Report - ZeroBOX

ScreenShot

Info
Location map


Created	2023.11.08 09:51	Machine	s1_win7_x6402
Filename	File.rar
Type	RAR archive data, v5
AI Score	Not founds	Behavior Score	6.6
ZERO API	file : malware
VT API (file)
md5	c49151503a28c917e2857760532d8ef0
sha256	fd92e6daaea8dc6455c139bdb823e7a2fb303bbf8c3fb3bc0d2b8a4744dee9a7
ssdeep	786432:AMzmr2E/DujK2RhOD2lbbPZwqusGDfoOPK0A2TYJgcSsR7:dSaLIMblNgop0A2TYZn7
imphash
impfuzzy

Network IP location

Signature (14cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
watch	Communicates with host for which no DNS query was performed
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol
notice	Creates executable files on the filesystem
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	Resolves a suspicious Top Level Domain (TLD)
notice	Sends data using the HTTP POST Method
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger

Rules (11cnts)

Level	Name	Description	Collection
notice	Escalate_priviledges	Escalate priviledges	memory
notice	Generic_PWS_Memory_Zero	PWS Memory	memory
notice	KeyLogger	Run a KeyLogger	memory
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Network (137cnts) ?

Request	ASN Co	IP4	Rule ?	ZERO ?
http://195.201.251.173/ whois	Hetzner Online GmbH	195.201.251.173		clean
http://195.201.251.173/vcruntime140.dll whois	Hetzner Online GmbH	195.201.251.173		clean
http://195.201.251.173/msvcp140.dll whois	Hetzner Online GmbH	195.201.251.173		clean
http://195.201.251.173/mozglue.dll whois	Hetzner Online GmbH	195.201.251.173		clean
http://194.169.175.118/xinchao.exe whois		194.169.175.118	38117	malware
http://gons11fc.top/build.exe whois	Limited Liability Company Relcom-spb	212.113.122.87		malware
http://194.49.94.97/download/Services.exe whois		194.49.94.97	38118	malware
http://45.15.156.229/api/tracemap.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	33783	mailcious
http://195.201.251.173/freebl3.dll whois	Hetzner Online GmbH	195.201.251.173		clean
http://45.15.156.229/api/firegate.php whois	CJSC Kolomna-Sviaz TV	45.15.156.229	36052	mailcious
http://jaimemcgee.top/40d570f44e84a454.php whois	IQHost Ltd	193.106.175.190	38121	mailcious
http://94.142.138.131/api/firegate.php whois	Ihor Hosting LLC	94.142.138.131	32650	mailcious
http://91.92.243.151/api/tracemap.php whois		91.92.243.151	37889	mailcious
http://195.201.251.173/sqlite3.dll whois	Hetzner Online GmbH	195.201.251.173		clean
http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=MO990stgnECCXm487Ttm1ga6.exe&platform=0009&osver=5&isServer=0 whois	America Movil Peru S.A.C.	23.209.110.57		clean
http://94.142.138.131/api/firecom.php whois	Ihor Hosting LLC	94.142.138.131	36179	mailcious
http://195.201.251.173/nss3.dll whois	Hetzner Online GmbH	195.201.251.173		clean
http://94.142.138.131/api/tracemap.php whois	Ihor Hosting LLC	94.142.138.131	28311	mailcious
http://194.49.94.48/timeSync.exe whois		194.49.94.48	38122	malware
