Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.10.06 19:15	Machine	s1_win7_x6402
Filename	zip.7z
Type	7-zip archive data, version 0.4
AI Score	Not founds	Behavior Score	7.0
ZERO API	file : malware
VT API (file)
md5	9de1f996f53b99da8ad9bcb3f8e3f120
sha256	b7129976a62dc1b2131e9918a883865bbaae0745c9a6b04afe5d1e17c08d71d3
ssdeep	196608:TP3BfZDQfvpv81bdSUZKp1Z+8nGKQqw4AS:TP9ZDQfR0iRZRZ
imphash
impfuzzy

Network IP location

Signature (14cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (149cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=175.208.134.152&slots=1000¶m=empty whois	GOOGLE	142.250.206.238		clean
http://aidandylan.top/syncUpd.exe whois	Trader soft LLC	85.143.221.30		malware
http://5.42.64.10/api/files/software/s2.exe whois	CJSC Kolomna-Sviaz TV	5.42.64.10	36798	malware
http://185.225.74.144/files/Umm2.exe whois	Mayak Smart Services Ltd.	185.225.74.144		malware
http://45.9.74.80/zinda.exe whois		45.9.74.80		malware
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true whois	LG DACOM Corporation	211.168.53.110	27911	mailcious
http://colisumy.com/dl/build2.exe whois	LG DACOM Corporation	211.53.230.67	31026	malware
http://45.9.74.80/super.exe whois		45.9.74.80	36063	malware
http://45.15.156.229/api/tracemap.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	33783	mailcious
http://194.169.175.232/autorun.exe whois		194.169.175.232	36817	malware
http://45.15.156.229/api/firegate.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	36052	mailcious
http://zexeq.com/files/1/build3.exe whois	Videosat 21 Vek OOD	95.158.162.200	27913	malware
http://171.22.28.226/download/WWW14_64.exe whois	CMCS	171.22.28.226	36907	malware
http://94.142.138.113/api/tracemap.php whois	Ihor Hosting LLC	94.142.138.113	28877	mailcious
http://5.42.64.10/ip.php whois	CJSC Kolomna-Sviaz TV	5.42.64.10	36799	mailcious
http://193.42.32.118/api/firegate.php whois		193.42.32.118	36458	mailcious
http://171.22.28.226/download/Services.exe whois	CMCS	171.22.28.226		malware
http://isaiahbenjamin.top/calc2.exe whois	Trader soft LLC	85.143.221.30		malware
http://230926170958727.kmj.xne26.cfd/f/fikim0926727.exe whois	Belcloud LTD	94.156.35.76	36902	malware
http://193.42.32.118/api/tracemap.php whois		193.42.32.118	36180	mailcious
http://enfantfoundation.com/netTime.exe whois	UNIFIEDLAYER-AS-1	108.179.232.106		malware
http://78.47.27.247/b4fc4cd2d76417bf461814b9d989fcdb whois	Hetzner Online GmbH	78.47.27.247		clean
http://94.142.138.113/api/firegate.php whois	Ihor Hosting LLC	94.142.138.113	36152	mailcious
http://193.42.32.118/api/firecom.php whois		193.42.32.118	36700	mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c whois	Akamai International B.V.	23.67.53.17		clean
http://www.maxmind.com/geoip/v2.1/city/me whois	CLOUDFLARENET	104.18.146.235		clean
http://171.22.28.213/3.exe whois	CMCS	171.22.28.213		malware
