Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 19, 2023, 2:42 p.m.	July 19, 2023, 2:44 p.m.

Size	5.3MB
Type	7-zip archive data, version 0.4
MD5	`46ad54c4ee3c4d92f87f62c0d7ca7c38`
SHA256	`8cf5d9cfe95a53fd7029349306b6d6eb98e39973df594ccab6440cade9e4c2bc`
CRC32	`63B4F273`
ssdeep	`98304:U4mL0QH58l7kj5Le5v5bOdL+QpifZQMwYvzqMmZtwWsfJPVRr+B8A:U4c0llYj5WbapiW3HfngrK1`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "OSEMcI" C:\Users\test22\AppData\Local\Temp\File_pass1234.7z
3020
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\File_pass1234.7z"
  932

Name	Response	Post-Analysis Lookup
us.imgjeoigaa.com	A 103.100.211.218	103.100.211.218
152.134.208.175.in-addr.arpa
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.137.164
zzz.fhauiehgha.com	A 156.236.72.121	156.236.72.121
iplis.ru	A 148.251.234.93	148.251.234.93
aa.imgjeoogbb.com	A 154.221.26.108	154.221.26.108
astergo.in	A 194.195.113.17	194.195.113.17
ipinfo.io	A 34.117.59.81	34.117.59.81
www.google.com	A 142.251.220.36	142.250.76.132
sun6-22.userapi.com	A 95.142.206.2	95.142.206.2
iplogger.org	A 148.251.234.83	148.251.234.83
hugersi.com	A 91.215.85.147	91.215.85.147
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.9.59
camoverde.pw
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15
www.maxmind.com	A 104.17.214.67 A 104.17.215.67	104.17.215.67
vanaheim.cn	A 46.173.215.12	46.173.215.12
sun6-21.userapi.com	A 95.142.206.1	95.142.206.1
fastpool.xyz	A 213.91.128.133	213.91.128.133
api.db-ip.com	A 104.26.4.15 A 104.26.5.15 A 172.67.75.166	104.26.5.15

