Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 11, 2023, 2:19 p.m.	Dec. 11, 2023, 2:21 p.m.

Size	9.5MB
Type	RAR archive data, v5
MD5	`a64249c49fd7686653154060beaa68dc`
SHA256	`c3c3259c0632e2ad6260d505378b9d23a995df2260f5a48f6fbd572ca3c9be58`
CRC32	`3BC37FE2`
ssdeep	`196608:nQEim0Uq0gdPyIAjsvIuxwypgiICFY9R1voPuJlNTdIxuEHeHxCH:nLim0Uq/YjxO9qFAY93cuJl3IxJHeHxI`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "KrmVnVmOkst" C:\Users\test22\AppData\Local\Temp\release_ver9.rar
3024
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\release_ver9.rar"
  2188

Name	Response	Post-Analysis Lookup
medfioytrkdkcodlskeej.net	A 91.215.85.209	91.215.85.209
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.67 A 87.240.137.164 A 93.186.225.194 A 87.240.132.78	87.240.132.72
iplogger.org	A 104.21.4.208 A 172.67.132.113	172.67.132.113
apps.identrust.com	CNAME a1952.dscq.akamai.net A 23.43.165.105 CNAME identrust.edgesuite.net A 23.43.165.66	23.67.53.17
ipinfo.io	A 34.117.59.81	34.117.59.81
ioiouoiuououiyjgroup.sbs	A 104.21.37.196 A 172.67.212.175	172.67.212.175
never.hitsturbo.com	A 104.21.46.59 A 172.67.168.30	172.67.168.30
iplis.ru	A 104.21.63.150 A 172.67.147.32	104.21.63.150
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.8.59

IP Address	Status	Action
104.21.37.196	Active	Moloch
104.21.46.59	Active	Moloch
104.21.63.150	Active	Moloch
104.26.5.15	Active	Moloch
104.26.9.59	Active	Moloch
109.107.182.3	Active	Moloch
164.124.101.2	Active	Moloch
172.67.132.113	Active	Moloch
185.216.70.235	Active	Moloch
193.233.132.34	Active	Moloch
193.233.132.51	Active	Moloch
194.49.94.97	Active	Moloch
195.20.16.45	Active	Moloch
23.43.165.105	Active	Moloch
34.117.59.81	Active	Moloch
5.42.64.35	Active	Moloch
5.42.64.41	Active	Moloch
87.240.132.67	Active	Moloch
87.240.132.72	Active	Moloch
91.215.85.209	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49181 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49181 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49177 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49177 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49184 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49185 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:443 -> 192.168.56.102:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 87.240.132.67:80 -> 192.168.56.102:49182	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49192 -> 5.42.64.35:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49195 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49195 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 5.42.64.35:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49194 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 5.42.64.35:80 -> 192.168.56.102:49192	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.102:49194 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49199 -> 91.215.85.209:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49202 -> 104.21.37.196:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:80 -> 192.168.56.102:49199	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49176 -> 195.20.16.45:80	2045779	ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)	Malware Command and Control Activity Detected
TCP 5.42.64.35:80 -> 192.168.56.102:49192	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.64.35:80 -> 192.168.56.102:49192	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49203 -> 91.215.85.209:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 109.107.182.3:80 -> 192.168.56.102:49194	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.102:49194	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49180 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49190 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49190 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49196 -> 104.21.37.196:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.37.196:80 -> 192.168.56.102:49196	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49198 -> 104.21.37.196:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49189 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 104.21.37.196:80 -> 192.168.56.102:49198	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49189 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49197 -> 104.21.46.59:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 104.21.37.196:80 -> 192.168.56.102:49200	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 104.21.46.59:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 104.21.46.59:80 -> 192.168.56.102:49197	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 104.21.46.59:80 -> 192.168.56.102:49197	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49207 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49207 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49206 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49209 -> 91.215.85.209:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49208 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49208 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 91.215.85.209:443 -> 192.168.56.102:49211	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 87.240.132.67:80 -> 192.168.56.102:49212	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49210 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49216 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49216 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49193 -> 193.233.132.34:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 87.240.132.67:80 -> 192.168.56.102:49218	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49226 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49226 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.34:80 -> 192.168.56.102:49193	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected
TCP 87.240.132.67:443 -> 192.168.56.102:49222	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49223 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.67:443 -> 192.168.56.102:49228	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49256 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49237 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49227 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49227 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49239 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49193 -> 193.233.132.34:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49253 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49253 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49280 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49280 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49261 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49261 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49263 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49263 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49283 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49269 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49293 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49230 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49279 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49225 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49231 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:60523 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49238 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49238 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49243 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49275 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49265 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49275 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49286 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49272 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49285 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49278 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:80 -> 192.168.56.102:49278	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49288 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:443 -> 192.168.56.102:49287	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49281 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:443 -> 192.168.56.102:49291	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49282 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 87.240.132.72:443 -> 192.168.56.102:49295	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 193.233.132.51:50500 -> 192.168.56.102:49301	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49305 -> 104.21.63.150:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49306 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49306 -> 34.117.59.81:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49301 -> 193.233.132.51:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.102:49306 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.51:50500 -> 192.168.56.102:49301	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49306 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.34:80 -> 192.168.56.102:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.132.34:80 -> 192.168.56.102:49193	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 193.233.132.34:80 -> 192.168.56.102:49193	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 193.233.132.34:80 -> 192.168.56.102:49193	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49301 -> 193.233.132.51:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49301 -> 193.233.132.51:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	Malware Command and Control Activity Detected
TCP 193.233.132.34:80 -> 192.168.56.102:49193	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 87.240.132.72:443 -> 192.168.56.102:49248	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49254 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49254 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49255 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49255 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49260 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49260 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49262 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49262 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49264 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49267 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:443 -> 192.168.56.102:49271	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49274 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49274 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:443 -> 192.168.56.102:49298	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49308 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.102:49309 -> 172.67.132.113:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49309 -> 172.67.132.113:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 5.42.64.41:80 -> 192.168.56.102:49303	2044245	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config	Malware Command and Control Activity Detected
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 5.42.64.41:80 -> 192.168.56.102:49303	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	Malware Command and Control Activity Detected
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 5.42.64.41:80 -> 192.168.56.102:49303	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.64.41:80 -> 192.168.56.102:49303	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49217 -> 87.240.132.67:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49217 -> 87.240.132.67:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49220 -> 87.240.132.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 87.240.132.72:443 -> 192.168.56.102:49242	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49246 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:443 -> 192.168.56.102:49249	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49251 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49251 -> 87.240.132.72:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49257 -> 87.240.132.72:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49270 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.72:80 -> 192.168.56.102:49276	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 87.240.132.72:443 -> 192.168.56.102:49289	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49296 -> 87.240.132.72:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49303 -> 5.42.64.41:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.102:49306 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49178 -> 34.117.59.81:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49177 104.26.9.59:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	92:b4:ed:98:67:d9:db:8a:1e:bd:0e:fe:7f:22:45:e9:79:b5:78:65
TLSv1 192.168.56.102:49202 104.21.37.196:443	C=US, O=Let's Encrypt, CN=E1	CN=ioiouoiuououiyjgroup.sbs	69:14:e0:4f:aa:e6:f1:e1:6f:18:48:7e:74:8a:c3:2a:f0:2e:53:a4
TLSv1 192.168.56.102:49305 104.21.63.150:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=iplis.ru	04:2b:ef:ab:43:60:60:33:69:03:f3:51:37:11:c8:29:26:89:a4:93
TLSv1 192.168.56.102:49308 104.26.5.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.102:49309 172.67.132.113:443	C=US, O=Let's Encrypt, CN=E1	CN=iplogger.org	1e:76:b5:78:be:35:ec:fb:3f:26:d0:5f:1c:2a:2d:33:0e:51:6f:7e

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 11, 2023, 2:19 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 11, 2023, 2:19 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (16 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://195.20.16.45/api/tracemap.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://195.20.16.45/api/firegate.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://5.42.64.35/timeSync.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://193.233.132.34/autorun.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/moda/good.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.64.35/timeSync.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/moda/good.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://193.233.132.34/autorun.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://5.42.64.41/40d570f44e84a454.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll

Performs some HTTP requests (23 events)

request	GET http://195.20.16.45/api/tracemap.php
request	POST http://195.20.16.45/api/firegate.php
request	HEAD http://5.42.64.35/timeSync.exe
request	HEAD http://193.233.132.34/autorun.exe
request	HEAD http://109.107.182.3/moda/good.exe
request	HEAD http://never.hitsturbo.com/order/tuc6.exe
request	GET http://5.42.64.35/timeSync.exe
request	GET http://109.107.182.3/moda/good.exe
request	GET http://never.hitsturbo.com/order/tuc6.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://193.233.132.34/autorun.exe
request	POST http://5.42.64.41/40d570f44e84a454.php
request	GET http://5.42.64.41/2a7743b8bbd7e4a7/sqlite3.dll
request	GET http://5.42.64.41/2a7743b8bbd7e4a7/freebl3.dll
request	GET http://5.42.64.41/2a7743b8bbd7e4a7/mozglue.dll
request	GET http://5.42.64.41/2a7743b8bbd7e4a7/msvcp140.dll
request	GET http://5.42.64.41/2a7743b8bbd7e4a7/nss3.dll
request	GET http://5.42.64.41/2a7743b8bbd7e4a7/softokn3.dll
request	GET http://5.42.64.41/2a7743b8bbd7e4a7/vcruntime140.dll
request	GET https://api.myip.com/
request	GET https://IOIOUOIUOUOUIYJGROUP.SBS/setup294.exe
request	GET https://iplis.ru/1Gemv7.mp3
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152

Sends data using the HTTP POST Method (2 events)

request	POST http://195.20.16.45/api/firegate.php
request	POST http://5.42.64.41/40d570f44e84a454.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

iplis.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 11, 2023, 2:19 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Dec. 11, 2023, 2:19 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\7zEC882990D\File.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 11, 2023, 2:19 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW Dec. 11, 2023, 2:19 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (8 events)

host	109.107.182.3
host	185.216.70.235
host	193.233.132.34
host	193.233.132.51
host	194.49.94.97
host	195.20.16.45
host	5.42.64.35
host	5.42.64.41

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

194.49.94.97:80

release_ver9.rar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All