Summary | ZeroBOX

File_pass1234.7z

KeyLogger PWS Escalate priviledges AntiVM AntiDebug
Category Machine Started Completed
FILE s1_win7_x6402 July 13, 2023, 1:14 p.m. July 13, 2023, 1:16 p.m.
Size 5.9MB
Type 7-zip archive data, version 0.4
MD5 40058f3b772f34b08e4de41ce5975864
SHA256 a6d646057f8339a07f7b04c8771e9dac3cf1da9903c0f766c6530922610e16e5
CRC32 289CBE50
ssdeep 98304:VyRpzgTZWDbkTbmyAR+RRREagGjHAzp0VUYd9BAbDCn36SU6FDy:4RpzgNWDb6SR+bREagGj4p03AfcqSUJ
Yara None matched

IP Address Status Action
103.100.211.218 Active Moloch
104.17.215.67 Active Moloch
104.192.141.1 Active Moloch
104.21.0.171 Active Moloch
104.26.4.15 Active Moloch
104.26.5.15 Active Moloch
147.135.165.22 Active Moloch
148.251.234.83 Active Moloch
148.251.234.93 Active Moloch
154.221.26.108 Active Moloch
156.236.72.121 Active Moloch
157.254.164.98 Active Moloch
163.123.143.4 Active Moloch
164.124.101.2 Active Moloch
172.67.75.163 Active Moloch
176.123.9.85 Active Moloch
194.169.175.128 Active Moloch
194.169.175.136 Active Moloch
194.26.135.162 Active Moloch
34.117.59.81 Active Moloch
45.12.253.74 Active Moloch
45.15.156.229 Active Moloch
45.66.230.164 Active Moloch
61.111.58.35 Active Moloch
77.91.124.40 Active Moloch
87.240.137.164 Active Moloch
91.215.85.147 Active Moloch
94.142.138.113 Active Moloch
94.142.138.131 Active Moloch
95.142.206.0 Active Moloch
95.142.206.1 Active Moloch
95.142.206.3 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49177 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49177 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49179 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49177 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.0.171:80 -> 192.168.56.102:49195 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 104.192.141.1:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 104.192.141.1:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49192 -> 104.192.141.1:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49192 -> 104.192.141.1:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49190 -> 45.66.230.164:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49190 -> 45.66.230.164:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 45.66.230.164:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49191 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49190 -> 45.66.230.164:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49190 -> 45.66.230.164:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 45.66.230.164:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 104.192.141.1:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 45.66.230.164:80 -> 192.168.56.102:49190 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.66.230.164:80 -> 192.168.56.102:49190 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 104.21.0.171:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.0.171:80 -> 192.168.56.102:49193 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 104.21.0.171:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49185 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49185 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:53778 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49194 -> 104.21.0.171:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.0.171:80 -> 192.168.56.102:49194 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49207 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49207 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49189 -> 77.91.124.40:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 77.91.124.40:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49200 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49200 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49211 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49201 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49201 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49215 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49215 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49214 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49214 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 104.192.141.1:443 -> 192.168.56.102:49205 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49205 -> 104.192.141.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49216 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 172.67.75.163:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49217 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 172.67.75.163:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49217 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49175 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 156.236.72.121:80 -> 192.168.56.102:49206 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49218 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 77.91.124.40:80 -> 192.168.56.102:49189 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.124.40:80 -> 192.168.56.102:49189 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49224 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49224 