Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.10.27 12:25	Machine	s1_win7_x6402
Filename	File.7z
Type	7-zip archive data, version 0.4
AI Score	Not founds	Behavior Score	6.8
ZERO API	file : clean
VT API (file)
md5	3c62d34e99c4d0766c6a30aff0ff00d4
sha256	f819c330f74d731a950a047426d21bb4a13ce631fb9a1ccdc48f8b75e1ecc167
ssdeep	98304:xKxN63OC4piLrYTly9FOm/Zbz/Z8YAD4K0i9CfbWFG/2gMa:xu63j4pqYTk/B/Zv/iYU0i2bWMl
imphash
impfuzzy

Network IP location

Signature (14cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (154cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://171.22.28.226/download/WWW14_64.exe whois	CMCS	171.22.28.226	36907	malware
http://109.107.182.2/race/bus50.exe whois	Teleport-TV Ltd	109.107.182.2	37496	malware
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true whois	LG DACOM Corporation	211.119.84.111	27911	mailcious
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=rHs0an9bdrTIaDtaE0Df9rlg.exe&platform=0009&osver=5&isServer=0 whois	AKAMAI-AS	23.45.53.206		clean
http://45.15.156.229/api/tracemap.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	33783	mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c whois	Akamai International B.V.	23.67.53.17		clean
http://185.172.128.69/newumma.exe whois	OOO Nadym Svyaz Service	185.172.128.69	37499	malware
http://45.15.156.229/api/firegate.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	36052	mailcious
http://194.169.175.233/setup.exe whois		194.169.175.233	37614	malware
http://roberthamilton.top/timeSync.exe whois		37.139.129.88		malware
http://171.22.28.221/files/Ads.exe whois	CMCS	171.22.28.221	37468	malware
http://94.142.138.113/api/tracemap.php whois	Ihor Hosting LLC	94.142.138.113	28877	mailcious
http://94.142.138.131/api/firegate.php whois	Ihor Hosting LLC	94.142.138.131	32650	mailcious
http://193.42.32.118/api/firegate.php whois		193.42.32.118	36458	mailcious
http://171.22.28.226/download/Services.exe whois	CMCS	171.22.28.226	37064	malware
http://howardwood.top/e9c345fc99a4e67e.php whois		37.139.129.88	37562	mailcious
http://lakuiksong.known.co.ke/netTimer.exe whois		146.59.70.14	37358	malware
http://193.42.32.118/api/tracemap.php whois		193.42.32.118	36180	mailcious
http://77.91.124.1/theme/index.php whois	Foton Telecom CJSC	77.91.124.1	37040	mailcious
http://176.113.115.84:8080/4.php whois	OOO Network of data-centers Selectel	176.113.115.84	34795	mailcious
http://193.233.255.73/loghub/master whois	OOO FREEnet Group	193.233.255.73	37500	mailcious
http://94.142.138.131/api/tracemap.php whois	Ihor Hosting LLC	94.142.138.131	28311	mailcious
http://193.42.32.118/api/firecom.php whois		193.42.32.118	36700	mailcious
http://www.maxmind.com/geoip/v2.1/city/me whois	CLOUDFLARENET	104.18.146.235		clean
http://171.22.28.213/3.exe whois	CMCS	171.22.28.213	37068	malware
http://www.google.com/ whois	GOOGLE	142.250.76.132		clean