http://195.201.251.173/softokn3.dll whois	Hetzner Online GmbH	195.201.251.173		clean
http://185.172.128.69/latestumma.exe whois	OOO Nadym Svyaz Service	185.172.128.69	38123	malware
http://stim.graspalace.com/order/tuc19.exe whois	CLOUDFLARENET	104.21.20.155	38124	malware
http://176.113.115.84:8080/4.php whois	OOO Network of data-centers Selectel	176.113.115.84	34795	mailcious
http://apps.identrust.com/roots/dstrootcax3.p7c whois	CCCH-3	23.43.165.66		clean
http://www.maxmind.com/geoip/v2.1/city/me whois	CLOUDFLARENET	104.18.146.235		clean
https://db-ip.com/demo/home.php?s=175.208.134.152 whois	CLOUDFLARENET	172.67.75.166		clean
https://vk.com/doc26060933_667223635?hash=qzxpj41H7aJKGYAkotcS9kwFdHSU9KQawZjeS9cVst4&dl=iEliVZrkZcesylYAmZs8zvhVjQpPOUAfyAIZcvJVbPH&api=1&no_preview=1#ww11 whois	VKontakte Ltd	93.186.225.194		mailcious
https://vk.com/doc26060933_667443076?hash=bDMwfuwwa4Bhfk5iGf4pMZfzUuBZI01JVp5BaGnL6ks&dl=iT71Bl3sZ2372hed0nHcWcvZK3ySxQ2nVKfHeXmS1cs&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		clean
https://sun6-21.userapi.com/c235031/u26060933/docs/d60/f6b4409db97c/BotClients.bmp?extra=XyDUtDw2kxfm9jE5QPM6GZyXP63jc58qFBlzPoTu75dHPn2dPLNikHfM4-g1wqdz4Qhn-mieiLcm4O7701M8WzPInDI5tOdQiWkYAR7YTs7NQMs0If_al1cKjhF-2gxL8v3LtRBMskS4po52 whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#stats whois	VKontakte Ltd	93.186.225.194		mailcious
https://vk.com/doc26060933_667461496?hash=egdyyVbzZ1RrLg0G1GnF2OIAfOHjZ6QvOr9xjiWPRzk&dl=R2dHcfkklHZC6QWDijipWsfDaBcPGk1TJodmHYqQ8fk&api=1&no_preview=1#setup whois	VKontakte Ltd	93.186.225.194		clean
https://sun6-20.userapi.com/c237031/u26060933/docs/d15/93b5ea113936/32ssh7832haf.bmp?extra=J-reDmr00Qi8f6YZm72J-tJgjmoCfEc-kLljTjGdbr7yd3ZtlIOg3fyUoePkg0_0EreB5QB3smN1utxlWgRUlTPXJxmUl4Ef6z0DqxE6gf1mYYxCqOFW2_VFxHJGWv5aSGPvcnYvnjg0VlPT whois	VKontakte Ltd	95.142.206.0		clean
https://api.ip.sb/ip whois	CLOUDFLARENET	104.26.12.31		clean
https://fdjbgkhjrpfvsdf.online/setup294.exe whois	CLOUDFLARENET	104.21.87.5	37897	malware
https://iplogger.com/2lhi52 whois	CLOUDFLARENET	104.21.12.138	38127	mailcious
https://db-ip.com/ whois	CLOUDFLARENET	104.26.5.15		clean
https://sso.passport.yandex.ru/push?uuid=43ef0eff-f7be-4313-b10e-1ec1849baf48&retpath=https%3A%2F%2Fdzen.ru%2F%3Fyredirect%3Dtrue whois	YANDEX LLC	213.180.204.24		clean
https://iplis.ru/1Gemv7.mp3 whois	CLOUDFLARENET	104.21.63.150		clean
https://vk.com/doc26060933_667452800?hash=pIiQI9ESvqLAvoJupWTJlr3ieUjnzDC7zAeymHyxjK4&dl=fBx5ZRcRnIbGHZBA56w0xzNAmq8tMCJq2fh7enTkokw&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		clean
https://vk.com/doc26060933_667234651?hash=Rv3y1hZYldejZNTzjJxgzdYVgzKs0azR7LT5gowzNJT&dl=fEH5j2bjnO3mwDbqODuUYTgMkVbKBYVrBOOWxCsJzJ0&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		mailcious
https://dzen.ru/?yredirect=true whois	Invest Mobile LLC	62.217.160.2		clean
