Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 9, 2021, 4:34 p.m. | March 9, 2021, 4:36 p.m. |
winlog.exe "C:\Users\test22\AppData\Local\Temp\winlog.exe"
2208
Suricata Alerts
Suricata TLS
No Suricata TLS
section | .ndata |
Suspicious feature | Suspicious request |
---|---|
GET method with no useragent header | GET http://www.whatsbanking.com/smd0/?iB9=Rtx4AnT4DdcL+dY/LPBlAgSoR5YMmpASIHwDekHrgZTiAuGnJvUi6HQFLgay33zoKjNu1vEV&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.hikayemedya.com/smd0/?iB9=GOmwBBTkN+4Rw04hXmNjyqcLvSsgQS1p0LkYyDLRUFzBiGCdWpAuZHWozxzGfk8WgE6AjVgS&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.rumahmadu99.info/smd0/?iB9=qXoP2RJMRCK3rW0hAwFrIYdpt1xkmYbp86QG06cgF5ncbymE6n6Kkxf/5QZ0ZXcPUmBC0xPI&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.blackloveapparel2020.com/smd0/?iB9=s9r6Qr8S14mPNw4ooaw5kH2N4QA0oAVuuu/NxF5g2JYmdYQ2R4m2GUq1St/vlb0vu+FYFIJJ&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.classtoshop.com/smd0/?iB9=5Rb+8ZQiDHH9+wx5aTS1K3PV2fWUECtpeZ/oSRZRwjBFbHfVn6G5RVWQmMoEAHPAbEtvMSSQ&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.anaffordablehand.com/smd0/?iB9=inuBuTf/fLTP6L8UweQf9uXa+UJ2K3Fk/5bm1vZWmg2qzrg50JfTOYaWcZugy5BpBq8XsNUF&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.sachatco.com/smd0/?iB9=woMX8F4wNCY7+Wt/mmlnHE6MJ6944slQEs6ArHb+iOC3qKS/a+htGY+rbiHJ1p2k9yZYILjh&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.scamregister.net/smd0/?iB9=UaLR7GyefzIhysespKehGuNFZB+29zKaMEIqWZbX3h2mogJjrxRZ2Dgp7JHKMVqkIoRVOLgT&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.slimproxy.com/smd0/?iB9=iWbSppuimIyokxW1eiLPfphhgkQ2SXNm4uFFvKUmx027aKARaNW+pS+X1lPGoZDgWan1yHBu&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.stellarbookkeeping.com/smd0/?iB9=qKAvPN8GRxjTUGbYok3GF23v8sJH4WnOStud3UluPKIdHj57CTp5vYr2EhhgUd0soBU4s7dW&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.legendaryrelics.com/smd0/?iB9=rIQCq794CnyDwVjSH4p0QAmLdr9zq7aGG5gebZ71dN2N3Nii+D18DFv7mSLHtqRqif8E9GPL&lH18=VTRPbxNpZJSHZD |
GET method with no useragent header | GET http://www.yzhxnhcl.com/smd0/?iB9=k3TllRAvr5OtQUY+nMpSaqyzbjiURRVW/k5VwoEAlmeua29KJafZx4NoeuinLMD5CPQd2de0&lH18=VTRPbxNpZJSHZD |
request | POST http://www.whatsbanking.com/smd0/ |
request | GET http://www.whatsbanking.com/smd0/?iB9=Rtx4AnT4DdcL+dY/LPBlAgSoR5YMmpASIHwDekHrgZTiAuGnJvUi6HQFLgay33zoKjNu1vEV&lH18=VTRPbxNpZJSHZD |
request | POST http://www.hikayemedya.com/smd0/ |
request | GET http://www.hikayemedya.com/smd0/?iB9=GOmwBBTkN+4Rw04hXmNjyqcLvSsgQS1p0LkYyDLRUFzBiGCdWpAuZHWozxzGfk8WgE6AjVgS&lH18=VTRPbxNpZJSHZD |
request | POST http://www.rumahmadu99.info/smd0/ |
request | GET http://www.rumahmadu99.info/smd0/?iB9=qXoP2RJMRCK3rW0hAwFrIYdpt1xkmYbp86QG06cgF5ncbymE6n6Kkxf/5QZ0ZXcPUmBC0xPI&lH18=VTRPbxNpZJSHZD |
request | POST http://www.blackloveapparel2020.com/smd0/ |
request | GET http://www.blackloveapparel2020.com/smd0/?iB9=s9r6Qr8S14mPNw4ooaw5kH2N4QA0oAVuuu/NxF5g2JYmdYQ2R4m2GUq1St/vlb0vu+FYFIJJ&lH18=VTRPbxNpZJSHZD |
request | POST http://www.classtoshop.com/smd0/ |
request | GET http://www.classtoshop.com/smd0/?iB9=5Rb+8ZQiDHH9+wx5aTS1K3PV2fWUECtpeZ/oSRZRwjBFbHfVn6G5RVWQmMoEAHPAbEtvMSSQ&lH18=VTRPbxNpZJSHZD |
request | POST http://www.anaffordablehand.com/smd0/ |
request | GET http://www.anaffordablehand.com/smd0/?iB9=inuBuTf/fLTP6L8UweQf9uXa+UJ2K3Fk/5bm1vZWmg2qzrg50JfTOYaWcZugy5BpBq8XsNUF&lH18=VTRPbxNpZJSHZD |
request | POST http://www.sachatco.com/smd0/ |
request | GET http://www.sachatco.com/smd0/?iB9=woMX8F4wNCY7+Wt/mmlnHE6MJ6944slQEs6ArHb+iOC3qKS/a+htGY+rbiHJ1p2k9yZYILjh&lH18=VTRPbxNpZJSHZD |
request | POST http://www.scamregister.net/smd0/ |
request | GET http://www.scamregister.net/smd0/?iB9=UaLR7GyefzIhysespKehGuNFZB+29zKaMEIqWZbX3h2mogJjrxRZ2Dgp7JHKMVqkIoRVOLgT&lH18=VTRPbxNpZJSHZD |
request | POST http://www.slimproxy.com/smd0/ |
