popup

Report - amers.exe

Amadey Emotet HermeticWiper Gen1 RedLine stealer RedlineStealer NPKI SmokeLoader Generic Malware UltraVNC PhysicalDrive Suspicious_Script_Bin EnigmaProtector NSIS Buhtrap Group Downloader Malicious Library Antivirus UPX Malicious Packer Admin Tool (Sy
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.05.31 08:18 Machine s1_win7_x6403
Filename amers.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
10
 Behavior Score
40.8
ZERO API file : malware
VT API (file) 41 detected (AIDetectMalware, malicious, high confidence, score, GenericKDZ, Themida, Attribute, HighConfidence, Generic@AI, RDML, XbIasFlFnAFTaDRvZjlizw, Real Protect, high, Generic ML PUA, Detected, Wacatac, R640651, ZexaF, 1DWaaGu9hAgi, TScope, Probably Heur, ExeHeaderL, Deyma, ai score=89, confidence, 100%)
md5 f55d40b74d38f0fcea654437183a7b1e
sha256 d107ed3dadd9d5544a569bd16e0c9eecee52f4f136e1def03c06de46267b4bec
ssdeep 24576:Nd/IWY2dGH6WZhJp44K5Yr7VeTpteCm5LpdldO9mnIBB3UEM98uEyoYudVFUNAZk:N9LY26bLJHrwptLm9avu8xTV+NiRy
imphash 2eabe9054cad5152567f0699947a2c5b
impfuzzy 3:sBv:A
  Network IP location

Signature (79cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
danger Disables Windows Security features
danger Executed a process and injected code into it
danger Stops Windows services
warning Generates some ICMP traffic
watch A process attempted to delay the analysis task.
watch Allocates execute permission to another process indicative of possible code injection
watch Appends a known multi-family ransomware file extension to files that have been encrypted
watch Attempts to create or modify system certificates
watch Attempts to identify installed AV products by installation directory
watch Attempts to identify installed AV products by registry key
watch Checks for the presence of known devices from debuggers and forensic tools
watch Checks for the presence of known windows from debuggers and forensic tools
watch Checks the CPU name from registry
watch Checks the version of Bios
watch Code injection by writing an executable or DLL to the memory of another process
watch Collects information about installed applications
watch Communicates with host for which no DNS query was performed
watch Connects to an IRC server
watch Created a service where a service was also not started
watch Creates a suspicious Powershell process
watch Detects Virtual Machines through their custom firmware
watch Detects VirtualBox using WNetGetProviderName trick
watch Detects VMWare through the in instruction feature
watch Drops 196 unknown file mime types indicative of ransomware writing encrypted files back to disk
watch Executes one or more WMI queries
watch Harvests credentials from local FTP client softwares
watch Installs itself for autorun at Windows startup
watch Loads a driver
watch Network activity contains more than one unique useragent
watch One or more non-whitelisted processes were created
watch One or more of the buffers contains an embedded PE file
watch Operates on local firewall's policies and settings
watch Potential code injection by writing to the memory of another process
watch Powershell script adds registry entries
watch Queries information on disks
watch Resumed a suspended thread in a remote process potentially indicative of process injection
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
watch Zeus P2P (Banking Trojan)
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the processes axplont.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for known Chinese AV sofware registry keys
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Checks whether any human activity is being performed by constantly checking whether the foreground window changed
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice Expresses interest in specific running processes
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Potentially malicious URLs were found in the process memory dump
notice Queries for potentially installed applications
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Repeatedly searches for a not-found process
notice Searches running processes potentially to identify processes for sandbox evasion
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info Tries to locate where the browsers are installed
info Uses Windows APIs to generate a cryptographic key

Rules (70cnts)

