Summary | ZeroBOX

gate9_pass1234.7z

KeyLogger PWS Escalate priviledges AntiVM AntiDebug
Category FILE
Machine s1_win7_x6402
Started Sept. 27, 2023, 6:33 p.m.
Completed Sept. 27, 2023, 6:36 p.m.
Size 5.2MB
Type 7-zip archive data, version 0.4
MD5 fb744c58353b153a548fd04fd959b232
SHA256 da47cb8d45c95d20d365cb771a71e77331f241df1d4f269c45cccf7e8ac8ba0a
CRC32 AF04305B
ssdeep 98304:/PCED7mHNKdvzqspHYZDwrJP+QAgOam9jZZb/Bw7U/al6G5CXczO:/KED7YovGEEUdP+wOX1nb/Bw7U+6QCXX
Yara None matched

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49178 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49189 -> 171.22.28.208:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 171.22.28.208:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 171.22.28.208:80 2016698 ET HUNTING Suspicious services.exe in URI Potentially Bad Traffic
TCP 176.113.115.84:80 -> 192.168.56.102:49193 2400018 ET DROP Spamhaus DROP Listed Traffic Inbound group 19 Misc Attack
TCP 192.168.56.102:49188 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49208 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49188 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49208 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 104.26.9.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49182 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49186 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 104.26.9.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49182 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49197 -> 172.67.197.101:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 172.67.197.101:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49198 -> 172.67.197.101:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.197.101:80 -> 192.168.56.102:49198 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 172.67.197.101:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
UDP 192.168.56.102:53778 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 171.22.28.208:80 -> 192.168.56.102:49189 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.208:80 -> 192.168.56.102:49189 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49196 -> 46.173.215.72:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.102:49196 -> 46.173.215.72:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.102:49183 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49183 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49207 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49184 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
UDP 192.168.56.102:51405 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49201 -> 172.67.197.101:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.90.117:80 -> 192.168.56.102:49195 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49190 -> 45.129.14.83:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49190 -> 45.129.14.83:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 45.129.14.83:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49192 -> 194.169.175.232:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49194 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49194 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49190 -> 45.129.14.83:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49190 -> 45.129.14.83:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 45.129.14.83:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.102:49192 -> 194.169.175.232:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49202 -> 46.173.215.72:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.102:49212 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.129.14.83:80 -> 192.168.56.102:49190 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.129.14.83:80 -> 192.168.56.102:49190 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49213 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49191 -> 77.91.68.239:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 194.169.175.232:80 -> 192.168.56.102:49192 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.169.175.232:80 -> 192.168.56.102:49192 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 77.91.68.239:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 46.173.215.72:80 -> 192.168.56.102:49202 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49203 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 46.173.215.72:80 -> 192.168.56.102:49202 2023464 ET HUNTING Possible EXE Download From Suspicious TLD Misc activity
TCP 192.168.56.102:49203 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49204 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49204 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.147:80 -> 192.168.56.102:49206 2400006 ET DROP Spamhaus DROP Listed Traffic Inbound group 7 Misc Attack
TCP 77.91.68.239:80 -> 192.168.56.102:49191 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.68.239:80 -> 192.168.56.102:49191 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49216 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49223 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49232 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49238 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49226 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49240 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49243 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 176.113.115.84:8080 -> 192.168.56.102:49209 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49209 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49209 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49245 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49247 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49248 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49211 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49211 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.147:80 -> 192.168.56.102:49206 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49220 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49229 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49229 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49215 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49214 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49215 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49214 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49219 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49221 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49222 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49228 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49231 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49239 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49249 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49244 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49252 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49218 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49218 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49250 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49234 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49236 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49236 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49246 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49258 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49254 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49255 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49263 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49260 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49262 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49267 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49264 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49272 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49269 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49274 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49271 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49273 -> 149.154.167.99:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49279 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49276 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49281 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49282 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49285 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49286 -> 5.255.255.70:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49290 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.169.175.128:50500 -> 192.168.56.102:49289 2046266 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Malware Command and Control Activity Detected