http://5.42.64.10/api/files/client/s24 whois	CJSC Kolomna-Sviaz TV	5.42.64.10	36798	mailcious
http://77.91.68.249/navi/kur90.exe whois	Foton Telecom CJSC	77.91.68.249		malware
http://78.47.27.247/archieve.zip whois	Hetzner Online GmbH	78.47.27.247		clean
http://5.42.64.10/api/files/client/s21 whois	CJSC Kolomna-Sviaz TV	5.42.64.10	36798	mailcious
http://5.42.64.10/api/files/client/s23 whois	CJSC Kolomna-Sviaz TV	5.42.64.10	36798	mailcious
http://5.42.64.10/api/files/client/s22 whois	CJSC Kolomna-Sviaz TV	5.42.64.10	36798	mailcious
https://vk.com/doc52355237_665872078?hash=Kz3PaU1L3NGuBFJAoGXACEafD960Cp8NVVxAzQR8U3H&dl=TGSEkTjAuxGOcQ0N10qRiCJlxoGRDvtzjKPataFdHhc&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		mailcious
https://db-ip.com/demo/home.php?s=175.208.134.152 whois	CLOUDFLARENET	172.67.75.166		clean
https://script.googleusercontent.com/macros/echo?user_content_key=L8KUs1rDf-0IxQaOsq4CEpa7DDTmpmXtfNxjubxYqEQM4p4Z4FWvLgPEWYS54LjtIqEZBEGVtnrPKA7Hm9CoK7E1dT35ZNduOJmA1Yb3SEsKFZqtv3DaNYcMrmhZHmUMWojr9NvTBuBLhyHCd5hHa_kSw3KJAyZKK3RTU5bpIFQ10ckTyHVSt1vTS5MZ6 whois	GOOGLE	142.250.66.97		clean
https://sun6-23.userapi.com/c235031/u52355237/docs/d13/73bbf3ecac7f/RisePro.bmp?extra=gmXlCsZiYpjnowLP1swWjhY13jlPrTv5pHnTY-UPWWq67yIxI8gpzQyCDAgcSMxg3HmEWDVFcv4uizvvHUpLyvaeP6yJ4WcGChVcA4r9lEKFycqfPVgpvV17uloL6pKJuj6CmFdFwkq5t3jX whois	VKontakte Ltd	95.142.206.3		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats whois	VKontakte Ltd	87.240.129.133		mailcious
https://vk.com/doc52355237_666614921?hash=mcgvNSqLTxZlPytCXZGqWTE2UxkIsNsWwhJHKMUGNwP&dl=81n92g6ZKnuIdZcRjbJMbEnGbmv0a8p1IKQCT30gQB8&api=1&no_preview=1#risetest whois	VKontakte Ltd	87.240.129.133		clean
https://canonicate.pw/setup294.exe whois	CLOUDFLARENET	172.67.221.49		clean
https://sun6-22.userapi.com/c237031/u52355237/docs/d49/4c3217c05748/66.bmp?extra=Md8eQEgzLGuOlPoQc55hANOV4S0t3MVk5Mq7j2oL9oMgKsIqX8p_L-eYo8Z0ACwN52xGrArbvIMXatBttmTHoFb8gQidHkcg5mbrFvML_A_l6nshcASkR0cVT8nCToj3Cb-0JteqFOHTxI1H whois	VKontakte Ltd	95.142.206.2		clean
https://api.myip.com/ whois	CLOUDFLARENET	172.67.75.163		clean
https://vk.com/doc52355237_666590785?hash=N9XtNiMroCgPfI0zEbYcHPGlKJBrPpbgER5008wKXgo&dl=iXMzcCAwAL4mYrLUL1WiJZkinj4A8dUzVBRZ9BP5y50&api=1&no_preview=1#redcl whois	VKontakte Ltd	87.240.129.133		clean
https://neuralshit.net/de23c80b17fd061a388b791d44b53133/7725eaa6592c80f8124e769b4e8a07f7.exe whois	CLOUDFLARENET	172.67.134.35		clean
https://vk.com/doc52355237_666294895?hash=MrFrxQ1QY2cQxZMJSWB2ifsnzfn6OL4Lra0UjlNVtcg&dl=KQd3ouCijKMpS3N5SuzYWBo56zMPCFtaA3gtOmd22rc&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		clean
https://sso.passport.yandex.ru/push?uuid=ae03ef72-00d8-4bf0-95e7-2adf274c6da2&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue whois	YANDEX LLC	213.180.204.24		clean
https://dzen.ru/?yredirect=true whois	Invest Mobile LLC	62.217.160.2		clean