https://sun6-20.userapi.com/c237331/u825067038/docs/d49/2fa5bb09a502/PL_Client.bmp?extra=hoE_PGrrkY5d2NqippbG-UTIRwu_h48s7-Mi86qburxYxYP2a4nfRxp8kaKBiRxuro79vWtZxNk0QuVAV280jjii1nd_0ovq3qK0e2f0q64HOWQQ6l8DT724JVMNbiPaXVLRXVti3oXOXSvj6A whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc825067038_675084444?hash=k5PecVfBQzPaee7oBSXUMlbMI8WyGwsz9sC7fI90JQs&dl=KIXZTpWuxh6zhpZ3P1E5BeGpD6wWJ27NEZ8qKC46TGL&api=1&no_preview=1#good whois	VKontakte Ltd	87.240.132.72		clean
https://www.google.com/favicon.ico whois	GOOGLE	142.250.66.100		clean
https://sun6-23.userapi.com/c909518/u52355237/docs/d59/1bb094138bd6/d432j89adg.bmp?extra=uZ0kz3xyyLQRpHyiIUVDgzVuc8ISnjGwzHU3Zj5l6-kOEBCA2aVwbMUmknHcD5WrU8GfP7b98J-VdksDqOUosQfPqiGhAbCxWrH-Idsh_1XZ-Z0T00Y9APKnURqnh4Q2r8vMm2YUqVDohxSj whois	VKontakte Ltd	95.142.206.3		clean
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F whois	GOOGLE	142.250.204.109		clean
https://accounts.google.com/_/bscframe whois	GOOGLE	142.250.204.109		clean
https://vk.com/doc825067038_675120414?hash=ofV8tZWtQDknSObErFUq2rnV3Esz6p3eJRLOo5yZ3Bg&dl=3JL9LytHzeNyclBz9CDzoiw11Ovw4rTGzbKz11MEPvw&api=1&no_preview=1#1 whois	VKontakte Ltd	87.240.132.72		clean
https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=AVQVeyzdzet-5bFdLPdUq1j1uDurwe6kz_lHlw7J7WHjbFlxuWq7DWllN0DrN9yErviFid87F_Tyrw&passive=1209600&flowName=WebLi whois	GOOGLE	142.250.204.109		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats whois	VKontakte Ltd	87.240.132.72		mailcious
https://sun6-22.userapi.com/c909218/u52355237/docs/d42/5ea1ce9e9941/WWW11_32.bmp?extra=ytZfQv4RrE3t_njKlOfujRBbAbSsxpWTLHad68C6dj6dfnRUGMYwA5OymD16HSt28U1ha3InbqaN3PeokRDsnMPVFZj8LjDGWM_FUjVdq1bZYMxrIHBkE9qZnO3K1PZLO5_oK1_vX6oi9fyX whois	VKontakte Ltd	95.142.206.2		clean
https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png whois	GOOGLE	142.250.199.67		clean
https://sun6-23.userapi.com/c909618/u52355237/docs/d9/623cc18b4685/tmvwr.bmp?extra=5WUKP60iriNLZAh7S4FosuziGQcjWCkFZZ4x7xp8sOkXLhbwvbH5419WeD9RJCKirsxra8PHrHOD5PoaLYO4q-OZRkssRi22_oLTccilnyFnSWLZiks4PJxdOyEvR3dhcPSVd4aQv4cBG1g9 whois	VKontakte Ltd	95.142.206.3		clean
https://experiment.pw/setup294.exe whois	CLOUDFLARENET	104.21.34.37	37436	malware
https://vk.com/doc825067038_675094078?hash=yy528d2cdSWh8Qb1vjKZzrbg9uO0tUhBgbnW8xFFc7g&dl=fzvSk2lE8vQ96mfYErqNUoJZiKQg6dRgeIDz0UiA5W8&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		clean
https://accounts.google.com/ whois	GOOGLE	142.250.204.109		clean
https://vk.com/doc825067038_675107888?hash=p1edxhMap9ebzzyYu0bwG8SRx7fNg9lc730omI4QiGL&dl=7VNr97gwpMxX5zCHlKbDwt20Nh6MmLxWO6FX8g4zAqL&api=1&no_preview=1#s6 whois	VKontakte Ltd	93.186.225.194		clean
https://sso.passport.yandex.ru/push?uuid=a0c92fe7-42c2-4613-b8b7-fa00a304410a&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue whois	YANDEX LLC	213.180.204.24		clean
https://accounts.google.com/generate_204?YDaA_g whois	GOOGLE	142.250.204.109		clean
https://dzen.ru/?yredirect=true whois	Invest Mobile LLC	62.217.160.2		clean