TCP 156.236.72.121:443 -> 192.168.56.102:49299 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49303 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49303 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49303 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 156.236.72.121:443 -> 192.168.56.102:49292 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49302 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49293 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 194.169.175.128:50500 -> 192.168.56.102:49289 2046267 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) Malware Command and Control Activity Detected
TCP 192.168.56.102:49306 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49305 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49307 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49307 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49307 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 156.236.72.121:443 -> 192.168.56.102:49313 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49308 -> 62.217.160.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49315 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49317 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49312 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49319 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49316 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49289 -> 194.169.175.128:50500 2046269 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) Malware Command and Control Activity Detected
TCP 192.168.56.102:49327 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49320 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49325 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49321 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49328 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49340 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49358 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49343 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49345 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49348 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49333 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49353 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 148.251.234.93:443 -> 192.168.56.102:49331 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49357 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49357 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49357 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49336 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.102:53991 -> 164.124.101.2:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 192.168.56.102:49366 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49366 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49354 -> 176.123.9.142:37637 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49354 -> 176.123.9.142:37637 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49354 -> 176.123.9.142:37637 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49354 -> 176.123.9.142:37637 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 194.169.175.232:45451 -> 192.168.56.102:49356 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49370 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49365 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 176.123.9.142:37637 -> 192.168.56.102:49354 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49339 -> 193.42.32.118:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49392 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49389 -> 171.22.28.208:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49393 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49256 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49278 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 149.154.167.99:443 -> 192.168.56.102:49277 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49389 -> 171.22.28.208:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49283 -> 104.244.42.193:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49288 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49363 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49298 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49395 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49311 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 171.22.28.208:80 -> 192.168.56.102:49389 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.208:80 -> 192.168.56.102:49389 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49375 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49372 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49326 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49346 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 148.251.234.83:443 -> 192.168.56.102:49344 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49349 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49381 -> 87.240.129.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49387 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49364 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49391 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49361 -> 87.240.129.133:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49361 -> 87.240.129.133:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 146.59.10.173:45035 -> 192.168.56.102:49355 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49371 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49376 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49396 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49380 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49382 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49388 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49397 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49401 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49399 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49400 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49403 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49405 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49406 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49408 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49409 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49410 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49416 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49417 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49411 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49411 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49420 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 45.9.74.80:80 -> 192.168.56.102:49411 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.9.74.80:80 -> 192.168.56.102:49411 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.102:49425 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49426 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49428 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49433 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49259 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49268 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49436 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49414 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49297 -> 172.67.75.163:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49297 -> 172.67.75.163:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49301 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2047625 ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST) A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49412 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49323 -> 213.180.204.24:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49330 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49334 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49337 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49441 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49437 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49338 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49338 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49338 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49412 -> 45.9.74.80:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49338 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49423 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49350 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49448 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49449 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49450 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49429 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49430 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49352 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49453 