ScreenShot
Created | 2023.09.21 09:20 | Machine | s1_win7_x6402 |
Filename | pass_setup1234.7z | ||
Type | 7-zip archive data, version 0.4 | ||
AI Score | Not founds | Behavior Score |
|
ZERO API | file : malware | ||
VT API (file) | |||
md5 | c0a9b3aec9fea6881332adfe384232c3 | ||
sha256 | 4f50a2d71c446c081d420daafa5c39167bf4c0858eab8f2b070194201abab8fb | ||
ssdeep | 98304:dE1Od++hedHWxGjtd4YJl8mhSOq96ocz2kDBqmWkxmmOmuEg+Mw4P:iM5h0tRZJl80SV9Fcvkc1dg1bP | ||
imphash | |||
impfuzzy |
Network IP location
Signature (14cnts)
Level | Description |
---|---|
warning | Generates some ICMP traffic |
watch | Communicates with host for which no DNS query was performed |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol |
notice | Creates executable files on the filesystem |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Sends data using the HTTP POST Method |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
Rules (11cnts)
Level | Name | Description | Collection |
---|---|---|---|
notice | Escalate_priviledges | Escalate priviledges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | KeyLogger | Run a KeyLogger | memory |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
Network (132cnts) ?
Suricata ids
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] PovertyStealer Check-In via TCP
ET HUNTING ZIP file exfiltration over raw TCP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] PovertyStealer Check-In via TCP
ET HUNTING ZIP file exfiltration over raw TCP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1