https://sun6-20.userapi.com/c909618/u825067038/docs/d56/53e217f03c63/s6d7rtfygiftu57e8r6tfjgcfxdsreturyit.bmp?extra=iGkHoDjsILLIjBMdJJUo6FgOpO-KtPGICJdjT4FoefBp4bB2jgAGKbjdQXtnA_ThsSCU5i5bS3Lg6d6Y6Wf4CrjFyErGfuQ_v5XoImwRYBfYh-JyYGa34C7_VJ6Qs-x-Dt8GVlJ3J5X whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc52355237_667205062?hash=Svqj7zCdrED1hyD81lRt9NeObuiSXNy8bJzdPsMUx1w&dl=zCXthZXeky7MxZ1PAEfvkLNfEWm2gZlF4zhzbI8exz4&api=1&no_preview=1 whois	VKontakte Ltd	87.240.132.78		mailcious
https://sun6-22.userapi.com/c909328/u825067038/docs/d10/fd086603287f/red.bmp?extra=zYTCTjDurMXD3dgkI5bHy3cXnZBNncN4I8n51Y9hk8bLzF3Dv1aePJ8XfT539FOwfZjMjTIKqvS07bnzor215dPE1aiIH1IuV444DOz8_yaiOt5TK6-4XGc9sUBOTdmW7tFv7qTLjhBAWTg-TQ whois	VKontakte Ltd	95.142.206.2		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		mailcious
https://sun6-21.userapi.com/c235031/u825067038/docs/d20/a29a3db0069e/fresh1.bmp?extra=1dRSa-0TgJXqa93p4EbSQk90rNhKUH9so_jMimdjR_fNC7yh-U0RyUPFHhbKcUIbyspnMp2_-SsDdNtn56RI5ilXyOziZCizDJ2AoOkqCch-5X1wkTeC416YOe_GFTo7wCHGV03e__SBLuJNdQ whois	VKontakte Ltd	95.142.206.1		clean
https://api.2ip.ua/geo.json whois	CLOUDFLARENET	172.67.139.220		clean
https://vk.com/doc825067038_675098543?hash=fDGebbbbT59ZXUS0aTzHqJh9k55SUFqRxrdzJALVzSP&dl=VyQDbVL7k7q0VT6QORxGuLdfGzZ7nqAOWUJBLGBju7c&api=1&no_preview=1#test22 whois	VKontakte Ltd	87.240.132.72		clean
https://vk.com/doc825067038_675096729?hash=qSZS9aM0ivWNtijm1zaWyzA7J0bEJfI7RF562vpg2qP&dl=Di89rUJwazaYzfGe5B8jQKQ6f8sDEfxK1AwIneVf478&api=1&no_preview=1#redcl whois	VKontakte Ltd	93.186.225.194		clean
https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AVQVeywG5Ca3_U5z3i17rpBqe5XQmjKFOYO0l9YmCbXIH8Z7L2QC49OAi4jslnwM1-fvL4i20vS36Q whois	GOOGLE	142.250.204.109		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test whois	VKontakte Ltd	87.240.132.72		mailcious
https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		mailcious
https://sun6-20.userapi.com/c235031/u825067038/docs/d50/da83a607ce58/file261023.bmp?extra=oZYPM_XOV2yUnI1OIkqXvssiCX90LOMpdatPJ3Mo-Iy7KPl61syaohofhhshJ3MqAGzAGOOjyd2hns--mq7Yi8XIYXFJZP2JkQdW10m1262TpjTS9wualsTezDU7MTljJq1XP6azEUjxwVkt_Q whois	VKontakte Ltd	95.142.206.0		clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self whois	CLOUDFLARENET	104.26.5.15		clean
https://sun6-20.userapi.com/c909418/u825067038/docs/d26/484476cefcda/crypted.bmp?extra=xKumbx-TTXs_1he4_Ei0XOGCQ7hjCAmh0Tfxiar8m_-yHzKu8fpiKEbsBT6lBgNyPmwVvmrnWrMWcYvr0uDWeewVVOX6C76OSOO6saJLa-Sb0UvH22ikkXipev0DFE-_kzKEApKnwBDNKESMfw whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc52355237_666778887?hash=MsypGwgfzH9k8tAFuGqJl0MJgVVDiak3EKsK8zRZBXP&dl=zbnEaURFd1h1t5v6QgcpBauCKgnVbU0YGtRdWYWulE8&api=1&no_preview=1 whois	VKontakte Ltd	87.240.132.72		mailcious
https://neuralshit.net/8b54e3f23ea4df83b44da9add06c973d/7725eaa6592c80f8124e769b4e8a07f7.exe whois	CLOUDFLARENET	172.67.134.35		clean
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe whois	CLOUDFLARENET	104.21.21.189	36716	mailcious
https://vk.com/doc52355237_667299917?hash=ZBXZXgvR0VGrrHhRL8ouG0pmaOgq5CMqSVSg07KQ3kD&dl=VP4eeCrZnI7ZSJlYk7MTGWNlWtWgIwQmPzfjoXznkSD&api=1&no_preview=1#ww11 whois	VKontakte Ltd	87.240.132.72		mailcious
