popup

Report - setup.7z

PrivateLoader Vidar Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.23 15:35 Machine s1_win7_x6402
Filename setup.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
7.0
ZERO API file : malware
VT API (file)
md5 bf2d71ede12b007cdabbf513b081fcb7
sha256 ef5a84b99c3cf3ddee7bee52d3c93b27359885d86c793508f4a5fd93cad07629
ssdeep 98304:83gN7/RELZZuO5ZWKTQks90N0KOijQT24Trld+cyckQT:8vZZuCwksq0KO+Hclqfy
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (137cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://171.22.28.226/download/WWW14_64.exe
whois
DE CMCS 171.22.28.226 36907 malware
http://109.107.182.2/race/bus50.exe
whois
RU Teleport-TV Ltd 109.107.182.2 malware
http://193.42.33.68/vpnmhcvbszad/boblspsqgegf.exe
whois
Unknown 193.42.33.68 malware
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
AR Techtel LMDS Comunicaciones Interactivas S.A. 186.13.17.220 27911 mailcious
http://jackantonio.top/timeSync.exe
whois
Unknown 37.139.129.88 37357 malware
http://colisumy.com/dl/build2.exe
whois
AR Telecom Argentina S.A. 181.170.86.159 31026 malware
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
http://wyattsebastian.top/e9c345fc99a4e67e.php
whois
Unknown 37.139.129.88 clean
http://185.172.128.69/newumma.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.69 malware
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://zexeq.com/files/1/build3.exe
whois
Unknown 169.148.95.39 27913 malware
http://171.22.28.221/files/Ads.exe
whois
DE CMCS 171.22.28.221 37468 malware
http://193.42.32.118/api/firegate.php
whois
Unknown 193.42.32.118 36458 mailcious
http://171.22.28.226/download/Services.exe
whois
DE CMCS 171.22.28.226 37064 malware
http://lakuiksong.known.co.ke/netTimer.exe
whois
Unknown 146.59.70.14 37358 malware
http://193.42.32.118/api/tracemap.php
whois
Unknown 193.42.32.118 36180 mailcious
http://176.113.115.84:8080/4.php
whois
RU OOO Network of data-centers Selectel 176.113.115.84 34795 mailcious
http://193.233.255.73/loghub/master
whois
RU OOO FREEnet Group 193.233.255.73 clean
http://193.42.32.118/api/firecom.php
whois
Unknown 193.42.32.118 36700 mailcious
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.146.235 clean
http://171.22.28.213/3.exe
whois
DE CMCS 171.22.28.213 37068 malware
http://www.google.com/
whois
US GOOGLE 142.250.76.132 clean
https://sun6-23.userapi.com/c235031/u52355237/docs/d21/7cb744cd40e6/crypted.bmp?extra=ijasbvJahzXSeNdqXSXLMGpGHvjz4jGBIbrjMTotAwPSDg7ZJWoTCMEgnrXhoT-UPrEIyIsw-zYLJvngWwPvMPOtEmMltl6PXIlTO5aNN0Qq0AxSs2IHuMhtvwLx9L6tHIS68UidODUbnFg9
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc52355237_667021459?hash=JwfD1ZCA6QgwzFekXEx3DZwJrazNVwknSJ4vBCdj3Ys&dl=GOvejb9TzKE4gYCzHfWoYwfHsCK1bKByDgPNozGoPQ0&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://db-ip.com/demo/home.php?s=175.208.134.152
whois
US CLOUDFLARENET 104.26.4.15 clean
https://sun6-20.userapi.com/c909518/u52355237/docs/d7/9d03fcd9d5bd/test2222.bmp?extra=Wry9QF8NRzHXFhuAyX10K2cUiDS0DTKoIRmO3Gdqy2Pqlg5wpKdUMJGOb4-PdzAqr5weQJRr6xl0yQWHUlmTdrUW1y_n1wiM2ewm5-R5m1ExpU4IOBI5iaaLryf706xSsUxP-5VzIAtPBVSa
