Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.09.27 18:45	Machine	s1_win7_x6402
Filename	gate9_pass1234.7z
Type	7-zip archive data, version 0.4
AI Score	Not founds	Behavior Score	7.8
ZERO API	file : malware
VT API (file)
md5	fb744c58353b153a548fd04fd959b232
sha256	da47cb8d45c95d20d365cb771a71e77331f241df1d4f269c45cccf7e8ac8ba0a
ssdeep	98304:/PCED7mHNKdvzqspHYZDwrJP+QAgOam9jZZb/Bw7U/al6G5CXczO:/KED7YovGEEUdP+wOX1nb/Bw7U+6QCXX
imphash
impfuzzy

Network IP location

Signature (16cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Performs a TXT record DNS lookup potentially for command and control or covert channel
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (144cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://hugersi.com/dl/6523.exe whois	Petersburg Internet Network ltd.	91.215.85.147	32660	malware
http://xsk295c2.beget.tech/525403/setup.exe whois	Beget LLC	87.236.19.185	36854	mailcious
http://171.22.28.208/download/WWW14_64.exe whois	CMCS	171.22.28.208	36692	malware
http://ji.alie3ksgbb.com/m/esgla2i5.exe whois	CLOUDFLARENET	172.67.200.102	36693	mailcious
http://christopherantonio.top/calc2.exe whois	Garant-Park-Internet LLC	46.173.215.72	36694	malware
http://45.9.74.80/super.exe whois		45.9.74.80	36063	malware
http://45.15.156.229/api/tracemap.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	33783	mailcious
http://194.169.175.232/autorun.exe whois		194.169.175.232	36817	malware
http://fc.ftimedica.com/netTime.exe whois	Hostinger International Limited	45.130.231.6	36695	malware
http://5.42.92.211/loghub/master whois	CJSC Kolomna-Sviaz TV	5.42.92.211	36282	mailcious
http://45.15.156.229/api/firegate.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	36052	mailcious
http://94.142.138.131/api/firegate.php whois	Ihor Hosting LLC	94.142.138.131	32650	mailcious
http://45.9.74.80/harbar.exe whois		45.9.74.80	36698	malware
http://230926170958727.kmj.xne26.cfd/f/fikim0926727.exe whois	Belcloud LTD	94.156.35.76		clean
http://171.22.28.222/3.exe whois	CMCS	171.22.28.222	36819	malware
http://94.142.138.131/api/tracemap.php whois	Ihor Hosting LLC	94.142.138.131	28311	mailcious
http://193.42.32.118/api/tracemap.php whois		193.42.32.118	36180	mailcious
http://171.22.28.208/download/Services.exe whois	CMCS	171.22.28.208	36699	malware
http://176.113.115.84:8080/4.php whois	OOO Network of data-centers Selectel	176.113.115.84	34795	mailcious
http://77.91.68.239/wase/zor40.exe whois	Foton Telecom CJSC	77.91.68.239	36821	malware
http://193.42.32.118/api/firecom.php whois		193.42.32.118	36700	mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c whois	Akamai International B.V.	23.67.53.17		clean
http://www.maxmind.com/geoip/v2.1/city/me whois	CLOUDFLARENET	104.18.145.235		clean
http://45.129.14.83/c.exe whois	Bunea TELECOM SRL	45.129.14.83		malware