Level Name Description Collection
danger detect_Redline_Stealer_V2 (no description) binaries (download)
danger HermeticWiper_Zero HermeticWiper binaries (download)
danger NPKI_Zero File included NPKI binaries (download)
danger RedLine_Stealer_b_Zero RedLine stealer binaries (download)
danger Win32_Trojan_Emotet_1_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_1_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_RL_Gen_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Gen_1_0904B0_Zero Win32 Trojan Emotet binaries (download)
danger win_smokeloader_auto Detects win.smokeloader. binaries (download)
warning Buhtrap_Group_IN Buhtrap Group binaries (download)
warning EnigmaProtector_IN EnigmaProtector binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Microsoft_Office_File_Downloader_Zero Microsoft Office File Downloader binaries (download)
warning NSIS_Installer Null Soft Installer binaries (download)
warning PhysicalDrive_20181001 (no description) binaries (download)
warning Suspicious_Obfuscation_Script_2 Suspicious obfuscation script (e.g. executable files) binaries (download)
warning UltraVNC_Zero UltraVNC binaries (download)
watch Admin_Tool_IN_Zero Admin Tool Sysinternals binaries (download)
watch Antivirus Contains references to security software binaries (download)
watch ASPack_Zero ASPack packed file binaries (download)
watch ConfuserEx_Zero Confuser .NET binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch Network_Downloader File Downloader binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice Javascript_Blob use blob(Binary Large Objec) javascript binaries (download)
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info CAB_file_format CAB archive file binaries (download)
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info DllRegisterServer_Zero execute regsvr32.exe binaries (download)
info ftp_command ftp command binaries (download)
info HWP_file_format HWP Document File binaries (download)
info icon_file_format icon file format binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info IsPE64 (no description) binaries (download)
info JPEG_Format_Zero JPEG Format binaries (download)
info lnk_file_format Microsoft Windows Shortcut File Format binaries (download)
info Lnk_Format_Zero LNK Format binaries (download)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info mzp_file_format MZP(Delphi) file format binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info PowerShell PowerShell script scripts
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info zip_file_format ZIP file format binaries (download)