neuralshit.net whois	CLOUDFLARENET	172.67.134.35		malware
db-ip.com whois	CLOUDFLARENET	104.26.4.15		clean
roberthamilton.top whois		37.139.129.88		malware
vanaheim.cn whois	Yandex.Cloud LLC	84.201.152.220		mailcious
ipinfo.io whois	GOOGLE	34.117.59.81		clean
accounts.google.com whois	GOOGLE	142.250.206.205		clean
sun6-23.userapi.com whois	VKontakte Ltd	95.142.206.3		mailcious
yandex.ru whois	YANDEX LLC	77.88.55.88		clean
dzen.ru whois	Invest Mobile LLC	62.217.160.2		clean
medfioytrkdkcodlskeej.net whois	Petersburg Internet Network ltd.	91.215.85.209		malware
learn.microsoft.com whois	AKAMAI-AS	23.40.45.69		clean
api.2ip.ua whois	CLOUDFLARENET	104.21.65.24		clean
iplogger.org whois	Hetzner Online GmbH	148.251.234.83		mailcious
twitter.com whois	TWITTER	104.244.42.1		clean
telegram.org whois	Telegram Messenger Inc	149.154.167.99		clean
sun6-20.userapi.com whois	VKontakte Ltd	95.142.206.0		mailcious
api.db-ip.com whois	CLOUDFLARENET	172.67.75.166		clean
sun6-21.userapi.com whois	VKontakte Ltd	95.142.206.1		mailcious
sso.passport.yandex.ru whois	YANDEX LLC	213.180.204.24		clean
lakuiksong.known.co.ke whois		146.59.70.14		malware
experiment.pw whois	CLOUDFLARENET	172.67.167.220		malware
ssl.gstatic.com whois	GOOGLE	142.250.207.99		clean
howardwood.top whois		37.139.129.88		mailcious
iplogger.com whois	Hetzner Online GmbH	148.251.234.93		mailcious
zexeq.com whois	SK Broadband Co Ltd	123.213.233.131		malware
octocrabs.com whois	CLOUDFLARENET	172.67.200.10		mailcious
www.google.com whois	GOOGLE	142.250.76.132		clean
iplis.ru whois	Hetzner Online GmbH	148.251.234.93		mailcious
sun6-22.userapi.com whois	VKontakte Ltd	95.142.206.2		mailcious
www.maxmind.com whois	CLOUDFLARENET	104.18.146.235		clean
vk.com whois	VKontakte Ltd	87.240.129.133		mailcious
api.myip.com whois	CLOUDFLARENET	104.26.8.59		clean
148.251.234.93 whois	Hetzner Online GmbH	148.251.234.93		mailcious
87.240.132.78 whois	VKontakte Ltd	87.240.132.78		mailcious
84.201.152.220 whois	Yandex.Cloud LLC	84.201.152.220		clean
104.18.145.235 whois	CLOUDFLARENET	104.18.145.235		clean
148.251.234.83 whois	Hetzner Online GmbH	148.251.234.83		clean
93.186.225.194 whois	VKontakte Ltd	93.186.225.194		mailcious
172.67.167.220 whois	CLOUDFLARENET	172.67.167.220		malware
185.225.75.171 whois	Mayak Smart Services Ltd.	185.225.75.171		mailcious
77.91.124.1 whois	Foton Telecom CJSC	77.91.124.1		malware
62.122.184.92 whois		62.122.184.92		mailcious
193.233.255.73 whois	OOO FREEnet Group	193.233.255.73		mailcious
104.26.5.15 whois	CLOUDFLARENET	104.26.5.15		clean
149.154.167.99 whois	Telegram Messenger Inc	149.154.167.99		mailcious
193.42.32.118 whois		193.42.32.118		mailcious
104.21.34.37 whois	CLOUDFLARENET	104.21.34.37		phishing
62.217.160.2 whois	Invest Mobile LLC	62.217.160.2		clean
142.250.204.109 whois	GOOGLE	142.250.204.109		clean
83.97.73.44 whois	Limitless Mobile GmbH	83.97.73.44		clean
171.22.28.226 whois	CMCS	171.22.28.226		malware
142.250.76.132 whois	GOOGLE	142.250.76.132		clean
