Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | June 14, 2024, 9:17 a.m. | June 14, 2024, 9:19 a.m. |
-
WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\bin1.doc
2100
IP Address | Status | Action |
---|---|---|
104.21.68.117 | Active | Moloch |
149.88.71.203 | Active | Moloch |
162.0.238.43 | Active | Moloch |
164.124.101.2 | Active | Moloch |
172.66.44.73 | Active | Moloch |
172.67.134.136 | Active | Moloch |
198.54.117.242 | Active | Moloch |
35.212.60.56 | Active | Moloch |
45.33.6.223 | Active | Moloch |
47.239.13.172 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.103:64894 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
TCP 192.168.56.103:49163 -> 172.67.134.136:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49185 -> 35.212.60.56:80 | 2221033 | SURICATA HTTP Request abnormal Content-Encoding header | Generic Protocol Command Decode |
TCP 192.168.56.103:49184 -> 35.212.60.56:80 | 2221033 | SURICATA HTTP Request abnormal Content-Encoding header | Generic Protocol Command Decode |
TCP 198.54.117.242:80 -> 192.168.56.103:49178 | 2527002 | ET Threatview.io High Confidence Cobalt Strike C2 IP group 3 | Misc Attack |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49163 172.67.134.136:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=dukeenergyltd.top | dc:d1:cd:ef:25:8a:f4:08:21:69:c1:4e:19:c4:d8:e3:67:23:ee:f6 |
file | C:\Users\test22\AppData\Local\Temp\~$bin1.doc |
filetype_details | Rich Text Format data, version 1, unknown character set | filename | bin1.doc |
Lionic | Trojan.MSOffice.CVE-2018-0802.3!c |
Cynet | Malicious (score: 99) |
CAT-QuickHeal | Exp.RTF.Obfus.Gen |
Skyhigh | BehavesLike.Trojan.hx |
ALYac | Exploit.CVE-2018-0802.Gen |
VIPRE | Exploit.CVE-2018-0802.Gen |
Sangfor | Malware.Generic-RTF.Save.7ed7ea68 |
Symantec | Exp.CVE-2017-11882!g6 |
McAfee | RTFObfustream.c!AB6398C625D0 |
Avast | RTF:Obfuscated-gen [Trj] |
Kaspersky | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
BitDefender | Exploit.CVE-2018-0802.Gen |
MicroWorld-eScan | Exploit.CVE-2018-0802.Gen |
Rising | Exploit.Generic!1.EB5C (CLASSIC) |
Emsisoft | Exploit.CVE-2018-0802.Gen (B) |
F-Secure | Trojan.TR/AVF.Obfuscated.nbtos |
DrWeb | Exploit.CVE-2018-0798.4 |
TrendMicro | HEUR_RTFMALFORM |
FireEye | Exploit.CVE-2018-0802.Gen |
Ikarus | Exploit.CVE-2018-0802 |
Detected | |
Avira | TR/AVF.Obfuscated.nbtos |
Kingsoft | Win32.Infected.AutoInfector.a |
Arcabit | Exploit.CVE-2018-0802.Gen |
ZoneAlarm | HEUR:Exploit.MSOffice.CVE-2018-0802.gen |
GData | Exploit.CVE-2018-0802.Gen |
Varist | RTF/ABRisk.AQCU-8 |
AhnLab-V3 | OLE/Cve-2018-0798.Gen |
Zoner | Probably Heur.RTFObfuscation |
MAX | malware (ai score=88) |
Fortinet | MSOffice/CVE_2018_0798.BOR!exploit |
AVG | RTF:Obfuscated-gen [Trj] |