popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

file_ver_9.rar

KeyLogger PWS Escalate priviledges AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Nov. 29, 2023, 3:51 p.m. Nov. 29, 2023, 3:53 p.m.
Size 6.3MB
Type RAR archive data, v5
MD5 0626f8e71d8a91fd6185df77a50b9fbc
SHA256 e91a27ef813d4687de455dc1abd55c7a40cf305e370606065aee1e347c8b6450
CRC32 631DE259
ssdeep 196608:eyUELVExN/fV+J84bKDOsvFItL19baaQpVfxA:dH+O8V3Q58PpVO
Yara None matched

Name Response Post-Analysis Lookup
medfioytrkdkcodlskeej.net
A 91.215.85.209
91.215.85.209
logisticspierias.com
A 162.0.215.51
162.0.215.51
iplogger.org
A 104.21.4.208
A 172.67.132.113
104.21.4.208
vanaheim.cn
A 158.160.82.150
158.160.82.150
apps.identrust.com
A 23.67.53.27
A 23.67.53.17
CNAME a1952.dscq.akamai.net
CNAME identrust.edgesuite.net
23.32.56.80
sun6-20.userapi.com
A 95.142.206.0
95.142.206.0
api.2ip.ua
A 104.21.65.24
A 172.67.139.220
172.67.139.220
ipinfo.io
A 34.117.59.81
34.117.59.81
sun6-22.userapi.com
A 95.142.206.2
95.142.206.2
api.myip.com
A 172.67.75.163
A 104.26.9.59
A 104.26.8.59
172.67.75.163
gons32cl.top
zexeq.com
A 190.12.87.61
A 211.40.39.251
A 187.224.61.233
A 190.218.32.77
A 190.187.52.42
A 211.104.254.139
A 211.168.53.110
A 123.213.233.131
A 211.181.24.132
A 195.158.3.162
211.168.53.110
thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs
A 104.21.31.74
A 172.67.175.68
172.67.175.68
iplis.ru
A 104.21.63.150
A 172.67.147.32
104.21.63.150
db-ip.com
A 104.26.5.15
A 104.26.4.15
A 172.67.75.166
104.26.4.15
sun6-21.userapi.com
A 95.142.206.1
95.142.206.1
sun6-23.userapi.com
A 95.142.206.3
95.142.206.3
vk.com
A 87.240.129.133
A 87.240.132.72
A 87.240.132.67
A 87.240.137.164
A 93.186.225.194
A 87.240.132.78
87.240.132.72
IP Address Status Action
104.21.31.74 Active Moloch
104.26.4.15 Active Moloch
104.26.8.59 Active Moloch
109.107.182.45 Active Moloch
158.160.82.150 Active Moloch
162.0.215.51 Active Moloch
164.124.101.2 Active Moloch
172.67.132.113 Active Moloch
172.67.139.220 Active Moloch
172.67.147.32 Active Moloch
176.113.115.84 Active Moloch
190.187.52.42 Active Moloch
194.169.175.128 Active Moloch
194.33.191.60 Active Moloch
194.49.94.152 Active Moloch
194.49.94.80 Active Moloch
194.49.94.97 Active Moloch
23.67.53.17 Active Moloch
34.117.59.81 Active Moloch
5.42.64.35 Active Moloch
5.42.64.41 Active Moloch
77.232.39.164 Active Moloch
87.240.137.164 Active Moloch
91.215.85.209 Active Moloch
91.92.243.151 Active Moloch
95.142.206.0 Active Moloch
95.142.206.1 Active Moloch
95.142.206.2 Active Moloch
95.142.206.3 Active Moloch
95.214.26.17 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49178 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49178 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49176 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49176 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49187 -> 5.42.64.35:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49195 -> 162.0.215.51:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 109.107.182.45:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49195 -> 162.0.215.51:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49187 -> 5.42.64.35:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49181 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 5.42.64.35:80 -> 192.168.56.102:49187 2014819 ET INFO Packed Executable Download Misc activity
UDP 192.168.56.102:53778 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49190 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49189 -> 109.107.182.45:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49200 -> 162.0.215.51:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49197 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 176.113.115.84:8080 -> 192.168.56.102:49209 2400019 ET DROP Spamhaus DROP Listed Traffic Inbound group 20 Misc Attack
TCP 192.168.56.102:49208 -> 162.0.215.51:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 5.42.64.35:80 -> 192.168.56.102:49187 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.35:80 -> 192.168.56.102:49187 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 162.0.215.51:443 -> 192.168.56.102:49214 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 109.107.182.45:80 -> 192.168.56.102:49189 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 109.107.182.45:80 -> 192.168.56.102:49189 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49209 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.84:8080 -> 192.168.56.102:49209 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.84:8080 -> 192.168.56.102:49209 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.102:49205 