https://vk.com/doc52355237_665872078?hash=Kz3PaU1L3NGuBFJAoGXACEafD960Cp8NVVxAzQR8U3H&dl=TGSEkTjAuxGOcQ0N10qRiCJlxoGRDvtzjKPataFdHhc&api=1&no_preview=1 whois	VKontakte Ltd	87.240.132.72		mailcious
https://db-ip.com/demo/home.php?s=175.208.134.152 whois	CLOUDFLARENET	172.67.75.166		clean
https://vsblobprodscussu5shard58.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/98A14A45856422D571CDEA18737E156B89D4C85FE7A2C03E353274FC83996DE200.blob?sv=2019-07-07&sr=b&si=1&sig=QdxoMRgBiPBlQIidwJrjL2PzBr7lIkeGc6EhAO0P6m4%3D&spr=https&se=2023- whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.150.79.68		clean
https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA2/ntkrnlmp.pdb whois	MICROSOFT-CORP-MSN-AS-BLOCK	204.79.197.219		clean
https://sun6-20.userapi.com/c909218/u52355237/docs/d16/5d0c4daa5259/crypted.bmp?extra=zdJvqwXZDa8_UiT0CZkexuzamnA3vGRlqUCNSeV2re5ViYefGQXE-s2XyeiWHMWIWKihhjzFbVx8b-AhzTMnVv1bOjWdfeLqlT9r8TsjJ0AP2GI09Lli1MDOrZRhRqMRf8mx_2PK8T0YD8mn whois	VKontakte Ltd	95.142.206.0		clean
https://sun6-21.userapi.com/c909418/u52355237/docs/d13/911be371f0c0/r1.bmp?extra=oWOmWiP64UIJiSCefnNude-l_2SrMu7fcUjIfHBHew1wrBQvuiTTUTrKfHz6yY7V7We9U9PBmQx9jFPC1J4P3M9qIDjbFa8Z0uKW1yIkD3KFawgEcPTsQjxBnE3pTGHWOHttvUj-LRW2n-Yg whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats whois	VKontakte Ltd	87.240.132.72		mailcious
https://preconcert.pw/setup294.exe whois	CLOUDFLARENET	172.67.197.101	36162	malware
https://vk.com/doc52355237_665981002?hash=5dlf3DheCq3ZynwxfclKIYSMaBUrqVsiNEQbz1ZBeez&dl=qhGcA2zWn1OHnSTesbATZlb3MbAcGMzKaqeVHxmyiH8&api=1&no_preview=1#rise whois	VKontakte Ltd	87.240.132.72		mailcious
https://neuralshit.net/7c467608943063cf2ce14a0d7be36ad5/7725eaa6592c80f8124e769b4e8a07f7.exe whois	CLOUDFLARENET	104.21.6.10		clean
https://api.myip.com/ whois	CLOUDFLARENET	104.26.8.59		clean
https://msdl.microsoft.com/download/symbols/index2.txt whois	MICROSOFT-CORP-MSN-AS-BLOCK	204.79.197.219		clean
https://msdl.microsoft.com/download/symbols/winload_prod.pdb/768283CA443847FB8822F9DB1F36ECC51/winload_prod.pdb whois	MICROSOFT-CORP-MSN-AS-BLOCK	204.79.197.219		clean
https://sun6-21.userapi.com/c909628/u52355237/docs/d56/ecd474467072/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=VSMMPHzYfzhCEpRVmMEKMEF8s0Pf7BKVDv-7xy6dDQBx1KyO3-8hTO6YuKHOjQ-Pg5vq7E-ITVnT2FH9w-IGGXKUlNNTBg56UHPr-mj809AdTNTnzqIF7JT9vv0b2Xi7I6Zyc21RN4sr whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc52355237_666188067?hash=r1Na54ZxAjG4KOFDeXqZX17ZBZPd5xxdBOOWsDvp5TX&dl=EOYAxqrIN0WwY7MTgf0eTj1ZJVCjuUa0FY3feLNyZEc&api=1&no_preview=1#r1 whois	VKontakte Ltd	87.240.132.72		mailcious
https://dzen.ru/?yredirect=true whois	Invest Mobile LLC	62.217.160.2		clean
https://vk.com/doc52355237_666181938?hash=qWMdOCbpzj2Wb6MYMI1Ka3xNmUOJ6pLxfkyOLYrGUSk&dl=PhPb48gjucqZZtWBFDR0mODlEKUHEtoOiZ9xMEZxbHg&api=1&no_preview=1 whois	VKontakte Ltd	87.240.132.72		mailcious