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49445 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49454 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49432 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49456 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49457 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49434 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49360 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 194.169.175.232:45451 -> 192.168.56.102:49356 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49463 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49367 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49369 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 77.91.124.55:19071 -> 192.168.56.102:49461 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49377 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49466 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49469 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49438 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49384 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49440 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49458 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49471 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49386 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 146.59.10.173:45035 -> 192.168.56.102:49355 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49462 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49446 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49483 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49483 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49483 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49477 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49477 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49481 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49482 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49488 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49356 -> 194.169.175.232:45451 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49465 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49492 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49493 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49495 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49497 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49502 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49505 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49506 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49503 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 87.240.132.72:80 -> 192.168.56.102:49503 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49291 -> 5.42.92.211:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.102:49510 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49511 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49508 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 77.91.124.55:19071 -> 192.168.56.102:49461 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49472 -> 94.142.138.131:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49521 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49467 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49419 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49473 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49522 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49507 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49515 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49516 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49421 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49518 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49523 -> 162.0.217.254:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49523 -> 162.0.217.254:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49523 -> 162.0.217.254:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49527 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49528 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49536 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49485 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 162.0.217.254:443 -> 192.168.56.102:49529 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49543 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49544 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49487 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49532 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49549 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49533 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49539 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49442 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49545 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49552 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49444 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49553 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49564 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49559 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
UDP 192.168.56.102:53039 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49563 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49580 -> 104.21.21.189:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49586 -> 104.21.21.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49576 -> 104.21.21.189:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 104.21.21.189:80 -> 192.168.56.102:49576 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49452 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49592 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49569 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49575 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49575 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49561 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49561 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49577 -> 172.67.197.101:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 172.67.197.101:80 -> 192.168.56.102:49577 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49582 -> 87.236.19.185:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.102:49579 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49460 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49584 -> 172.67.197.101:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49475 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 104.21.90.117:80 -> 192.168.56.102:49572 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49476 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49478 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49573 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49489 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49491 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49498 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49498 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49589 -> 172.67.197.101:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
UDP 192.168.56.102:62197 -> 164.124.101.2:53 2027026 ET POLICY External IP Address Lookup DNS Query (2ip .ua) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49599 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49519 -> 162.0.217.254:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49519 -> 162.0.217.254:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49519 -> 162.0.217.254:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49594 -> 45.130.231.6:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49535 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49537 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49540 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49578 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49578 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49542 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49551 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49554 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49556 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49558 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49496 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49567 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49568 -> 171.22.28.222:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49568 -> 171.22.28.222:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49585 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49587 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49568 -> 171.22.28.222:80 2018581 ET MALWARE Single char EXE direct download likely trojan (multiple families) A Network Trojan was detected
