popup

Report - File.7z

PrivateLoader Stealc Amadey Escalate priviledges PWS KeyLogger AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.30 09:53 Machine s1_win7_x6402
Filename File.7z
Type 7-zip archive data, version 0.4
AI Score Not founds Behavior Score
7.0
ZERO API file : malware
VT API (file)
md5 af9d7f78e54912ec053e221309ce9288
sha256 5c700333023d6d15e155268554f233337f1266abf6583612edd79763de2f7029
ssdeep 98304:SmZi0RogWN27Mf8jhZ+CfzcDU8CpNO1PREmbyZuly3qGiqw+t/MnD:SmMKogwxHCLcDU8CYPSmbyFSqz/M
imphash
impfuzzy
  Network IP location

Signature (14cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
warning Generates some ICMP traffic
watch Communicates with host for which no DNS query was performed
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates executable files on the filesystem
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Sends data using the HTTP POST Method
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger

Rules (11cnts)

Level Name Description Collection
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (169cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://171.22.28.226/download/WWW14_64.exe
whois
DE CMCS 171.22.28.226 36907 malware
http://gobo06fc.top/build.exe
whois
RU TimeWeb Ltd. 176.57.208.22 clean
http://109.107.182.2/race/bus50.exe
whois
RU Teleport-TV Ltd 109.107.182.2 37496 malware
http://zexeq.com/test2/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
whois
KR LG DACOM Corporation 115.88.24.200 27911 mailcious
http://85.217.144.143/files/My2.exe
whois
Unknown 85.217.144.143 34643 malware
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.209.95.50 clean
http://185.172.128.69/newumma.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.69 37499 malware
http://45.15.156.229/api/firegate.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 36052 mailcious
http://194.169.175.233/setup.exe
whois
Unknown 194.169.175.233 37614 malware
http://171.22.28.221/files/Ads.exe
whois
DE CMCS 171.22.28.221 37468 malware
http://94.142.138.113/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.113 28877 mailcious
http://193.42.32.118/api/firegate.php
whois
Unknown 193.42.32.118 36458 mailcious
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=N8ipci53dhrAtaIs0Z9qUQyn.exe&platform=0009&osver=5&isServer=0
whois
US AKAMAI-AS 23.207.42.151 clean
http://171.22.28.226/download/Services.exe
whois
DE CMCS 171.22.28.226 37064 malware
http://howardwood.top/e9c345fc99a4e67e.php
whois
Unknown 37.139.129.88 37562 mailcious
http://pic.himanfast.com/order/tuc15.exe
whois
US CLOUDFLARENET 172.67.135.47 clean
http://galandskiyher5.com/downloads/toolspub1.exe
whois
DE CMCS 95.214.26.28 37396 malware
http://94.142.138.131/api/tracemap.php
whois
RU Ihor Hosting LLC 94.142.138.131 28311 mailcious
http://193.42.32.118/api/tracemap.php
whois
Unknown 193.42.32.118 36180 mailcious
http://albertwashington.icu/timeSync.exe
whois
Unknown 37.139.129.88 malware
http://77.91.124.1/theme/index.php
whois
RU Foton Telecom CJSC 77.91.124.1 37040 mailcious
http://45.15.156.229/api/tracemap.php
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 33783 mailcious
http://193.233.255.73/loghub/master
whois
RU OOO FREEnet Group 193.233.255.73 37500 mailcious
http://94.142.138.113/api/firegate.php
whois
RU Ihor Hosting LLC 94.142.138.113 36152 mailcious
http://lakuiksong.known.co.ke/netTimer.exe
whois
