Analysis

Category Package Started Completed Duration
PCAP 2020-10-02 08:26:32 2020-10-02 08:26:32 0 seconds

Signatures

Created network traffic indicative of malicious activity
signature: ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2

Hosts

No hosts contacted.

DNS

No domains contacted.

Sorry! No behavior.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

Time: 2020-05-20 09:05:56.559  Src: 45.87.80.66:80  Dst: 192.168.100.179:49897  Proto: TCP
  Signature: ET POLICY PE EXE or DLL Windows file download HTTP  (GID 1, SID 2018959, rev 4)
  Category: Potential Corporate Privacy Violation  Severity: 1

Time: 2020-05-20 09:05:56.559  Src: 45.87.80.66:80  Dst: 192.168.100.179:49897  Proto: TCP
  Signature: ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2  (GID 1, SID 2022053, rev 2)
  Category: A Network Trojan was detected  Severity: 1

Time: 2020-05-20 09:05:57.093  Src: 45.87.80.66:80  Dst: 192.168.100.179:49897  Proto: TCP
  Signature: ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)  (GID 1, SID 2015744, rev 5)
  Category: Misc activity  Severity: 3

Suricata TLS

No Suricata TLS

Suricata HTTP

Time: 2020-05-20 09:05:10.085  Src: 192.168.100.179:49201  Dst: 45.87.80.66:80
  Status: 200  Host: the-moondelight.96.lt  URI: /latest/version/secure/download/
  Content-Type: None  Referrer: None  Length: 0
  User-Agent: Microsoft Office Protocol Discovery

Time: 2020-05-20 09:05:10.451  Src: 192.168.100.179:49204  Dst: 45.87.80.66:80
  Status: 200  Host: the-moondelight.96.lt  URI: /latest/version/secure/download/IN4447832
  Content-Type: None  Referrer: None  Length: 0
  User-Agent: Microsoft Office Existence Discovery

Time: 2020-05-20 09:05:49.938  Src: 192.168.100.179:49795  Dst: 45.87.80.66:80
  Status: 200  Host: the-moondelight.96.lt  URI: /latest/version/secure/download/IN4447832
  Content-Type: None  Referrer: None  Length: 12243
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; ms-office; MSOffice 14)

Time: 2020-05-20 09:05:50.008  Src: 192.168.100.179:49795  Dst: 45.87.80.66:80
  Status: 200  Host: the-moondelight.96.lt  URI: /latest/version/secure/download/IN4447832
  Content-Type: None  Referrer: None  Length: 0
  User-Agent: Microsoft Office Existence Discovery

Time: 2020-05-20 09:05:50.500  Src: 192.168.100.179:49806  Dst: 45.87.80.66:80
  Status: 200  Host: the-moondelight.96.lt  URI: /latest/updte
  Content-Type: None  Referrer: None  Length: 44
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Time: 2020-05-20 09:05:56.455  Src: 192.168.100.179:49806  Dst: 45.87.80.66:80
  Status: None  Host: the-moondelight.96.lt  URI: /optra/sant.gif
  Content-Type: None  Referrer: None  Length: 0
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Time: 2020-05-20 09:05:56.499  Src: 192.168.100.179:49897  Dst: 45.87.80.66:80
  Status: 200  Host: the-moondelight.96.lt  URI: /optra/sant.gif
  Content-Type: image/gif  Referrer: None  Length: 710
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Time: 2020-05-20 09:05:57.108  Src: 192.168.100.179:49897  Dst: 45.87.80.66:80
  Status: 200  Host: the-moondelight.96.lt  URI: /windw-sec/append
  Content-Type: None  Referrer: None  Length: 1051136
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 6.285 seconds )

  • 5.221 Suricata
  • 0.959 CAPE
  • 0.099 AnalysisInfo
  • 0.005 Debug
  • 0.001 BehaviorAnalysis

Signatures ( 0.061 seconds )

  • 0.013 ransomware_files
  • 0.008 ransomware_extensions
  • 0.006 antiav_detectreg
  • 0.004 antiav_detectfile
  • 0.003 persistence_autorun
  • 0.003 antianalysis_detectfile
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.002 infostealer_im
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 tinba_behavior
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 azorult_mutexes
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes

Reporting ( 0.221 seconds )

  • 0.221 PCAP2CERT