -> 89.37.143.13:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49215	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49213 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49213 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49216 -> 176.123.0.55:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 176.123.0.55:80 -> 192.168.56.102:49216	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49217 -> 89.37.143.13:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 87.240.137.164:80 -> 192.168.56.102:49226	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 176.123.0.55:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49227 -> 176.123.0.55:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49187	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49205 -> 104.192.141.1:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 176.123.0.55:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 176.123.0.55:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49206 -> 89.37.143.13:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49206 -> 89.37.143.13:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.147:80 -> 192.168.56.102:49208	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49232 -> 89.37.143.13:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49232 -> 89.37.143.13:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49228	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49229 -> 89.37.143.13:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 89.37.143.13:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 89.37.143.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 89.37.143.13:443 -> 192.168.56.102:49229	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.37.143.13:443 -> 192.168.56.102:49229	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49236 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49244 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49244 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49214 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49220 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49235 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49240 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49240 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49243	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49249 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49251 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49252 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49241 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49254 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49258 -> 95.142.206.3:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49257 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49223 -> 89.37.143.13:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 89.37.143.13:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 89.37.143.13:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.132:3002 -> 192.168.56.102:49263	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.132:3002 -> 192.168.56.102:49263	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 194.169.175.132:3002 -> 192.168.56.102:49263	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49233 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49233 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49246 -> 87.240.137.164:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49246 -> 87.240.137.164:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49255 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49271 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49271 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49271 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49273 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49283 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49271 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49275 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49275 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49275 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49285 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49284 -> 154.221.26.108:80	2045057	ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)	A Network Trojan was detected
TCP 192.168.56.102:49290 -> 104.17.214.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49297 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49294 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49297 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49297 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
UDP 192.168.56.102:63564 -> 8.8.8.8:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.102:49298	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49256 -> 87.240.137.164:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.220:443 -> 192.168.56.102:49310	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49305 -> 172.67.196.114:443	2033010	ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49305 -> 172.67.196.114:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49310 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.102:49310 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49310 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.102:49304 -> 104.18.115.97:80	2017398	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)	Attempted Information Leak
TCP 192.168.56.102:49317 -> 77.91.68.63:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.102:49317 -> 77.91.68.63:80	2044695	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1	A Network Trojan was detected
TCP 192.168.56.102:49317 -> 77.91.68.63:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
UDP 192.168.56.102:54117 -> 8.8.8.8:53	2033966	ET HUNTING Telegram API Domain in DNS Lookup	Misc activity
TCP 192.168.56.102:49259 -> 95.142.206.0:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49269 -> 85.208.136.10:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49270 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 148.251.234.93:443 -> 192.168.56.102:49295	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.131:19071 -> 192.168.56.102:49306	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 83.97.73.131:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49279 -> 172.67.75.166:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49280 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49281 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49281 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49281 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49287 -> 104.17.214.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.220:443 -> 192.168.56.102:49308	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49308 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.102:49308 -> 149.154.167.220:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49308 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.102:49308 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 192.168.56.102:49310 -> 149.154.167.220:443	2033967	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)	Misc activity
TCP 89.37.143.13:443 -> 192.168.56.102:49232	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.37.143.13:443 -> 192.168.56.102:49232	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49271 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 89.37.143.13:443 -> 192.168.56.102:49223	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 89.37.143.13:443 -> 192.168.56.102:49223	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49177 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49175 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49184 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49200 104.21.29.16:443	C=US, O=Let's Encrypt, CN=E1	CN=traffic-to.site	e6:eb:e3:d8:cd:99:c5:cb:65:18:d5:6c:59:8a:9b:ba:10:fb:ae:d9
TLSv1 192.168.56.102:49227 176.123.0.55:443	C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority	CN=filetops.com	4e:54:49:63:ef:6b:47:5c:15:8f:ca:37:04:ad:6d:7a:98:e2:a0:8c
TLSv1 192.168.56.102:49245 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49249 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49251 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49241 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49252 95.142.206.2:443	None	None	None
TLSv1 192.168.56.102:49254 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49258 95.142.206.3:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49257 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49255 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49283 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49273 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49285 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49256 87.240.137.164:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLS 1.2 192.168.56.102:49305 172.67.196.114:443	C=US, O=Let's Encrypt, CN=E1	CN=mylnikov.org	d5:7e:b5:9d:8c:35:39:14:75:a5:ea:ee:59:ac:7d:5b:94:53:8a:f8
TLSv1 192.168.56.102:49259 95.142.206.0:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49279 172.67.75.166:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49280 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 28, 2023, 2:51 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 28, 2023, 2:51 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://208.67.104.60/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://208.67.104.60/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://83.97.73.134/gallery/photo085.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://83.97.73.134/gallery/photo085.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://85.208.136.10/api/tracemap.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	POST method with no referer header	suspicious_request	POST http://aa.imgjeoogbb.com/check/?sid=276518&key=b5328cbca81c5120b1a821f3fa173faf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://icanhazip.com/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.63/doma/net/index.php