Unknown 146.59.70.14 37358 malware
http://193.42.32.118/api/firecom.php
whois
Unknown 193.42.32.118 36700 mailcious
http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
whois
US OPERASOFTWARE 107.167.110.216 clean
http://www.maxmind.com/geoip/v2.1/city/me
whois
US CLOUDFLARENET 104.18.145.235 clean
http://171.22.28.213/3.exe
whois
DE CMCS 171.22.28.213 37068 malware
https://vk.com/doc493219498_672749745?hash=vAQNipawtX2M4kWLArPas0dqtYNjH5RFCiVEd2pEIu4&dl=zs8nRnVXgwetD0qYQFA8MtFtd4cvDsVE0LU7wM7ccnc&api=1&no_preview=1#2nc
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-22.userapi.com/c237331/u493219498/docs/d49/b66400c9570a/2ncbjsgb.bmp?extra=p2I3_ac90QTyfY6tbGK3zTRsl8m01Mz5djnbH0Ck0s4rGpSkCVCS7E6ustd-k9k2DFGN53ueucr7M4QfOa63zoJ2ZD_KMLnUwsW4_sqVLCJy-JNcMyNXNYbofQd9M3HyKPO58VhCujni2lOB3g
whois
RU VKontakte Ltd 95.142.206.2 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://experiment.pw/setup294.exe
whois
US CLOUDFLARENET 104.21.34.37 37436 malware
https://vk.com/doc825067038_675094078?hash=yy528d2cdSWh8Qb1vjKZzrbg9uO0tUhBgbnW8xFFc7g&dl=fzvSk2lE8vQ96mfYErqNUoJZiKQg6dRgeIDz0UiA5W8&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://vk.com/doc493219498_672788896?hash=qnDUhqn6hBDJzFWRnaSA0Z01GHFgFVba0yvHW6T79g0&dl=z7JZ3UTuMeYJqYgthVY47dZ7u7lnpTKYGCV9OgRhcJk&api=1&no_preview=1#ww11
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-23.userapi.com/c909518/u52355237/docs/d59/a7848d68c935/d432j89adg.bmp?extra=DOXVoEGDlhZ3qZpcWGZKTe_UaEJzSsHgQykmKEMHGAGyIwckz27zGXQn5e3tFqhKgAR5VwnJ7-mFCcKTAreATgHzptPdOONZ7bj5sYWy5TncTuLhz72Y4EkRR9-tgpmWSr316irJ85QgRDn2
whois
RU VKontakte Ltd 95.142.206.3 clean
https://api.myip.com/
whois
US CLOUDFLARENET 104.26.9.59 clean
https://vk.com/doc493219498_672804512?hash=k6gVocJtWMIGa4eR2u3BEQexXtjJzptcjPX2TpQvyHP&dl=RdWtWX0NOjUuv5jSqHuHLHgdyH9LhrvA8lQtBVZeJGP&api=1&no_preview=1#test22
whois
RU VKontakte Ltd 87.240.132.78 clean
https://pastebin.com/raw/xYhKBupz
whois
US CLOUDFLARENET 104.20.67.143 36780 mailcious
https://sun6-22.userapi.com/c237331/u493219498/docs/d54/558531b87f51/tmvwr.bmp?extra=H9R0hZa8Qk6cfwzu-uVl0xdtbNwDJ_qVhAKxlWQvT7ZL7P0K9If8jRa1oF86go-dE3dA08rsIQveSpHe-iiv1ThMDn3G4QIaLwGnvIAV4Ph6fiw5h0YEo-GD94rsUiKYsaf82cfzGyrdCn4tPA
whois
RU VKontakte Ltd 95.142.206.2 clean
https://vk.com/doc493219498_672768541?hash=tpdx8YXg91Y3FlT5s0RAbnPmPS1Zzyo9eLqcOzyWZYc&dl=WDy5pNA0ek7levBiA9WZCVFsr80DioWsqEq14iAXX84&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://yip.su/RNWPd.exe
whois
US CLOUDFLARENET 172.67.169.89 37623 malware
https://sun6-22.userapi.com/c909328/u825067038/docs/d10/dbd8180ea057/red.bmp?extra=1JmdCVOFWNFJ4b0PUaHk6aYVa-GAdpx4zCub1qMiqMDHFtHWM6rVmhZlRPJIQoo9YC7rLCtbjS-B_Ifo79si4vee5Y0mjPAb6f5isYmV2i-Zkew_BPBG9xDPvdfknsmAM5HCGCNmC6fq1Zz_5Q
whois
RU VKontakte Ltd 95.142.206.2 clean
https://neuralshit.net/d90081187817a6ae1976603702b44d57/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 172.67.134.35 clean
https://sun6-22.userapi.com/c909518/u493219498/docs/d15/cb31b59ccd86/crypted.bmp?extra=4kM18eBBAFBYEBmT5K7ny9mwreXTxNP8Pc37HIDLBK5ek10xCo2u4vHn3EGEVScsV_bwEm_dCfHZHlPo00U0xxggi6bYqXDx-w-CAA82GXgAYpeBC2H64fDflmGqWK4BrgxVFxzdUb3hNKsJwA
whois
RU VKontakte Ltd 95.142.206.2 clean
https://dzen.ru/?yredirect=true
whois
RU Invest Mobile LLC 62.217.160.2 clean
https://potatogoose.com/d90081187817a6ae1976603702b44d57/baf14778c246e15550645e30ba78ce1c.exe
whois