https://sun6-21.userapi.com/c236331/u26060933/docs/d11/cc5a543357b1/Risepro.bmp?extra=98_LY8vGNbS9n8jSiu71V9JFct5W3jtQnqs7zTkGzJ2VoWwR0gmMISoiXczTZwrYuIzMg5qkHCPbFf4Q3cEmf3sR1dLKKxadp-QPLDW3m9o_qkYCehW0skIUIziOjMKu5cM-we-_6iJsrRtg whois	VKontakte Ltd	95.142.206.1		clean
https://sun6-23.userapi.com/c237331/u26060933/docs/d29/2565ea094508/RisePro.bmp?extra=jFaOgj7cGIe-uGIOZ7lfR_Sd3YndWWjgA5lFsVisLy5737qzplpz6ZEiBIYYlZaSxi2kIEWvlPOFxmNcvl8yyYK-pQaIVIk-R8q67opgjFsmjXqTOdlFcXmdcMkmcY7GUIepDJWwPvH_ID0D whois	VKontakte Ltd	95.142.206.3		clean
https://vk.com/doc746114504_647280747?hash=cvDFKP5q0CQEjBCbeoeHvPNrWE0xbMxZEmrkIeNKcET&dl=G42DMMJRGQ2TANA:1661413520:uZNj68vRUvQaydRD8wpAK8zluN0I7otw5AHbA1ZlN9T&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		mailcious
https://sun6-22.userapi.com/c909328/u26060933/docs/d14/3afe51af0e45/setup.bmp?extra=o6tSkvo3WJHNkWYV4m7MHb8rsWSS52VYICmzrxdaqtDHYoAtuXrvi3UTsiLcKTPhxiQfxNVblrwU_g8L_xHhVX--gZd0YSMm7dNG0AvZ1mBIeczOoQRPJoWtUq0MsJg1piA3KFKvYuuYDMSd whois	VKontakte Ltd	95.142.206.2		clean
https://api.2ip.ua/geo.json whois	CLOUDFLARENET	172.67.139.220		clean
https://sun6-21.userapi.com/c235031/u26060933/docs/d17/87bf67900bd3/WWW11_32.bmp?extra=XOZlXgdd3bUWej72lwSyK7qAk7zr_0peJo1GKofvOna2ONZ-yM3AA7oSx1TPy4cCQCQ6wRJvbdwU0IDcAro_6SJj7dZA4ahsjH82rHaDVLTvh9HnCoPfpgPA-3FqdegwuIXON0YffOUWk9tl whois	VKontakte Ltd	95.142.206.1		clean
https://vk.com/doc26060933_667452525?hash=Gh9FdvMkZAv4GqS13jZPZHB5Pcx92djGdjwawRPGUH8&dl=T8IbErzc4mt11RokDKvo5O7LhWRnbzRIZQAIKyuFbVg&api=1&no_preview=1#1 whois	VKontakte Ltd	93.186.225.194		clean
https://vk.com/doc26060933_667442538?hash=mmgXWXsNqbKLvdAt9zehqkuJnMdb3X5PCDebEMwwvAw&dl=GGDaPNTZqZV3JZoFm1DNOMglxPYcMg1N3m7iaSGEzDs&api=1&no_preview=1#maf whois	VKontakte Ltd	93.186.225.194		clean
https://vk.com/doc26060933_667379359?hash=RBD5wFZgphBd3Ltpr4zpvlKC5PFFn4lKiLxULYoChgD&dl=BKPDJrFBQ4b0FMpKZWHc5lZ9DL91O9orwTtaREbcz98&api=1&no_preview=1#rise10 whois	VKontakte Ltd	93.186.225.194		mailcious
https://sun6-22.userapi.com/c235131/u26060933/docs/d1/ba97dca153ca/PL_Clientp.bmp?extra=i9THH3O8H4N_In69cCrUwR_eiU_x753MLTgoyyEPloC8fZBdB6WCrl2-6U0HOjiXL0gVmHe5NRuWccWK8pQGs1aevQpjvkIDvlBwrUwWdZPzdfj2J3XI-ZRUk4lHhrhqOT43mVOCVXLCRwRa whois	VKontakte Ltd	95.142.206.2		clean
https://sun6-23.userapi.com/c235131/u26060933/docs/d50/60b44504e085/file071123.bmp?extra=trC4U7plV8McjHNCq8dYdsz5Rg0fFfP-eFZscrLGXmck8alwfzoEtDSa_Dz1ix3m6Ygy37-jq-4lRumXt32zfR7uYa5jP5DsRgLG05cUZLLjgisywUwEdd4T4YFkaRkPTPqy4CgG3gqYi3db whois	VKontakte Ltd	95.142.206.3		clean
https://vk.com/doc26060933_667439449?hash=vzkbG8bKfHAO2x625lZNXBKXCuAvPBZzPx9sufiaWx0&dl=3zz9ZDFfOKnbcxNR19mrKyOTob271CPE08u0D3OPGzw&api=1&no_preview=1#risepro whois	VKontakte Ltd	93.186.225.194		clean
https://sun6-20.userapi.com/c909618/u26060933/docs/d28/cb4943e7d785/crypted.bmp?extra=-NWW48wNXl3YvNe-AnEflBbZHTLY4_N5lcHl5XP0D7TPUq6fpITpdKXfjR51pSITnAqWwBNo10QoTngMnWeyVzqu5nmAOqHsrjXwRKxHJOEo36gaOnosP9E15RLICh_lxm7oqnp74_g6XDzi whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc26060933_667364987?hash=BHX3WK0Px3UZYC6KUcanvJ8pCPk0aSa1CJ1a0crl1aL&dl=Y5COLZGRCC7rDCjMPJPVPA4Y0k1NZaZCa4v1PlcGmn8&api=1&no_preview=1 whois	VKontakte Ltd	93.186.225.194		mailcious
