Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 8, 2024, 11:07 a.m.	July 8, 2024, 11:09 a.m.

Size	14.9MB
Type	RAR archive data, v5
MD5	`2074be740d489e298715968ed68fd122`
SHA256	`e83b773fd848f80d85e5a2e2121b4681a87bfe9e1567b62f32726a3aaba8282d`
CRC32	`63257830`
ssdeep	`393216:Blp4NRae5LtT37veosKeSI/DA2Mx+SiZFhLEo+d48+aDu:BCge5hT37veo4PPOiZLYdt+eu`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "qclfNiH" C:\Users\test22\AppData\Local\Temp\archive.rar
3052
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\archive.rar"
  2200

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.109.133
iplogger.org	A 104.21.4.208 A 172.67.132.113	172.67.132.113
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.132.72
lop.foxesjoy.com	A 172.67.159.232 A 104.21.66.124	104.21.66.124
apps.identrust.com	A 182.162.106.33 A 182.162.106.144 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.201.35.162
ipinfo.io	A 34.117.186.192	34.117.186.192
api.myip.com	A 172.67.75.163 A 104.26.9.59 A 104.26.8.59	104.26.9.59
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166
api64.ipify.org	A 173.231.16.77 A 104.237.62.213	104.237.62.213
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.133.233

IP Address	Status	Action
104.21.66.124	Active	Moloch
104.26.4.15	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch
172.67.132.113	Active	Moloch
172.67.75.163	Active	Moloch
173.231.16.77	Active	Moloch
176.111.174.109	Active	Moloch
182.162.106.144	Active	Moloch
182.162.106.33	Active	Moloch
185.199.111.133	Active	Moloch
34.117.186.192	Active	Moloch
43.153.49.49	Active	Moloch
5.42.99.177	Active	Moloch
77.105.133.27	Active	Moloch
77.91.77.80	Active	Moloch
80.78.242.100	Active	Moloch
87.240.129.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49186 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:56630 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.102:49184 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49184 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49200 -> 185.199.111.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49199 -> 185.199.111.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49184 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49199 -> 185.199.111.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49211 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49211 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49209 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49209 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49209 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49211 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49206 -> 104.21.66.124:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49216 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49216 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.21.66.124:80 -> 192.168.56.102:49206	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49208 -> 104.21.66.124:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49216 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 104.21.66.124:80 -> 192.168.56.102:49208	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
UDP 192.168.56.102:51903 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 104.21.66.124:80 -> 192.168.56.102:49218	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49225 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49225 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49198 -> 185.199.111.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49225 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49198 -> 185.199.111.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49212 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49212 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49226 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49212 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49226 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49226 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49202 -> 185.199.111.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 176.111.174.109:80 -> 192.168.56.102:49194	2400029	ET DROP Spamhaus DROP Listed Traffic Inbound group 30	Misc Attack
TCP 192.168.56.102:49210 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49210 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49210 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49196 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49196 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 80.78.242.100:80 -> 192.168.56.102:49193	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
TCP 192.168.56.102:49233 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49233 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49207 -> 43.153.49.49:8888	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49217 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49217 -> 162.159.135.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49217 -> 162.159.135.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49197 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49197 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 43.153.49.49:8888 -> 192.168.56.102:49207	2014819	ET INFO Packed Executable Download	Misc activity
TCP 80.78.242.100:80 -> 192.168.56.102:49192	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
TCP 192.168.56.102:49179 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49179 -> 172.67.75.163:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 172.67.75.163:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.102:49222 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49222 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49229 -> 104.21.66.124:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 176.111.174.109:80 -> 192.168.56.102:49194	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.111.174.109:80 -> 192.168.56.102:49194	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49236 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 176.111.174.109:80 -> 192.168.56.102:49194	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49221 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49221 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 43.153.49.49:8888 -> 192.168.56.102:49207	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 43.153.49.49:8888 -> 192.168.56.102:49207	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 43.153.49.49:8888 -> 192.168.56.102:49207	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 77.105.133.27:80 -> 192.168.56.102:49191	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.105.133.27:80 -> 192.168.56.102:49191	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 77.105.133.27:80 -> 192.168.56.102:49191	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.102:49181 -> 173.231.16.77:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.102:49181 -> 173.231.16.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49181 -> 173.231.16.77:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.102:49181 -> 173.231.16.77:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 173.231.16.77:443 -> 192.168.56.102:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49203 -> 185.199.111.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49195 -> 43.153.49.49:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 77.105.133.27:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49190 -> 77.105.133.27:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49235 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 77.105.133.27:80 -> 192.168.56.102:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.105.133.27:80 -> 192.168.56.102:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49230 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49230 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49232 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49231 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49239 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49239 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49240 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49241 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49242 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49244 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49248 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.129.133:80 -> 192.168.56.102:49248	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49250 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49249 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49249 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49251 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49251 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49254 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49254 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49245 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49247 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49247 -> 87.240.129.133:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49246 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49260 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49253 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.102:49256 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49263 -> 172.67.132.113:443	2035949	ET POLICY IP Check Domain (iplogger .org in TLS SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49263 -> 172.67.132.113:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.102:58521 -> 164.124.101.2:53	2035948	ET POLICY IP Check Domain (iplogger .org in DNS Lookup)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49257 -> 87.240.129.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49258 -> 87.240.129.133:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 80.78.242.100:80 -> 192.168.56.102:49192	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity
TCP 80.78.242.100:80 -> 192.168.56.102:49193	2049228	ET HUNTING Redirect to Discord Attachment Download	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49186 104.26.4.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25
TLSv1 192.168.56.102:49179 172.67.75.163:443	C=US, O=Let's Encrypt, CN=R3	CN=myip.com	87:d2:90:92:b6:6a:56:3c:25:f1:ae:56:52:d9:2b:ac:16:44:bb:bc
TLSv1 192.168.56.102:49229 104.21.66.124:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=foxesjoy.com	98:61:17:75:9f:9b:34:ec:5e:dd:5b:36:49:5e:1b:7d:2d:22:18:22
TLSv1 192.168.56.102:49240 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.102:49244 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.102:49245 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.102:49246 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.102:49260 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.102:49256 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.102:49263 172.67.132.113:443	C=US, O=Let's Encrypt, CN=E1	CN=iplogger.org	d8:ec:fc:e7:1f:4d:3a:fd:89:ef:f1:f1:1a:93:1b:94:db:b5:87:ec
TLSv1 192.168.56.102:49257 87.240.129.133:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2024, 11:07 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2024, 11:07 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.99.177/api/crazyfish.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://5.42.99.177/api/twofish.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.105.133.27/download/123p.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.105.133.27/download/th/space.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://80.78.242.100/d/385132
suspicious_features	Connection to IP address	suspicious_request	HEAD http://80.78.242.100/d/525403
suspicious_features	Connection to IP address	suspicious_request	HEAD http://176.111.174.109/psyzh
suspicious_features	Connection to IP address	suspicious_request	HEAD http://43.153.49.49:8888/down/0GPThy6iSZBT.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://80.78.242.100/d/525403
suspicious_features	Connection to IP address	suspicious_request	GET http://77.105.133.27/download/123p.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://176.111.174.109/psyzh
suspicious_features	Connection to IP address	suspicious_request	GET http://77.105.133.27/download/th/space.php
suspicious_features	Connection to IP address	suspicious_request	GET http://80.78.242.100/d/385132