Performs some HTTP requests (36 events)

request	GET http://208.67.104.60/api/tracemap.php
request	POST http://208.67.104.60/api/firegate.php
request	HEAD http://83.97.73.134/gallery/photo085.exe
request	HEAD http://zzz.fhauiehgha.com/m/okka25.exe
request	GET http://zzz.fhauiehgha.com/m/okka25.exe
request	GET http://83.97.73.134/gallery/photo085.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	HEAD http://hugersi.com/dl/6523.exe
request	GET http://hugersi.com/dl/6523.exe
request	GET http://us.imgjeoigaa.com/sts/imagc.jpg
request	GET http://85.208.136.10/api/tracemap.php
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://aa.imgjeoogbb.com/check/safe
request	POST http://aa.imgjeoogbb.com/check/?sid=276518&key=b5328cbca81c5120b1a821f3fa173faf
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	GET http://icanhazip.com/
request	POST http://77.91.68.63/doma/net/index.php
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://traffic-to.site/294/setup294.exe
request	GET https://filetops.com/4444.exe
request	GET https://vk.com/doc808950829_663175378?hash=I29Eyccvik9W3sMTiQkMGRrmawPF3AUVge22Ez2sdQc&dl=CSMWKomjoZBnBwX0QjOb95MM0LIvJKsuh3hvz4d7znH&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c236331/u808950829/docs/d59/97db56109cc3/PMmp.bmp?extra=3xUHc3vIHtsQ4apnaudEaaOMUwCmuCT6niflMu74sArfyQ6BO1MW5K_lgXqba9BbDXcHHOULMqn-0_5izleDdeGisDVBClQfV7bhzFoQp38yKz78535Pooh6osgYrP3WPHDbx2frougok3yr8g
request	GET https://vk.com/doc808950829_663479541?hash=K0yCWPEa4A7ApJpKzIuTMuHBaXSAot8zL0NuY18rchD&dl=LqAsNGup5PzzrdltO8f4O2XIetwWiPuj1UIdzZ97p40&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c909228/u808950829/docs/d36/855a1208b9a5/123.bmp?extra=8rST-m7cMkdMRkZCAhuuQ9KqgqRBIOP3ztgMUrNp4ACjIUPvMDEJYtJCTV-kVQ33SLq2EuEutrTeM9UoPFnX937kT5WW4PxRkNQ7kecEXFo_UIM-94riMimx9fBmFWiaPIYYhZA1bcS6674WuQ
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://vk.com/doc808950829_663416193?hash=TwgmTA3pMX5XUbfBEPazmzdRVPdFw9t8BbYBqJvidU8&dl=H6DzAmaBeDTytHVbTKfRExM88kxUqIpLizX7g2YgUEL&api=1&no_preview=1#WW1
request	GET https://vk.com/doc808950829_663371568?hash=nCbeQhSdektZCklmCq7XtG48Ee60nv8DORi9fErSJWH&dl=TYjpYtrURbaoeiox6ukI3zcdJlSPMzTTZwoXzpHEm48&api=1&no_preview=1#rise_test
request	GET https://sun6-23.userapi.com/c909518/u808950829/docs/d20/db5f8308e1f9/WWW1.bmp?extra=FNA7yVy05GQ6wVOEZNucpCb6b4M1teQcHl7LIarVuy1dP8AfdlS5w2G5sMhRZG-7yzXm4os_E_Aq9SmiRQmjEtqwJOlQ38yC8iNRsxIyTdf53FnxlRm7ZRell0Yigc5D98LiZCLZpKmhQ47PiQ
request	GET https://vk.com/doc808950829_663224718?hash=MecbZtH1dewIoIW4kjPPGbZGLae6mvGIIKRzV97LeZz&dl=tuiyrZQKgq9qLcaQMk2ZMvnmbdHXhuzWormyzFZS5MT&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c909618/u808950829/docs/d28/98c9c22b33e0/ccloudcosmic.bmp?extra=8vDjYTwOMfy2Uk2uqA9i7sJlBOEjdYp1CiXU2QbXgN5VNOJ9w-tEc8evgdnPCNljH_BxwXWoia4-4QI8HDBIwF1ZibiisNI0RPtZ8Ri7xZX54RTOIRYPjSsVJmFW6Sjkl9h_whZo2JjgFCNlEQ
request	GET https://sun6-20.userapi.com/c909228/u808950829/docs/d4/31b070f9c2c7/RisePro_0_1_vgWJ8smB7NzPfuCfGTFK.bmp?extra=wCM9GLpF0p59NfnMtAVSYbrsqVTt8DFtQfayqC0SOxSsv1u5Cp_dIG2klbiJu8xODeDQQPpcb_sVIWoc_Mps1nY1FZPHqUuKqQxQKU6QD240PNLfYmhP5BtZX-je24Zi-3VynTW00KVb3jV25Q
request	GET https://db-ip.com/
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Sends data using the HTTP POST Method (4 events)

request	POST http://208.67.104.60/api/firegate.php
request	POST http://aa.imgjeoogbb.com/check/?sid=276518&key=b5328cbca81c5120b1a821f3fa173faf
request	POST http://77.91.68.63/doma/net/index.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 28, 2023, 2:51 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory June 28, 2023, 2:51 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (2 events)

domain	icanhazip.com
domain	ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zE8883B081\File.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 28, 2023, 2:51 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW June 28, 2023, 2:52 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (14 events)

host	135.125.27.228
host	157.254.164.98
host	163.123.143.4
host	176.113.115.239
host	194.169.175.128
host	194.169.175.132
host	208.67.104.60
host	45.12.253.74
host	45.15.156.229
host	45.9.74.6
host	77.91.68.63
host	83.97.73.131
host	83.97.73.134
host	85.208.136.10

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (15 events)

dead_host	45.12.253.74:80
dead_host	192.168.56.102:49303
dead_host	45.9.74.6:80
dead_host	176.113.115.239:8080
dead_host	192.168.56.102:49302
dead_host	135.125.27.228:39396
dead_host	192.168.56.102:49313
dead_host	192.168.56.102:49277
dead_host	176.113.115.239:80
dead_host	192.168.56.102:49299
dead_host	194.169.175.132:80
dead_host	192.168.56.102:49316
dead_host	163.123.143.4:80
dead_host	157.254.164.98:28449
dead_host	192.168.56.102:49320

File_pass1234.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All