popup

Report - Archive.7z

Stealc PrivateLoader Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.17 16:28 Machine s1_win7_x6402
Filename Archive.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
6.4
ZERO API file : clean
VT API (file)
md5 14cf80a7fd8a77c3eaed98b8ec615eb4
sha256 c5d36d14ec04f6a568172a2a91959b17dc768c41dc6bc9486d975d41056ac7b0
ssdeep 49152:+DFo8pF6h1toD9tvTKsQHCBLPnHGS9CozJYPBAmu9FXooJtewXmR:+DFRF6nA3K8HGSkodsGm8PLjmR
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (146cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://elijahdiego.top/412a0310f85f16ad/msvcp140.dll
whois
CZ Coolhousing s.r.o. 45.132.1.20 clean
http://elijahdiego.top/e9c345fc99a4e67e.php
whois
CZ Coolhousing s.r.o. 45.132.1.20 37238 mailcious
http://49.12.118.149/
whois
DE Hetzner Online GmbH 49.12.118.149 clean
http://171.22.28.226/download/WWW14_64.exe
whois
DE CMCS 171.22.28.226 36907 malware
http://elijahdiego.top/412a0310f85f16ad/nss3.dll
whois
CZ Coolhousing s.r.o. 45.132.1.20 clean
http://elijahdiego.top/412a0310f85f16ad/freebl3.dll
whois
CZ Coolhousing s.r.o. 45.132.1.20 clean
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
AR Telecom Argentina S.A. 181.170.86.159 27911 mailcious
http://49.12.118.149/13088c19c5a97b42d0d1d9573cc9f1b8
whois
DE Hetzner Online GmbH 49.12.118.149 clean
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://colisumy.com/dl/build2.exe
whois
HU Telenor Hungary plc 84.224.231.39 31026 malware
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://194.169.175.232/autorun.exe
whois
Unknown 194.169.175.232 36817 malware
http://elijahdiego.top/412a0310f85f16ad/vcruntime140.dll
whois
CZ Coolhousing s.r.o. 45.132.1.20 clean
http://jackantonio.top/timeSync.exe
whois
CZ Coolhousing s.r.o. 45.132.1.20 malware
http://79.137.192.18/latestX.exe
whois
RU Psk-set LLC 79.137.192.18 37269 malware
http://zexeq.com/files/1/build3.exe
whois
KR SK Broadband Co Ltd 175.120.254.9 27913 malware
http://elijahdiego.top/412a0310f85f16ad/softokn3.dll
whois
CZ Coolhousing s.r.o. 45.132.1.20 clean
http://elijahdiego.top/412a0310f85f16ad/sqlite3.dll
whois
CZ Coolhousing s.r.o. 45.132.1.20 clean
http://49.12.118.149/upgrade.zip
whois
DE Hetzner Online GmbH 49.12.118.149 clean
http://94.142.138.113/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.113 28877 mailcious
http://171.22.28.226/download/Services.exe
whois
DE CMCS 171.22.28.226 37064 malware
http://lakuiksong.known.co.ke/netTimer.exe
whois
Unknown 146.59.70.14 malware
http://193.42.32.118/api/tracemap.php
whois
Unknown 193.42.32.118 36180 mailcious
http://45.9.74.80/0bjdn2Z/index.php
whois
Unknown 45.9.74.80 26790 mailcious
http://45.9.74.80/zinda.exe
whois
Unknown 45.9.74.80 37063 malware
http://elijahdiego.top/412a0310f85f16ad/mozglue.dll
whois
CZ Coolhousing s.r.o. 45.132.1.20 clean
http://galandskiyher5.com/downloads/toolspub2.exe
whois
Unknown 194.169.175.127 37268 malware
http://171.22.28.213/3.exe
whois
DE CMCS 171.22.28.213 37068 malware
http://94.142.138.113/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.113 36152 mailcious
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311 mailcious
http://193.42.32.118/api/firecom.php
whois
Unknown 193.42.32.118 36700 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US CCCH-3 23.43.165.66 clean
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.146.235 clean
http://77.91.68.249/navi/kur90.exe