https://vk.com/doc791620691_663065029?hash=Efubo9FQtw3Bdj42XJVcJwymfIH3PazMKz8g5wJ0dZX&dl=G44TCNRSGA3DSMI:1682787066:QgrgzF33wDt9bwmmOgWCYTv61J7HwhLVZOXGaEdWiKP&api=1&no_preview=1#test whois	VKontakte Ltd	93.186.225.194		mailcious
https://sun6-20.userapi.com/c909418/u26060933/docs/d53/2538a0bc40f7/1MG.bmp?extra=S9vmGUX-pZ2meKHDX1Rz8vKYbPeXST17jDUsID2ZPP61PtEiwHzq3i-4xYLRq4qD_Cy53LPosP8ep3g9pTZYtfLqcEUgPO3ZG8R-WrerRlw_AJOHy9LADl1Uin3Rwz6N3mCX2NdcR8p1Q9nM whois	VKontakte Ltd	95.142.206.0		clean
https://vk.com/doc26060933_667462812?hash=BNWNUlhfnsvUW8vuJOkR6wETTQRQYSEXqD7FAHmgIoH&dl=Zt1uh0kla8CEullAPIbT2Uyh8Gn9CHZtt3EEdBcLJYD&api=1&no_preview=1#test22 whois	VKontakte Ltd	93.186.225.194		clean
https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self whois	CLOUDFLARENET	104.26.4.15		clean
https://sun6-20.userapi.com/c235131/u26060933/docs/d3/e0bc894d3f39/tmvwr.bmp?extra=PaStbbEwQZf_4ZOMtpbva-yY57KOQbmYSM0Zr6WbebuMjhlFCSsuwkBN0TlyCkjb2FqRcQEtgQpKtxniYw2yVB8_pp0JDAU_T_63OIZ4vYm70NbsbooB-1_iGzJNLdD9jJmvd9iOR4gY0Q2i whois	VKontakte Ltd	95.142.206.0		clean
https://steamcommunity.com/profiles/76561199568528949 whois	Akamai International B.V.	104.76.78.101		clean
stim.graspalace.com whois	CLOUDFLARENET	104.21.20.155		malware
db-ip.com whois	CLOUDFLARENET	104.26.4.15		clean
sun6-23.userapi.com whois	VKontakte Ltd	95.142.206.3		mailcious
vanaheim.cn whois		158.160.73.47		mailcious
t.me whois	Telegram Messenger Inc	149.154.167.99		mailcious
ipinfo.io whois	GOOGLE	34.117.59.81		clean
yandex.ru whois	YANDEX LLC	5.255.255.70		clean
jaimemcgee.top whois	IQHost Ltd	193.106.175.190		mailcious
dzen.ru whois	Invest Mobile LLC	62.217.160.2		clean
medfioytrkdkcodlskeej.net whois	Petersburg Internet Network ltd.	91.215.85.209		malware
learn.microsoft.com whois	Akamai International B.V.	104.75.1.96		clean
gons11fc.top whois	Limited Liability Company Relcom-spb	212.113.122.87		malware
api.2ip.ua whois	CLOUDFLARENET	172.67.139.220		clean
steamcommunity.com whois	Akamai International B.V.	104.75.41.21		mailcious
iplogger.org whois	Hetzner Online GmbH	148.251.234.83		mailcious
twitter.com whois	TWITTER	104.244.42.1		clean
telegram.org whois	Telegram Messenger Inc	149.154.167.99		clean
sun6-20.userapi.com whois	VKontakte Ltd	95.142.206.0		mailcious
api.db-ip.com whois	CLOUDFLARENET	104.26.5.15		clean
ironhost.io whois	CLOUDFLARENET	104.21.57.237		clean
sso.passport.yandex.ru whois	YANDEX LLC	213.180.204.24		clean
api.ip.sb whois	CLOUDFLARENET	104.26.13.31		clean
iplogger.com whois	CLOUDFLARENET	172.67.194.188		mailcious
fdjbgkhjrpfvsdf.online whois	CLOUDFLARENET	104.21.87.5		malware
iplis.ru whois	CLOUDFLARENET	104.21.63.150		mailcious