https://vk.com/doc52355237_666586594?hash=KW7IbIZ7tmBJH0wG2dYyLQaNt8WD8FYrf1vp2ZdUsZg&dl=pOjzjpwFnDOIJueQO9TQfsaai7iwjVToI4s7cZ7eqks&api=1&no_preview=1#1 whois	VKontakte Ltd	87.240.129.133		clean
https://steamcommunity.com/profiles/76561199557479327 whois	Akamai International B.V.	104.76.78.101		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		mailcious
https://script.google.com/macros/s/AKfycbxu6XZln0F2VKs8FMpn924RlKozFV5XZApwvto57voh-zMdTnkCnYo38kxDLRAyW0hb/exec?xfgnxfgn&stream=2&ip=175.208.134.152&slots=1000¶m=empty whois	GOOGLE	142.250.204.78		clean
https://vk.com/doc52355237_666507428?hash=2uHHBsd637ELYzCc9kndmkrUdA72UYNEDayDJQpqLzT&dl=D6ajMB07kruzP2IXhjebY4apDN454ViEX7btbSffzho&api=1&no_preview=1#test22 whois	VKontakte Ltd	87.240.129.133		clean
https://sun6-21.userapi.com/c909228/u52355237/docs/d44/80744560c58d/RisePro_0_7_8d3TUvJJlkW1iIngb5qf_vmp.bmp?extra=Kk6yLQHn--N5FompiT-IH0ifi01IFPYP7q2QQzo0bJalEmOgQtvgf1zOtvbiiYBNSbHP-VAvDjqF79IIcuZTgAjYUUAfAB-3LyKUeyXFYvfpnWmV4UpmP5Ic1AyRMimEqEetIhCY8DkV whois	VKontakte Ltd	95.142.206.1		clean
https://sun6-23.userapi.com/c237031/u52355237/docs/d40/13239ef116f6/crypted.bmp?extra=jf3Id-iBwCJuvxr_KRXy5iVBKvlBt9haNJnwFGhMhOGggvJmKTwuqVbRSPa3SInEVwMOySNlTCqJhf3WldOoR-8sHm1LapRTJDK_pGi_CPACwLEQXtJNeXxIsyq6aPqaHF78MEMsh43llNUi whois	VKontakte Ltd	95.142.206.3		clean
https://sun6-23.userapi.com/c237231/u52355237/docs/d20/a8c8e356a397/test21.bmp?extra=Tjw0Zjy3je3HMZXeKdEeufMcQUFV6Kmbq55-H6joKLRFzQtDRuF2VhtBI3HjFl4CSoL9kMSlXGIpQpmPdA112UYjtUJm9oEc6SZw2CzG8VK9ffvrZ5Ne4lXUeTqzct0FEcciUIElKxuvn4fK whois	VKontakte Ltd	95.142.206.3		clean
https://vk.com/doc52355237_666326545?hash=syS3a4VzeA6ooPqV2bDmzdZcRY1zZZVZSwKomUizgpH&dl=9YVv5GINa4fsl9tfR95IZk8DoZOa4nbjbaLRAcxuMog&api=1&no_preview=1 whois	VKontakte Ltd	87.240.129.133		clean
https://sun6-21.userapi.com/c237231/u52355237/docs/d22/84c17767b8f5/2.bmp?extra=7GGUqehS9cUw4D_UVlnB-WQh96d-uDWVI9rWh5wEXCeBm0fdDYnLC_zieZY4sPcEWwLMlYJVF6StZc55T2RYsn9F-Ukgh9zqn8ob0nvmE6-oS-hUZ8a-1KX2SINgfeEiVIsNlQPFV_oevlI3 whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc52355237_666599954?hash=Ke0Vjy4wKSLLxQozgUIZIwbp7FUtx2g2p6dpZCPIz4w&dl=bAWjUoWQU7Q3yZO1dsgL8W1vYS7neHPYrNA6TsTwqPk&api=1&no_preview=1#fr whois	VKontakte Ltd	87.240.129.133		clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self whois	CLOUDFLARENET	104.26.4.15		clean
https://vk.com/doc52355237_666326536?hash=rjXXx4NTWZOjPDm1rBOZV0MNZKJKSPIncZVbfM7fUgs&dl=Xla71nPCOIeJASWCr6aET2SrexVgHh8tOBiaI24D3yw&api=1&no_preview=1#rise whois	VKontakte Ltd	87.240.129.133		clean
https://sun6-20.userapi.com/c235031/u52355237/docs/d13/0aeb7c514923/PL_Client.bmp?extra=zEYLOhDaQqXBo8LHo45R7nwioXoRej0oNRyEVJGCrqajrvSvMw0tliZUIWtDiJ7aOfgdBozitFTgy__8OMIvxe4kKI1wRLO-Ex-HxkH2YWqrhTpszc1R-VBrI5-Kmqhg_zVTt6CoGc2U5-Af whois	VKontakte Ltd	95.142.206.0		clean
