popup

Report - pass_setup1234.7z

PrivateLoader Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.21 09:20 Machine s1_win7_x6402
Filename pass_setup1234.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
5.8
ZERO API file : malware
VT API (file)
md5 c0a9b3aec9fea6881332adfe384232c3
sha256 4f50a2d71c446c081d420daafa5c39167bf4c0858eab8f2b070194201abab8fb
ssdeep 98304:dE1Od++hedHWxGjtd4YJl8mhSOq96ocz2kDBqmWkxmmOmuEg+Mw4P:iM5h0tRZJl80SV9Fcvkc1dg1bP
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (132cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://hugersi.com/dl/6523.exe
whois
RU Petersburg Internet Network ltd. 91.215.85.147 32660 malware
http://171.22.28.208/download/WWW14_64.exe
whois
DE CMCS 171.22.28.208 malware
http://ji.alie3ksgbb.com/m/esgla2i5.exe
whois
US CLOUDFLARENET 172.67.200.102 mailcious
http://230907161118223.nmr.xrm42.top/f/fikim0907223.exe
whois
BG Belcloud LTD 94.156.35.76 36358 malware
http://christopherantonio.top/calc2.exe
whois
RU Garant-Park-Internet LLC 46.173.215.72 malware
http://45.9.74.80/super.exe
whois
Unknown 45.9.74.80 36063 malware
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
http://fc.ftimedica.com/netTime.exe
whois
DE Hostinger International Limited 45.130.231.6 clean
http://5.42.92.211/loghub/master
whois
RU CJSC Kolomna-Sviaz TV 5.42.92.211 36282 mailcious
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://87.121.221.58/c.exe
whois
Unknown 87.121.221.58 malware
http://94.142.138.113/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.113 28877 mailcious
http://193.42.32.118/api/firegate.php
whois
Unknown 193.42.32.118 36458 mailcious
http://77.91.68.238/love/no230.exe
whois
RU Foton Telecom CJSC 77.91.68.238 36359 malware
http://45.9.74.80/harbar.exe
whois
Unknown 45.9.74.80 malware
http://193.42.32.118/api/tracemap.php
whois
Unknown 193.42.32.118 36180 mailcious
http://171.22.28.208/download/Services.exe
whois
DE CMCS 171.22.28.208 malware
http://94.142.138.113/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.113 36152 mailcious
http://193.42.32.118/api/firecom.php
whois
Unknown 193.42.32.118 clean
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.145.235 clean
http://94.142.138.221/file/name.exe
whois
RU Ihor Hosting LLC 94.142.138.221 clean
https://vk.com/doc52355237_665938507?hash=m6OB9an6EOeD8heKew1wDxncbYrgO4cjTs8IHxSGOMH&dl=uy9JCFMd880sjLNRgNT9fjPRywC1WLtHDR3fT9z2QTX&api=1&no_preview=1#test2
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc52355237_665872078?hash=Kz3PaU1L3NGuBFJAoGXACEafD960Cp8NVVxAzQR8U3H&dl=TGSEkTjAuxGOcQ0N10qRiCJlxoGRDvtzjKPataFdHhc&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://mememania.net/test/gametools.exe
whois
US CLOUDFLARENET 172.67.171.201 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 172.67.75.166 clean
https://vk.com/doc18596347_668003295?hash=XreQfq4NrtoZDNELVIDLcr1yWsXW1dqZDR7duHAGA7P&dl=pCTGBpgzC0ESbYP6jKlQReXTFcupII5gHdo5zk9YOZk&api=1&no_preview=1#delux
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://preconcert.pw/setup294.exe
whois
US CLOUDFLARENET 172.67.197.101 36162 malware