IP Address	Status	Action
103.100.211.218	Active	Moloch
104.17.214.67	Active	Moloch
104.26.4.15	Active	Moloch
104.26.5.15	Active	Moloch
142.251.220.36	Active	Moloch
147.135.165.22	Active	Moloch
148.251.234.83	Active	Moloch
148.251.234.93	Active	Moloch
154.221.26.108	Active	Moloch
156.236.72.121	Active	Moloch
157.254.164.98	Active	Moloch
163.123.143.4	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.163	Active	Moloch
176.113.115.135	Active	Moloch
176.113.115.136	Active	Moloch
176.113.115.84	Active	Moloch
176.113.115.85	Active	Moloch
176.123.9.142	Active	Moloch
176.123.9.85	Active	Moloch
194.169.175.128	Active	Moloch
194.169.175.138	Active	Moloch
194.195.113.17	Active	Moloch
194.26.135.162	Active	Moloch
213.91.128.133	Active	Moloch
34.117.59.81	Active	Moloch
45.12.253.74	Active	Moloch
45.143.201.238	Active	Moloch
45.15.156.229	Active	Moloch
46.173.215.12	Active	Moloch
62.122.184.92	Active	Moloch
77.91.124.40	Active	Moloch
77.91.68.3	Active	Moloch
77.91.68.56	Active	Moloch
80.66.75.254	Active	Moloch
80.66.75.4	Active	Moloch
87.120.88.198	Active	Moloch
87.240.132.67	Active	Moloch
91.215.85.147	Active	Moloch
94.142.138.131	Active	Moloch
95.142.206.1	Active	Moloch
95.142.206.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49178 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49178 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49179 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
UDP 192.168.56.102:65226 -> 164.124.101.2:53	2016778	ET DNS Query to a *.pw domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.102:49174 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49185 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49174 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 176.113.115.84:80 -> 192.168.56.102:49189	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.102:49185 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49173 -> 94.142.138.131:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49195 -> 194.195.113.17:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49195 -> 194.195.113.17:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49196 -> 194.195.113.17:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49191 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49191 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 194.195.113.17:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49192 -> 194.195.113.17:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49204 -> 194.195.113.17:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 194.195.113.17:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 194.195.113.17:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.195.113.17:443 -> 192.168.56.102:49204	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 194.195.113.17:443 -> 192.168.56.102:49204	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 176.113.115.84:8080 -> 192.168.56.102:49203	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49203	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49203	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49175 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49193 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49202 -> 194.195.113.17:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 194.195.113.17:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49202 -> 194.195.113.17:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.195.113.17:443 -> 192.168.56.102:49202	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 194.195.113.17:443 -> 192.168.56.102:49202	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 91.215.85.147:80 -> 192.168.56.102:49197	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49210 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49210 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49215 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49207 -> 194.169.175.138:3002	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49212 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49212 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49214 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49214 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 194.169.175.138:3002 -> 192.168.56.102:49207	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 194.169.175.138:3002 -> 192.168.56.102:49207	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 194.169.175.138:3002 -> 192.168.56.102:49207	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49217 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49217 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49220 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49213 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:80 -> 192.168.56.102:49219	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49226 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49223 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49188 -> 77.91.124.40:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 77.91.124.40:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49194 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49228 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 77.91.124.40:80 -> 192.168.56.102:49188	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.124.40:80 -> 192.168.56.102:49188	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49198 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49209 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49190 -> 87.120.88.198:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 87.120.88.198:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 87.120.88.198:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 87.120.88.198:80	2018581	ET MALWARE Single char EXE direct download likely trojan (multiple families)	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 87.120.88.198:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 87.120.88.198:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 87.120.88.198:80 -> 192.168.56.102:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 87.120.88.198:80 -> 192.168.56.102:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49227 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49230 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49233 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 156.236.72.121:80 -> 192.168.56.102:49200	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.102:49231 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49239 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49218 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49222 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49225 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49234 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49235 -> 95.142.206.2:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49236 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 95.142.206.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49246 -> 45.15.156.229:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 148.251.234.93:443 -> 192.168.56.102:49259	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49264 -> 147.135.165.22:38685	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49268 -> 176.123.9.85:16482	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 176.123.9.142:14845 -> 192.168.56.102:49270	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 77.91.68.56:19071 -> 192.168.56.102:49272	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49273 -> 77.91.68.3:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.102:49273 -> 77.91.68.3:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49256 -> 104.17.214.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:65488 -> 8.8.8.8:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 194.26.135.162:2920 -> 192.168.56.102:49261	2400026	ET DROP Spamhaus DROP Listed Traffic Inbound group 27	Misc Attack
TCP 192.168.56.102:49261 -> 194.26.135.162:2920	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 148.251.234.83:443 -> 192.168.56.102:49262	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49253 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49254 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49258 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 157.254.164.98:28449 -> 192.168.56.102:49265	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49247 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49247 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49250 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49250 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49250 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49248 -> 154.221.26.108:80	2045057	ET MALWARE Win32/Fabookie.ek CnC Request M4 (GET)	A Network Trojan was detected
TCP 192.168.56.102:49251 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49260 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49260 -> 148.251.234.83:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49260 -> 148.251.234.83:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 176.113.115.135:431 -> 192.168.56.102:49281	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 176.113.115.136:431 -> 192.168.56.102:49282	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.102:49276 -> 213.91.128.133:10060	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 62.122.184.92:431 -> 192.168.56.102:49277	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 176.113.115.85:431 -> 192.168.56.102:49283	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49272 -> 77.91.68.56:19071	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49265 -> 157.254.164.98:28449	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49270 -> 176.123.9.142:14845	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49247 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 194.195.113.17:443 -> 192.168.56.102:49208	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 194.195.113.17:443 -> 192.168.56.102:49208	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.102:49276 -> 213.91.128.133:10060	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.102:49175 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49174 172.67.75.163:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49215 95.142.206.2:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49182 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49209 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49227 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49233 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49239 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49222 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49225 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49234 87.240.132.67:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49235 95.142.206.2:443	None	None	None
TLSv1 192.168.56.102:49237 95.142.206.1:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com	bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49253 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49254 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49251 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 19, 2023, 2:42 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 19, 2023, 2:42 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://94.142.138.131/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://94.142.138.131/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.91.124.40/info/photo113.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://87.120.88.198/g.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://87.120.88.198/g.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://77.91.124.40/info/photo113.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://176.113.115.84:8080/4.php
suspicious_features	Connection to IP address	suspicious_request	GET http://45.15.156.229/api/tracemap.php
suspicious_features	POST method with no referer header	suspicious_request	POST http://aa.imgjeoogbb.com/check/?sid=461810&key=12d22f1e6641af4b6121fa40717f1c68
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.68.3/home/love/index.php

Performs some HTTP requests (34 events)