request | GET http://www.slimproxy.com/smd0/?iB9=iWbSppuimIyokxW1eiLPfphhgkQ2SXNm4uFFvKUmx027aKARaNW+pS+X1lPGoZDgWan1yHBu&lH18=VTRPbxNpZJSHZD |
request | POST http://www.stellarbookkeeping.com/smd0/ |
request | GET http://www.stellarbookkeeping.com/smd0/?iB9=qKAvPN8GRxjTUGbYok3GF23v8sJH4WnOStud3UluPKIdHj57CTp5vYr2EhhgUd0soBU4s7dW&lH18=VTRPbxNpZJSHZD |
request | POST http://www.legendaryrelics.com/smd0/ |
request | GET http://www.legendaryrelics.com/smd0/?iB9=rIQCq794CnyDwVjSH4p0QAmLdr9zq7aGG5gebZ71dN2N3Nii+D18DFv7mSLHtqRqif8E9GPL&lH18=VTRPbxNpZJSHZD |
request | POST http://www.yzhxnhcl.com/smd0/ |
request | GET http://www.yzhxnhcl.com/smd0/?iB9=k3TllRAvr5OtQUY+nMpSaqyzbjiURRVW/k5VwoEAlmeua29KJafZx4NoeuinLMD5CPQd2de0&lH18=VTRPbxNpZJSHZD |
file | C:\Users\test22\AppData\Local\Temp\nsy6377.tmp\ymvkl8s8.dll |
url | http://nsis.sf.net/NSIS_Error |
Description | Rule |
---|---|
Code injection with CreateRemoteThread in a remote process | inject_thread |
Create a windows service | create_service |
Create a COM server | create_com_service |
Communications over UDP network | network_udp_sock |
Listen for incoming communication | network_tcp_listen |
Communications over P2P network | network_p2p_win |
Communications over HTTP | network_http |
File downloader/dropper | network_dropper |
Communications over FTP | network_ftp |
Communications over RAW socket | network_tcp_socket |
Communications use DNS | network_dns |
Communication using dga | network_dga |
Escalade priviledges | escalate_priv |
Take screenshot | screenshot |
Run a keylogger | keylogger |
Steal credential | cred_local |
Record Audio | sniff_audio |
APC queue tasks migration | migrate_apc |
Malware can spread east-west file | spreading_file |
Malware can spread east-west using share drive | spreading_share |
Create or check mutex | win_mutex |
Affect system registries | win_registry |
Affect system token | win_token |
Affect private profile | win_private_profile |
Affect private profile | win_files_operation |
Match Winsock 2 API library declaration | Str_Win32_Winsock2_Library |
Match Windows Inet API library declaration | Str_Win32_Wininet_Library |
Match Windows Inet API call | Str_Win32_Internet_API |
Match Windows Http API call | Str_Win32_Http_API |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerCheck__RemoteAPI |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | DebuggerException__ConsoleCtrl |
(no description) | DebuggerException__SetConsoleCtrl |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
(no description) | Check_Dlls |
Checks if being debugged | anti_dbg |
Anti-Sandbox checks for ThreatExpert | antisb_threatExpert |
Bypass DEP | disable_dep |
Affect hook table | win_hook |
Engine | Detection |
---|---|
Bkav | W32.AIDetect.malware2 |
MicroWorld-eScan | Gen:Variant.Barys.102245 |
FireEye | Generic.mg.b70b9db72b2ca57b |
McAfee | Artemis!B70B9DB72B2C |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | Riskware ( 0040eff71 ) |
K7GW | Riskware ( 0040eff71 ) |
CrowdStrike | win/malicious_confidence_60% (W) |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
Paloalto | generic.ml |
Kaspersky | UDS:DangerousObject.Multi.Generic |
BitDefender | Gen:Variant.Barys.102245 |
Avast | FileRepMalware |
Ad-Aware | Gen:Variant.Barys.102245 |
Sophos | ML/PE-A |
McAfee-GW-Edition | BehavesLike.Win32.Ransom.dc |
Emsisoft | Gen:Variant.Barys.102245 (B) |
Arcabit | Trojan.Barys.D18F65 |
ZoneAlarm | UDS:DangerousObject.Multi.Generic |
GData | Gen:Variant.Barys.102245 |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Malware/Gen.RL_Reputation.R370470 |
ALYac | Gen:Variant.Barys.102245 |
MAX | malware (ai score=85) |
Malwarebytes | Generic.Malware/Suspicious |
SentinelOne | Static AI - Suspicious PE |
Fortinet | W32/Injector.EORP!tr |
AVG | FileRepMalware |
Qihoo-360 | HEUR/QVM20.1.C84F.Malware.Gen |