TCP 192.168.56.102:49568 -> 171.22.28.222:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49595 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 171.22.28.222:80 -> 192.168.56.102:49568 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 171.22.28.222:80 -> 192.168.56.102:49568 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49601 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49582 -> 87.236.19.185:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49605 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49603 -> 45.130.231.6:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49603 -> 45.130.231.6:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49603 -> 45.130.231.6:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 45.130.231.6:443 -> 192.168.56.102:49603 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 45.130.231.6:443 -> 192.168.56.102:49603 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
UDP 192.168.56.102:63080 -> 8.8.8.8:53 2047719 ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49500 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49617 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49613 -> 45.130.231.6:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49613 -> 45.130.231.6:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49501 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 45.130.231.6:443 -> 192.168.56.102:49613 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 45.130.231.6:443 -> 192.168.56.102:49613 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49627 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 148.251.234.93:443 -> 192.168.56.102:49615 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49615 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49615 -> 148.251.234.93:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49618 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49612 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49628 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49632 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49630 -> 45.130.231.6:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49630 -> 45.130.231.6:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49630 -> 45.130.231.6:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 45.130.231.6:443 -> 192.168.56.102:49630 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 45.130.231.6:443 -> 192.168.56.102:49630 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49638 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49639 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49619 -> 213.6.54.58:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49619 -> 213.6.54.58:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49640 -> 45.130.231.6:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49640 -> 45.130.231.6:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49640 -> 45.130.231.6:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 45.130.231.6:443 -> 192.168.56.102:49640 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 45.130.231.6:443 -> 192.168.56.102:49640 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 156.236.72.121:443 -> 192.168.56.102:49645 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49650 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 156.236.72.121:443 -> 192.168.56.102:49621 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49634 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
TCP 192.168.56.102:49654 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49648 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.72:80 -> 192.168.56.102:49624 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49641 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49641 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49646 -> 213.6.54.58:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49606 -> 104.21.6.10:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.72:80 -> 192.168.56.102:49598 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49597 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49597 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49658 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49512 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49607 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49611 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49652 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49652 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49661 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49662 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49616 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49663 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49671 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49664 -> 213.6.54.58:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49673 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 156.236.72.121:443 -> 192.168.56.102:49674 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49675 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49626 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49685 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49679 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49684 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49682 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49692 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49698 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49695 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49629 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49690 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49706 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49708 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49709 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49712 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49711 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49689 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49716 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49694 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49691 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49517 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49725 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 148.251.234.93:443 -> 192.168.56.102:49721 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49633 -> 213.6.54.58:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49633 -> 213.6.54.58:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49721 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49721 -> 148.251.234.93:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49722 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49729 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49524 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49733 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49715 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49530 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49734 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49735 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49737 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49740 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49746 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49747 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49647 -> 45.130.231.6:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49647 -> 45.130.231.6:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 45.130.231.6:443 -> 192.168.56.102:49647 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 45.130.231.6:443 -> 192.168.56.102:49647 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49730 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49751 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49547 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49750 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49653 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49754 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49756 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49565 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49759 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49763 -> 204.79.197.219:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49570 -> 104.21.21.189:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.21.189:80 -> 192.168.56.102:49570 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49761 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49562 -> 87.240.132.72:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49562 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49581 -> 172.67.197.101:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.197.101:80 -> 192.168.56.102:49581 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49765 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49600 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 31.41.244.27:41140 -> 192.168.56.102:49769 2400000 ET DROP Spamhaus DROP Listed Traffic Inbound group 1 Misc Attack