Network (128cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://85.192.56.26/api/flash.php
whois
RU LLC Digital Network 85.192.56.26 clean
http://147.45.47.70/lend/lumma1234.exe
whois
RU OOO FREEnet Group 147.45.47.70 clean
http://147.45.47.70/lend/CoMachina.exe
whois
RU OOO FREEnet Group 147.45.47.70 malware
http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=3b96717f137ac716bab250f817240788&mod=360Installer.exe&ph=BA320C501D0312BEC018E22653081CCD&p2p=1&t_id=360TS_Setup.exe&tads=14824882&tdl=103774176&tds=14571280&terr=0&tes=Status|1,ErrorCode|0,DnCount|23,Http
whois
SG AMAZON-02 54.255.136.181 clean
http://185.172.128.69/download.php?pub=inte
whois
RU OOO Nadym Svyaz Service 185.172.128.69 clean
http://sd.p.360safe.com/AC05282966EF28F0BC58DFBBE2E9591EF2A43BD6.trt
whois
US AMAZON-02 13.225.129.65 clean
http://185.172.128.159/dl.php
whois
RU OOO Nadym Svyaz Service 185.172.128.159 malware
http://85.192.56.26/api/bing_release.php
whois
RU LLC Digital Network 85.192.56.26 clean
http://147.45.47.70/lend/file300un.exe
whois
RU OOO FREEnet Group 147.45.47.70 clean
http://5.42.66.10/download/123p.exe
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.10 clean
http://5.42.66.10/download/th/retail.php
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.10 malware
http://185.172.128.19/FirstZ.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.19 malware
http://5.42.66.47/files/setup.exe
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.47 malware
http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIaE8ANQABAACIxljg%2Bs3AO%2B0eWhzT0CCPWqvYqoW%2FAXsYCkM61lI%2BjOdsVPZofosJfkCESIQRWuogw%2Bxnis1yNTX%2BrFjUu6Agqzr7kjY%2FLdgky7wDkGwc1XBOmQC4lKBxt2mIp6Ntq%2FaVMIjGmvkz3VZAnrlTdRwC6RQbG5%2BLDjWJ1p%2FmKx
whois
SG AMAZON-02 54.255.136.181 clean
http://147.45.47.70/lend/swizzzz.exe
whois
RU OOO FREEnet Group 147.45.47.70 clean
http://x1.i.lencr.org/
whois
US Telenor Norge AS 23.52.33.11 clean
http://fleur-de-lis.sbs/jhgfd
whois
US CLOUDFLARENET 172.67.213.39 clean
http://147.45.47.70/lend/fileosn.exe
whois
RU OOO FREEnet Group 147.45.47.70 clean
http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
whois
TM M247 Ltd 91.202.233.232 mailcious
http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.Marketator.CPI20230405&os=6.1&mid=3b96717f137ac716bab250f817240788&state=9&dt=7&size=103774176&ds=14824882.29
whois
SG AMAZON-02 54.255.136.181 clean
http://147.45.47.149:54674/shop/kino.exe
whois
RU OOO FREEnet Group 147.45.47.149 clean
http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
whois
Unknown 54.230.61.65 clean
http://185.172.128.19/ghsdh39s/index.php
whois
RU OOO Nadym Svyaz Service 185.172.128.19 38300 mailcious
http://185.172.128.19/Newoff.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.19 39892 mailcious
http://5.42.66.47/files/kpow.exe
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.47 malware
http://147.45.47.70/lend/gold.exe
whois
RU OOO FREEnet Group 147.45.47.70 clean
http://185.172.128.82/server/12/AppGate2103v01.exe
whois
RU OOO Nadym Svyaz Service 185.172.128.82 malware
http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.Marketator.CPI20230405&os=6.1&mid=3b96717f137ac716bab250f817240788&state=153
whois
SG AMAZON-02 54.255.136.181 clean
http://77.91.77.33/current.exe
whois
RU Foton Telecom CJSC 77.91.77.33 malware
http://judgecaption.hair/load/download.php?c=1002
whois
SE GleSYS AB 194.54.164.123 clean
http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1103.exe
whois
Unknown 18.244.61.49 clean
http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=3b96717f137ac716bab250f817240788&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=656&tdl=656&tds=656&terr=0&tes=Status|1,ErrorCode|0,DnCount|6,HttpNum|1,Dn
whois