https://vk.com/doc52355237_665880768?hash=ubcUBEaLWzipHTOeg3jEhyfSeC0h7DJrmPTohND0B6D&dl=sqZTWs3nWU6WRCWJjrqnLtWUJOv5NeFbk7N6Ssv2Ifs&api=1&no_preview=1#redcl
whois
RU VKontakte Ltd 87.240.137.164 clean
https://sun6-20.userapi.com/c909218/u52355237/docs/d42/99a08ca55dfc/x11.bmp?extra=8lCSeefRbUfQ1dl7gbWZP9rbdidKpDTSF8OZ6II3c5dVhNYEE3JOfRSQ9QN0OKnu8ye-0PUn-xX1m3ghX-e-NPxQZdN986ED3XRYwWoTFI71f8ecdJ6L8zo5eALFHBYEKUxJUCo8jIKU5H66
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc52355237_665938565?hash=XvxTzvFmz7lm4FmiX255WzfNZAIoEEiVPkRx4ZmjMgL&dl=9f0mriSzvdjZFQuHfBCX9y95tahovgb47vQqAJV8jo0&api=1&no_preview=1#rise
whois
RU VKontakte Ltd 87.240.137.164 clean
https://api.myip.com/
whois
US CLOUDFLARENET 104.26.8.59 clean
https://vk.com/doc17799268_667394499?hash=8O4zNnF9tP9wsaxLkeHeWDXqO2rxWYjyDP69QeOzwaz&dl=ozGE2ISNCA8zD35yB4dk4cB4VAjrpT4UYePmL4tZmmc&api=1&no_preview=1#utube
whois
RU VKontakte Ltd 87.240.137.164 clean
https://sun6-23.userapi.com/c909518/u52355237/docs/d47/c32a87b017af/328dj2afg.bmp?extra=AdLbRDTDwp25OjVl_rkgkBABFCOyonhlWW7CDMe9GL_9z2F3Rbp-qONbZweHREJZNxFW-9yWDZAfklcQE_aPRkRblSP8r_Qm4CI4CGb3xrvmHpyXHIpTKonFX0MBDXtzMzTcl6DXiw4DpN3M
whois
RU VKontakte Ltd 95.142.206.3 clean
https://sun6-23.userapi.com/c909628/u52355237/docs/d40/84a7e7bb4a92/RisePro.bmp?extra=xI9rQt-tAmVWJ4Cboh5rKsshtX-SsNrjxNURKcxJPprTTGiUnFY-yItehO5J0QNqNUV4-jVAUa2eSJ7Ltoa9bv0phLUk8UAOg_kVU668de0ePCpYqzcEkR-3L-C2_JaH40oJrXTO14MuCs0A
whois
RU VKontakte Ltd 95.142.206.3 clean
https://sun6-21.userapi.com/c909328/u52355237/docs/d26/2a08637c5a56/Bot_Clien.bmp?extra=y_zFyxma88H6dv--oDcF3mjcRiUllKPEI1NfWSYTjOkoS4VxUDz4pTNRjGBbIu1ESvSIn2GnyukrEBeSjITObbHP114lfjEtthAnLx_4lJ5308bG5Wa4IYJq9fmBBBcSF9HXYjPrSPBzB4yu
whois
RU VKontakte Ltd 95.142.206.1 clean
https://dzen.ru/?yredirect=true
whois
RU Invest Mobile LLC 62.217.160.2 clean
https://vk.com/doc18596347_668016285?hash=PonWwXIKRFukGezNmW2MnNeYu7LcagbIrZ1mIj3kZ1T&dl=hMKz4JErXb8SqgVrul6D4r1N9nijVikLYJlJ2MlrC4H&api=1&no_preview=1#orig
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://sso.passport.yandex.ru/push?uuid=4af81aa5-42ac-465c-8b53-50abc5b79641&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
whois
RU YANDEX LLC 213.180.204.24 clean
https://vk.com/doc52355237_665906704?hash=twL5pVXU2zOTXLlVLVZr95EUqG9FWXoizRXa1VGWXa8&dl=DxECaHRbKbeWIf9PdqniyvNDb3PMMB293ucxAh6qla0&api=1&no_preview=1#qq
whois
RU VKontakte Ltd 87.240.132.72 clean
https://sun6-22.userapi.com/c909218/u52355237/docs/d17/f321660640ac/red.bmp?extra=krZWcq-zAkNaBNmsoERJsOJa3Cg1I6UjdOZU3L-GI9vyoD55Ev3Tbh_x-0cUyZ3Ri_FPWScrzLHj5EmKYU7OCZJBRziStKqu-UtjaWLFwrGE0KbWwLZDxyl3ong78toNCakJfLlTzw8ZTK-Q
whois
RU VKontakte Ltd 95.142.206.2 clean
https://vk.com/doc52355237_665940325?hash=vG1T2xzTiDOe4TmInLX7s7wjd83C3zXZYQEX1fBro3P&dl=zuGVKYwUQZwfzizd3ZYojpiw2upFzPGsk9fJVUbOtuz&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.72 clean
https://vk.com/doc52355237_665861662?hash=ImDE8wJKeKsidLNmyeypwBZxNsPon1YnZ9AJMNJmzVs&dl=759gQwYNSpwSgt6vmZb21ZfK2G3kzxLbJOWuWICosow&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 clean