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49181 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49225 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49228 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49232 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49221 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49208 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49234 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49234 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49235 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 104.192.141.1:443 -> 192.168.56.102:49210 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49242 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49244 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49243 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49236 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49247 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49248 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49246 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.192.141.1:443 -> 192.168.56.102:49209 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49209 -> 104.192.141.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.147:80 -> 192.168.56.102:49203 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49249 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49239 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49239 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49241 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49241 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49229 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49257 -> 154.221.26.108:80 2045057 ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET) A Network Trojan was detected
TCP 192.168.56.102:49263 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49265 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49259 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 157.254.164.98:28449 -> 192.168.56.102:49273 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 147.135.165.22:17748 -> 192.168.56.102:49275 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49233 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49233 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49240 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.169.175.136:3002 -> 192.168.56.102:49251 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.169.175.136:3002 -> 192.168.56.102:49251 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 194.169.175.136:3002 -> 192.168.56.102:49251 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49258 -> 176.123.9.85:16482 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
UDP 192.168.56.102:65168 -> 8.8.8.8:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 192.168.56.102:49268 -> 104.17.215.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49275 -> 147.135.165.22:17748 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49260 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49260 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49260 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49260 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49262 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49264 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49266 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49266 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49266 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 148.251.234.83:443 -> 192.168.56.102:49271 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 194.26.135.162:2920 -> 192.168.56.102:49274 2400026 ET DROP Spamhaus DROP Listed Traffic Inbound group 27 Misc Attack
TCP 192.168.56.102:49274 -> 194.26.135.162:2920 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49273 -> 157.254.164.98:28449 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49177 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49260 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49183
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49197
104.21.0.171:443
C=US, O=Let's Encrypt, CN=E1 CN=camoverde.pw 0b:eb:e2:e3:13:12:aa:a6:e0:88:7b:07:c6:0f:e5:6a:59:08:cf:18
TLSv1
192.168.56.102:49176
172.67.75.163:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49225
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49228
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49230
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49232
95.142.206.0:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49244
95.142.206.1:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49243
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49248
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49246
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49247
95.142.206.1:443
None None None
TLSv1
192.168.56.102:49249
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49229
95.142.206.3:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49265
104.26.4.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49240