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	87.240.132.78		mailcious
https://vk.com/doc52355237_666216113?hash=9p2AYlk8zwbC1pvEZPQBKzQhzl3oRzLZPdIHhe6p664&dl=cslpZZMp7VLHk2zTPNYIuOvrqDOXg4V4He4DdoaGlzo&api=1&no_preview=1#acotr whois	VKontakte Ltd	87.240.132.72		clean
https://vsblobprodscussu5shard10.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/3361580E1DAA2301EF4C62D105FB67166BD89EA03FCDE3C800EACFAF71EE01C200.blob?sv=2019-07-07&sr=b&si=1&sig=hm32OqAt9lsZB1fYwq4K5gZaGtF99zAvthdX3gJ2HgE%3D&spr=https&se=2023- whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.150.70.36		clean
https://sun6-21.userapi.com/c909628/u52355237/docs/d4/d83307b38fc0/PL_Client.bmp?extra=z3Lt_zd6Ph0zNrYgbhR7VxTfTSY73wjsMQd--sPaubZaZsMzCBR1GNoOQhnrH8HBEpLifv3b8t-WJcSxi4h5ZUY9LPzkW0vTQyDGtqLcYWBES37AQqbSJ6K8codv63r-_00AGPHrJJCl_A2u whois	VKontakte Ltd	95.142.206.1		clean
https://sun6-21.userapi.com/c237031/u52355237/docs/d27/3acc0367b01b/asca1ex.bmp?extra=QVhameGd0VGJO_jouh9BCdw2T5ubEhKTYsuT20gOSz_2T1WKexK1igJKLpdLlpy0Z3Z13z06kclCgARHhHqiVQgSMPyMWbCWBayiXqs_HedsPcHdhAGwf7H9wpdfzb_wP45PgVmEB_orql9C whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc52355237_666155284?hash=ImdsfIi1GWolUBV61ckzTPwgq51ZCNzIz6Qz8GSqP7P&dl=7w4np6RfyRANUVCTVCTAKrQpLvvL9JdOzpG1MG3SxH0&api=1&no_preview=1#1 whois	VKontakte Ltd	87.240.132.72		mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test whois	VKontakte Ltd	87.240.132.72		mailcious
https://sun6-20.userapi.com/c909228/u52355237/docs/d44/c0e13179ad83/test2.bmp?extra=FRiWShW93DWsuiDd8DMk6E3A8FNgmmKQA0s3Hex7US-8REQiMPFomVj7Qhqd1yFwQfJZQ9tF7jSGUOC5HJSyT_qRGb0A0es_wx-c1InV3LR1OmQmPbWUNgKG4EhdvHXJ5EbmyXWG3RP7qg8c whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc52355237_666234015?hash=jC8k9uZNDwpIzHryeQnmi9pC0nHf4JLz2m1bJdWIZeD&dl=hRM2hk5MgfZVhMzLzxpzfwqDj4yDsI3PzHnkqlAJNJL&api=1&no_preview=1#test22 whois	VKontakte Ltd	87.240.132.72		clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self whois	CLOUDFLARENET	104.26.4.15		clean
https://vk.com/doc52355237_665916972?hash=PGtJZU2lyBun4kcjAuDW4sr3qZoaazswmzm43vqfrD8&dl=fmNbRucq2G5KCRA22nIJETEH1oOZZHD8AqBpxxaUybz&api=1&no_preview=1 whois	VKontakte Ltd	87.240.132.72		mailcious
https://vk.com/doc52355237_665880768?hash=ubcUBEaLWzipHTOeg3jEhyfSeC0h7DJrmPTohND0B6D&dl=sqZTWs3nWU6WRCWJjrqnLtWUJOv5NeFbk7N6Ssv2Ifs&api=1&no_preview=1#redcl whois	VKontakte Ltd	87.240.132.72		mailcious
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe whois	CLOUDFLARENET	104.21.21.189	36716	mailcious
https://sso.passport.yandex.ru/push?uuid=5cdb7085-4e7c-499d-9406-152dc4e400b8&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue whois	YANDEX LLC	213.180.204.24		clean
neuralshit.net whois	CLOUDFLARENET	172.67.134.35		malware
