Field | Value | Field | Value |
---|---|---|---|
Created | 2025.04.02 10:07 | Machine | s1_win7_x6401 |
Filename | newnew.url | | |
Type | MS Windows 95 Internet shortcut text (URL= | | |
AI Score | Not found | Behavior Score | |
ZERO API | file : malicious | | |
VT API (file) | 8 detected (WinINF, UrlDownloader, ezohxo) | | |
md5 | 53af7ebed1ba61fb8f303affcba618c7 | | |
sha256 | 354629a8ae9015c45cadcec9372bc3722ad661c349964deaf9248bbe34087bd2 | | |
ssdeep | 3:HRAbABGQYmhKR6dXFfyV61G69ALJMBHKs7V25YdimVVG/VClAWHyn:HRYFVmhKIdhyAyJMQs7A54vVG/4xHy | | |
imphash | | | |
impfuzzy | | | |
Signature (19cnts)
Level | Description |
---|---|
watch | One or more non-whitelisted processes were created |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | An executable file was downloaded by the process iexplore.exe |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | File has been identified by 8 AntiVirus engines on VirusTotal as malicious |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid |
info | Command line console output was observed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (13cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
info | anti_dbg | Checks if being debugged | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | Microsoft_Office_File_Zero | Microsoft Office File | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | url_file_format | Microsoft Windows Internet Shortcut File Format | binaries (upload) |
Network (6cnts)
Suricata ids
ET HUNTING TryCloudFlare Domain in TLS SNI
ET INFO Observed trycloudflare .com Domain in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
ET HUNTING Successful PROPFIND Response for Application Media Type
ET INFO LNK File Downloaded via HTTP