Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| fesad.s3.eu-north-1.amazonaws.com | 16.12.9.26 |
- UDP Requests
-
-
192.168.56.102:63709 164.124.101.2:53
-
192.168.56.102:64513 164.124.101.2:53
-
192.168.56.102:137 192.168.56.103:137
-
192.168.56.102:137 192.168.56.255:137
-
192.168.56.102:138 192.168.56.255:138
-
192.168.56.102:49152 239.255.255.250:3702
-
192.168.56.102:63712 239.255.255.250:1900
-
52.231.114.183:123 192.168.56.102:123
-
GET
0
https://fesad.s3.eu-north-1.amazonaws.com/Apppdfread.msi
REQUEST
RESPONSE
BODY
GET /Apppdfread.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: fesad.s3.eu-north-1.amazonaws.com
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49170 -> 16.12.11.30:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49173 -> 185.157.162.126:443 | 906200095 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (BitRAT) | undefined |
| TCP 185.157.162.126:443 -> 192.168.56.102:49173 | 2030724 | ET MALWARE Observed Malicious SSL Cert (BitRAT CnC) | Domain Observed Used for C2 Detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49170 16.12.11.30:443 |
C=US, O=Amazon, CN=Amazon RSA 2048 M01 | CN=*.s3.eu-north-1.amazonaws.com | 8e:bc:29:ca:40:d5:e9:65:60:42:17:f2:71:e5:3b:24:e1:b7:9a:41 |
|
TLS 1.2 192.168.56.102:49173 185.157.162.126:443 |
CN=BitRAT | CN=BitRAT | fb:e2:a7:63:31:a4:36:70:f5:2c:87:7b:ab:0b:4b:f8:e5:9c:9b:7a |
Snort Alerts
No Snort Alerts