db-ip.com whois	CLOUDFLARENET	104.26.5.15		clean
vanaheim.cn whois	LLC Baxet	45.135.233.58		mailcious
ipinfo.io whois	GOOGLE	34.117.59.81		clean
0476fa47-9285-4c60-8419-baac6d5e2796.uuid.окрф.рф whois				clean
yandex.ru whois	YANDEX LLC	5.255.255.77		clean
wahaaudit.ps whois	Palestine Telecommunications Company (PALTEL)	213.6.54.58		malware
dzen.ru whois	Invest Mobile LLC	62.217.160.2		clean
preconcert.pw whois	CLOUDFLARENET	172.67.197.101		malware
api.2ip.ua whois	ACP	162.0.217.254		clean
iplogger.org whois	Hetzner Online GmbH	148.251.234.83		mailcious
z.nnnaajjjgc.com whois	HK Kwaifong Group Limited	156.236.72.121		malware
twitter.com whois	TWITTER	104.244.42.65		clean
msdl.microsoft.com whois	MICROSOFT-CORP-MSN-AS-BLOCK	204.79.197.219		clean
telegram.org whois	Telegram Messenger Inc	149.154.167.99		clean
christopherantonio.top whois	Garant-Park-Internet LLC	46.173.215.72		malware
octocrabs.com whois	CLOUDFLARENET	104.21.21.189		mailcious
230926170958727.kmj.xne26.cfd whois	Belcloud LTD	94.156.35.76		clean
sun6-21.userapi.com whois	VKontakte Ltd	95.142.206.1		mailcious
sso.passport.yandex.ru whois	YANDEX LLC	213.180.204.24		clean
230404015907217.ism.wity21.info whois				clean
xsk295c2.beget.tech whois	Beget LLC	87.236.19.185		mailcious
sun6-20.userapi.com whois	VKontakte Ltd	95.142.206.0		mailcious
ji.alie3ksgbb.com whois	CLOUDFLARENET	104.21.90.117		mailcious
iplogger.com whois	Hetzner Online GmbH	148.251.234.93		mailcious
api.db-ip.com whois	CLOUDFLARENET	104.26.5.15		clean
vsblobprodscussu5shard58.blob.core.windows.net whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.150.79.68		clean
vsblobprodscussu5shard10.blob.core.windows.net whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.150.38.228		clean
iplis.ru whois	Hetzner Online GmbH	148.251.234.93		mailcious
hugersi.com whois	Petersburg Internet Network ltd.	91.215.85.147		malware
www.maxmind.com whois	CLOUDFLARENET	104.18.146.235		clean
vk.com whois	VKontakte Ltd	87.240.132.72		mailcious
api.myip.com whois	CLOUDFLARENET	172.67.75.163		clean
fc.ftimedica.com whois	Hostinger International Limited	45.130.231.6		malware
146.59.10.173 whois		146.59.10.173		mailcious
194.169.175.128 whois		194.169.175.128		mailcious
104.18.145.235 whois	CLOUDFLARENET	104.18.145.235		clean
172.67.197.101 whois	CLOUDFLARENET	172.67.197.101		clean
45.130.231.6 whois	Hostinger International Limited	45.130.231.6		malware
148.251.234.93 whois	Hetzner Online GmbH	148.251.234.93		mailcious
77.91.124.55 whois	Foton Telecom CJSC	77.91.124.55		clean
176.123.4.46 whois	Alexhost Srl	176.123.4.46		mailcious
87.240.129.133 whois	VKontakte Ltd	87.240.129.133		mailcious
20.150.70.36 whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.150.70.36		clean
62.217.160.2 whois	Invest Mobile LLC	62.217.160.2		clean
179.43.158.2 whois	Private Layer INC	179.43.158.2		clean