request	GET http://94.142.138.131/api/tracemap.php
request	POST http://94.142.138.131/api/firegate.php
request	HEAD http://77.91.124.40/info/photo113.exe
request	HEAD http://87.120.88.198/g.exe
request	GET http://87.120.88.198/g.exe
request	GET http://77.91.124.40/info/photo113.exe
request	HEAD http://hugersi.com/dl/6523.exe
request	HEAD http://zzz.fhauiehgha.com/m/okka25.exe
request	GET http://zzz.fhauiehgha.com/m/okka25.exe
request	GET http://176.113.115.84:8080/4.php
request	GET http://hugersi.com/dl/6523.exe
request	GET http://us.imgjeoigaa.com/sts/imagc.jpg
request	GET http://45.15.156.229/api/tracemap.php
request	GET http://aa.imgjeoogbb.com/check/safe
request	POST http://aa.imgjeoogbb.com/check/?sid=461810&key=12d22f1e6641af4b6121fa40717f1c68
request	GET http://www.maxmind.com/geoip/v2.1/city/me
request	POST http://77.91.68.3/home/love/index.php
request	GET http://www.google.com/
request	GET https://api.myip.com/
request	GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request	GET https://vk.com/doc808950829_664352898?hash=TpvyQqEeYsjdodWTHrXtKlZqBTWVZrPRit56oUnvQNg&dl=sD0PBsoT1zBUSEgqcJWb3g6HPzuBQ8Yjvhr8mqZxT94&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c909218/u808950829/docs/d53/58e33ed5db21/h8d337t1s6ya.bmp?extra=CPXirvuFil6wae1g7IzRKLCuKaBG5TMNvah7vd8GEz_qhtFRRku91mgqgiq76or0u2ti2o0zTN89ctJv3eG53ZlBxfMxw-IYA776yUdrGBSY26Z4EfetiDoRLEeWerrhtc2_i9f6b90E94we8g
request	GET https://vk.com/doc808950829_663788437?hash=2eEvnU5tvv0tTTXDhEX8q9Boubn9undHCOt73KTUqzD&dl=EJ05zUitXuxdQoIcYUJ5Zj5KPM6Kzzrdpz0VhUeNkOo&api=1&no_preview=1#WW1
request	GET https://vk.com/doc808950829_664207170?hash=kMt7FUJyRMXd3utd25izhIrZbfZfaKJzCnFJqUmY3Sw&dl=uZ3GDnIBuaFj1FCG7xA3gziJZ6Zba8NMATPW6Lqrzb0&api=1&no_preview=1
request	GET https://sun6-22.userapi.com/c237331/u808950829/docs/d28/86e75507997e/PMmp.bmp?extra=gA4zaT6Xr3h2ftzx9AuPCMbqvjUtc-wRsrEKNOhevLqt_SZZwdVTPal8iTx6xd2U97xgKU53JupP_eejmSYNdmzSQRzU982T2aZornEsede4YUpcvteGCqHEQW4bsNatQleffyY9lAwLiXRnZg
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request	GET https://vk.com/doc808950829_664295976?hash=wWP2uKSW6vc2Zwh4dERWVq2558nuK0zAmie4S5babxg&dl=fnVWutUVH5EHCOnwUxAqrClRC7zCIeOyomm4pfSrZFc&api=1&no_preview=1#rise_test
request	GET https://vk.com/doc808950829_664443643?hash=BMSfO07vvSfVgzBLa3AhQ2T8ZfTsYk5klLKtxOZyNZT&dl=PkFfe0R1U4A4nZCFzzMLIHdvp6Lpl8cZoPyc3f4s1g0&api=1&no_preview=1#3
request	GET https://sun6-22.userapi.com/c237031/u808950829/docs/d38/ea4433a2b522/RisePro_0_2_9rOsvaKa1eDf138eBlTl.bmp?extra=DnpHLlKvtxovB1KUV49UCSmwoMRpKlllUvvs5vFdMDd9kEn--_oArRN2soMPvOpEI-bb2dSpQpeWyz19HgECB7QD057wQXbgM_yxe6Qe4PwZmwkS5S0weMFY6E7oO0zeiqN5poXsMtje8Ga45g
request	GET https://sun6-21.userapi.com/c236331/u808950829/docs/d20/0cef145379dd/3.bmp?extra=sissnLmA8_-6n9mrlaFvFGqsuE8xRQHYK27yqnUnxwCijQuiveAV-H1daYlYFGiEZwSXhdTHhRGRsJ1mxNlypFuQCV04gy5jZ4xe1_1nBm9bazUTI_xskEd39VLXPyTmLgdCohnnm6fC-d9b4Q
request	GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://db-ip.com/
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Sends data using the HTTP POST Method (4 events)

request	POST http://94.142.138.131/api/firegate.php
request	POST http://aa.imgjeoogbb.com/check/?sid=461810&key=12d22f1e6641af4b6121fa40717f1c68
request	POST http://77.91.68.3/home/love/index.php
request	POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (10 events)

ip	147.135.165.22
ip	157.254.164.98
ip	176.113.115.84
ip	176.123.9.142
ip	176.123.9.85
ip	194.169.175.128
ip	194.169.175.138
ip	194.26.135.162
ip	213.91.128.133
ip	77.91.68.56

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 19, 2023, 2:42 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74062000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 19, 2023, 2:42 p.m.	process_identifier: 932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zE4A3BE98A\File.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 19, 2023, 2:42 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW July 19, 2023, 2:42 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (23 events)

host	147.135.165.22
host	157.254.164.98
host	163.123.143.4
host	176.113.115.135
host	176.113.115.136
host	176.113.115.84
host	176.113.115.85
host	176.123.9.142
host	176.123.9.85
host	194.169.175.128
host	194.169.175.138
host	194.26.135.162
host	45.12.253.74
host	45.143.201.238
host	45.15.156.229
host	62.122.184.92
host	77.91.124.40
host	77.91.68.3
host	77.91.68.56
host	80.66.75.254
host	80.66.75.4
host	87.120.88.198
host	94.142.138.131

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 events)

dead_host	194.169.175.138:80
dead_host	45.12.253.74:80
dead_host	176.113.115.84:80
dead_host	192.168.56.102:49186
dead_host	163.123.143.4:80
dead_host	192.168.56.102:49189

File_pass1234.7z

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All