87.240.137.164:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49262
104.26.5.15:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://94.142.138.131/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://94.142.138.131/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://77.91.124.40/info/photo540.exe
suspicious_features Connection to IP address suspicious_request HEAD http://45.66.230.164/g.exe
suspicious_features Connection to IP address suspicious_request GET http://45.66.230.164/g.exe
suspicious_features Connection to IP address suspicious_request GET http://77.91.124.40/info/photo540.exe
suspicious_features POST method with no referer header suspicious_request POST http://aa.imgjeoogbb.com/check/?sid=450708&key=ba2d5ff6ab8de1774d12bbe8f58b5f80
suspicious_features Connection to IP address suspicious_request GET http://45.15.156.229/api/tracemap.php
request GET http://94.142.138.131/api/tracemap.php
request POST http://94.142.138.131/api/firegate.php
request HEAD http://77.91.124.40/info/photo540.exe
request HEAD http://45.66.230.164/g.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://45.66.230.164/g.exe
request GET http://77.91.124.40/info/photo540.exe
request HEAD http://hugersi.com/dl/6523.exe
request HEAD http://zzz.fhauiehgha.com/m/okka25.exe
request GET http://zzz.fhauiehgha.com/m/okka25.exe
request GET http://hugersi.com/dl/6523.exe
request GET http://us.imgjeoigaa.com/sts/imagc.jpg
request GET http://aa.imgjeoogbb.com/check/safe
request POST http://aa.imgjeoogbb.com/check/?sid=450708&key=ba2d5ff6ab8de1774d12bbe8f58b5f80
request GET http://45.15.156.229/api/tracemap.php
request GET http://www.maxmind.com/geoip/v2.1/city/me
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://camoverde.pw/setup294.exe
request GET https://vk.com/doc808950829_663974118?hash=dOMWUsvinJ2cpviUzz7vnxpsK8egTpcGetxzR7zZrlH&dl=jOHjRjzy9zAt3pzHP5nbHskFZI2CUKmKC4cOjJyWMzc&api=1&no_preview=1#5
request GET https://sun6-23.userapi.com/c240331/u808950829/docs/d25/053a5d3ab851/5.bmp?extra=MgPqKvSpJRVzdc1sy4MhZh-5VcUgelLtlp5JQWONauDmpOLNKT3Dn1g342miQlipJZwQuz-T04bTlW8_-12eYUYB4gplokbQobMBlLGgw595euXc82IPMSrVok_cNx30Fk4rpmdNs2flQOg0wA
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request GET https://vk.com/doc808950829_664179824?hash=7y975z01doW0l1g0cI8z6K8SmxVd0YYXHDhMKKaBTZz&dl=XbJyBV6ZufZQ2A2vwUeIeNZ42zKjemc02v0szs3TE6z&api=1&no_preview=1#rise_test
request GET https://sun6-20.userapi.com/c909518/u808950829/docs/d27/7e44ee901e11/RisePro_0_2_9OlnHESIYJe6q7VK6ha9.bmp?extra=mFRh8hRuIL4PQbqjQpKrFn-yk8q7e2BWnJcqbaqBfpWrw12CSNwXPiydpOm7fdZW-VkLBpEDSQCAh9N4wgX73nDTC4QfkafUuRdE_zB6PAkYt8WkLxrZWRCZYzL9R1d-09JMTc0rjx7nTc8Ejw
request GET https://vk.com/doc808950829_663933421?hash=ioG5QB3qvIws86ott1cKJe6Pb7yplHVFXBwsSvr5HZs&dl=mmMqy1dNgzrQdMHtVCaer8XyZ5fyDV65DqKrscCiZKT&api=1&no_preview=1
request GET https://sun6-21.userapi.com/c235131/u808950829/docs/d53/768dda3e213b/31bhpef20u5o7.bmp?extra=dgmz4H72H5rvy_EBF4On77fbct5UBiCHg6aSLsmzFCBhDfvNnlr2E6WPbQDljvi-waBkmv0xSg8yRpLQO23hZ-sRBEpulUOykXPpY1Ka14ypP4q2TKzaWXBzUVGWmHL24zjTWqVEfilJLyVB5Q
request GET https://vk.com/doc808950829_664186552?hash=1s9iE5Kgt9FANPHVKZA2SevYzVjMVZoFv12OonZIzaT&dl=BQIZXKyYvEtMx9159XykdFJl2YsvYGygHeUBECzJOOX&api=1&no_preview=1#grey
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request GET https://sun6-21.userapi.com/c237331/u808950829/docs/d45/9e7526772d0a/Grey_MAsttre03.bmp?extra=8T3GVnRSHkbnOoamPgnW-Cv4xANxtyuLJC8y0QjDtpRD-bEhN0Uh8mhU3WHYrtyD-5SBhAokPpIvJ7QfT1aoGL667fCB4gXDv6A4mFx_xqyCDYuGNBN5ZlDyNeZUV-cCTGua33902_8YFarU7A
request GET https://vk.com/doc808950829_663871412?hash=8ehIwnmHBe3gPQFQr33m9RxU44AQihyQbijm4RaLc48&dl=Mq7velIvPVVgNnqKI27x77nmBa5DkTDs5e4oXZ7UFF8&api=1&no_preview=1
request GET https://sun6-20.userapi.com/c235031/u808950829/docs/d20/7255882231b8/PMmp.bmp?extra=y_OyY7INsH6aj7-dRXOZMRg8E7fAVBvEPjv-ZYd1fS-NIL0_vUy0d6mwXew80qrwMnqyLGSBlfN7EDlJ08NCr224j8-e2KmiUheMEur5pNv8keQ7mF88gBsWX9iPegCBlecJOMIS7-Vb41JftQ
request GET https://vk.com/doc808950829_663788437?hash=2eEvnU5tvv0tTTXDhEX8q9Boubn9undHCOt73KTUqzD&dl=EJ05zUitXuxdQoIcYUJ5Zj5KPM6Kzzrdpz0VhUeNkOo&api=1&no_preview=1#WW1
request GET https://db-ip.com/
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request POST http://94.142.138.131/api/firegate.php
request POST http://aa.imgjeoogbb.com/check/?sid=450708&key=ba2d5ff6ab8de1774d12bbe8f58b5f80
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
ip 147.135.165.22
ip 157.254.164.98
ip 176.123.9.85
ip 194.169.175.136
ip 194.26.135.162
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2188
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737e3000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zEC885B0AA\File.exe
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
host 147.135.165.22
host 157.254.164.98
host 163.123.143.4
host 176.123.9.85
host 194.169.175.128
host 194.169.175.136
host 194.26.135.162
host 45.12.253.74
host 45.15.156.229
host 45.66.230.164
host 77.91.124.40
host 94.142.138.113
host 94.142.138.131
dead_host 45.12.253.74:80
dead_host 194.169.175.128:50500
dead_host 194.169.175.136:80
dead_host 163.123.143.4:80