Performs some HTTP requests (16 events)

request	GET http://5.42.99.177/api/crazyfish.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	POST http://5.42.99.177/api/twofish.php
request	HEAD http://77.105.133.27/download/123p.exe
request	HEAD http://77.105.133.27/download/th/space.php
request	HEAD http://80.78.242.100/d/385132
request	HEAD http://80.78.242.100/d/525403
request	HEAD http://176.111.174.109/psyzh
request	HEAD http://43.153.49.49:8888/down/0GPThy6iSZBT.exe
request	GET http://80.78.242.100/d/525403
request	GET http://77.105.133.27/download/123p.exe
request	GET http://176.111.174.109/psyzh
request	GET http://77.105.133.27/download/th/space.php
request	GET http://80.78.242.100/d/385132
request	GET https://db-ip.com/demo/home.php?s=
request	GET https://lop.foxesjoy.com/ssl/crt.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://5.42.99.177/api/twofish.php

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2024, 11:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74002000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 8, 2024, 11:07 a.m.	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e3000 process_handle: 0xffffffff	1	0	0

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (17 events)

file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\setup.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (12) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\ResIL.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (11) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (6).exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\vivoxsdk.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (7) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (8) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (13) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (6) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (5).exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (2) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (10) — копия.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\libGLESv2.dll
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (7).exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\res_mods\1.23.0.0\scripts\client\gui\mods\7zA.exe
file	C:\Users\test22\AppData\Local\Temp\7zE8985C7A1\update\Uninstall\unins000 — копия (9) — копия.exe

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 8, 2024, 11:07 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0
LookupPrivilegeValueW July 8, 2024, 11:07 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Run a KeyLogger	rule	KeyLogger

Communicates with host for which no DNS query was performed (6 events)

host	176.111.174.109
host	43.153.49.49
host	5.42.99.177
host	77.105.133.27
host	77.91.77.80
host	80.78.242.100

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

77.91.77.80:80

archive.rar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All