script.googleusercontent.com whois	GOOGLE	172.217.161.225		clean
neuralshit.net whois	CLOUDFLARENET	104.21.6.10		malware
db-ip.com whois	CLOUDFLARENET	104.26.5.15		clean
t.me whois	Telegram Messenger Inc	149.154.167.99		mailcious
canonicate.pw whois	CLOUDFLARENET	104.21.35.128		clean
ipinfo.io whois	GOOGLE	34.117.59.81		clean
sun6-23.userapi.com whois	VKontakte Ltd	95.142.206.3		clean
script.google.com whois	GOOGLE	142.250.206.238		compromised
yandex.ru whois	YANDEX LLC	5.255.255.77		clean
wahaaudit.ps whois	Palestine Telecommunications Company (PALTEL)	213.6.54.58		malware
dzen.ru whois	Invest Mobile LLC	62.217.160.2		clean
api.2ip.ua whois	ACP	162.0.218.244		clean
steamcommunity.com whois	Akamai International B.V.	104.76.78.101		mailcious
iplogger.org whois	Hetzner Online GmbH	148.251.234.83		mailcious
twitter.com whois	TWITTER	104.244.42.65		clean
telegram.org whois	Telegram Messenger Inc	149.154.167.99		clean
cdn.discordapp.com whois		162.159.133.233		malware
sun6-20.userapi.com whois	VKontakte Ltd	95.142.206.0		mailcious
api.db-ip.com whois	CLOUDFLARENET	172.67.75.166		clean
230926170958727.kmj.xne26.cfd whois	Belcloud LTD	94.156.35.76		malware
sun6-21.userapi.com whois	VKontakte Ltd	95.142.206.1		mailcious
sso.passport.yandex.ru whois	YANDEX LLC	213.180.204.24		clean
230404015907217.ism.wity21.info whois				clean
enfantfoundation.com whois	UNIFIEDLAYER-AS-1	108.179.232.106		malware
iplogger.com whois	Hetzner Online GmbH	148.251.234.93		mailcious
ekovel.ro whois	T-Mobile Czech Republic a.s.	89.42.13.207		clean
zexeq.com whois	Videosat 21 Vek OOD	95.158.162.200		malware
isaiahbenjamin.top whois	Trader soft LLC	85.143.221.30		malware
octocrabs.com whois	CLOUDFLARENET	104.21.21.189		mailcious
aidandylan.top whois	Trader soft LLC	85.143.221.30		malware
retailtechnologynews.com whois				clean
colisumy.com whois	Uninet S.A. de C.V.	187.156.64.85		malware
iplis.ru whois	Hetzner Online GmbH	148.251.234.93		mailcious
sun6-22.userapi.com whois	VKontakte Ltd	95.142.206.2		clean
www.maxmind.com whois	CLOUDFLARENET	104.18.145.235		clean
vk.com whois	VKontakte Ltd	87.240.132.78		mailcious
api.myip.com whois	CLOUDFLARENET	104.26.8.59		clean
89.42.13.207 whois	T-Mobile Czech Republic a.s.	89.42.13.207		clean
148.251.234.93 whois	Hetzner Online GmbH	148.251.234.93		mailcious
194.169.175.128 whois		194.169.175.128		mailcious
162.159.133.233 whois		162.159.133.233		malware
104.18.145.235 whois	CLOUDFLARENET	104.18.145.235		clean
194.169.175.123 whois		194.169.175.123		clean
162.0.218.244 whois	ACP	162.0.218.244		clean
87.240.129.133 whois	VKontakte Ltd	87.240.129.133		mailcious
62.217.160.2 whois	Invest Mobile LLC	62.217.160.2		clean
179.43.158.2 whois	Private Layer INC	179.43.158.2		clean
5.255.255.70 whois	YANDEX LLC	5.255.255.70		clean
142.250.66.97 whois	GOOGLE	142.250.66.97		clean