SG AMAZON-02 54.255.136.181 clean
http://judgecaption.hair/load/download.php?c=1001
whois
SE GleSYS AB 194.54.164.123 clean
http://147.45.47.70/lend/33333.exe
whois
RU OOO FREEnet Group 147.45.47.70 clean
http://5.42.66.10/download/th/space.php
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.10 malware
http://147.45.47.70/tr8nomy/index.php
whois
RU OOO FREEnet Group 147.45.47.70 clean
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.210.247.48 clean
http://94.232.45.38/eee01/eee01.exe
whois
BY eTOP sp. z o.o. 94.232.45.38 malware
http://5.42.66.10/download/th/getimage12.php
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.10 malware
https://free.360totalsecurity.com/totalsecurity/360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
whois
US AMAZON-02 54.192.175.109 clean
https://fleur-de-lis.sbs/jhgfd
whois
US CLOUDFLARENET 172.67.213.39 clean
https://db-ip.com/demo/home.php?s=
whois
US CLOUDFLARENET 104.26.5.15 clean
https://dj1a9dwix5pje.cloudfront.net/load/ddl.php?c=1001
whois
Unknown 18.64.13.203 clean
https://bitbucket.org/qwizzi/tt522222/downloads/GroceryExtensive.exe
whois
US ATLASSIAN PTY LTD 104.192.141.1 39693 malware
https://pastebin.com/raw/E0rY26ni
whois
US CLOUDFLARENET 172.67.19.24 37702 mailcious
https://fleur-de-lis.sbs/post/File_294/setup294.exe
whois
US CLOUDFLARENET 172.67.213.39 clean
https://orion.ts.360.com/installapp?c=&ch=WW.Marketator.CPI20230405&sch=0&ver=11.0.0.1103&lan=en&os=6.1-x64&mid=3b96717f137ac716bab250f817240788&time=1717128845&checksum=7B01354214C41247269FE750
whois
GB Opera Software AS 82.145.215.156 clean
https://lop.foxesjoy.com/ssl/crt.exe
whois
US CLOUDFLARENET 104.21.66.124 malware
https://yip.su/RNWPd.exe
whois
US CLOUDFLARENET 172.67.169.89 37623 malware
https://monoblocked.com/525403/setup.exe
whois
RU Beget LLC 45.130.41.108 malware
https://dj1a9dwix5pje.cloudfront.net/load/loader-1001.exe
whois
Unknown 18.64.13.203 clean
free.360totalsecurity.com
whois
US AMAZON-02 54.192.175.109 clean
db-ip.com
whois
US CLOUDFLARENET 104.26.4.15 clean
sd.p.360safe.com
whois
US AMAZON-02 13.225.129.154 clean
lop.foxesjoy.com
whois
US CLOUDFLARENET 104.21.66.124 malware
fleur-de-lis.sbs
whois
US CLOUDFLARENET 172.67.213.39 clean
ipinfo.io
whois
US GOOGLE 34.117.186.192 clean
gigapub.ma
whois
FR OVH SAS 51.75.247.100 clean
yip.su
whois
US CLOUDFLARENET 172.67.169.89 mailcious
st.p.360safe.com
whois
IE AMAZON-02 54.77.42.29 clean
iup.360safe.com
whois
Unknown 54.230.61.95 clean
s.360safe.com
whois
SG AMAZON-02 54.255.136.181 clean
xmr-eu1.nanopool.org
whois
FR OVH SAS 54.37.137.114 mailcious
monoblocked.com
whois
RU Beget LLC 45.130.41.108 malware
download.winzip.com
whois
US CCCH-3 23.43.165.155 clean
dj1a9dwix5pje.cloudfront.net
whois
Unknown 18.64.13.95 clean
int.down.360safe.com
whois
Unknown 18.244.61.79 clean
x1.i.lencr.org
whois
US AKAMAI-AS 23.35.220.247 clean
f000.backblazeb2.com
whois
US UNWIRED 104.153.233.177 mailcious
bitbucket.org
whois
US ATLASSIAN PTY LTD 104.192.141.1 malware
zeph-eu2.nanopool.org
whois
FR OVH SAS 51.68.137.186 mailcious
orion.ts.360.com
whois
GB Opera Software AS 82.145.215.152 clean
f.123654987.xyz
whois
LT Sampling Line-servicos E Internet, Lda 37.221.125.202 clean
api64.ipify.org
whois
US WEBNX 104.237.62.213 clean
api.myip.com
whois
US CLOUDFLARENET 172.67.75.163 clean
tr.p.360safe.com
whois
IE AMAZON-02 54.76.174.118 clean
judgecaption.hair
whois
SE GleSYS AB 194.54.164.123 clean
pastebin.com
whois
US CLOUDFLARENET 104.20.3.235 mailcious
vk.com
whois
RU VKontakte Ltd 87.240.132.67 mailcious
54.230.61.65
whois
Unknown 54.230.61.65 clean
94.232.45.38
whois
BY eTOP sp. z o.o. 94.232.45.38 malware
54.77.42.29
whois
IE AMAZON-02 54.77.42.29 clean
104.20.3.235
whois
