Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Aug. 2, 2023, 4:56 p.m. | Aug. 2, 2023, 5:04 p.m. |
-
x-admins.exe "C:\Users\test22\AppData\Local\Temp\x-admins.exe"
792
Name | Response | Post-Analysis Lookup |
---|---|---|
apps.identrust.com |
CNAME
a1952.dscq.akamai.net
CNAME
identrust.edgesuite.net
|
23.67.53.27 |
nodejs--veyynveyynov.repl.co | 35.186.245.55 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49161 -> 35.186.245.55:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49164 -> 35.186.245.55:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49166 -> 35.186.245.55:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49165 -> 35.186.245.55:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49161 35.186.245.55:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=repl.co | 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f |
TLSv1 192.168.56.103:49164 35.186.245.55:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=repl.co | 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f |
TLSv1 192.168.56.103:49166 35.186.245.55:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=repl.co | 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f |
TLSv1 192.168.56.103:49165 35.186.245.55:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=repl.co | 98:0e:de:6d:18:49:ac:af:7a:dd:24:4f:de:ce:cb:be:26:57:b1:5f |
request | GET http://apps.identrust.com/roots/dstrootcax3.p7c |
section | {u'size_of_data': u'0x0004ee00', u'virtual_address': u'0x00083000', u'entropy': 7.998566539586151, u'name': u'UPX1', u'virtual_size': u'0x0004f000'} | entropy | 7.99856653959 | description | A section with a high entropy has been found | |||||||||
entropy | 0.933431952663 | description | Overall entropy of this PE file is high |
section | UPX0 | description | Section name indicates UPX | ||||||
section | UPX1 | description | Section name indicates UPX |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob |
Bkav | W32.AIDetectMalware |
FireEye | Generic.mg.1bdfa5d4db8f961f |
McAfee | Artemis!1BDFA5D4DB8F |
Malwarebytes | Malware.AI.1914786265 |
Symantec | ML.Attribute.HighConfidence |
Elastic | malicious (moderate confidence) |
Cynet | Malicious (score: 100) |
APEX | Malicious |
McAfee-GW-Edition | BehavesLike.Win32.Generic.fc |
Trapmine | malicious.high.ml.score |
SentinelOne | Static AI - Malicious PE |
Jiangmin | Trojan.Script.auxn |
Antiy-AVL | Trojan/Win32.PossibleThreat |
Xcitium | Packed.Win32.MUPX.Gen@24tbus |
Microsoft | Trojan:Script/Phonzy.A!ml |
AhnLab-V3 | Malware/Win32.RL_Generic.R325756 |
Rising | Trojan.Generic@AI.99 (RDML:AF2cKbJeSE3sCytm9DaVGA) |
MaxSecure | Trojan.Malware.300983.susgen |
Fortinet | W32/PossibleThreat |
DeepInstinct | MALICIOUS |
CrowdStrike | win/malicious_confidence_60% (W) |