Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Oct. 8, 2024, 9:45 p.m. | Oct. 8, 2024, 9:52 p.m. |
-
-
MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2124
-
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
62.204.41.150 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 62.204.41.150:80 -> 192.168.56.103:49164 | 2400005 | ET DROP Spamhaus DROP Listed Traffic Inbound group 6 | Misc Attack |
TCP 192.168.56.103:49164 -> 62.204.41.150:80 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://62.204.41.150/ | ||||||
suspicious_features | POST method with no referer header, POST method with no useragent header, Connection to IP address | suspicious_request | POST http://62.204.41.150/edd20096ecef326d.php |
request | GET http://62.204.41.150/ |
request | POST http://62.204.41.150/edd20096ecef326d.php |
request | POST http://62.204.41.150/edd20096ecef326d.php |
section | {u'size_of_data': u'0x0004e200', u'virtual_address': u'0x0002d000', u'entropy': 7.99058719352079, u'name': u'.data', u'virtual_size': u'0x0004ef80'} | entropy | 7.99058719352 | description | A section with a high entropy has been found | |||||||||
entropy | 0.634517766497 | description | Overall entropy of this PE file is high |
description | Client_SW_User_Data_Stealer | rule | Client_SW_User_Data_Stealer | ||||||
description | ftp clients info stealer | rule | infoStealer_ftpClients_Zero | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API |
host | 62.204.41.150 |