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49176 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49192 -> 104.21.31.74:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.31.74:80 -> 192.168.56.102:49192 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 162.0.215.51:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49193 -> 162.0.215.51:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49191 -> 91.215.85.209:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49191 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 104.21.31.74:80 -> 192.168.56.102:49199 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49203 -> 104.21.31.74:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49207 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49207 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49175 -> 104.26.8.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49175 -> 104.26.8.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49173 -> 91.92.243.151:80 2045779 ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET) Malware Command and Control Activity Detected
TCP 192.168.56.102:49226 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49227 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49213 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49213 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49215 -> 91.215.85.209:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49216 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49186 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49186 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49198 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49230 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49218 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49236 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49236 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49232 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49194 -> 104.21.31.74:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.21.31.74:80 -> 192.168.56.102:49194 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 91.215.85.209:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49196 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49206 -> 162.0.215.51:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49204 -> 91.215.85.209:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49219 -> 91.215.85.209:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 91.215.85.209:443 -> 192.168.56.102:49221 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49223 -> 95.142.206.3:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49238 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49249 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49245 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49253 -> 95.142.206.2:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49251 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49251 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49255 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49255 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49241 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49241 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49244 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49244 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49250 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49220 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49220 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49222 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49228 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49235 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49235 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49242 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49243 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49243 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49252 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49252 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49257 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49224 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49234 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49260 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49260 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49262 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49262 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49265 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49266 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 