sun6-21.userapi.com whois	VKontakte Ltd	95.142.206.1		mailcious
sun6-22.userapi.com whois	VKontakte Ltd	95.142.206.2		mailcious
www.maxmind.com whois	CLOUDFLARENET	104.18.145.235		clean
vk.com whois	VKontakte Ltd	87.240.129.133		mailcious
api.myip.com whois	CLOUDFLARENET	104.26.8.59		clean
194.169.175.128 whois		194.169.175.128		mailcious
104.18.145.235 whois	CLOUDFLARENET	104.18.145.235		clean
93.186.225.194 whois	VKontakte Ltd	93.186.225.194		mailcious
91.215.85.209 whois	Petersburg Internet Network ltd.	91.215.85.209		mailcious
62.217.160.2 whois	Invest Mobile LLC	62.217.160.2		clean
104.244.42.1 whois	TWITTER	104.244.42.1		suspicious
104.26.5.15 whois	CLOUDFLARENET	104.26.5.15		clean
149.154.167.99 whois	Telegram Messenger Inc	149.154.167.99		mailcious
213.180.204.24 whois	YANDEX LLC	213.180.204.24		clean
172.67.75.166 whois	CLOUDFLARENET	172.67.75.166		clean
104.21.12.138 whois	CLOUDFLARENET	104.21.12.138		clean
104.26.12.31 whois	CLOUDFLARENET	104.26.12.31		clean
23.210.37.172 whois	AKAMAI-AS	23.210.37.172		clean
185.216.70.232 whois		185.216.70.232		clean
185.173.38.57 whois	Altagen JSC	185.173.38.57		clean
194.49.94.41 whois		194.49.94.41		mailcious
212.113.122.87 whois	Limited Liability Company Relcom-spb	212.113.122.87		malware
194.49.94.48 whois		194.49.94.48		malware
34.117.59.81 whois	GOOGLE	34.117.59.81		clean
158.160.73.47 whois		158.160.73.47		clean
176.113.115.84 whois	OOO Network of data-centers Selectel	176.113.115.84		mailcious
77.88.55.60 whois	YANDEX LLC	77.88.55.60		clean
148.251.234.83 whois	Hetzner Online GmbH	148.251.234.83		clean
104.26.8.59 whois	CLOUDFLARENET	104.26.8.59		clean
194.33.191.60 whois	Aqua Jump Srl	194.33.191.60		mailcious
194.169.175.118 whois		194.169.175.118		mailcious
91.92.243.151 whois		91.92.243.151		mailcious
91.103.252.189 whois	Hostglobal.plus Inc	91.103.252.189		malware
185.172.128.69 whois	OOO Nadym Svyaz Service	185.172.128.69		malware
104.21.57.237 whois	CLOUDFLARENET	104.21.57.237		mailcious
94.142.138.131 whois	Ihor Hosting LLC	94.142.138.131		mailcious
195.201.251.173 whois	Hetzner Online GmbH	195.201.251.173		clean
121.254.136.9 whois	LG DACOM Corporation	121.254.136.9		clean
194.49.94.97 whois		194.49.94.97		malware
45.15.156.229 whois	CJSC Kolomna-Sviaz TV	45.15.156.229		mailcious
104.26.4.15 whois	CLOUDFLARENET	104.26.4.15		clean
104.21.87.5 whois	CLOUDFLARENET	104.21.87.5		malware
104.21.63.150 whois	CLOUDFLARENET	104.21.63.150		clean
95.142.206.2 whois	VKontakte Ltd	95.142.206.2		mailcious
172.67.139.220 whois	CLOUDFLARENET	172.67.139.220		clean
95.142.206.0 whois	VKontakte Ltd	95.142.206.0		mailcious
95.142.206.3 whois	VKontakte Ltd	95.142.206.3		mailcious
104.21.20.155 whois	CLOUDFLARENET	104.21.20.155		malware
193.106.175.190 whois	IQHost Ltd	193.106.175.190		malware
95.142.206.1 whois	VKontakte Ltd	95.142.206.1		mailcious
104.76.78.101 whois	Akamai International B.V.	104.76.78.101		mailcious

