Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | March 22, 2024, 7:28 a.m. | March 22, 2024, 7:41 a.m. |
svchost.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
2532
Name | Response | Post-Analysis Lookup |
---|---|---|
shgoini.com | 107.175.229.143 | |
geoplugin.net | 178.237.33.50 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49168 -> 107.175.229.143:30902 | 2036594 | ET JA3 Hash - Remcos 3.x TLS Connection | Malware Command and Control Activity Detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.103:49168 -> 107.175.229.143:30902 | None | None | None |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://geoplugin.net/json.gp |
request | GET http://geoplugin.net/json.gp |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs |
file | C:\Users\test22\AppData\Local\directory\excel.exe |
section | name: .rsrc, size_of_data: 0x0007c200, virtual_address: 0x000c8000, virtual_size: 0x0007c084, entropy: 7.93348878421446 | entropy | 7.93348878421 | description | A section with a high entropy has been found |
entropy | 0.380459770115 | description | Overall entropy of this PE file is high |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs |
parent_process | excel.exe | martian_process | "C:\Users\test22\AppData\Local\Temp\wininit.exe" |
file | C:\Users\test22\AppData\Local\directory\excel.exe |
Lionic | Trojan.Win32.AutoIt.4!c |
Elastic | malicious (high confidence) |
Skyhigh | BehavesLike.Win32.TrojanAitInject.tc |
Cylance | unsafe |
Sangfor | Virus.Win32.Save.a |
ESET-NOD32 | a variant of Win32/Injector.Autoit.FWA |
APEX | Malicious |
McAfee | Artemis!589DDF53393F |
Kaspersky | UDS:DangerousObject.Multi.Generic |
Alibaba | Trojan:Win32/Strab.dcae1ac0 |
Rising | Trojan.Injector/Autoit!1.F5AA (CLASSIC) |
FireEye | Generic.mg.589ddf53393fe19f |
Sophos | Troj/AutoIt-DGJ |
Detected | |
Kingsoft | Win32.Troj.Unknown.a |
Gridinsoft | Ransom.Win32.Sabsik.sa |
Microsoft | Trojan:Win32/Strab.GPX!MTB |
ZoneAlarm | UDS:DangerousObject.Multi.Generic |
Varist | W32/AutoIt.IJ.gen!Eldorado |
DeepInstinct | MALICIOUS |
VBA32 | Trojan-Downloader.Autoit.gen |
Malwarebytes | Trojan.Injector.AutoIt |
SentinelOne | Static AI - Malicious PE |
MaxSecure | Trojan.Malware.300983.susgen |
Fortinet | AutoIt/Injector.AAD!tr |
CrowdStrike | win/malicious_confidence_90% (W) |