Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Nov. 29, 2023, 2:21 p.m. | Nov. 29, 2023, 2:30 p.m. |
Process | Command line | PID |
---|---|---|
._cache_123.exe | "C:\Users\test22\AppData\Local\Temp\._cache_123.exe" | 2784 |
Synaptics.exe | "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate | 2856 |
Name | Response | Post-Analysis Lookup |
---|---|---|
www.dropbox.com | CNAME www-env.dropbox-dns.com / 162.125.84.18 | |
xred.mooo.com | | |
docs.google.com | 142.250.206.206 | |
freedns.afraid.org | 69.42.215.252 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.101:53004 -> 164.124.101.2:53 | 2015633 | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com | Misc activity |
TCP 192.168.56.101:49174 -> 162.125.84.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49172 -> 142.251.220.14:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49173 -> 162.125.84.18:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49164 -> 45.125.57.96:8888 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
TCP 45.125.57.96:8888 -> 192.168.56.101:49164 | 2045860 | ET HUNTING Rejetto HTTP File Sever Response | A Network Trojan was detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49172 -> 142.251.220.14:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.google.com | 4c:0d:17:8c:f1:30:7c:3a:6f:9b:8e:b4:83:0e:5c:bd:ed:17:3e:95 |
section | CODE |
section | DATA |
section | BSS |
packer | BobSoft Mini Delphi -> BoB / BobSoft |
domain | xred.mooo.com |
request | GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 |
request | GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download |
request | GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download |
name | language | sublanguage | filetype | offset | size |
---|---|---|---|---|---|
RT_ICON | LANG_TURKISH | SUBLANG_DEFAULT | dBase IV DBT of @.DBF, block length 8192, next free block index 40 | 0x000b1028 | 0x000010a8 |
RT_RCDATA | LANG_TURKISH | SUBLANG_DEFAULT | Microsoft Excel 2007+ | 0x000f1794 | 0x000047d3 |
RT_GROUP_ICON | LANG_TURKISH | SUBLANG_DEFAULT | data | 0x000f5f68 | 0x00000014 |
domain | docs.google.com |
file | C:\Program Files\AppPatch\8.77.dll |
file | C:\ProgramData\Synaptics\Synaptics.dll |
file | C:\Users\test22\AppData\Local\Temp\._cache_123.exe |
domain | www.dropbox.com |
host | 45.125.57.96 |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver | reg_value | C:\ProgramData\Synaptics\Synaptics.exe |
process | ._cache_123.exe | useragent | Mozilla/4.0 (compatible) |
process | Synaptics.exe | useragent | MyApp |
process | Synaptics.exe | useragent | Synaptics.exe |
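The behavioural indicators above (the *.mooo.com dynamic-DNS query, the freedns.afraid.org getdyndns API call, the non-browser User-Agent strings, the Wow6432Node Run key pointing into C:\ProgramData, and the Rejetto HFS server at 45.125.57.96:8888) can be turned into host and network detection logic. The following Python script is an added example and is not part of the sandbox report; it runs those checks over a small set of constructed log records embedded inline. The DLL request path, the HFS Server header value and the benign records are constructed assumptions (the report does not show them), and the Run-key check deliberately keys on the target directory rather than the value name so a renamed entry is still caught. The SSLBL JA3 alerts are left out on purpose: a JA3 blacklist match fingerprints the TLS client stack, not the malware, and here it fires on connections to Dropbox and Google addresses.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the sandbox report above.
DYNDNS_SUFFIXES = (".mooo.com",)           # abused free dynamic-DNS zone (ET SID 2015633)
DYNDNS_API_HOST = "freedns.afraid.org"     # /api/?action=getdyndns resolves the operator's C2 name
KNOWN_C2_HOSTS = {"45.125.57.96"}          # HFS on :8888; connection attempt to :2005 went unanswered
BAD_USER_AGENTS = {"MyApp", "Synaptics.exe", "Mozilla/4.0 (compatible)"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
# Autostart entries launched from user- or world-writable directories are suspicious whatever
# they are named (the report's entry is "Synaptics Pointing Device Driver" under C:\ProgramData).
WRITABLE_DIR_RE = re.compile(r'^"?[a-z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\', re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


@dataclass(frozen=True)
class Hit:
    rule: str
    evidence: str


def check_dns(query: str) -> list[Hit]:
    """Flag lookups of the abused dynamic-DNS zone and of the dynamic-DNS provider's API host."""
    q = query.lower().rstrip(".")
    hits = []
    if q.endswith(DYNDNS_SUFFIXES):
        hits.append(Hit("dyndns-query", query))
    if q == DYNDNS_API_HOST:
        hits.append(Hit("dyndns-api-lookup", query))
    return hits


def check_http(host: str, port: int, url: str, user_agent: str, server: str = "") -> list[Hit]:
    """Flag the C2 host, DLL fetches from a bare IP, the odd User-Agents and an HFS Server header."""
    hits = []
    if host in KNOWN_C2_HOSTS:
        hits.append(Hit("known-c2-host", f"{host}:{port}"))
    if DOTTED_QUAD_RE.fullmatch(host) and url.lower().split("?")[0].endswith(".dll"):
        hits.append(Hit("dll-from-dotted-quad", f"http://{host}:{port}{url}"))  # cf. ET SID 2027250
    if user_agent in BAD_USER_AGENTS:
        hits.append(Hit("non-browser-user-agent", user_agent))
    if host == DYNDNS_API_HOST and "action=getdyndns" in url:
        hits.append(Hit("dyndns-api-call", url))
    # Assumption: Rejetto HFS advertises itself as "HFS <version>" in the Server header;
    # the exact content match of ET SID 2045860 is not reproduced here.
    if server.upper().startswith("HFS"):
        hits.append(Hit("hfs-server-response", server))
    return hits


def check_registry(key: str, value_name: str, value_data: str) -> list[Hit]:
    """Flag Run-key values (32- or 64-bit view) whose target lives in a writable directory."""
    if RUN_KEY_RE.search(key) and WRITABLE_DIR_RE.match(value_data):
        return [Hit("run-key-from-writable-dir", f"{key}\\{value_name} = {value_data}")]
    return []


def scan(events: list[dict]) -> list[Hit]:
    """Dispatch generic event records to the checks above and collect every hit."""
    hits: list[Hit] = []
    for ev in events:
        if ev["type"] == "dns":
            hits += check_dns(ev["query"])
        elif ev["type"] == "http":
            hits += check_http(ev["host"], ev["port"], ev["url"], ev["user_agent"], ev.get("server", ""))
        elif ev["type"] == "registry":
            hits += check_registry(ev["key"], ev["value_name"], ev["value_data"])
    return hits


# Constructed sample events modelled on the report; they are not the sandbox's own log records.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "xred.mooo.com"},
    {"type": "dns", "query": "freedns.afraid.org"},
    {"type": "dns", "query": "docs.google.com"},                      # benign lookup, no hit
    {"type": "http", "host": "freedns.afraid.org", "port": 80,
     "url": "/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
     "user_agent": "Mozilla/4.0 (compatible)"},
    {"type": "http", "host": "45.125.57.96", "port": 8888, "url": "/8.77.dll",   # path constructed
     "user_agent": "MyApp", "server": "HFS 2.3"},                      # Server header constructed
    {"type": "http", "host": "www.example.com", "port": 443, "url": "/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},     # benign request, no hit
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Synaptics Pointing Device Driver",
     "value_data": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"type": "registry",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "SecurityHealth",
     "value_data": r"C:\Windows\System32\SecurityHealthSystray.exe"},  # system path, no hit
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:28} {hit.evidence}")
```

Run against the constructed events the script reports nine hits across eight rules; the benign DNS lookup, the browser request and the System32 autostart entry produce none. Feed it real records by mapping your DNS, proxy and registry-audit logs onto the three event shapes.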
Antivirus | Detected |
---|---|
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.DarkKomet.tp6k |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Generic.Dacic.AEA16DAA.A.96E7E3ED |
FireEye | Generic.mg.5ab89a96be7570df |
CAT-QuickHeal | Sus.Nocivo.E0011 |
Skyhigh | BehavesLike.Win32.Downloader.dh |
ALYac | Generic.Dacic.AEA16DAA.A.96E7E3ED |
Cylance | unsafe |
Zillya | Trojan.Delf.Win32.76144 |
Sangfor | Suspicious.Win32.Save.ins |
K7AntiVirus | Trojan ( 000112511 ) |
Alibaba | Backdoor:Win32/Zlob.180910 |
K7GW | Trojan ( 000112511 ) |
Cybereason | malicious.9e77e0 |
BitDefenderTheta | AI:Packer.96BD33E81D |
Symantec | W32.Zorex |
tehtris | Generic.Malware |
ESET-NOD32 | Win32/Delf.NBX |
Cynet | Malicious (score: 100) |
APEX | Malicious |
ClamAV | Win.Downloader.Zegost-6484584-1 |
Kaspersky | Backdoor.Win32.DarkKomet.hqxy |
BitDefender | Generic.Dacic.AEA16DAA.A.96E7E3ED |
NANO-Antivirus | Trojan.Win32.DarkKomet.fazbwq |
Avast | Win32:Dropper-OHP [Trj] |
Tencent | Virus.Win32.DarkKomet.yb |
TACHYON | Backdoor/W32.DP-DarkKomet.985088.B |
Emsisoft | Generic.Dacic.AEA16DAA.A.96E7E3ED (B) |
Baidu | Win32.Trojan-Downloader.Agent.bh |
F-Secure | Trojan:W97M/MaliciousMacro.GEN |
DrWeb | Trojan.DownLoader22.9658 |
VIPRE | Generic.Dacic.AEA16DAA.A.96E7E3ED |
TrendMicro | Virus.Win32.NAPWHICH.B |
Sophos | Troj/Zegost-ID |
Ikarus | Trojan-PWS.Win32.QQPass |
Jiangmin | Backdoor.DarkKomet.ljd |
Webroot | W32.Malware.gen |
Varist | W32/Backdoor.OAZM-5661 |
Avira | TR/Dldr.Agent.SH |
Antiy-AVL | Virus/Win32.DarkKomet.a |
Kingsoft | Win32.HeurC.KVM007.a |
Microsoft | Worm:Win32/AutoRun!atmn |
Gridinsoft | Trojan.Win32.Gen.tr |
Xcitium | Virus.Win32.Agent.DE@74b38h |
Arcabit | HEUR.VBA.Trojan.d |
ViRobot | Win32.Zorex.A |
ZoneAlarm | Backdoor.Win32.DarkKomet.hqxy |
GData | Win32.Backdoor.Agent.AXS |
dead_host | 192.168.56.101:49178 |
dead_host | 192.168.56.101:49166 |
dead_host | 45.125.57.96:2005 |
dead_host | 192.168.56.101:49177 |