TCP 192.168.56.102:49769 -> 31.41.244.27:41140 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49602 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49769 -> 31.41.244.27:41140 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49769 -> 31.41.244.27:41140 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49769 -> 31.41.244.27:41140 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49773 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49782 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49779 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49776 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49780 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49790 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49796 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49799 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49803 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49806 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49808 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49809 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49818 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49797 -> 45.15.156.229:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49815 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49817 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49817 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49817 -> 148.251.234.93:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49816 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49835 -> 176.123.4.46:33783 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49827 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49830 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49835 -> 176.123.4.46:33783 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49835 -> 176.123.4.46:33783 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 176.123.4.46:33783 -> 192.168.56.102:49835 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49839 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49846 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49841 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49850 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49610 -> 87.240.132.72:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.72:80 -> 192.168.56.102:49610 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49843 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49855 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49461 -> 77.91.124.55:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49870 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49872 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49623 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49881 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49858 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49883 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49857 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49878 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49878 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49864 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49891 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49865 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49908 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49869 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49911 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49742 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49918 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49922 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49862 -> 148.251.234.93:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49930 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49871 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49936 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49937 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49863 -> 87.240.132.78:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49945 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.78:80 -> 192.168.56.102:49863 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 156.236.72.121:443 -> 192.168.56.102:49912 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49668 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49835 -> 176.123.4.46:33783 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49947 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49642 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49643 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49867 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49651 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49889 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49657 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49672 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49897 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49665 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49666 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49907 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49669 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49909 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49913 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49917 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49678 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49926 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49929 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49938 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49941 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49942 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49681 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.132.72:80 -> 192.168.56.102:49687 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 156.236.72.121:443 -> 192.168.56.102:49697 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49676 -> 213.6.54.58:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49702 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49703 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49707 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 213.6.54.58:443 -> 192.168.56.102:49686 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49717 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49719 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49724 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49726 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49705 -> 87.240.132.72:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49727 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49732 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49741 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49743 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49745 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49757 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49714 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49766 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49770 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49772 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49775 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49720 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49785 -> 20.150.79.68:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49788 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49789 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49793 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49795 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49804 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49810 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49811 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49820 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49832 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49833 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49837 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49842 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49854 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49892 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49895 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49899 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49902 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49949 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49950 