whois
RU Foton Telecom CJSC 77.91.68.249 37069 malware
https://vk.com/doc52355237_667021459?hash=JwfD1ZCA6QgwzFekXEx3DZwJrazNVwknSJ4vBCdj3Ys&dl=GOvejb9TzKE4gYCzHfWoYwfHsCK1bKByDgPNozGoPQ0&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 clean
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc52355237_666953453?hash=NVFeHD1X6xxwiPyDZ4kbilHig693YsIH5g6X9HkS69s&dl=dzQeH4YkPFmuRHRZXunNV4NBh3hv5ZLppdno3QUFjqD&api=1&no_preview=1#rise
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://vk.com/doc52355237_667050459?hash=NQ6HDrMciNrk8Op9e7nKqKnZP9u5xJpPRChkwNPyBm8&dl=GmBH7q7bEBk6zEfSp9MzqQBJzBwkDu0dFrhvnqw9kZX&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/74273ccf856a/PL_Client.bmp?extra=csnf916qLySdbOnPb4QM1wJpYN_KmcpQ0uEFEG_2BbxdphBM_paLXN7TqQuhyJHVsORGU7Lwfy-9qBR2zD4xszU1xUBr__claLXF0x6sHrD1ifcltJe58oDUrMaND0_8ZVYazlP3PyjpseqU
whois
RU VKontakte Ltd 95.142.206.3 clean
https://rangeroverfan.org/499e7c149c3637ba0e1fb742ba195677/e0cbefcb1af40c7d4aff4aca26621a98.exe
whois
US CLOUDFLARENET 172.67.165.223 clean
https://sun6-23.userapi.com/c909228/u52355237/docs/d47/e2ccee6d682c/test222.bmp?extra=U4162n5729zjzlGgVMiKIwzkJSzSn6BRN_m83VHCDSL2utwpPZDW9dRU8eEsy3wfrW9-Fnnv7vUexxvyKCeW1kRRzPKq6pr-ITEC7sbkXtFyxI0n2PV1UEvsmCo1nAB9EjpwBAPoujY85rFq
whois
RU VKontakte Ltd 95.142.206.3 clean
https://api.myip.com/
whois
US CLOUDFLARENET 172.67.75.163 clean
https://steamcommunity.com/profiles/76561199563297648
whois
US Akamai International B.V. 104.76.78.101 clean
https://vk.com/doc52355237_667007935?hash=kuzA3bv8gFM9aPx1xppN6S57Z5FudS8VHgMzVNpYwzD&dl=0btHZXBhsJfZuUYdw9b30BIP8DDelUCYMFbdByUZzSz&api=1&no_preview=1#redcl
whois
RU VKontakte Ltd 93.186.225.194 clean
https://sun6-22.userapi.com/c909218/u52355237/docs/d2/f567f079ad99/RisePro.bmp?extra=83cSc7SmRJtjl8ec5OifozM_93tFy3jitg49sHNddO9i3ziQaQp3z9kjzmQmhEhbVDBaQMd-IcnziRKKHxPrBqsRJToRLDIngFoFoi58B3XLhIbZgrloTMF2bOKk1Z3Eu7sYPaYt_5og4PqN
whois
RU VKontakte Ltd 95.142.206.2 clean
https://foxandcatbet.org/e0cbefcb1af40c7d4aff4aca26621a98.exe
whois
US CLOUDFLARENET 172.67.142.109 clean
https://sun6-21.userapi.com/c237231/u52355237/docs/d27/97f34481b2d7/tmvwr.bmp?extra=MbgzQeRuofM3NgGPkxkb0_xwXGY1o0ISiHXbQDKdc321StSZO94IbBXMfprao9MyHL5npLe6QCtHnmMBR8O05vh1T0ga5C9dTDnASZTZANNWKwDcQ5hoDq2_RwfwvphDyBdjR1nIT5nczJep
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc52355237_667000543?hash=eKOuemWuRCZmXal2YVj4QW37gepCmLzd9U7bLDKtdnX&dl=Le3z6AAKjnE7RlnXRnVZJtvMGIu3iOAwG2df2VZCSfz&api=1&no_preview=1#test22
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://dzen.ru/?yredirect=true
whois
RU Invest Mobile LLC 62.217.160.2 clean
https://sun6-20.userapi.com/c909418/u52355237/docs/d49/67dc191caaa7/Bot_Clien.bmp?extra=R7Za_Su74KEChmw7p4WuJr3aQHsGFZ2niNVfSw7b_TcPR0Sh2TQRPc3x_dKUmQJGRsRS4Xg6uck9HOypT7iZguOe0t_Bgd5pRLa3KUoDL1FvFkA_0hWK1agbjgpqkyYmx7lhWSAmGHQio_uh
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc52355237_666904463?hash=UxTczsuPw9hubob0BlwxReQuXuRVMu7K4lkIHd53nfc&dl=pL6TKclvjp9CpzQWGzva7G0EpGDeSydWo0xKWmJnj6o&api=1&no_preview=1#WW11
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://sun6-22.userapi.com/c236331/u52355237/docs/d33/42ad5fd25833/red.bmp?extra=jBPpxCu8-8kHW7GkJagOOeVXeAQjqfh9RbubCoWwr1e6QBnvUiXFOpQD6-AOKdEluD9PjClWI2PdF4IE7pjgRurUidTgNX-Z5pW4fVBPn3w3ta24Al5usw3MYV0bfl8SrrAG1BgwPh-7QEH9
whois
RU VKontakte Ltd 95.142.206.2 clean
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 104.21.65.24 clean
https://sun6-23.userapi.com/c909518/u52355237/docs/d48/ec8a82716932/WWW11_32.bmp?extra=_TX1F44UV3ZALg1n2AWa4_-qKufakNhMTfVuhdspFzFQRFCYWXoMm-jfuDOI_Y1mPEIdF3QRBd-YZg3Y7R9ZqYiRxeF73Pg5AywpwdKlTdb0i9gHQl8XO2m4_9Zg9zDYpvmcVNGrm6ByCU3-
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc52355237_666996873?hash=DTmX6GpQzg0mSZJ3QBf9KMyoAQLjAN2VneVoP2TiOB8&dl=3T0LCAZCJSJEhCRk9I2GHnvey9MXQk00H3a77N9btwD&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://sso.passport.yandex.ru/push?uuid=c8f6077b-5611-4c81-b623-d60b8e575442&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
whois
RU YANDEX LLC 213.180.204.24 clean
https://sun6-23.userapi.com/c909228/u52355237/docs/d38/bd7e3c736003/d3h782af.bmp?extra=38DKfqb_w8hVm9RJN_Qn_gfteoDZJ7YQzPjblN39bGB-Bitknr4lgd3LDYR1O7LVHAF6-hZmbIGzgBwxsaZ5vMrHZr8hMpGk5u6ApIHydB_NQ8ERsGkKXcgd4qEQTxriiwoM1M8FJB4mclLk
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc52355237_666990393?hash=FTORQeSjuGQM3QZ0VZVmUaPzzMTjiHgVozgZL1VKkLs&dl=WHDNqvgddqa5sNEafsQGa9H9myfZRZuS1RHM37yysD8&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 172.67.75.166 clean
https://sun6-21.userapi.com/c909328/u52355237/docs/d47/2d1629fb7768/crypted.bmp?extra=67ZspKd_7kut6U_BdMgPfLmi-rrOqPQZg3ry0Z3nw-UpCPBi2s6Gs3v_cRKTtjcjmYcFSwZCRNI6VHoHLKEzQGK9rCbhfCs7HFqkPSTyx8jwjYinbba-X5Bwaw38J2IoTeNUu2uqVAtoOWGQ
whois
RU VKontakte Ltd 95.142.206.1 clean
https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://neuralshit.net/499e7c149c3637ba0e1fb742ba195677/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 172.67.134.35 clean
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 104.21.21.189 36716 mailcious
rangeroverfan.org
whois
US CLOUDFLARENET 104.21.66.240 clean
neuralshit.net
whois
US CLOUDFLARENET 172.67.134.35 malware
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
jackantonio.top
whois
CZ Coolhousing s.r.o. 45.132.1.20 malware
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 mailcious
galandskiyher5.com
whois
Unknown 194.169.175.127 malware
dzen.ru
whois
RU Invest Mobile LLC 62.217.160.2 clean
api.2ip.ua
whois
US CLOUDFLARENET 104.21.65.24 clean
steamcommunity.com
whois
US Akamai International B.V. 104.76.78.101 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
twitter.com
whois
US TWITTER 104.244.42.129 clean
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
octocrabs.com
whois
US CLOUDFLARENET 172.67.200.10 mailcious
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
sso.passport.yandex.ru
whois
RU YANDEX LLC 213.180.204.24 clean
lakuiksong.known.co.ke
whois
Unknown 146.59.70.14 malware
yandex.ru
whois
RU YANDEX LLC 77.88.55.88 clean
foxandcatbet.org
whois
US CLOUDFLARENET 104.21.71.26 clean
onualituyrs.org
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
elijahdiego.top
whois
CZ Coolhousing s.r.o. 45.132.1.20 mailcious
zexeq.com
whois
AR Telecom Argentina S.A. 181.170.86.159 malware
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
colisumy.com
whois
BR Sercomtel Participacoes S.A. 187.18.108.158 malware
api.myip.com
whois
US CLOUDFLARENET 104.26.8.59 clean
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 mailcious
www.maxmind.com
whois
US CLOUDFLARENET 104.18.145.235 clean
vk.com
whois
RU VKontakte Ltd 87.240.137.164 mailcious
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
104.18.145.235
whois
US CLOUDFLARENET 104.18.145.235 clean
182.162.106.33
whois
KR LG DACOM Corporation 182.162.106.33 malware
93.186.225.194
whois
RU VKontakte Ltd 93.186.225.194 mailcious
194.169.175.127
whois
Unknown 194.169.175.127 malware
185.225.75.171
whois
DE Mayak Smart Services Ltd. 185.225.75.171 mailcious
45.9.74.80
whois
Unknown 45.9.74.80 malware
62.217.160.2
whois
RU Invest Mobile LLC 62.217.160.2 clean
208.67.104.60
whois
Unknown 208.67.104.60 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
104.21.65.24
whois
US CLOUDFLARENET 104.21.65.24 clean
211.171.233.129
whois
KR LG DACOM Corporation 211.171.233.129 clean
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
172.67.75.163
whois
US CLOUDFLARENET 172.67.75.163 clean
175.120.254.9
whois
KR SK Broadband Co Ltd 175.120.254.9 malware
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
172.67.142.109
whois
US CLOUDFLARENET 172.67.142.109 clean
171.22.28.226
whois
DE CMCS 171.22.28.226 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
172.67.165.223
whois
US CLOUDFLARENET 172.67.165.223 clean
104.21.21.189
whois
US CLOUDFLARENET 104.21.21.189 clean
77.88.55.60
whois
RU YANDEX LLC 77.88.55.60 clean
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164 mailcious
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
79.137.192.18
whois
RU Psk-set LLC 79.137.192.18 malware
172.67.134.35
whois
US CLOUDFLARENET 172.67.134.35 malware
193.42.32.118
whois
Unknown 193.42.32.118 mailcious
45.132.1.20
whois
CZ Coolhousing s.r.o. 45.132.1.20 mailcious
185.225.74.144
whois
DE Mayak Smart Services Ltd. 185.225.74.144 malware
194.169.175.232
whois
Unknown 194.169.175.232 malware
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
77.91.68.249
whois
RU Foton Telecom CJSC 77.91.68.249 malware
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
49.12.118.149
whois
DE Hetzner Online GmbH 49.12.118.149 clean
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 mailcious
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 mailcious
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
146.59.70.14
whois
Unknown 146.59.70.14 malware
104.244.42.193
whois
US TWITTER 104.244.42.193 suspicious
87.240.132.78
whois
RU VKontakte Ltd 87.240.132.78 mailcious
213.180.204.24
whois
RU YANDEX LLC 213.180.204.24 clean
104.76.78.101
whois
US Akamai International B.V. 104.76.78.101 mailcious
171.22.28.213
whois
DE CMCS 171.22.28.213 malware
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious

Suricata ids

ET DNS Query to a *.top domain - Likely Hostile
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE Win32/Stealc Requesting plugins Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with plugins Config
ET MALWARE Win32/Stealc Submitting System Information to C2
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO Microsoft net.tcp Connection Initialization Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE Win32/Stealc Requesting browsers Config from C2
ET MALWARE Win32/Stealc Active C2 Responding with browsers Config
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET INFO Packed Executable Download
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET INFO Dotted Quad Host ZIP Request
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
ET MALWARE Possible Kelihos.F EXE Download Common Structure

Similarity measure (PE file only) - Checking for service failure