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.67 mailcious
https://sun6-20.userapi.com/c237131/u52355237/docs/d23/7cd7043f8e90/New_crypt_test.bmp?extra=vYj8TsuI4Mh2GARpTfNUmOIhtAIFlk_aV6rN4fuV8RoazN2oSjvkW3gF0yYbSbvEdEIhlBKvLFNzrDhjXjuLtzBxm3t7UAjcRP6wVkJIC2mfq9v9-KN2np5vLrprxlhF01Lp6ir3imRMRJdu
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc52355237_667162081?hash=4BgzraSUlIskCw5J6xGm3ViPzq8b7svHxEssqfvoCPH&dl=LANzNVd3qg51q6TImeUt70feNJmp9qZlTmWM3bxixcD&api=1&no_preview=1#test22
whois
RU VKontakte Ltd 87.240.132.67 mailcious
https://experiment.pw/setup294.exe
whois
US CLOUDFLARENET 172.67.167.220 37436 malware
https://sun6-23.userapi.com/c235131/u52355237/docs/d29/d447d9047e01/2.bmp?extra=G5NjMO4sTn6SbCFGk7CD_SOlopWCbJMwNATWfk18b8h6W5KpzIWtQpereK3vm9yQmMyGT0c1IH0TTJppN4VFVi2l828xcy6v8sK2jl4z9PQdlNlCAdF3ABRJJbdaK_NhK3WUEg1Xih3dkvYN
whois
RU VKontakte Ltd 95.142.206.3 clean
https://api.myip.com/
whois
US CLOUDFLARENET 104.26.9.59 clean
https://steamcommunity.com/profiles/76561199563297648
whois
US Akamai International B.V. 104.75.41.21 37362 mailcious
https://vk.com/doc52355237_667233820?hash=ksqvnpPOTVnZUBQvgNWMHz7b34SlhrJYzyLwhjI3p2w&dl=9z5K5NGG8CQyYYjYV1UsyBwEjOrCNpWsf0ZuYRFDUpz&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.67 clean
https://sun6-23.userapi.com/c909518/u52355237/docs/d49/5c0d068b2eac/PL_Client.bmp?extra=b8v6B06HpzoI3tSK0mTSwwXQMXnLc3q1jWsNUxfrUhg37IPgrTLUxJuXVjoqdaD6wxqd5omwvfT1I4ifIHPUpzMI6CdiRlp1tMXpPcZQCoixxWWU54uu8GW5XHCV-7gyutSx4UrNDbW1iV20
whois
RU VKontakte Ltd 95.142.206.3 clean
https://dzen.ru/?yredirect=true
whois
RU Invest Mobile LLC 62.217.160.2 clean
https://vk.com/doc52355237_667128433?hash=c75kTaBvy8XsGUHj9nZuWnwfdY9ZY2Vr0W0kqMRZKj4&dl=yd0Kt5iJ7qiHq1ne4m1DmzhCyz12TwydRCTVOZYwpg8&api=1&no_preview=1#redcl
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://vk.com/doc52355237_667205062?hash=Svqj7zCdrED1hyD81lRt9NeObuiSXNy8bJzdPsMUx1w&dl=zCXthZXeky7MxZ1PAEfvkLNfEWm2gZlF4zhzbI8exz4&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.67 clean
https://vk.com/doc52355237_666904463?hash=UxTczsuPw9hubob0BlwxReQuXuRVMu7K4lkIHd53nfc&dl=pL6TKclvjp9CpzQWGzva7G0EpGDeSydWo0xKWmJnj6o&api=1&no_preview=1#WW11
whois
RU VKontakte Ltd 87.240.132.67 mailcious
https://vk.com/doc52355237_667276452?hash=wkBRUPYuo43rYtxIzQc6pAfTM1sBDD9zNWcmfsnUyZk&dl=pSqUmbLaVdyliolYK30HXXznJ7HpQH0ZxzieEabZe7k&api=1&no_preview=1#zxc
whois
RU VKontakte Ltd 87.240.132.67 clean
https://sso.passport.yandex.ru/push?uuid=33a6194a-fa11-4731-a21f-ec40a5c9dbcf&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
whois
RU YANDEX LLC 213.180.204.24 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 172.67.139.220 clean
https://vk.com/doc52355237_666996873?hash=DTmX6GpQzg0mSZJ3QBf9KMyoAQLjAN2VneVoP2TiOB8&dl=3T0LCAZCJSJEhCRk9I2GHnvey9MXQk00H3a77N9btwD&api=1&no_preview=1
whois
RU VKontakte Ltd 93.186.225.194 mailcious
https://sun6-23.userapi.com/c909228/u52355237/docs/d50/f10f18a7f79c/RisePro.bmp?extra=Xyda-uNNyJmyTQ5S8ByoXlhlokLU9vlSrjsRGgjAiDtxiqFtWK4WlDj9f-W0msD9rV2oEuDwnqK7I8iKgaM_YsJkIyFSOZrP_X0lYZZwVAEqwL_9-5UHTgq9slIJgndIgK_zQLX_bwz3QVfA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://vk.com/doc52355237_667260318?hash=5fIVbEMD7QFCeMOR3scNeKxSNfqeBg9KoduBU4Y3tID&dl=koAos1zT2zeVbUu3VEeFdVGaQOOEBZEWHNqrz2p7C1k&api=1&no_preview=1#rise
whois
RU VKontakte Ltd 93.186.225.194 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.67 mailcious
https://neuralshit.net/c31ff1e4370f1f902d97430832cc5f56/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 104.21.6.10 clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.5.15 clean
https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.67 mailcious
https://sun6-23.userapi.com/c909618/u52355237/docs/d9/334aaa965d98/tmvwr.bmp?extra=8vKP1hUU8FXC9Qe8mMCGvUfa8Cp8pOwsD2JU4mCuyllGkHmKNdLdm5pJBH5n8fLgBYOEugKzlYD-S8BALhWt6cB4_4dQu6dsu8wxVcZgawhp4z7JOXKqL-PS8fMBHOwRaKXgnQ3G9H9UZ2cQ
whois
RU VKontakte Ltd 95.142.206.3 clean
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 172.67.200.10 36716 mailcious
neuralshit.net
whois
US CLOUDFLARENET 172.67.134.35 malware
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
jackantonio.top
whois
Unknown 37.139.129.88 malware
vanaheim.cn
whois
RU RETN Limited 45.11.27.150 mailcious
t.me
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 mailcious
dzen.ru
whois
RU Invest Mobile LLC 62.217.160.2 clean
api.2ip.ua
whois
US CLOUDFLARENET 172.67.139.220 clean
steamcommunity.com
whois
US Akamai International B.V. 104.76.78.101 mailcious
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
twitter.com
whois
US TWITTER 104.244.42.129 clean
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
api.db-ip.com
whois
US CLOUDFLARENET 104.26.5.15 clean
lrefjviufewmcd.org
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
lakuiksong.known.co.ke
whois
Unknown 146.59.70.14 malware
experiment.pw
whois
US CLOUDFLARENET 104.21.34.37 malware
iplogger.com
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
colisumy.com
whois
AR Telecom Argentina S.A. 181.170.86.159 malware
zexeq.com
whois
AR Techtel LMDS Comunicaciones Interactivas S.A. 186.13.17.220 malware
wyattsebastian.top
whois
Unknown 37.139.129.88 clean
octocrabs.com
whois
US CLOUDFLARENET 104.21.21.189 mailcious
yandex.ru
whois
RU YANDEX LLC 77.88.55.88 clean
www.google.com
whois
US GOOGLE 142.250.76.132 clean
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
i.instagram.com
whois
IE FACEBOOK 31.13.82.52 clean
pastebin.com
whois
US CLOUDFLARENET 104.20.67.143 mailcious
www.maxmind.com
whois
US CLOUDFLARENET 104.18.145.235 clean
vk.com
whois
RU VKontakte Ltd 87.240.132.67 mailcious
sso.passport.yandex.ru
whois
RU YANDEX LLC 213.180.204.24 clean
api.myip.com
whois
US CLOUDFLARENET 104.26.9.59 clean
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
37.139.129.88
whois
Unknown 37.139.129.88 clean
104.18.145.235
whois
US CLOUDFLARENET 104.18.145.235 clean
182.162.106.33
whois
KR LG DACOM Corporation 182.162.106.33 malware
93.186.225.194
whois
RU VKontakte Ltd 93.186.225.194 mailcious
172.67.167.220
whois
US CLOUDFLARENET 172.67.167.220 malware
62.217.160.2
whois
RU Invest Mobile LLC 62.217.160.2 clean
62.122.184.92
whois
Unknown 62.122.184.92 mailcious
193.233.255.73
whois
RU OOO FREEnet Group 193.233.255.73 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
193.42.32.118
whois
Unknown 193.42.32.118 mailcious
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
157.240.215.63
whois
US FACEBOOK 157.240.215.63 clean
80.66.75.77
whois
RU Alexander Valerevich Mokhonko 80.66.75.77 mailcious
104.244.42.193
whois
US TWITTER 104.244.42.193 suspicious
45.11.27.150
whois
RU RETN Limited 45.11.27.150 clean
171.22.28.226
whois
DE CMCS 171.22.28.226 malware
87.240.132.67
whois
RU VKontakte Ltd 87.240.132.67 mailcious
171.22.28.221
whois
DE CMCS 171.22.28.221 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
172.67.200.10
whois
US CLOUDFLARENET 172.67.200.10 mailcious
176.113.115.84
whois
RU OOO Network of data-centers Selectel 176.113.115.84 mailcious
172.67.34.170
whois
US CLOUDFLARENET 172.67.34.170 mailcious
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
104.26.8.59
whois
US CLOUDFLARENET 104.26.8.59 clean
104.21.6.10
whois
US CLOUDFLARENET 104.21.6.10 malware
83.97.73.44
whois
DE Limitless Mobile GmbH 83.97.73.44 clean
213.180.204.24
whois
RU YANDEX LLC 213.180.204.24 clean
176.113.115.135
whois
RU OOO Network of data-centers Selectel 176.113.115.135 mailcious
104.75.41.21
whois
US Akamai International B.V. 104.75.41.21 mailcious
176.113.115.136
whois
RU OOO Network of data-centers Selectel 176.113.115.136 mailcious
185.172.128.69
whois
RU OOO Nadym Svyaz Service 185.172.128.69 malware
45.143.201.238
whois
Unknown 45.143.201.238 mailcious
193.42.33.68
whois
Unknown 193.42.33.68 malware
181.170.86.159
whois
AR Telecom Argentina S.A. 181.170.86.159 clean
190.12.87.61
whois
PE OPTICAL TECHNOLOGIES S.A.C. 190.12.87.61 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 mailcious
172.67.139.220
whois
US CLOUDFLARENET 172.67.139.220 clean
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
80.66.75.4
whois
RU Alexander Valerevich Mokhonko 80.66.75.4 mailcious
146.59.70.14
whois
Unknown 146.59.70.14 malware
171.22.28.239
whois
DE CMCS 171.22.28.239 mailcious
172.217.24.228
whois
US GOOGLE 172.217.24.228 clean
77.88.55.60
whois
RU YANDEX LLC 77.88.55.60 clean
109.107.182.2
whois
RU Teleport-TV Ltd 109.107.182.2 malware
171.22.28.236
whois
DE CMCS 171.22.28.236 mailcious
171.22.28.213
whois
DE CMCS 171.22.28.213 malware

Suricata ids

ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DNS Query to a *.pw domain - Likely Hostile
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET INFO EXE - Served Attached HTTP
ET INFO TLS Handshake Failure
ET HUNTING Possible EXE Download From Suspicious TLD
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Redline Stealer Activity (Response)
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ET MALWARE Win32/Vodkagats Loader Requesting Payload
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Get_settings)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET INFO Packed Executable Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)

Similarity measure (PE file only) - Checking for service failure