87.236.19.185 whois	Beget LLC	87.236.19.185		mailcious
5.255.255.70 whois	YANDEX LLC	5.255.255.70		clean
23.67.53.27 whois	Akamai International B.V.	23.67.53.27		clean
5.42.92.211 whois	CJSC Kolomna-Sviaz TV	5.42.92.211		mailcious
149.154.167.99 whois	Telegram Messenger Inc	149.154.167.99		mailcious
193.42.32.118 whois		193.42.32.118		mailcious
172.67.75.166 whois	CLOUDFLARENET	172.67.75.166		clean
172.67.75.163 whois	CLOUDFLARENET	172.67.75.163		clean
45.9.74.80 whois		45.9.74.80		malware
204.79.197.219 whois	MICROSOFT-CORP-MSN-AS-BLOCK	204.79.197.219		clean
31.41.244.27 whois	LLC Aeroexpress	31.41.244.27		mailcious
46.173.215.72 whois	Garant-Park-Internet LLC	46.173.215.72		mailcious
171.22.28.208 whois	CMCS	171.22.28.208		malware
20.150.79.68 whois	MICROSOFT-CORP-MSN-AS-BLOCK	20.150.79.68		clean
162.0.217.254 whois	ACP	162.0.217.254		clean
45.129.14.83 whois	Bunea TELECOM SRL	45.129.14.83		malware
176.113.115.84 whois	OOO Network of data-centers Selectel	176.113.115.84		mailcious
45.135.233.58 whois	LLC Baxet	45.135.233.58		clean
148.251.234.83 whois	Hetzner Online GmbH	148.251.234.83		clean
104.26.8.59 whois	CLOUDFLARENET	104.26.8.59		clean
104.21.6.10 whois	CLOUDFLARENET	104.21.6.10		malware
104.21.90.117 whois	CLOUDFLARENET	104.21.90.117		malware
213.180.204.24 whois	YANDEX LLC	213.180.204.24		clean
171.22.28.222 whois	CMCS	171.22.28.222		malware
34.117.59.81 whois	GOOGLE	34.117.59.81		clean
23.67.53.17 whois	Akamai International B.V.	23.67.53.17		clean
194.169.175.232 whois		194.169.175.232		malware
176.123.9.142 whois	Alexhost Srl	176.123.9.142		mailcious
156.236.72.121 whois	HK Kwaifong Group Limited	156.236.72.121		mailcious
213.6.54.58 whois	Palestine Telecommunications Company (PALTEL)	213.6.54.58		malware
104.26.9.59 whois	CLOUDFLARENET	104.26.9.59		clean
104.26.4.15 whois	CLOUDFLARENET	104.26.4.15		clean
104.21.21.189 whois	CLOUDFLARENET	104.21.21.189		clean
95.142.206.1 whois	VKontakte Ltd	95.142.206.1		mailcious
95.142.206.0 whois	VKontakte Ltd	95.142.206.0		mailcious
91.215.85.147 whois	Petersburg Internet Network ltd.	91.215.85.147		malware
45.15.156.229 whois	CJSC Kolomna-Sviaz TV	45.15.156.229		mailcious
104.244.42.193 whois	TWITTER	104.244.42.193		suspicious
87.240.132.78 whois	VKontakte Ltd	87.240.132.78		mailcious
62.122.184.58 whois		62.122.184.58		mailcious
87.240.132.72 whois	VKontakte Ltd	87.240.132.72		mailcious
77.91.68.239 whois	Foton Telecom CJSC	77.91.68.239		malware
94.142.138.131 whois	Ihor Hosting LLC	94.142.138.131		mailcious

Suricata ids

ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING Possible EXE Download From Suspicious TLD
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)

Report - gate9_pass1234.7z

Signature (16cnts)

Rules (11cnts)

Network (144cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure