Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | March 11, 2021, 11:38 a.m. | March 11, 2021, 11:39 a.m. |
-
ADVER.exe "C:\Users\test22\AppData\Local\Temp\ADVER.exe"
3588
Name | Response | Post-Analysis Lookup |
---|---|---|
telete.in | 195.201.225.248 | |
fabulouscityofbruges.top |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49805 -> 195.201.225.248:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
UDP 192.168.56.102:61459 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49805 195.201.225.248:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=telecut.in | 14:8d:58:21:b9:91:38:b0:2c:1f:8b:a9:83:d2:f9:89:84:11:99:e2 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
suspicious_features | GET method with no useragent header | suspicious_request | GET https://telete.in/j901kotam1 |
request | GET https://telete.in/j901kotam1 |
domain | fabulouscityofbruges.top | description | Generic top level domain TLD |
url | http://crl.comodo.net/TrustedCertificateServices.crl0 |
url | http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0 |
url | http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
url | http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q |
url | http://cert.startcom.org/policy.pdf0 |
url | http://crl.securetrust.com/STCA.crl0 |
url | http://crl.securetrust.com/SGCA.crl0 |
url | http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= |
url | http://www.ssc.lt/cps03 |
url | http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0 |
url | http://crt.comodoca.com/COMODORSAAddTrustCA.crt0 |
url | http://users.ocsp.d-trust.net03 |
url | http://crl.startcom.org/sfsca-crl.crl0 |
url | http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 |
url | http://www.microsoft.com/pki/certs/TrustListPCA.crt0 |
url | http://crl.comodo.net/AAACertificateServices.crl0 |
url | http://www.pkioverheid.nl/policies/root-policy0 |
url | https://www.verisign.com |
url | http://cps.chambersign.org/cps/chambersroot.html0 |
url | http://www.disig.sk/ca/crl/ca_disig.crl0 |
url | http://www.entrust.net/CRL/Client1.crl0 |
url | http://crl.chambersign.org/publicnotaryroot.crl0 |
url | http://ocsp.comodoca.com0 |
url | http://logo.verisign.com/vslogo.gif0 |
url | https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 |
url | http://www.crc.bg0 |
url | http://www.acabogacia.org/doc0 |
url | http://www.e-szigno.hu/SZSZ/0 |
url | http://crl.ssc.lt/root-b/cacrl.crl0 |
url | http://isrg.trustid.ocsp.identrust.com0 |
url | https://www.verisign.com/rpa0 |
url | http://www.quovadis.bm0 |
url | https://www.catcert.net/verarrel05 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 |
url | http://crl.chambersign.org/chambersroot.crl0 |
url | http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0 |
url | http://crl.globalsign.net/root-r2.crl0 |
url | http://certificates.starfieldtech.com/repository/1604 |
url | http://www.d-trust.net0 |
url | https://www.catcert.net/verarrel |
url | http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0 |
url | http://crl.ssc.lt/root-a/cacrl.crl0 |
url | http://crl.usertrust.com/UTN-DATACorpSGC.crl0 |
url | http://www.certicamara.com/certicamaraca.crl0 |
url | http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0 |
url | http://crl.usertrust.com/UTN-USERFirst-Object.crl0) |
url | http://www.post.trust.ie/reposit/cps.html0 |
url | http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0 |
url | http://www2.public-trust.com/crl/ct/ctroot.crl0 |
url | http://cert.startcom.org/sfsca-crl.crl0 |
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Hijack network configuration | rule | hijack_network | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over Toredo network | rule | network_toredo | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | Record Audio | rule | sniff_audio | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook |
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Gen:Variant.Razy.704872 |
FireEye | Generic.mg.a279d96f54af8224 |
CAT-QuickHeal | TrojanSpy.Stealer |
McAfee | GenericRXMR-YQ!A279D96F54AF |
Malwarebytes | Spyware.PasswordStealer |
Zillya | Trojan.Stealer.Win32.10024 |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | Spyware ( 005768171 ) |
Alibaba | TrojanPSW:Win32/Racealer.d4c04037 |
K7GW | Spyware ( 005768171 ) |
Cybereason | malicious.f54af8 |
BitDefenderTheta | Gen:NN.ZexaF.34608.KqW@aiQUTdo |
TrendMicro-HouseCall | TROJ_GEN.R002C0DC321 |
Avast | Win32:PWSX-gen [Trj] |
ClamAV | Win.Malware.Ulise-7344017-0 |
Kaspersky | HEUR:Trojan-Spy.Win32.Stealer.gen |
BitDefender | Gen:Variant.Razy.704872 |
NANO-Antivirus | Trojan.Win32.Stealer.iiqiyi |
Paloalto | generic.ml |
ViRobot | Trojan.Win32.Z.Stealer.592896.D |
Tencent | Malware.Win32.Gencirc.10ce371a |
Ad-Aware | Gen:Variant.Razy.704872 |
DrWeb | Trojan.PWS.Stealer.29860 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R002C0DC321 |
SentinelOne | Static AI - Suspicious PE |
Emsisoft | Gen:Variant.Razy.704872 (B) |
APEX | Malicious |
ESET-NOD32 | a variant of Win32/Spy.Raccoon.A |
eGambit | Unsafe.AI_Score_97% |
Avira | HEUR/AGEN.1141176 |
MAX | malware (ai score=85) |
Gridinsoft | Spy.Win32.Keylogger.oa!s1 |
AegisLab | Trojan.Win32.Stealer.l!c |
GData | Gen:Variant.Razy.704872 |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Malware/Win32.RL_Generic.R367564 |
VBA32 | TrojanSpy.Stealer |
ALYac | Gen:Variant.Razy.704872 |
Rising | Spyware.Agent!8.C6 (CLOUD) |
Yandex | TrojanSpy.Raccoon!zM6YjMts2xk |
Ikarus | Trojan-Spy.Agent |
MaxSecure | Trojan.Malware.73793603.susgen |
Fortinet | W32/Agent.PQZ!tr |
AVG | Win32:PWSX-gen [Trj] |
Panda | Trj/GdSda.A |
CrowdStrike | win/malicious_confidence_90% (W) |
Qihoo-360 | Win32/TrojanSpy.Generic.HwoCqccA |