US CLOUDFLARENET 104.21.35.235 clean
https://sso.passport.yandex.ru/push?uuid=edf1cf2f-872e-44da-a11f-d65d4aa510cb&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue
whois
RU YANDEX LLC 213.180.204.24 clean
https://vk.com/doc493219498_672808934?hash=3h4ko75BxWR7bDzmYDEVeLjJ3bMDZMmqJwpesGGRjEk&dl=3LiOPpNlxlxNezlWVYBcUr4wZeMfTqteUGyDAC5FvTH&api=1&no_preview=1#risepro
whois
RU VKontakte Ltd 87.240.137.164 clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
whois
US OPERASOFTWARE 107.167.110.211 clean
https://sun6-21.userapi.com/c237031/u493219498/docs/d9/f44badf38306/file291023.bmp?extra=7GE1C-EwQJy_8FKCjjzYwfovOf4Pj0g-Cl_UrB7R49OFcoW7unCyKfxTxR_7WcIlEFwgS1BpZkRO6_IxFUMs9s1dkCAxEl2iW6ipYPPcF8YpO894lNyZj98WPNuVnpJRwiX5zkQEf0sM6bBO6w
whois
RU VKontakte Ltd 95.142.206.1 clean
https://api.2ip.ua/geo.json
whois
US CLOUDFLARENET 172.67.139.220 clean
https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
whois
US CLOUDFLARENET 104.21.93.225 36783 malware
https://vk.com/doc825067038_675096729?hash=qSZS9aM0ivWNtijm1zaWyzA7J0bEJfI7RF562vpg2qP&dl=Di89rUJwazaYzfGe5B8jQKQ6f8sDEfxK1AwIneVf478&api=1&no_preview=1#redcl
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://sun6-20.userapi.com/c237331/u825067038/docs/d49/62f94930727d/PL_Client.bmp?extra=WKl12ZsgAl5B4caqcSa25bxYZG3KBVnP2hYZwJDXWNs_yGCBkyjXZTNurElPkE9In2UcIRR-dFstveJcJExDb_UzJWORx7bCJ8KJ7BEJIg3Q36N2Ph-OCyoWZvJ8c1crDANitolP42kcuubVrA
whois
RU VKontakte Ltd 95.142.206.0 clean
https://vk.com/doc493219498_672795139?hash=7g3rgnU3d1p1j83fiPQfRd7uuNjdLnKy3K6hXX8CtxX&dl=MA21iZj9gcnP18Dr8zFAZlCUyOz91OUA5qwGoDcp2x8&api=1&no_preview=1#1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test
whois
RU VKontakte Ltd 87.240.132.78 mailcious
https://vk.com/doc52355237_667323207?hash=ZkIwTTYNTwNDXLt5Gs5EEchtp6n7cf7VmKRYfvfVcZc&dl=ZTGusJZiietYLrS13VtWmnhjrFLGcXrZJST1wXSwTtP&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.137.164 mailcious
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
whois
US CLOUDFLARENET 104.26.4.15 clean
https://vk.com/doc493219498_672789104?hash=wRQw6qpepE0sgtYf8bKOdwqZHHaauqkqH01POIsTcu0&dl=sxCzUpMz5PwDpI7atdJZ9Qxm6xZkLHmABBIpqrCKNNz&api=1&no_preview=1
whois
RU VKontakte Ltd 87.240.132.78 clean
https://sun6-21.userapi.com/c909418/u493219498/docs/d37/87bca5c0f023/WWW11_32.bmp?extra=n16gKuSgFdbzbUndRH-3kdNwVpz2zKmV3LlQchJqLUsE-c9iUv7t_p_pR0w79iXmFpT0lWfj7boucWuSJsujP5mwBohC4ZZWZ_T1e-fFJr_bwekVyE48EtEJJWgTD5KaXmtFbI1JiwT0CNI8iw
whois
RU VKontakte Ltd 95.142.206.1 clean
https://sun6-23.userapi.com/c909228/u493219498/docs/d37/c664a593c9eb/RisePro.bmp?extra=UvO5MwYWbFe33V5P002LfJF3-ELPApRSrucm2DXQv0XU-cC5kXzn71n2lGd9PIPpkmCr04vYXMlGRFZVyUNF7HTCzkx3_PsxIozMLvqZivMASXprmQ-K5cEk-WFG4lVzUVpkFY8cnnOkVLkUxA
whois
RU VKontakte Ltd 95.142.206.3 clean
https://octocrabs.com/7725eaa6592c80f8124e769b4e8a07f7.exe
whois
US CLOUDFLARENET 172.67.200.10 36716 mailcious
neuralshit.net
whois
US CLOUDFLARENET 172.67.134.35 malware
gobo06fc.top
whois
RU TimeWeb Ltd. 176.57.208.22 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
www.paypal.com
whois
US FASTLY 151.101.193.21 clean
ipinfo.io
whois
US GOOGLE 34.117.59.81 clean
accounts.google.com
whois
US GOOGLE 142.250.206.205 clean
sun6-23.userapi.com
whois
RU VKontakte Ltd 95.142.206.3 mailcious
galandskiyher5.com
whois
DE CMCS 95.214.26.28 malware
potatogoose.com
whois
US CLOUDFLARENET 104.21.35.235 malware
dzen.ru
whois
RU Invest Mobile LLC 62.217.160.2 clean
medfioytrkdkcodlskeej.net
whois
RU Petersburg Internet Network ltd. 91.215.85.209 malware
learn.microsoft.com
whois
US Telenor Norge AS 23.52.33.172 clean
api.2ip.ua
whois
US CLOUDFLARENET 172.67.139.220 clean
iplogger.org
whois
DE Hetzner Online GmbH 148.251.234.83 mailcious
laubenstein.space
whois
Unknown mailcious
twitter.com
whois
US TWITTER 104.244.42.193 clean
telegram.org
whois
GB Telegram Messenger Inc 149.154.167.99 clean
yip.su
whois
US CLOUDFLARENET 172.67.169.89 mailcious
sun6-20.userapi.com
whois
RU VKontakte Ltd 95.142.206.0 mailcious
octocrabs.com
whois
US CLOUDFLARENET 104.21.21.189 mailcious
pic.himanfast.com
whois
US CLOUDFLARENET 172.67.135.47 clean
sun6-21.userapi.com
whois
RU VKontakte Ltd 95.142.206.1 mailcious
sso.passport.yandex.ru
whois
RU YANDEX LLC 213.180.204.24 clean
lakuiksong.known.co.ke
whois
Unknown 146.59.70.14 malware
experiment.pw
whois
US CLOUDFLARENET 172.67.167.220 malware
www.youtube.com
whois
US GOOGLE 142.250.206.206 mailcious
net.geo.opera.com
whois
US OPERASOFTWARE 107.167.110.211 clean
dl1-broomcleaner.online
whois
Unknown clean
iplogger.com
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
zexeq.com
whois
AR Telecom Argentina S.A. 190.224.203.37 malware
api.db-ip.com
whois
US CLOUDFLARENET 172.67.75.166 clean
albertwashington.icu
whois
Unknown 37.139.129.88 malware
632432.space
whois
DE CMCS 171.22.28.204 clean
yandex.ru
whois
RU YANDEX LLC 77.88.55.88 clean
api.myip.com
whois
US CLOUDFLARENET 104.26.8.59 clean
sun6-22.userapi.com
whois
RU VKontakte Ltd 95.142.206.2 mailcious
howardwood.top
whois
Unknown 37.139.129.88 mailcious
pastebin.com
whois
US CLOUDFLARENET 104.20.67.143 mailcious
flyawayaero.net
whois
US CLOUDFLARENET 104.21.93.225 malware
www.maxmind.com
whois
US CLOUDFLARENET 104.18.145.235 clean
vk.com
whois
RU VKontakte Ltd 87.240.129.133 mailcious
iplis.ru
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
lycheepanel.info
whois
US CLOUDFLARENET 172.67.187.122 malware
148.251.234.93
whois
DE Hetzner Online GmbH 148.251.234.93 mailcious
194.169.175.128
whois
Unknown 194.169.175.128 mailcious
142.250.66.110
whois
US GOOGLE 142.250.66.110 clean
104.18.146.235
whois
US CLOUDFLARENET 104.18.146.235 clean
172.67.187.122
whois
US CLOUDFLARENET 172.67.187.122 malware
77.91.124.1
whois
RU Foton Telecom CJSC 77.91.124.1 malware
194.169.175.220
whois
Unknown 194.169.175.220 clean
62.217.160.2
whois
RU Invest Mobile LLC 62.217.160.2 clean
104.244.42.1
whois
US TWITTER 104.244.42.1 suspicious
193.233.255.73
whois
RU OOO FREEnet Group 193.233.255.73 mailcious
85.217.144.143
whois
Unknown 85.217.144.143 malware
208.67.104.60
whois
Unknown 208.67.104.60 mailcious
172.67.169.89
whois
US CLOUDFLARENET 172.67.169.89 clean
104.20.67.143
whois
US CLOUDFLARENET 104.20.67.143 mailcious
104.21.6.189
whois
US CLOUDFLARENET 104.21.6.189 clean
193.42.32.118
whois
Unknown 193.42.32.118 mailcious
104.21.34.37
whois
US CLOUDFLARENET 104.21.34.37 phishing
142.251.130.13
whois
US GOOGLE 142.251.130.13 clean
91.215.85.209
whois
RU Petersburg Internet Network ltd. 91.215.85.209 mailcious
95.214.26.28
whois
DE CMCS 95.214.26.28 clean
121.254.136.18
whois
KR LG DACOM Corporation 121.254.136.18 clean
190.187.52.42
whois
PE AMERICATEL PERU S.A. 190.187.52.42 clean
171.22.28.226
whois
DE CMCS 171.22.28.226 malware
87.240.132.78
whois
RU VKontakte Ltd 87.240.132.78 mailcious
171.22.28.221
whois
DE CMCS 171.22.28.221 malware
34.117.59.81
whois
US GOOGLE 34.117.59.81 clean
171.22.28.204
whois
DE CMCS 171.22.28.204 clean
172.67.200.10
whois
US CLOUDFLARENET 172.67.200.10 mailcious
176.57.208.22
whois
RU TimeWeb Ltd. 176.57.208.22 clean
104.21.35.235
whois
US CLOUDFLARENET 104.21.35.235 malware
77.88.55.60
whois
RU YANDEX LLC 77.88.55.60 clean
148.251.234.83
whois
DE Hetzner Online GmbH 148.251.234.83 clean
185.225.75.171
whois
DE Mayak Smart Services Ltd. 185.225.75.171 mailcious
74.119.239.234
whois
US PUBLIC-DOMAIN-REGISTRY 74.119.239.234 mailcious
37.139.129.88
whois
Unknown 37.139.129.88 mailcious
172.67.134.35
whois
US CLOUDFLARENET 172.67.134.35 malware
213.180.204.24
whois
RU YANDEX LLC 213.180.204.24 clean
77.91.124.86
whois
RU Foton Telecom CJSC 77.91.124.86 clean
185.172.128.69
whois
RU OOO Nadym Svyaz Service 185.172.128.69 malware
172.67.75.166
whois
US CLOUDFLARENET 172.67.75.166 clean
194.169.175.233
whois
Unknown 194.169.175.233 malware
94.142.138.131
whois
RU Ihor Hosting LLC 94.142.138.131 mailcious
149.154.167.99
whois
GB Telegram Messenger Inc 149.154.167.99 mailcious
192.229.232.89
whois
US EDGECAST 192.229.232.89 clean
121.254.136.9
whois
KR LG DACOM Corporation 121.254.136.9 clean
107.167.110.211
whois
US OPERASOFTWARE 107.167.110.211 clean
45.15.156.229
whois
RU CJSC Kolomna-Sviaz TV 45.15.156.229 mailcious
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
104.26.4.15
whois
US CLOUDFLARENET 104.26.4.15 clean
87.240.137.164
whois
RU VKontakte Ltd 87.240.137.164 mailcious
95.142.206.3
whois
RU VKontakte Ltd 95.142.206.3 mailcious
95.142.206.2
whois
RU VKontakte Ltd 95.142.206.2 mailcious
172.67.139.220
whois
US CLOUDFLARENET 172.67.139.220 clean
95.142.206.0
whois
RU VKontakte Ltd 95.142.206.0 mailcious
104.21.93.225
whois
US CLOUDFLARENET 104.21.93.225 phishing
146.59.70.14
whois
Unknown 146.59.70.14 malware
194.169.175.234
whois
Unknown 194.169.175.234 mailcious
94.142.138.113
whois
RU Ihor Hosting LLC 94.142.138.113 mailcious
23.52.33.172
whois
US Telenor Norge AS 23.52.33.172 clean
109.107.182.2
whois
RU Teleport-TV Ltd 109.107.182.2 malware
95.142.206.1
whois
RU VKontakte Ltd 95.142.206.1 mailcious
171.22.28.213
whois
DE CMCS 171.22.28.213 malware

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 7
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.pw domain - Likely Hostile
ET INFO DNS Query for Suspicious .icu Domain
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET MALWARE [ANY.RUN] Win32/Stealc Checkin (POST)
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET DNS Query to a *.top domain - Likely Hostile
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET INFO HTTP Request to a *.top domain
ET MALWARE Redline Stealer Activity (Response)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET MALWARE Amadey CnC Check-In
ET MALWARE Win32/Amadey Bot Activity (POST) M2
ET MALWARE Single char EXE direct download likely trojan (multiple families)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET INFO Packed Executable Download
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET HUNTING Request to .TOP Domain with Minimal Headers
ET INFO EXE - Served Attached HTTP
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
SURICATA HTTP unable to match response to request

Similarity measure (PE file only) - Checking for service failure