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49738 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49749 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49753 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49758 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49762 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49768 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 156.236.72.121:443 -> 192.168.56.102:49778 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49784 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49787 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49798 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49802 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49819 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49825 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49355 -> 146.59.10.173:45035 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49834 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49851 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49852 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49856 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49877 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49767 -> 20.150.70.36:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49879 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49884 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49894 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49896 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49890 -> 87.240.132.78:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49904 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49905 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49925 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49931 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49934 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49943 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49946 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49948 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49783 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49791 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49812 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49812 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49824 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49824 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49824 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49823 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49829 -> 176.123.9.142:37637 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49829 -> 176.123.9.142:37637 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49829 -> 176.123.9.142:37637 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49829 -> 176.123.9.142:37637 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49836 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 176.123.9.142:37637 -> 192.168.56.102:49829 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 156.236.72.121:443 -> 192.168.56.102:49845 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49849 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49860 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49868 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49876 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.102:49873 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49882 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49886 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49885 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49898 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49919 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49910 -> 87.240.132.78:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49921 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.251.234.93:443 -> 192.168.56.102:49915 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49915 -> 148.251.234.93:443 2047718 ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49915 -> 148.251.234.93:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49923 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49924 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49933 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49935 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 156.236.72.121:443 -> 192.168.56.102:49953 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 176.123.4.46:33783 -> 192.168.56.102:49835 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 31.41.244.27:41140 -> 192.168.56.102:49769 2046106 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) A Network Trojan was detected
TCP 192.168.56.102:49338 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49519 -> 162.0.217.254:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49955 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 45.130.231.6:443 -> 192.168.56.102:49594 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 45.130.231.6:443 -> 192.168.56.102:49594 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.102:49954 -> 156.236.72.121:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.102:49179 -> 104.26.9.59:443 [C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2] [C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com] 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49186 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49201 -> 172.67.197.101:443 [C=US, O=Let's Encrypt, CN=E1] [CN=preconcert.pw] 60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64
TLSv1 192.168.56.102:49212 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49238 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49243 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49245 -> 95.142.206.0:443 None None None
TLSv1 192.168.56.102:49248 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49247 -> 95.142.206.1:443 None None None
TLSv1 192.168.56.102:49242 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49239 -> 95.142.206.0:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com] bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49249 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49244 -> 95.142.206.1:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com] bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49252 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49234 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49246 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49286 -> 5.255.255.70:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018] [C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=*.xn--d1acpjx3f.xn--p1ai] e4:ba:b2:7f:bf:93:b8:22:10:26:70:37:9c:03:1a:9d:fb:23:17:24
TLSv1 192.168.56.102:49306 -> 172.67.75.166:443 [C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2] [C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com] 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49308 -> 62.217.160.2:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018] [C=RU, ST=Moscow, L=Moscow, O=VK LLC, CN=*.dzen.ru] 6a:31:14:29:60:07:c9:c6:17:7b:d1:27:ad:53:57:ec:d8:c1:d8:d2
TLSv1 192.168.56.102:49381 -> 87.240.129.133:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49297 -> 172.67.75.163:443 [C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2] [C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com] 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49323 -> 213.180.204.24:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018] [C=RU, ST=Moscow, L=Moscow, O=Yandex LLC, CN=sso.passport.yandex.ru] f0:52:26:54:41:65:2b:6a:37:7b:c1:5b:de:9c:e9:d4:41:c6:81:2d
TLSv1 192.168.56.102:49360 -> 172.67.75.166:443 [C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2] [C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com] 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49367 -> 104.26.4.15:443 [C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2] [C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com] 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49477 -> 104.26.8.59:443 [C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2] [C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com] 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49586 -> 104.21.21.189:443 [C=US, O=Let's Encrypt, CN=E1] [CN=octocrabs.com] 77:33:49:da:ac:e1:32:31:64:ad:8a:16:84:a3:aa:04:d0:fc:15:d7
TLSv1 192.168.56.102:49589 -> 172.67.197.101:443 [C=US, O=Let's Encrypt, CN=E1] [CN=preconcert.pw] 60:b2:a3:3e:2f:80:57:cd:6f:c1:a3:e9:b3:c6:cb:95:41:83:4a:64
TLSv1 192.168.56.102:49618 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49606 -> 104.21.6.10:443 [C=US, O=Let's Encrypt, CN=E1] [CN=neuralshit.net] 48:34:be:08:a6:7d:1e:ee:b7:5d:2d:12:63:b2:18:02:6a:d9:0d:74