87.240.137.164:80 -> 192.168.56.102:49246 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49254 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49254 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49256 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49261 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49263 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49267 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49271 -> 95.142.206.1:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49272 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49272 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49268 -> 95.142.206.0:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49269 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49275 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 194.169.175.128:50505 -> 192.168.56.102:49281 2046266 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Malware Command and Control Activity Detected
TCP 192.168.56.102:49281 -> 194.169.175.128:50505 2046269 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) Malware Command and Control Activity Detected
TCP 192.168.56.102:49281 -> 194.169.175.128:50505 2049060 ET MALWARE Suspected RisePro TCP Heartbeat Packet A Network Trojan was detected
UDP 192.168.56.102:50447 -> 164.124.101.2:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 192.168.56.102:49292 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044243 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in Malware Command and Control Activity Detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044244 ET MALWARE Win32/Stealc Requesting browsers Config from C2 Malware Command and Control Activity Detected
TCP 5.42.64.41:80 -> 192.168.56.102:49289 2044245 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config Malware Command and Control Activity Detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044246 ET MALWARE Win32/Stealc Requesting plugins Config from C2 Malware Command and Control Activity Detected
TCP 5.42.64.41:80 -> 192.168.56.102:49289 2044247 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config Malware Command and Control Activity Detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044248 ET MALWARE Win32/Stealc Submitting System Information to C2 Malware Command and Control Activity Detected
TCP 192.168.56.102:49274 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044301 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 5.42.64.41:80 -> 192.168.56.102:49289 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 5.42.64.41:80 -> 192.168.56.102:49289 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.102:49283 -> 172.67.132.113:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.102:49283 -> 172.67.132.113:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 194.49.94.152:50500 -> 192.168.56.102:49285 2046266 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Malware Command and Control Activity Detected
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 194.49.94.152:50500 -> 192.168.56.102:49285 2046267 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) Malware Command and Control Activity Detected
TCP 194.169.175.128:37853 -> 192.168.56.102:49287 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49290 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49290 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49290 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49285 -> 194.49.94.152:50500 2046270 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration) Malware Command and Control Activity Detected
TCP 194.169.175.128:50500 -> 192.168.56.102:49294 2046266 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Malware Command and Control Activity Detected
TCP 192.168.56.102:49285 -> 194.49.94.152:50500 2046269 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) Malware Command and Control Activity Detected
TCP 192.168.56.102:49294 -> 194.169.175.128:50500 2046269 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity) Malware Command and Control Activity Detected
TCP 192.168.56.102:49270 -> 87.240.137.164:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.102:49270 -> 87.240.137.164:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 194.169.175.128:37853 -> 192.168.56.102:49287 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49284 -> 194.33.191.60:44675 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49284 -> 194.33.191.60:44675 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49284 -> 194.33.191.60:44675 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49284 -> 194.33.191.60:44675 2046105 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound) A Network Trojan was detected
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49296 -> 172.67.139.220:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 172.67.139.220:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49287 -> 194.169.175.128:37853 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49277 -> 87.240.137.164:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.33.191.60:44675 -> 192.168.56.102:49284 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 194.33.191.60:44675 -> 192.168.56.102:49284 2046106 ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response) A Network Trojan was detected
TCP 192.168.56.102:49282 -> 172.67.147.32:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49298 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49298 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.102:49298 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49288 -> 194.49.94.80:29960 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 77.232.39.164:32157 -> 192.168.56.102:49286 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49288 -> 194.49.94.80:29960 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 77.232.39.164:32157 -> 192.168.56.102:49286 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 194.49.94.80:29960 -> 192.168.56.102:49288 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 95.214.26.17:24714 -> 192.168.56.102:49293 2400007 ET DROP Spamhaus DROP Listed Traffic Inbound group 8 Misc Attack
TCP 192.168.56.102:49293 -> 95.214.26.17:24714 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.102:49293 -> 95.214.26.17:24714 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49293 -> 95.214.26.17:24714 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 95.214.26.17:24714 -> 192.168.56.102:49293 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.102:49293 -> 95.214.26.17:24714 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49293 -> 95.214.26.17:24714 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 95.214.26.17:24714 -> 192.168.56.102:49293 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.102:49297 -> 172.67.139.220:443 2033214 ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Potentially Bad Traffic
TCP 192.168.56.102:49293 -> 95.214.26.17:24714 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49297 -> 172.67.139.220:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49293 -> 95.214.26.17:24714 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 194.169.175.128:50500 -> 192.168.56.102:49294 2046267 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP) Malware Command and Control Activity Detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49294 -> 194.169.175.128:50500 2049060 ET MALWARE Suspected RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49294 -> 194.169.175.128:50500 2046268 ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings) Malware Command and Control Activity Detected
TCP 192.168.56.102:49300 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49302 -> 190.187.52.42:80 2002400 ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) A Network Trojan was detected
TCP 192.168.56.102:49302 -> 190.187.52.42:80 2036334 ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key A Network Trojan was detected
TCP 190.187.52.42:80 -> 192.168.56.102:49302 2036335 ET MALWARE Win32/Filecoder.STOP Variant Public Key Download A Network Trojan was detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 5.42.64.41:80 2044307 ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity A suspicious filename was detected
UDP 192.168.56.102:65488 -> 164.124.101.2:53 2027026 ET POLICY External IP Address Lookup DNS Query (2ip .ua) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49286 -> 77.232.39.164:32157 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.102:49290 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 162.0.215.51:80 -> 192.168.56.102:49202 2221010 SURICATA HTTP unable to match response to request Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49203
104.21.31.74:443 		C=US, O=Let's Encrypt, CN=E1 CN=thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs 08:4e:ff:78:a5:79:72:d0:52:5f:3b:db:9d:72:02:82:d3:30:7a:0e
TLSv1
192.168.56.102:49175
104.26.8.59:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1
192.168.56.102:49183
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49216
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49230
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49232
