Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | March 21, 2021, 6:51 p.m. | March 21, 2021, 6:53 p.m. |
-
-
winlog3.exe "C:\Users\test22\AppData\Local\Temp\winlog3.exe"
2680
-
IP Address | Status | Action |
---|---|---|
103.251.44.218 | Active | Moloch |
164.124.101.2 | Active | Moloch |
173.231.242.82 | Active | Moloch |
184.168.131.241 | Active | Moloch |
198.49.23.145 | Active | Moloch |
217.160.0.236 | Active | Moloch |
34.102.136.180 | Active | Moloch |
34.201.8.187 | Active | Moloch |
85.187.128.38 | Active | Moloch |
94.136.40.51 | Active | Moloch |
Suricata Alerts
Suricata TLS
No Suricata TLS
section | .ndata |
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.creationsbyjamie.com/nsag/?OtxhT2=ikjZmpp2rKIdfQGHLwg8/vzbnsAf6IhlNdWefevTJsajsTw6xmjgOZnutL3cpS9z2eZcVCpP&W4=inHpWra8G | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.aashlokhospitals.com/nsag/?OtxhT2=NiGY7UM8w96/Atqu+lE4BNOULiUW6ss8cB8FeVv4x1SJhjCrK3DaPWYfm9ta74zNnQQf9ajE&W4=inHpWra8G | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.mistressofherdivinity.com/nsag/?OtxhT2=4H5+XAsX17t5i9bqNGjmVam9RdXQplhGCrWVGCPL7TSnyRXxkP5OCpmi44+txHN+I78jwTfj&W4=inHpWra8G | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.scanourworld.com/nsag/?OtxhT2=RjpY/w7SlG6X0MktOkaS4a7cxyPO11vhmKSgl8HqKcRxVLLhONg71tk1m8LnOJlxdfFnslqN&W4=inHpWra8G | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.usopencoverage.com/nsag/?OtxhT2=og4DIg58JlKco58KkdqEYNLQLc3eWWfvHIn4nR8VBNKZeGgyeIgd3wA4BT8g076OhyzEqtq0&W4=inHpWra8G | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.glowtheblog.com/nsag/?OtxhT2=HzZPNJQ8O4WE+bdm4vfaT6k2sBckkYigm/ImWf97pB6lZmCMtuvHJWo30XNbtj7YSTZJJE49&W4=inHpWra8G | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.bukaino.net/nsag/?OtxhT2=oC6r1HmZx5wn5oXPzQLXQ4VMDjeb3X29kqfgvoAAEugKEHNilNhbzg6QyG7lAWIEjI8cRCmD&W4=inHpWra8G | ||||||
suspicious_features | GET method with no useragent header | suspicious_request | GET http://www.athara-kiano.com/nsag/?OtxhT2=1e70w6qva0/8AhhFV27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY0sNjUuYvF5UKGbPHp55&W4=inHpWra8G |
request | POST http://www.creationsbyjamie.com/nsag/ |
request | GET http://www.creationsbyjamie.com/nsag/?OtxhT2=ikjZmpp2rKIdfQGHLwg8/vzbnsAf6IhlNdWefevTJsajsTw6xmjgOZnutL3cpS9z2eZcVCpP&W4=inHpWra8G |
request | POST http://www.aashlokhospitals.com/nsag/ |
request | GET http://www.aashlokhospitals.com/nsag/?OtxhT2=NiGY7UM8w96/Atqu+lE4BNOULiUW6ss8cB8FeVv4x1SJhjCrK3DaPWYfm9ta74zNnQQf9ajE&W4=inHpWra8G |
request | POST http://www.mistressofherdivinity.com/nsag/ |
request | GET http://www.mistressofherdivinity.com/nsag/?OtxhT2=4H5+XAsX17t5i9bqNGjmVam9RdXQplhGCrWVGCPL7TSnyRXxkP5OCpmi44+txHN+I78jwTfj&W4=inHpWra8G |
request | POST http://www.scanourworld.com/nsag/ |
request | GET http://www.scanourworld.com/nsag/?OtxhT2=RjpY/w7SlG6X0MktOkaS4a7cxyPO11vhmKSgl8HqKcRxVLLhONg71tk1m8LnOJlxdfFnslqN&W4=inHpWra8G |
request | POST http://www.usopencoverage.com/nsag/ |
request | GET http://www.usopencoverage.com/nsag/?OtxhT2=og4DIg58JlKco58KkdqEYNLQLc3eWWfvHIn4nR8VBNKZeGgyeIgd3wA4BT8g076OhyzEqtq0&W4=inHpWra8G |
request | POST http://www.glowtheblog.com/nsag/ |
request | GET http://www.glowtheblog.com/nsag/?OtxhT2=HzZPNJQ8O4WE+bdm4vfaT6k2sBckkYigm/ImWf97pB6lZmCMtuvHJWo30XNbtj7YSTZJJE49&W4=inHpWra8G |
request | POST http://www.bukaino.net/nsag/ |
request | GET http://www.bukaino.net/nsag/?OtxhT2=oC6r1HmZx5wn5oXPzQLXQ4VMDjeb3X29kqfgvoAAEugKEHNilNhbzg6QyG7lAWIEjI8cRCmD&W4=inHpWra8G |
request | POST http://www.athara-kiano.com/nsag/ |
request | GET http://www.athara-kiano.com/nsag/?OtxhT2=1e70w6qva0/8AhhFV27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY0sNjUuYvF5UKGbPHp55&W4=inHpWra8G |
request | POST http://www.creationsbyjamie.com/nsag/ |
request | POST http://www.aashlokhospitals.com/nsag/ |
request | POST http://www.mistressofherdivinity.com/nsag/ |
request | POST http://www.scanourworld.com/nsag/ |
request | POST http://www.usopencoverage.com/nsag/ |
request | POST http://www.glowtheblog.com/nsag/ |
request | POST http://www.bukaino.net/nsag/ |
request | POST http://www.athara-kiano.com/nsag/ |
file | C:\Users\test22\AppData\Local\Temp\nss63A6.tmp\p4bs.dll |
file | C:\Users\test22\AppData\Local\Temp\nss63A6.tmp\p4bs.dll |
url | http://nsis.sf.net/NSIS_Error |
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Create a COM server | rule | create_com_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper | ||||||
description | Communications over FTP | rule | network_ftp | ||||||
description | Communications over RAW socket | rule | network_tcp_socket | ||||||
description | Communications use DNS | rule | network_dns | ||||||
description | Communication using dga | rule | network_dga | ||||||
description | Escalade priviledges | rule | escalate_priv | ||||||
description | Take screenshot | rule | screenshot | ||||||
description | Run a keylogger | rule | keylogger | ||||||
description | Steal credential | rule | cred_local | ||||||
description | Record Audio | rule | sniff_audio | ||||||
description | APC queue tasks migration | rule | migrate_apc | ||||||
description | Malware can spread east-west file | rule | spreading_file | ||||||
description | Malware can spread east-west using share drive | rule | spreading_share | ||||||
description | Create or check mutex | rule | win_mutex | ||||||
description | Affect system registries | rule | win_registry | ||||||
description | Affect system token | rule | win_token | ||||||
description | Affect private profile | rule | win_private_profile | ||||||
description | Affect private profile | rule | win_files_operation | ||||||
description | Match Winsock 2 API library declaration | rule | Str_Win32_Winsock2_Library | ||||||
description | Match Windows Inet API library declaration | rule | Str_Win32_Wininet_Library | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | inject_thread | ||||||
description | Create a windows service | rule | create_service | ||||||
description | Communications over UDP network | rule | network_udp_sock | ||||||
description | Listen for incoming communication | rule | network_tcp_listen | ||||||
description | Communications over P2P network | rule | network_p2p_win | ||||||
description | Communications over HTTP | rule | network_http | ||||||
description | File downloader/dropper | rule | network_dropper |
MicroWorld-eScan | Gen:Variant.Cerbu.93211 |
FireEye | Generic.mg.593168105682fb59 |
ALYac | Gen:Variant.Cerbu.93211 |
Cylance | Unsafe |
Sangfor | Trojan.Win32.Save.a |
BitDefender | Gen:Variant.Cerbu.93211 |
Cyren | W32/Injector.AFV.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
APEX | Malicious |
McAfee-GW-Edition | BehavesLike.Win32.Ipamor.dc |
Emsisoft | Gen:Variant.Cerbu.93211 (B) |
Ikarus | Trojan.NSIS.Agent |
Avira | HEUR/AGEN.1134255 |
MAX | malware (ai score=83) |
Arcabit | Trojan.Cerbu.D16C1B |
GData | Gen:Variant.Cerbu.93211 |
Cynet | Malicious (score: 90) |
Malwarebytes | Trojan.MalPack.NSIS |
ESET-NOD32 | a variant of Win32/Injector.EOXL |
SentinelOne | Static AI - Suspicious PE |
Fortinet | W32/Injector.EOWC!tr |
dead_host | 34.201.8.187:80 |