| Field | Value |
|---|---|
| Created | 2023.09.13 17:06 |
| Machine | s1_win7_x6402 |
| Filename | Setup_pass1234.zip |
| Type | Zip archive data, at least v5.1 to extract |
| AI Score | Not found |
| Behavior Score | |
| ZERO API | file : malware |
| VT API (file) | |
| md5 | d6333d9f2326da7b78144d52fa20a05c |
| sha256 | 33a6ea57e2165198411a5f7a855478a8aef5dd6631ee28b0571292c9d9214763 |
| ssdeep | 196608:1PXO7GAkROaWG5XSO7JFns58Qm4UX1QbWQY7dr0:1feaWG9FnsyQmWI0 |
| imphash | |
| impfuzzy | |
Network IP location
Signature (8cnts)

| Level | Description |
|---|---|
| danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
| warning | Generates some ICMP traffic |
| watch | Communicates with host for which no DNS query was performed |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | Resolves a suspicious Top Level Domain (TLD) |
| notice | Sends data using the HTTP POST Method |
Rules (1cnts)

| Level | Name | Description | Collection |
|---|---|---|---|
| info | zip_file_format | ZIP file format | binaries (upload) |

Network (126cnts)

Suricata ids
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO EXE - Served Attached HTTP
ET HUNTING Possible EXE Download From Suspicious TLD
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET MALWARE Redline Stealer Activity (Response)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO Packed Executable Download
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)
ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
SURICATA HTTP unable to match response to request