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49223
95.142.206.3:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49249
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49253
95.142.206.2:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49250
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49234
95.142.206.1:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49265
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49266
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49261
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49267
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49271
95.142.206.1:443 		None None None
TLSv1
192.168.56.102:49268
95.142.206.0:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.userapi.com bc:a9:84:5f:86:90:b1:02:ba:2d:66:e8:e5:46:c1:57:e9:c0:cc:24
TLSv1
192.168.56.102:49269
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49292
104.26.4.15:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1
192.168.56.102:49274
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49283
172.67.132.113:443 		C=US, O=Let's Encrypt, CN=E1 CN=iplogger.org 1e:76:b5:78:be:35:ec:fb:3f:26:d0:5f:1c:2a:2d:33:0e:51:6f:7e
TLSv1
192.168.56.102:49296
172.67.139.220:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=2ip.ua df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1
192.168.56.102:49277
87.240.137.164:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com 6b:39:d3:5a:fa:5a:ee:80:1a:d7:f6:77:30:52:cf:2b:52:a1:82:09
TLSv1
192.168.56.102:49282
172.67.147.32:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=iplis.ru 04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1
192.168.56.102:49297
172.67.139.220:443 		C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=2ip.ua df:8e:38:7b:a5:b7:63:5f:01:77:75:f0:d6:4a:08:30:fa:63:46:8f
TLSv1
192.168.56.102:49300
104.26.4.15:443 		C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features Connection to IP address suspicious_request GET http://91.92.243.151/api/tracemap.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://91.92.243.151/api/firegate.php
suspicious_features Connection to IP address suspicious_request HEAD http://5.42.64.35/timeSync.exe
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.45/trend/home.exe
suspicious_features Connection to IP address suspicious_request GET http://5.42.64.35/timeSync.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.45/trend/home.exe
suspicious_features Connection to IP address suspicious_request GET http://176.113.115.84:8080/4.php
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://5.42.64.41/40d570f44e84a454.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
request GET http://91.92.243.151/api/tracemap.php
request POST http://91.92.243.151/api/firegate.php
request HEAD http://5.42.64.35/timeSync.exe
request HEAD http://109.107.182.45/trend/home.exe
request GET http://5.42.64.35/timeSync.exe
request GET http://109.107.182.45/trend/home.exe
request GET http://176.113.115.84:8080/4.php
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request POST http://5.42.64.41/40d570f44e84a454.php
request GET http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
request GET http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
request GET http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
request GET http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
request GET http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
request GET http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
request GET http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
request GET http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
request GET https://api.myip.com/
request GET https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
request GET https://thezccasdsadasdafdsdfdgfdfdfhdfhagdfahfsgh.sbs/setup294.exe
request GET https://vk.com/doc418490229_668929938?hash=ktCgmKYqoZFe4ivRZzzbNBxLkP2YROgRTvMCbGK5rtc&dl=Q00m1ouR7KqanosInfovEoKZoXQN3pn1V9bUiGxjkk0&api=1&no_preview=1
request GET https://sun6-23.userapi.com/c909328/u418490229/docs/d4/513c59e462a3/2s78sh2agf.bmp?extra=wo3J3uOiHbgaAFfUUpBiWNnQ_wa3RVUVpf16WebNgU3tW18tv009ULs2b4b8x5HTDD7XJTCRwRbunl6DgE_pXd2Bpht21e04pZ2mEDxtRrUOB_l46TDy9w7D_F8mVOCDwNW_T0c_ZlIZ8-Hh2A
request GET https://vk.com/doc278414724_666785048?hash=BEECsUI0KihIsE0U0nCflKTI5jGLqnjbHrZ921hHoIo&dl=MlH2hFcAGSgijzPzzjYVJFJFj9WHHsyc0XO9FI0mX38&api=1&no_preview=1#ww11
request GET https://vk.com/doc418490229_668767729?hash=65wAhIT5Td9Qu0SLdsQyFz8gx9sXRgxbSsg6rImiJQH&dl=ur2wv4vg3UjVwTO0wSnjKdxULtRETYEfElriZjtBG64&api=1&no_preview=1