23.67.53.27 whois	Akamai International B.V.	23.67.53.27		clean
149.154.167.99 whois	Telegram Messenger Inc	149.154.167.99		mailcious
193.42.32.118 whois		193.42.32.118		mailcious
172.67.75.166 whois	CLOUDFLARENET	172.67.75.166		clean
172.67.75.163 whois	CLOUDFLARENET	172.67.75.163		clean
51.255.152.132 whois	OVH SAS	51.255.152.132		clean
45.9.74.80 whois		45.9.74.80		malware
108.179.232.106 whois	UNIFIEDLAYER-AS-1	108.179.232.106		mailcious
93.186.225.194 whois	VKontakte Ltd	93.186.225.194		mailcious
171.22.28.226 whois	CMCS	171.22.28.226		malware
34.117.59.81 whois	GOOGLE	34.117.59.81		clean
172.67.221.49 whois	CLOUDFLARENET	172.67.221.49		clean
148.251.234.83 whois	Hetzner Online GmbH	148.251.234.83		clean
104.26.8.59 whois	CLOUDFLARENET	104.26.8.59		clean
85.143.221.30 whois	Trader soft LLC	85.143.221.30		malware
172.67.134.35 whois	CLOUDFLARENET	172.67.134.35		malware
211.53.230.67 whois	LG DACOM Corporation	211.53.230.67		malware
78.47.27.247 whois	Hetzner Online GmbH	78.47.27.247		clean
190.141.134.150 whois	Cable Onda	190.141.134.150		clean
185.225.74.144 whois	Mayak Smart Services Ltd.	185.225.74.144		malware
194.169.175.232 whois		194.169.175.232		malware
176.123.9.142 whois	Alexhost Srl	176.123.9.142		mailcious
94.142.138.113 whois	Ihor Hosting LLC	94.142.138.113		mailcious
77.91.68.249 whois	Foton Telecom CJSC	77.91.68.249		malware
213.6.54.58 whois	Palestine Telecommunications Company (PALTEL)	213.6.54.58		malware
104.26.4.15 whois	CLOUDFLARENET	104.26.4.15		clean
104.21.35.128 whois	CLOUDFLARENET	104.21.35.128		mailcious
104.21.21.189 whois	CLOUDFLARENET	104.21.21.189		clean
95.142.206.1 whois	VKontakte Ltd	95.142.206.1		mailcious
95.142.206.0 whois	VKontakte Ltd	95.142.206.0		mailcious
95.142.206.3 whois	VKontakte Ltd	95.142.206.3		clean
45.15.156.229 whois	CJSC Kolomna-Sviaz TV	45.15.156.229		mailcious
104.244.42.129 whois	TWITTER	104.244.42.129		suspicious
142.250.204.78 whois	GOOGLE	142.250.204.78		clean
213.180.204.24 whois	YANDEX LLC	213.180.204.24		clean
104.76.78.101 whois	Akamai International B.V.	104.76.78.101		mailcious
95.142.206.2 whois	VKontakte Ltd	95.142.206.2		clean
5.42.64.10 whois	CJSC Kolomna-Sviaz TV	5.42.64.10		malware
171.22.28.213 whois	CMCS	171.22.28.213		malware

Suricata ids

ET DNS Query to a *.top domain - Likely Hostile
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.pw domain - Likely Hostile
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
SURICATA TLS invalid record type
SURICATA TLS invalid record/traffic
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET INFO Packed Executable Download
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO Dotted Quad Host ZIP Request
SURICATA Applayer Wrong direction first Data

Report - zip.7z

Signature (14cnts)

Rules (11cnts)

Network (149cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure