Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | Sept. 20, 2024, 10:34 a.m. | Sept. 20, 2024, 10:36 a.m. |
svchost.exe "C:\Users\test22\AppData\Local\Temp\PO-LIST.exe"
2104
Name | Response | Post-Analysis Lookup |
---|---|---|
geoplugin.net | 178.237.33.50 | |
nzobaku.ddns.net | 45.138.16.248 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.102:63709 -> 164.124.101.2:53 | 2028675 | ET POLICY DNS Query to DynDNS Domain *.ddns .net | Potentially Bad Traffic |
TCP 192.168.56.102:49164 -> 45.138.16.248:8081 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | Malware Command and Control Activity Detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.3 192.168.56.102:49164 -> 45.138.16.248:8081 | None | None | None |
Signatures
Key | Value |
---|---|
suspicious_features | GET method with no useragent header |
suspicious_request | GET http://geoplugin.net/json.gp |
domain | nzobaku.ddns.net |
request | GET http://geoplugin.net/json.gp |
description | svchost.exe tried to sleep 344 seconds, actually delayed analysis time by 344 seconds |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs |
file | C:\Users\test22\AppData\Local\directory\name.exe |
file | C:\Users\test22\AppData\Local\directory\name.exe |
file | C:\Users\test22\AppData\Local\directory\name.exe |
section | .rsrc (virtual_address 0x000d4000, virtual_size 0x00129434, size_of_data 0x00129600) |
entropy | 7.98342214418379 |
description | A section with a high entropy has been found |
entropy | 0.581094284319 |
description | Overall entropy of this PE file is high |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs |
Antivirus
Antivirus | Result |
---|---|
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win64.Injects.ts93 |
Cynet | Malicious (score: 100) |
Skyhigh | BehavesLike.Win32.TrojanAitInject.vc |
ALYac | AIT:Trojan.Nymeria.6323 |
Cylance | Unsafe |
VIPRE | AIT:Trojan.Nymeria.6323 |
Sangfor | Trojan.Win32.Autoit.Vgvj |
CrowdStrike | win/malicious_confidence_70% (D) |
BitDefender | Trojan.Generic.36766592 |
K7GW | Trojan ( 005ba79e1 ) |
K7AntiVirus | Trojan ( 005ba79e1 ) |
Arcabit | Trojan.Generic.D2310380 |
Symantec | ML.Attribute.HighConfidence |
Elastic | malicious (high confidence) |
ESET-NOD32 | a variant of Win32/Injector.Autoit.GJP |
Avast | Win32:Malware-gen |
Kaspersky | HEUR:Trojan.Script.Generic |
Alibaba | Trojan:Win32/Autoitinject.9e6f94a5 |
MicroWorld-eScan | Trojan.Generic.36766592 |
Rising | Trojan.Injector/Autoit!1.10326 (CLASSIC) |
Emsisoft | Trojan.Generic.36766592 (B) |
F-Secure | Dropper.DR/AutoIt.Gen8 |
TrendMicro | Backdoor.Win32.REMCOS.YXEIRZ |
McAfeeD | Real Protect-LS!E21B8AB72125 |
CTX | exe.trojan.autoit |
Sophos | Mal/Generic-S |
FireEye | Generic.mg.e21b8ab721253a90 |
Webroot | W32.Trojan.Script |
Avira | DR/AutoIt.Gen8 |
Kingsoft | Script.Trojan.Generic.a |
Gridinsoft | Ransom.Win32.Wacatac.sa |
Microsoft | Backdoor:MSIL/XWormRAT.PDAJ!MTB |
GData | Trojan.Generic.36766592 |
McAfee | Artemis!E21B8AB72125 |
DeepInstinct | MALICIOUS |
Malwarebytes | Spyware.PasswordStealer |
Ikarus | Trojan.Autoit |
Panda | Trj/CI.A |
TrendMicro-HouseCall | Backdoor.Win32.REMCOS.YXEIRZ |
Tencent | Script.Trojan.Generic.Ozfl |
MaxSecure | Trojan.Malware.300983.susgen |
Fortinet | AutoIt/Agent.OM!tr |
AVG | Win32:Malware-gen |
Paloalto | generic.ml |