https://neuralshit.net/32558400f22545916bbc3a5405a39f3c/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 172.67.134.35 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.72 mailcious
https://sun6-21.userapi.com/c909518/u52355237/docs/d51/e8935b71753f/test22009.bmp?extra=E81y1PchGDLCccZqFap9XwnBZHb2tZOG_bLcYjV_6NiSBnzF-773e5vRBRDwsPpOBT7SVgT4BaH9tbQpDwEvlZSB_REPpHhM6B1x-Eiy6LTA3fAyvPWimR80u_LweADlyYBq41G2bV7421tC
whois
RU VKontakte Ltd 95.142.206.1 clean
https://sun6-23.userapi.com/c909328/u52355237/docs/d15/e12aaa6cce9f/crypted.bmp?extra=40Y6DawDYM7b7WOQZLfptmDCQJV-iehBJ1NFMFcRrAbaetx_gWbv82DdxhRfhyDLOz6AvRBmvSFPMuHCj46yy3X54agnQRB-o41VexMxCXISGOX7pQjHrn-yblo4XH_tpuTsNCucFrWANCsv
whois
RU VKontakte Ltd 95.142.206.3 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 172.67.75.166 clean
https://sun6-23.userapi.com/c240331/u52355237/docs/d18/72647bd8c4c5/PL_Client.bmp?extra=wsnjoysZ-SfrRC-OO0LHysFRBWUhnNxWfKD6shBocvO0v5l5WBSXSRm9ylFlqqauG93DOhHDgQVUjLlwGBQOhEs9hM_b4yR2OzbAmPIkdzxIBh_hVV5VLzxD9ZjvpvW19VcIZBClXSVXiI5U
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc52355237_665916972?hash=PGtJZU2lyBun4kcjAuDW4sr3qZoaazswmzm43vqfrD8&dl=fmNbRucq2G5KCRA22nIJETEH1oOZZHD8AqBpxxaUybz&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 clean
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 172.67.200.10 clean
neuralshit.net
whois
US CLOUDFLARENET 172.67.134.35 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
yandex.ru
whois
RU YANDEX LLC 77.88.55.88 clean
wahaaudit.ps
whois
PS Palestine Telecommunications Company (PALTEL) 213.6.54.58 malware
dzen.ru
whois
RU Invest Mobile LLC 62.217.160.2 clean
preconcert.pw
whois
US CLOUDFLARENET 172.67.197.101 malware
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
z.nnnaajjjgc.com
whois
US HK Kwaifong Group Limited 156.236.72.121 malware
twitter.com
whois
US TWITTER 104.244.42.1 clean
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
christopherantonio.top
whois
RU Garant-Park-Internet LLC 46.173.215.72 malware
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
sso.passport.yandex.ru
whois
RU YANDEX LLC 213.180.204.24 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
ji.alie3ksgbb.com
whois
US CLOUDFLARENET 104.21.90.117 mailcious
iplogger.com
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
230907161118223.nmr.xrm42.top
whois
BG Belcloud LTD 94.156.35.76 malware
octocrabs.com
whois
US CLOUDFLARENET 104.21.21.189 clean
api.myip.com
whois
US CLOUDFLARENET 104.26.8.59 clean
hugersi.com
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 clean
www.maxmind.com
whois
US CLOUDFLARENET 104.18.146.235 clean
vk.com
whois
RU VKontakte Ltd 93.186.225.194 mailcious
mememania.net
whois
US CLOUDFLARENET 172.67.171.201 clean
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
fc.ftimedica.com
whois
DE Hostinger International Limited 45.130.231.6 clean
94.156.35.76
whois
BG Belcloud LTD 94.156.35.76 malware
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
104.18.145.235
whois
US CLOUDFLARENET 104.18.145.235 clean
51.38.95.107
