Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| fesad.s3.eu-north-1.amazonaws.com | 16.12.9.14 |
GET
0
https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi
REQUEST
RESPONSE
BODY
GET /Apppdfread.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: fesad.s3.eu-north-1.amazonaws.com
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49174 -> 52.95.171.4:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.101:49176 -> 185.157.162.126:443 | 906200095 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) | undefined |
| TCP 185.157.162.126:443 -> 192.168.56.101:49176 | 2030724 | ET MALWARE Observed Malicious SSL Cert (BitRAT CnC) | Domain Observed Used for C2 Detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49174 52.95.171.4:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.s3.eu-north-1.amazonaws.com | 8e:bc:29:ca:40:d5:e9:65:60:42:17:f2:71:e5:3b:24:e1:b7:9a:41 |
|
TLS 1.2 192.168.56.101:49176 185.157.162.126:443 |
CN=BitRAT | CN=BitRAT | fb:e2:a7:63:31:a4:36:70:f5:2c:87:7b:ab:0b:4b:f8:e5:9c:9b:7a |
Snort Alerts
No Snort Alerts