request GET https://sun6-21.userapi.com/c237331/u418490229/docs/d28/adfc4032e372/BotClients.bmp?extra=u6VcUNDBHlz4YtdAG5FSiCZtBVvB20an469YZyM8KYXq3Vh2UQ8YRDjgubImLSU5YyYT8TRfRocazjx4RVqpRtmvXLm18R9BiDOzCavVrvZPK5TXT1v1nS1lYeEizYUGJUOVTFeMRkJhvuR3lQ
request GET https://vk.com/doc418490229_668931401?hash=iAFqqX4VsjibbUrFFs3uLnWGAIedldaHRjTySVZmqV0&dl=hZ7Ql2epmfz2WiO8BxGI8cdwo6AK6bLFPyI65FMR3FH&api=1&no_preview=1#maff
request GET https://vk.com/doc418490229_668929813?hash=CcrmLI7IeiRz0lU8DnAVrRG7zp1VmDOzkljV4YdvlFg&dl=fbXhUnfoCiOFBNTYzP3G4TgseWVmer9dhybO06Dbf3X&api=1&no_preview=1#risepro
request GET https://sun6-23.userapi.com/c909328/u418490229/docs/d20/f3a7ad2143af/mr_Bro.bmp?extra=LeAgMHn_2s_EVvaW-K_cYV6O9innY-2Ivke0GMPWzt-Bxu8pOVe7OUztp54ANXLikgsNht2ZvFU3mutgl9UWPZP25IvV6FHhjqfrAX2L6bAqCC7SyALVe6WD2lVYAeSAh3Vn80bmEFxY13YjhQ
request GET https://sun6-22.userapi.com/c236331/u418490229/docs/d5/af51deff0236/Rise.bmp?extra=EXpRRrsiC1jWoHBXbvHHi-UWj6Grj_AkUV6kOcM6llnGcexjn5FNP-bw5dsGphz9RLFdXu9yhqgky3xkYW4oblIQTqffvix3MCOTMskXb-0k6HOQ4MwchfLG5QMetCJb-25Uj9rO2AF0wV3bkQ
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
request GET https://vk.com/doc418490229_668929802?hash=JGJzKUDsQctWofQ698XiG5TtXyL4jHXW5WO9kYCx09g&dl=jnJZekjN4zWOrABguUPz6zoyi3nglzHT0X5thDnbzMX&api=1&no_preview=1#redline_rm
request GET https://vk.com/doc418490229_668938366?hash=5FoUaQok0B2gtiDqcFJ4bpegTD2SPzTjKqykfkwb3zc&dl=vyAqT5Xe4xXyZ38CTECObVL4GlrQZGRjeNMqsV10szg&api=1&no_preview=1#1
request GET https://vk.com/doc26060933_667508201?hash=6VnuemqrvgMX7JGCKhOp7uAllSfIKzasrs7cM1fWhgL&dl=JwY775FVXYxbFspXlbElezWDzeVHhbpuZXgjGmHUTZs&api=1&no_preview=1#setup
request GET https://sun6-20.userapi.com/c909518/u418490229/docs/d51/4406a2506340/red_line.bmp?extra=1GONfT_9cHm8rJzJ70PLJj4VAC91m0S4Gca-QG052TIJ_-UwtxALkVaPJ0uZ1FKVXet0kJLaXAZ51JpjRgVz_JEdKGwQ8dO7nEJ5B0ilU4MZvTvhmkRuXRNbW12qcvV2G5xp2F3bcuW3WdIAhQ
request GET https://sun6-21.userapi.com/c909328/u418490229/docs/d52/e20150ec5011/crypted.bmp?extra=9_uUHyTbLcXEPVRQVoDX2SVXXD5LQIa5cbmPsUZ3sANv_Z7qrNnfAbxOeHfG8kJovBnfxWwX2ooHmOeZbCi822CJMQagWtI1l_OJm3U24MjBdIRMy5fjt-zQyydy6dHJmDi4Osx0CqpLJikI0A
request GET https://vk.com/doc418490229_668950817?hash=eI5j14qEZqSaw1aKlx69PDkbeE2RaV0OZkR8TCBVlkH&dl=Q3HIRdzNrrMLZtN2dhibLhc4W12UZleN44GQrBv9zQc&api=1&no_preview=1#xin
request GET https://sun6-21.userapi.com/c909418/u418490229/docs/d33/0707ec1a9cdf/cz28.bmp?extra=sGRI4H5niz7RxILWD_zUG_ctDcTaUSYqKpF1niVRahjkUS__H9KEp1ZwCxgayUfHyz5J9Nz_aiGnRQ0XXPiLbkZhLPYOYfkejwL07zdN1voMsYNb9bZ-9a11sYdof2VMN6HvEZGjbQ-CNlvy4A
request GET https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
request GET https://vk.com/doc418490229_668951217?hash=0wrWsiW5bDYiOaBQlj1ut0KnfM2SerHsUNtSIA8n0BX&dl=OYYh0EDgZLGz5BRVaNfHjBWXrjyY3hvz3peQaRwCvJ0&api=1&no_preview=1#test22
request GET https://sun6-22.userapi.com/c909218/u418490229/docs/d39/b36e581ef415/file281123.bmp?extra=bJDa7mvscY-voQdIZZUksYr44DtBJP-kJssHt6Ahl0Q3MWE0gDizV1mxjHiRYniFlTlcLPFRW15HwvmQT66uxmB5hPFhj1YM_rOkx1nDbAHpSg6gKZ6T_jczVxXuiS1oknRU7mtsN-SX-p1ujg
request GET https://iplis.ru/1Gemv7.mp3
request GET https://db-ip.com/demo/home.php?s=175.208.134.152
request GET https://api.2ip.ua/geo.json
request POST http://91.92.243.151/api/firegate.php
request POST http://5.42.64.41/40d570f44e84a454.php
ip 176.113.115.84
ip 194.169.175.128
ip 194.33.191.60
ip 194.49.94.152
ip 194.49.94.80
ip 77.232.39.164
ip 95.214.26.17
domain iplis.ru description Russian Federation domain TLD
domain gons32cl.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74002000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73913000
process_handle: 0xffffffff
1 0 0
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\prom\conc.dll
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\prom\concrt140.dll
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\prom\dbgh.dll
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\setup.exe
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\prom\gettext.dll
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\prom\dbghelp.dll
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\prom\ieframe.dll
file C:\Users\test22\AppData\Local\Temp\7zEC9859F36\prom\concrt1.dll
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeSecurityPrivilege
1 1 0
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Run a KeyLogger rule KeyLogger
host 109.107.182.45
host 176.113.115.84
host 194.169.175.128
host 194.33.191.60
host 194.49.94.152
host 194.49.94.80
host 194.49.94.97
host 5.42.64.35
host 5.42.64.41
host 77.232.39.164
host 91.92.243.151
host 95.214.26.17
dead_host 176.113.115.84:80
dead_host 194.49.94.97:80
dead_host 192.168.56.102:49188