whois
FR OVH SAS 51.38.95.107 clean
172.67.197.101
whois
US CLOUDFLARENET 172.67.197.101 clean
45.130.231.6
whois
DE Hostinger International Limited 45.130.231.6 clean
94.142.138.221
whois
RU Ihor Hosting LLC 94.142.138.221 clean
91.215.85.147
whois
RU Petersburg Internet Network ltd. 91.215.85.147 malware
77.91.68.238
whois
RU Foton Telecom CJSC 77.91.68.238 malware
62.217.160.2
whois
RU Invest Mobile LLC 62.217.160.2 clean
172.67.171.201
whois
US CLOUDFLARENET 172.67.171.201 phishing
172.67.200.102
whois
US CLOUDFLARENET 172.67.200.102 clean
5.42.92.211
whois
RU CJSC Kolomna-Sviaz TV 5.42.92.211 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
193.42.32.118
whois
Unknown 193.42.32.118 mailcious
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
45.9.74.80
whois
Unknown 45.9.74.80 malware
23.43.165.105
whois
US CCCH-3 23.43.165.105 clean
46.173.215.72
whois
RU Garant-Park-Internet LLC 46.173.215.72 mailcious
171.22.28.208
whois
DE CMCS 171.22.28.208 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
172.67.200.10
whois
US CLOUDFLARENET 172.67.200.10 clean
31.41.244.27
whois
RU LLC Aeroexpress 31.41.244.27 mailcious
182.162.106.32
whois
KR LG DACOM Corporation 182.162.106.32 clean
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
172.67.134.35
whois
US CLOUDFLARENET 172.67.134.35 clean
213.180.204.24
whois
RU YANDEX LLC 213.180.204.24 clean
104.21.84.222
whois
US CLOUDFLARENET 104.21.84.222 malware
121.254.136.9
whois
KR LG DACOM Corporation 121.254.136.9 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
77.88.55.88
whois
RU YANDEX LLC 77.88.55.88 clean
176.123.9.142
whois
MD Alexhost Srl 176.123.9.142 mailcious
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
185.225.73.32
whois
DE Mayak Smart Services Ltd. 185.225.73.32 mailcious
156.236.72.121
whois
US HK Kwaifong Group Limited 156.236.72.121 mailcious
213.6.54.58
whois
PS Palestine Telecommunications Company (PALTEL) 213.6.54.58 malware
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 clean
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 clean
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
104.244.42.193
whois
US TWITTER 104.244.42.193 suspicious
87.121.221.58
whois
Unknown 87.121.221.58 malware
185.225.74.51
whois
DE Mayak Smart Services Ltd. 185.225.74.51 mailcious
87.240.132.72
whois
RU VKontakte Ltd 87.240.132.72 mailcious
69.46.15.167
whois
US HVC-AS 69.46.15.167 mailcious

Suricata ids

ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
SURICATA Applayer Mismatch protocol both directions
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.top domain - Likely Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING Possible EXE Download From Suspicious TLD
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] PovertyStealer Check-In via TCP
ET HUNTING ZIP file exfiltration over raw TCP
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET MALWARE Redline Stealer Activity (Response)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1

Similarity measure (PE file only) - Checking for service failure