Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Aug. 30, 2024, 6:07 p.m. | Aug. 30, 2024, 6:11 p.m. |
Name | Response | Post-Analysis Lookup |
---|---|---|
bakad.qqfarmer.com.cn | 116.255.160.63 | |
images.qqfarmer.com.cn | 61.160.192.103 | |
down.qqfarmer.com.cn | 180.101.203.232 | |
ad.qqfarmer.com.cn | 8.210.224.3 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 58.218.215.167:80 -> 192.168.56.103:49170 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 58.218.215.167:80 -> 192.168.56.103:49176 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
Suricata TLS
No Suricata TLS
Static Analysis
Field | Value |
---|---|
section | CODE |
section | DATA |
section | BSS |
section | .help |
section | .adata |
packer | ASPack v2.12 -> Alexey Solodovnikov |
resource name | BIN |
Suspicious Requests
Suspicious Feature | Request |
---|---|
POST method with no referer header | POST http://ad.qqfarmer.com.cn/login.php?id=p&r=0.368447953602299 |
POST method with no referer header | POST http://ad.qqfarmer.com.cn/login.php?id=v&r=0.494936139322817 |
POST method with no referer header | POST http://ad.qqfarmer.com.cn/login.php?id=n&r=0.480842764023691 |
POST method with no referer header | POST http://ad.qqfarmer.com.cn/login.php?id=l&r=0.560313974739984 |
POST method with no referer header | POST http://ad.qqfarmer.com.cn/login.php?id=x&r=0.44646016205661 |
HTTP Requests
Method | URL |
---|---|
POST | http://ad.qqfarmer.com.cn/login.php?id=p&r=0.368447953602299 |
POST | http://ad.qqfarmer.com.cn/login.php?id=v&r=0.494936139322817 |
POST | http://ad.qqfarmer.com.cn/login.php?id=n&r=0.480842764023691 |
POST | http://ad.qqfarmer.com.cn/login.php?id=l&r=0.560313974739984 |
POST | http://ad.qqfarmer.com.cn/login.php?id=x&r=0.44646016205661 |
GET | http://down.qqfarmer.com.cn/libeay32_0626_5f86d65a1686e6bb031048d04bb3fe04.xml?r=0.313291363418102 |
GET | http://images.qqfarmer.com.cn/504486-20170712112840415-1890262410.gif |
GET | http://images.qqfarmer.com.cn/504486-20162218235650745-1529273276.gif |
GET | http://images.qqfarmer.com.cn/hongbao_nav.gif |
GET | http://images.qqfarmer.com.cn/504486-20161218235650745-1529273276.gif |
GET | http://down.qqfarmer.com.cn/ssleay32_0626_e503921a6061251302cb45772cb75f42.xml?r=0.329597188392654 |
GET | http://ad.qqfarmer.com.cn/xml/encrypt.js?r=0.952554038958624 |
Resources
Name | Language | Sublanguage | Filetype | Offset | Size |
---|---|---|---|---|---|
BIN | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | DOS executable (COM, 0x8C-variant) | 0x003f24e8 | 0x00000083 |
RT_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | GLS_BINARY_LSB_FIRST | 0x00564a54 | 0x00000468 |
RT_GROUP_ICON | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x00564a14 | 0x0000003e |
RT_VERSION | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0056471c | 0x000002f8 |
RT_MANIFEST | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | XML 1.0 document, ASCII text, with CRLF line terminators | 0x0056442c | 0x000002f0 |
High-Entropy Sections
Section | Virtual Address | Virtual Size | Size of Data | Entropy | Description |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x00370000 | 0x00117c00 | 7.999794693402083 | A section with a high entropy has been found |
DATA | 0x00371000 | 0x00013000 | 0x00006600 | 7.990947559617213 | A section with a high entropy has been found |
.idata | 0x0038a000 | 0x00004000 | 0x00001400 | 7.718748824639476 | A section with a high entropy has been found |
.rsrc | 0x003c3000 | 0x001a0000 | 0x0009f200 | 7.982380591543004 | A section with a high entropy has been found |
Overall PE file | | | | 0.949494949495 | Overall entropy of this PE file is high |
Antivirus Detections
Engine | Detection |
---|---|
Bkav | W32.AIDetectMalware |
Elastic | malicious (moderate confidence) |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
McAfeeD | ti!4F91F9C5D3BA |
Microsoft | Program:Win32/Wacapew.C!ml |
AhnLab-V3 | Unwanted/Win32.HackTool.R119402 |
BitDefenderTheta | Gen:NN.ZelphiF.36812.1P0ba4GDPTaR |
DeepInstinct | MALICIOUS |
VBA32 | BScope.Trojan.Click |
Malwarebytes | Generic.Malware.AI.DDS |
Paloalto | generic.ml |
CrowdStrike | win/grayware_confidence_100% (D) |