TLSv1 192.168.56.102:49663 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49690 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49691 -> 95.142.206.1:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com] bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1 192.168.56.102:49517 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49722 -> 95.142.206.1:443 None None None
TLSv1 192.168.56.102:49763 -> 204.79.197.219:443 [C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03] [C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=msdl.microsoft.com] 38:41:7e:3d:62:ae:23:84:cc:0e:a0:df:1b:44:80:83:13:e5:3b:51
TLSv1 192.168.56.102:49705 -> 87.240.132.72:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1 192.168.56.102:49785 -> 20.150.79.68:443 [C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01] [CN=*.blob.core.windows.net] d5:0b:d3:97:69:7b:50:64:d8:ef:f5:4a:58:07:8b:a0:34:f1:f4:59
TLSv1 192.168.56.102:49767 -> 20.150.70.36:443 [C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01] [CN=*.blob.core.windows.net] d5:0b:d3:97:69:7b:50:64:d8:ef:f5:4a:58:07:8b:a0:34:f1:f4:59
TLSv1 192.168.56.102:49812 -> 104.26.8.59:443 [C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2] [C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com] 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49910 -> 87.240.132.78:443 [C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2] [C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com] 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://94.142.138.131/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://94.142.138.131/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.208/download/Services.exe
suspicious_features Connection to IP address suspicious_request HEAD http://45.129.14.83/c.exe
suspicious_features Connection to IP address suspicious_request HEAD http://77.91.68.239/wase/zor40.exe
suspicious_features Connection to IP address suspicious_request HEAD http://194.169.175.232/autorun.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.208/download/Services.exe
suspicious_features Connection to IP address suspicious_request GET http://45.129.14.83/c.exe
suspicious_features Connection to IP address suspicious_request GET http://194.169.175.232/autorun.exe
suspicious_features Connection to IP address suspicious_request GET http://77.91.68.239/wase/zor40.exe
suspicious_features Connection to IP address suspicious_request GET http://176.113.115.84:8080/4.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://5.42.92.211/loghub/master
suspicious_features Connection to IP address suspicious_request GET http://45.15.156.229/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://45.15.156.229/api/firegate.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.42.32.118/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://193.42.32.118/api/firecom.php
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.208/download/WWW14_64.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.208/download/WWW14_64.exe
suspicious_features Connection to IP address suspicious_request HEAD http://45.9.74.80/harbar.exe
suspicious_features Connection to IP address suspicious_request HEAD http://45.9.74.80/super.exe
suspicious_features Connection to IP address suspicious_request GET http://45.9.74.80/harbar.exe
suspicious_features Connection to IP address suspicious_request GET http://45.9.74.80/super.exe
suspicious_features Connection to IP address suspicious_request HEAD http://171.22.28.222/3.exe
suspicious_features Connection to IP address suspicious_request GET http://171.22.28.222/3.exe
request GET http://94.142.138.131/api/tracemap.php
request POST http://94.142.138.131/api/firegate.php
request HEAD http://171.22.28.208/download/Services.exe
request HEAD http://45.129.14.83/c.exe
request HEAD http://77.91.68.239/wase/zor40.exe
request HEAD http://194.169.175.232/autorun.exe
request HEAD http://ji.alie3ksgbb.com/m/esgla2i5.exe
request GET http://ji.alie3ksgbb.com/m/esgla2i5.exe
request HEAD http://christopherantonio.top/calc2.exe
request GET http://171.22.28.208/download/Services.exe
request GET http://45.129.14.83/c.exe
request GET http://194.169.175.232/autorun.exe
request GET http://christopherantonio.top/calc2.exe
request GET http://77.91.68.239/wase/zor40.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request HEAD http://hugersi.com/dl/6523.exe
request GET http://176.113.115.84:8080/4.php
request GET http://hugersi.com/dl/6523.exe
request POST http://5.42.92.211/loghub/master
request GET http://45.15.156.229/api/tracemap.php
request POST http://45.15.156.229/api/firegate.php
request GET http://193.42.32.118/api/tracemap.php
request POST http://193.42.32.118/api/firecom.php
request GET http://www.maxmind.com/geoip/v2.1/city/me
request HEAD http://171.22.28.208/download/WWW14_64.exe
request GET http://171.22.28.208/download/WWW14_64.exe
request HEAD http://45.9.74.80/harbar.exe
request HEAD http://45.9.74.80/super.exe
request GET http://45.9.74.80/harbar.exe
request GET http://45.9.74.80/super.exe
request HEAD http://230926170958727.kmj.xne26.cfd/f/fikim0926727.exe
request GET http://230926170958727.kmj.xne26.cfd/f/fikim0926727.exe
request HEAD http://171.22.28.222/3.exe
request HEAD http://fc.ftimedica.com/netTime.exe
request HEAD http://xsk295c2.beget.tech/525403/setup.exe
request GET http://171.22.28.222/3.exe
request GET http://xsk295c2.beget.tech/525403/setup.exe
request GET http://fc.ftimedica.com/netTime.exe
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://preconcert.pw/setup294.exe
request GET https://vk.com/doc52355237_665916972?hash=PGtJZU2lyBun4kcjAuDW4sr3qZoaazswmzm43vqfrD8&dl=fmNbRucq2G5KCRA22nIJETEH1oOZZHD8AqBpxxaUybz&api=1&no_preview=1
request GET https://vk.com/doc52355237_666234015?hash=jC8k9uZNDwpIzHryeQnmi9pC0nHf4JLz2m1bJdWIZeD&dl=hRM2hk5MgfZVhMzLzxpzfwqDj4yDsI3PzHnkqlAJNJL&api=1&no_preview=1#test22
request GET https://sun6-20.userapi.com/c909228/u52355237/docs/d44/c0e13179ad83/test2.bmp?extra=FRiWShW93DWsuiDd8DMk6E3A8FNgmmKQA0s3Hex7US-8REQiMPFomVj7Qhqd1yFwQfJZQ9tF7jSGUOC5HJSyT_qRGb0A0es_wx-c1InV3LR1OmQmPbWUNgKG4EhdvHXJ5EbmyXWG3RP7qg8c
request GET https://vk.com/doc52355237_666188067?hash=r1Na54ZxAjG4KOFDeXqZX17ZBZPd5xxdBOOWsDvp5TX&dl=EOYAxqrIN0WwY7MTgf0eTj1ZJVCjuUa0FY3feLNyZEc&api=1&no_preview=1#r1
request GET https://vk.com/doc52355237_666155284?hash=ImdsfIi1GWolUBV61ckzTPwgq51ZCNzIz6Qz8GSqP7P&dl=7w4np6RfyRANUVCTVCTAKrQpLvvL9JdOzpG1MG3SxH0&api=1&no_preview=1#1
request GET https://vk.com/doc52355237_665981002?hash=5dlf3DheCq3ZynwxfclKIYSMaBUrqVsiNEQbz1ZBeez&dl=qhGcA2zWn1OHnSTesbATZlb3MbAcGMzKaqeVHxmyiH8&api=1&no_preview=1#rise
request GET https://sun6-21.userapi.com/c909418/u52355237/docs/d13/911be371f0c0/r1.bmp?extra=oWOmWiP64UIJiSCefnNude-l_2SrMu7fcUjIfHBHew1wrBQvuiTTUTrKfHz6yY7V7We9U9PBmQx9jFPC1J4P3M9qIDjbFa8Z0uKW1yIkD3KFawgEcPTsQjxBnE3pTGHWOHttvUj-LRW2n-Yg
request GET https://sun6-20.userapi.com/c909218/u52355237/docs/d16/5d0c4daa5259/crypted.bmp?extra=zdJvqwXZDa8_UiT0CZkexuzamnA3vGRlqUCNSeV2re5ViYefGQXE-s2XyeiWHMWIWKihhjzFbVx8b-AhzTMnVv1bOjWdfeLqlT9r8TsjJ0AP2GI09Lli1MDOrZRhRqMRf8mx_2PK8T0YD8mn
request GET https://sun6-21.userapi.com/c909628/u52355237/docs/d56/ecd474467072/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=VSMMPHzYfzhCEpRVmMEKMEF8s0Pf7BKVDv-7xy6dDQBx1KyO3-8hTO6YuKHOjQ-Pg5vq7E-ITVnT2FH9w-IGGXKUlNNTBg56UHPr-mj809AdTNTnzqIF7JT9vv0b2Xi7I6Zyc21RN4srGpt5
request POST http://94.142.138.131/api/firegate.php
request POST http://5.42.92.211/loghub/master
request POST http://45.15.156.229/api/firegate.php
request POST http://193.42.32.118/api/firecom.php
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
ip 146.59.10.173
ip 176.113.115.84
ip 176.123.4.46
ip 176.123.9.142
ip 194.169.175.128
ip 194.169.175.232
ip 31.41.244.27
ip 77.91.124.55
domain preconcert.pw description Palau domain TLD
domain yandex.ru description Russian Federation domain TLD
domain iplis.ru description Russian Federation domain TLD
domain sso.passport.yandex.ru description Russian Federation domain TLD
domain dzen.ru description Russian Federation domain TLD
domain christopherantonio.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73913000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zE0B8A0CC3\File.exe
file C:\Users\test22\AppData\Local\Temp\7zE0B8A0CC3\CrystalDecisions.Shared.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
domain 0476fa47-9285-4c60-8419-baac6d5e2796.uuid.окрф.рф
host 146.59.10.173
host 171.22.28.222
host 171.22.28.208
host 176.113.115.84
host 176.123.4.46
host 176.123.9.142
host 193.42.32.118
host 194.169.175.128
host 194.169.175.232
host 45.129.14.83
host 45.15.156.229
host 5.42.92.211
host 77.91.68.239
host 94.142.138.131
host 31.41.244.27
host 62.122.184.58
host 45.9.74.80
host 77.91.124.55
dead_host 192.168.56.102:49193
dead_host 176.113.115.84:80