US CLOUDFLARENET 104.20.3.235 malware
54.230.61.95
whois
Unknown 54.230.61.95 clean
64.185.227.155
whois
US WEBNX 64.185.227.155 clean
104.26.5.15
whois
US CLOUDFLARENET 104.26.5.15 clean
18.244.61.37
whois
Unknown 18.244.61.37 clean
172.67.169.89
whois
US CLOUDFLARENET 172.67.169.89 clean
185.215.113.67
whois
Unknown 185.215.113.67 mailcious
77.91.77.33
whois
RU Foton Telecom CJSC 77.91.77.33 malware
34.117.186.192
whois
US GOOGLE 34.117.186.192 clean
185.172.128.19
whois
RU OOO Nadym Svyaz Service 185.172.128.19 mailcious
147.45.47.149
whois
RU OOO FREEnet Group 147.45.47.149 clean
18.244.61.79
whois
Unknown 18.244.61.79 clean
51.195.138.197
whois
FR OVH SAS 51.195.138.197 clean
5.42.66.47
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.47 mailcious
18.64.13.203
whois
Unknown 18.64.13.203 clean
54.230.61.39
whois
Unknown 54.230.61.39 clean
54.230.61.34
whois
Unknown 54.230.61.34 clean
91.202.233.232
whois
TM M247 Ltd 91.202.233.232 mailcious
45.130.41.108
whois
RU Beget LLC 45.130.41.108 malware
172.67.19.24
whois
US CLOUDFLARENET 172.67.19.24 mailcious
104.153.233.177
whois
US UNWIRED 104.153.233.177 mailcious
51.75.247.100
whois
FR OVH SAS 51.75.247.100 clean
54.255.136.181
whois
SG AMAZON-02 54.255.136.181 clean
18.244.61.7
whois
Unknown 18.244.61.7 clean
23.52.33.11
whois
US Telenor Norge AS 23.52.33.11 clean
194.54.164.123
whois
SE GleSYS AB 194.54.164.123 malware
13.225.129.190
whois
US AMAZON-02 13.225.129.190 clean
104.21.66.124
whois
US CLOUDFLARENET 104.21.66.124 malware
37.221.125.202
whois
LT Sampling Line-servicos E Internet, Lda 37.221.125.202 clean
185.172.128.69
whois
RU OOO Nadym Svyaz Service 185.172.128.69 malware
5.42.66.10
whois
RU CJSC Kolomna-Sviaz TV 5.42.66.10 malware
104.192.141.1
whois
US ATLASSIAN PTY LTD 104.192.141.1 mailcious
172.67.213.39
whois
US CLOUDFLARENET 172.67.213.39 clean
121.254.136.9
whois
KR LG DACOM Corporation 121.254.136.9 clean
104.26.9.59
whois
US CLOUDFLARENET 104.26.9.59 clean
54.76.174.118
whois
IE AMAZON-02 54.76.174.118 clean
54.192.175.109
whois
US AMAZON-02 54.192.175.109 clean
18.244.61.49
whois
Unknown 18.244.61.49 clean
82.145.215.156
whois
GB Opera Software AS 82.145.215.156 clean
87.240.132.78
whois
RU VKontakte Ltd 87.240.132.78 mailcious
185.172.128.82
whois
RU OOO Nadym Svyaz Service 185.172.128.82 malware
185.172.128.159
whois
RU OOO Nadym Svyaz Service 185.172.128.159 malware
23.43.165.153
whois
US CCCH-3 23.43.165.153 clean
85.192.56.26
whois
RU LLC Digital Network 85.192.56.26 clean
147.45.47.70
whois
RU OOO FREEnet Group 147.45.47.70 malware
51.15.65.182
whois
NL Online S.a.s. 51.15.65.182 mailcious

Suricata ids

ET DROP Spamhaus DROP Listed Traffic Inbound group 23
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET DROP Spamhaus DROP Listed Traffic Inbound group 33
ET INFO Microsoft net.tcp Connection Initialization Activity
ET INFO Packed Executable Download
ET MALWARE Redline Stealer TCP CnC Activity
ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
ET MALWARE Redline Stealer TCP CnC - Id1Response
ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
ET INFO TLS Handshake Failure
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
ET MALWARE Amadey Bot Activity (POST)
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)
SURICATA Applayer Mismatch protocol both directions
ET MALWARE Private Loader Related Activity (GET)
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET INFO EXE - Served Attached HTTP
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
ET MALWARE Suspected PrivateLoader Activity (POST)
ET DROP Spamhaus DROP Listed Traffic Inbound group 14

PE API

IAT(Import Address Table) Library

kernel32.dll
 0x468034 lstrcpy

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure