Thursday, February 16, 2023

Quick Malware Analysis: FAKEBAT, REDLINE STEALER, and GOZI/ISFB/URSNIF pcap from 2023-02-03

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2023/02/03/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

The screenshots below show some of the interesting Suricata alerts, Zeek logs, and session transcripts.

About Security Onion

Security Onion is a versatile and scalable platform that can run on small virtual machines and can also scale up to the opposite end of the hardware spectrum to take advantage of extremely powerful server-class machines.  Security Onion can also scale horizontally, growing from a standalone single-machine deployment to a full distributed deployment with tens or hundreds of machines as dictated by your enterprise visibility needs.

To learn more about Security Onion, please see:
https://securityonion.net
https://securityonion.net/docs

More Samples

Find all of our Quick Malware posts at:
https://blog.securityonion.net/search/label/quick%20malware%20analysis

Screenshots

Click the first image to start the screenshot tour:

Overview Dashboard

Alert Overview

Pivot to PCAP for initial HTTP request

PCAP transcript showing initial HTTP request

Pivot to PCAP for first EXE download

PCAP transcript showing first EXE download

Pivot to PCAP for second EXE download

PCAP transcript showing second EXE download

Pivot to PCAP for RedLine Stealer init

PCAP transcript showing RedLine Stealer init

Zeek Notices showing Team Cymru Malware Hash Registry Match for second EXE

HTTP logs

File transfers

SSL/TLS logs

DNS lookups

Connections including GeoIP lookups


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.