ScreenShot
| Created | 2025.03.28 09:52 | Machine | s1_win7_x6401 |
| Filename | windscribe.msi | ||
| Type | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Nexora Technologies Ltd 0.0.0.0, Subject: Nexora Technologies Ltd, Author: Software Development & IT Solutions, Keywords: Installer, Templ | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | |||
| VT API (file) | 1 detected (xbxkhp) | ||
| md5 | 3ec402cf37b62c46d70e993af8390d04 | ||
| sha256 | 3d8cc95269698d32111529afc8943ea96f46f309d35b8563575c599397a3cabf | ||
| ssdeep | 12288:ytVRQ+gjpjegDro8GHdjUO0gOrEhI5+LNAU4C7KcnwGx:yt9cpVDhAjpy+I5k88nwK | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (8cnts)
| Level | Description |
|---|---|
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | File has been identified by one AntiVirus engine on VirusTotal as malicious |
| notice | Performs some HTTP requests |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | Queries for the computername |
Rules (5cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| info | CAB_file_format | CAB archive file | binaries (upload) |
| info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
Suricata ids
ET HUNTING TryCloudFlare Domain in TLS SNI
ET INFO Observed trycloudflare .com Domain in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
ET INFO Observed trycloudflare .com Domain in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)