Suricata ids

ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)
SURICATA Applayer Mismatch protocol both directions
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET DNS Query to a *.top domain - Likely Hostile
ET DROP Spamhaus DROP Listed Traffic Inbound group 19
ET INFO Executable Download from dotted-quad Host
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET HUNTING Suspicious services.exe in URI
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 7
ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET INFO HTTP Request to a *.top domain
ET INFO EXE - Served Attached HTTP
ET INFO Packed Executable Download
ET HUNTING Possible EXE Download From Suspicious TLD
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
ET INFO TLS Handshake Failure
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)
ET INFO Microsoft net.tcp Connection Initialization Activity
ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Outbound)
ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)
ET POLICY IP Check Domain (iplogger .org in DNS Lookup)
ET POLICY IP Check Domain (iplogger .org in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET INFO Observed Telegram Domain (t .me in TLS SNI)
ET POLICY External IP Address Lookup DNS Query (2ip .ua)
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
ET MALWARE Redline Stealer Activity (Response)
ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
ET INFO Dotted Quad Host DLL Request
ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
ET MALWARE Redline Stealer TCP CnC Activity - MSValue (Response)
ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity
ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity

Report - File.rar

Signature (14cnts)

Rules (11cnts)

Network (137cnts) ?

Suricata ids

Similarity measure (PE file only) - Checking for service failure