171.22.28.221 whois	CMCS	171.22.28.221		malware
34.117.59.81 whois	GOOGLE	34.117.59.81		clean
104.21.21.189 whois	CLOUDFLARENET	104.21.21.189		clean
142.250.199.67 whois	GOOGLE	142.250.199.67		clean
77.88.55.60 whois	YANDEX LLC	77.88.55.60		clean
104.244.42.65 whois	TWITTER	104.244.42.65		suspicious
104.26.8.59 whois	CLOUDFLARENET	104.26.8.59		clean
142.250.66.100 whois	GOOGLE	142.250.66.100		clean
37.139.129.88 whois		37.139.129.88		mailcious
172.67.134.35 whois	CLOUDFLARENET	172.67.134.35		malware
213.180.204.24 whois	YANDEX LLC	213.180.204.24		clean
77.91.124.86 whois	Foton Telecom CJSC	77.91.124.86		clean
176.113.115.135 whois	OOO Network of data-centers Selectel	176.113.115.135		mailcious
190.141.134.150 whois	Cable Onda	190.141.134.150		clean
176.113.115.136 whois	OOO Network of data-centers Selectel	176.113.115.136		mailcious
185.172.128.69 whois	OOO Nadym Svyaz Service	185.172.128.69		malware
45.143.201.238 whois		45.143.201.238		mailcious
172.67.75.166 whois	CLOUDFLARENET	172.67.75.166		clean
194.169.175.233 whois		194.169.175.233		malware
94.142.138.131 whois	Ihor Hosting LLC	94.142.138.131		mailcious
94.142.138.113 whois	Ihor Hosting LLC	94.142.138.113		mailcious
91.215.85.209 whois	Petersburg Internet Network ltd.	91.215.85.209		mailcious
23.67.53.17 whois	Akamai International B.V.	23.67.53.17		clean
23.40.45.69 whois	AKAMAI-AS	23.40.45.69		clean
95.142.206.3 whois	VKontakte Ltd	95.142.206.3		mailcious
176.113.115.84 whois	OOO Network of data-centers Selectel	176.113.115.84		mailcious
172.67.139.220 whois	CLOUDFLARENET	172.67.139.220		clean
95.142.206.0 whois	VKontakte Ltd	95.142.206.0		mailcious
80.66.75.4 whois	Alexander Valerevich Mokhonko	80.66.75.4		mailcious
45.15.156.229 whois	CJSC Kolomna-Sviaz TV	45.15.156.229		mailcious
146.59.70.14 whois		146.59.70.14		malware
194.169.175.234 whois		194.169.175.234		clean
23.45.53.206 whois	AKAMAI-AS	23.45.53.206		clean
95.142.206.2 whois	VKontakte Ltd	95.142.206.2		mailcious
87.240.132.72 whois	VKontakte Ltd	87.240.132.72		mailcious
80.66.75.77 whois	Alexander Valerevich Mokhonko	80.66.75.77		mailcious
109.107.182.2 whois	Teleport-TV Ltd	109.107.182.2		malware
95.142.206.1 whois	VKontakte Ltd	95.142.206.1		mailcious
171.22.28.213 whois	CMCS	171.22.28.213		malware

Suricata ids

ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET DNS Query to a *.pw domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
SURICATA Applayer Mismatch protocol both directions
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET DNS Query to a *.top domain - Likely Hostile
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO EXE - Served Attached HTTP
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET INFO Packed Executable Download
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Redline Stealer Activity (Response)
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)

Report - File.7z

Signature (14cnts)

Rules (11cnts)

Network (154cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure