{"report_id":"2a2c1005-15d3-4874-a31f-242438ab3919","version":6,"status":"done","tags":[],"date":"2024-04-03T01:06:17Z","url":{"schema":"http","addr":"installpack.net/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026ga_cn=direct\u0026ga_cs=isg\u0026cid=50393950.88419439","fqdn":"installpack.net","domain":"installpack.net","tld":"net"},"ip":{"addr":"176.99.5.252","port":0,"asn":49352,"as":"Domain names registrar REG.RU, Ltd","country":"Russia","country_code":"RU"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T20:46:02Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"installpack.net","ip":{"addr":"176.99.5.252","port":443,"asn":49352,"as":"Domain names registrar REG.RU, Ltd","country":"Russia","country_code":"RU"},"domain_registered":"2015-07-03","domain_rank":0,"first_seen":"2015-07-04 17:12:10","last_seen":"2024-03-28 04:29:20","alert_count":0,"request_count":1,"received_data":568,"sent_data":565,"comment":"","tags":null,"fingerprints":null},{"fqdn":"scdn.softcdn.ru","ip":{"addr":"195.201.247.90","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"domain_registered":"2015-08-26","domain_rank":0,"first_seen":"2016-03-22 14:58:16","last_seen":"2024-03-28 04:29:00","alert_count":0,"request_count":1,"received_data":740,"sent_data":583,"comment":"","tags":null,"fingerprints":null},{"fqdn":"ip.apps-windows.com","ip":{"addr":"195.201.247.90","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"domain_registered":"2018-11-13","domain_rank":0,"first_seen":"2019-02-20 02:31:46","last_seen":"2024-03-28 11:42:16","alert_count":2,"request_count":1,"received_data":2799308,"sent_data":776,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"7501d485f2602bb23f5bdd9e1c1ba45c","sha1":"65020b17ac53fc7bb4a8db723220f9a2bc11a547","sha256":"915deb6fb5559c5feaf1991f13ecda7f42c6fba8c1ceea99b701ed4ae95b8fd1","sha512":"ab7350fd53bfaa8fc05a2fde30e1a5b9950612b7b74a404db44a18a52c0709e86e428ff51938c096cc3b178f9ab8f4e77fa1825f3ba0cd07afd8622494079673","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections","size":2798808,"url":{"schema":"https","addr":"ip.apps-windows.com/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026cid=\u0026uid=\u0026type=ip\u0026ga_ci=blknstl_ruopera\u0026singleRename=1\u0026sign=1\u0026ga_an=\u0026ga_cn=direct\u0026ga_cs=isg\u0026ga_cm=\u0026ga_ck=isg\u0026ga_cc=\u0026utm_source=\u0026utm_campaign=\u0026utm_medium=\u0026uagent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A96.0%29+Gecko%2F20100101+Firefox%2F96.0\u0026abs=1","fqdn":"ip.apps-windows.com","domain":"apps-windows.com","tld":"com"},"ip":{"addr":"195.201.247.90","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-04-03","alert":"Detects suspicious SFX as used by Gamaredon group","trigger":"ip.apps-windows.com/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026cid=\u0026uid=\u0026type=ip\u0026ga_ci=blknstl_ruopera\u0026singleRename=1\u0026sign=1\u0026ga_an=\u0026ga_cn=direct\u0026ga_cs=isg\u0026ga_cm=\u0026ga_ck=isg\u0026ga_cc=\u0026utm_source=\u0026utm_campaign=\u0026utm_medium=\u0026uagent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A96.0%29+Gecko%2F20100101+Firefox%2F96.0\u0026abs=1","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-09-27","description":"Detects suspicious SFX as used by Gamaredon group","hash1":"e3bb02c5985fc64759b9c2d3c5474d46237ce472b4a0101c6313dafa939de5a9","hash2":"0ecf88d4b32895b4819dec3acb62eaaa7035aa6292499d903f76af60fcec0d6a","hash3":"a7a48f5220bd1ebe04de258d71fdd001711c165d162bd45e8cfbe8964eddf01c","hash4":"b6fa4889d8a87d45706d92714d716025bf223c01929755321faac1ab0db94a88","hash5":"7117b39890659c7dd11e15092c5e5ea9495bec0ff2b6e25254f6e343ed6ca33d","hash6":"ec2afb63555986fa55b7f98ae57c57e1138acb404a0dd2fe4f3d315730b9898e","reference":"Internal Research","rule":"SUSP_SFX_RunProgram_WScript"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-04-03","alert":"Scan result 26/71","trigger":"915deb6fb5559c5feaf1991f13ecda7f42c6fba8c1ceea99b701ed4ae95b8fd1","verdict":"malicious","severity":"","comment":"malicious - 26/71","link":"https://www.virustotal.com/gui/file/915deb6fb5559c5feaf1991f13ecda7f42c6fba8c1ceea99b701ed4ae95b8fd1","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-04-03","alert":"Detects suspicious SFX as used by Gamaredon group","trigger":"ip.apps-windows.com/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026cid=\u0026uid=\u0026type=ip\u0026ga_ci=blknstl_ruopera\u0026singleRename=1\u0026sign=1\u0026ga_an=\u0026ga_cn=direct\u0026ga_cs=isg\u0026ga_cm=\u0026ga_ck=isg\u0026ga_cc=\u0026utm_source=\u0026utm_campaign=\u0026utm_medium=\u0026uagent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A96.0%29+Gecko%2F20100101+Firefox%2F96.0\u0026abs=1","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-09-27","description":"Detects suspicious SFX as used by Gamaredon group","hash1":"e3bb02c5985fc64759b9c2d3c5474d46237ce472b4a0101c6313dafa939de5a9","hash2":"0ecf88d4b32895b4819dec3acb62eaaa7035aa6292499d903f76af60fcec0d6a","hash3":"a7a48f5220bd1ebe04de258d71fdd001711c165d162bd45e8cfbe8964eddf01c","hash4":"b6fa4889d8a87d45706d92714d716025bf223c01929755321faac1ab0db94a88","hash5":"7117b39890659c7dd11e15092c5e5ea9495bec0ff2b6e25254f6e343ed6ca33d","hash6":"ec2afb63555986fa55b7f98ae57c57e1138acb404a0dd2fe4f3d315730b9898e","reference":"Internal Research","rule":"SUSP_SFX_RunProgram_WScript"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"installpack.net/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026ga_cn=direct\u0026ga_cs=isg\u0026cid=50393950.88419439","fqdn":"installpack.net","domain":"installpack.net","tld":"net"},"ip":{"addr":"176.99.5.252","port":443,"asn":49352,"as":"Domain names registrar REG.RU, Ltd","country":"Russia","country_code":"RU"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-04-03T01:05:52.421Z","timestamp":1712106352421,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"installpack.net","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Mon, 11 Mar 2024 07:53:55 GMT","end":"Sun, 09 Jun 2024 07:53:54 GMT"},"fingerprint":{"sha1":"A6:97:52:11:39:E5:48:97:34:A2:20:F8:54:BD:86:B6:82:01:AC:93","sha256":"9F:C7:70:5F:01:AF:CE:DD:69:FB:5C:92:89:B5:F3:EA:86:29:03:AE:78:45:B8:46:0B:AF:6A:32:DE:B6:58:79"}}},"request":{"raw":"GET /InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026ga_cn=direct\u0026ga_cs=isg\u0026cid=50393950.88419439 HTTP/1.1\r\nHost: installpack.net\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\nDate: Wed, 03 Apr 2024 01:05:52 GMT\r\nContent-Type: text/html\r\nContent-Length: 138\r\nConnection: keep-alive\r\nLocation: https://scdn.softcdn.ru/10.html?parameter=InstallPack.exe\u0026preselecteditems=wise-disk-cleaner\u0026ga_cn=direct\u0026ga_cs=isg\u0026cid=50393950.88419439\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nAccess-Control-Allow-Origin: *\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Moved Temporarily","fingerprints":null,"data":{"size":138,"size_decoded":138,"mime_type":"application/octet-stream","magic":"HTML document, ASCII text, with CRLF line terminators","md5":"aff950cab4c0265e21d401db15f1026d","sha1":"f03e18461817f7a6546c8bf8fa8d686d7e30aca0","sha256":"753e0dd54f28c4f7009b9c0b18a68aed175416bd8b7d134858264586eaac56f0","sha512":"a1f0f6f3dd6788a1d7c922c6a8fc81d4709dbd0bf28433023fb8fbd151f645daa096c6e9dd670fb7f86c1699942514a11c183aa09f0018142f823668fb2a0aa2","ssdeep":"","tlshash":"a5c092af79533c8cc8f33a3954c3a298d1ed92726ba8960096408553b2c72568ec3363","first_seen":"2023-04-05T03:40:47Z","last_seen":"2026-03-26T18:06:03.990474Z","times_seen":38808,"resource_available":false,"data":null}},"time_used":167,"timings":{"blocked":69,"dns":0,"connect":29,"send":0,"wait":28,"receive":1,"ssl":37},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"scdn.softcdn.ru/10.html?parameter=InstallPack.exe\u0026preselecteditems=wise-disk-cleaner\u0026ga_cn=direct\u0026ga_cs=isg\u0026cid=50393950.88419439","fqdn":"scdn.softcdn.ru","domain":"softcdn.ru","tld":"ru"},"ip":{"addr":"195.201.247.90","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-04-03T01:05:52.523Z","timestamp":1712106352523,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"softcdn.ru","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Mon, 11 Mar 2024 08:54:58 GMT","end":"Sun, 09 Jun 2024 08:54:57 GMT"},"fingerprint":{"sha1":"1E:15:A4:24:CF:F4:D2:90:53:D6:2A:36:62:CC:7B:4C:54:4E:5A:D4","sha256":"D8:C8:77:4A:A0:45:48:D6:63:A8:8E:41:12:90:99:39:83:A3:A2:6F:4E:DF:AE:8C:73:9D:B2:8F:5E:32:7E:E3"}}},"request":{"raw":"GET /10.html?parameter=InstallPack.exe\u0026preselecteditems=wise-disk-cleaner\u0026ga_cn=direct\u0026ga_cs=isg\u0026cid=50393950.88419439 HTTP/1.1\r\nHost: scdn.softcdn.ru\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\nDate: Wed, 03 Apr 2024 01:05:52 GMT\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nSet-Cookie: mvwtl=oqUcADEwAAIAOABwqwxm__9wqwxmQAABAAAAcKsMZgA-; expires=Thu, 03-Apr-2025 01:05:52 GMT; path=/; domain=scdn.softcdn.ru\r\nLocation: https://ip.apps-windows.com/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026cid=\u0026uid=\u0026type=ip\u0026ga_ci=blknstl_ruopera\u0026singleRename=1\u0026sign=1\u0026ga_an=\u0026ga_cn=direct\u0026ga_cs=isg\u0026ga_cm=\u0026ga_ck=isg\u0026ga_cc=\u0026utm_source=\u0026utm_campaign=\u0026utm_medium=\u0026uagent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A96.0%29+Gecko%2F20100101+Firefox%2F96.0\u0026abs=1\r\nAccess-Control-Allow-Origin: *\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Moved Temporarily","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"application/octet-stream","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-05-06T13:45:52.642927Z","times_seen":14737748,"resource_available":true,"data":null}},"time_used":299,"timings":{"blocked":124,"dns":34,"connect":41,"send":0,"wait":49,"receive":1,"ssl":46},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"ip.apps-windows.com/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026cid=\u0026uid=\u0026type=ip\u0026ga_ci=blknstl_ruopera\u0026singleRename=1\u0026sign=1\u0026ga_an=\u0026ga_cn=direct\u0026ga_cs=isg\u0026ga_cm=\u0026ga_ck=isg\u0026ga_cc=\u0026utm_source=\u0026utm_campaign=\u0026utm_medium=\u0026uagent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A96.0%29+Gecko%2F20100101+Firefox%2F96.0\u0026abs=1","fqdn":"ip.apps-windows.com","domain":"apps-windows.com","tld":"com"},"ip":{"addr":"195.201.247.90","port":443,"asn":24940,"as":"Hetzner Online GmbH","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-04-03T01:05:52.704Z","timestamp":1712106352704,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"apps-windows.com","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Mon, 11 Mar 2024 08:52:58 GMT","end":"Sun, 09 Jun 2024 08:52:57 GMT"},"fingerprint":{"sha1":"A6:9F:49:B5:4C:B3:8A:6F:D9:72:B1:BE:12:8D:82:E4:35:DD:6D:4E","sha256":"95:32:99:81:BE:3B:E5:B7:54:BE:20:CA:94:DC:D7:A0:F7:AB:CD:7D:CA:80:68:B9:03:25:3F:6D:FD:C2:FA:1A"}}},"request":{"raw":"GET /InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026cid=\u0026uid=\u0026type=ip\u0026ga_ci=blknstl_ruopera\u0026singleRename=1\u0026sign=1\u0026ga_an=\u0026ga_cn=direct\u0026ga_cs=isg\u0026ga_cm=\u0026ga_ck=isg\u0026ga_cc=\u0026utm_source=\u0026utm_campaign=\u0026utm_medium=\u0026uagent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A96.0%29+Gecko%2F20100101+Firefox%2F96.0\u0026abs=1 HTTP/1.1\r\nHost: ip.apps-windows.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Wed, 03 Apr 2024 01:05:52 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 2798808\r\nLast-Modified: Thu, 02 Mar 2023 00:10:56 GMT\r\nConnection: keep-alive\r\nContent-Disposition: attachment; filename=\"Wise-Disk-Cleaner_InstallPack_06f699.exe\"\r\nETag: \"63ffe990-2ab4d8\"\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Headers: Content-Type\r\nAccess-Control-Allow-Methods: GET\r\nAccess-Control-Expose-Headers: Content-Disposition\r\nAccept-Ranges: bytes\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":2798808,"size_decoded":2798808,"mime_type":"application/octet-stream","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections","md5":"7501d485f2602bb23f5bdd9e1c1ba45c","sha1":"65020b17ac53fc7bb4a8db723220f9a2bc11a547","sha256":"915deb6fb5559c5feaf1991f13ecda7f42c6fba8c1ceea99b701ed4ae95b8fd1","sha512":"ab7350fd53bfaa8fc05a2fde30e1a5b9950612b7b74a404db44a18a52c0709e86e428ff51938c096cc3b178f9ab8f4e77fa1825f3ba0cd07afd8622494079673","ssdeep":"49152:VdW6CPtO5e/dsjaYb/Yny94UD70nqZuzY20krYQEJxLM0sE5xFROnc1Czg:VdyP85e+jaYbwmXzZuWkgxLBencQzg","tlshash":"cfd53364bb8584f5d2d13a350c9d765e81eed30687004edba3e02e6f2a14ed8ee7d2d1","first_seen":"2023-04-06T19:38:04Z","last_seen":"2025-04-07T12:32:38.779391Z","times_seen":4470,"resource_available":false,"data":null}},"time_used":781,"timings":{"blocked":91,"dns":1,"connect":41,"send":0,"wait":247,"receive":352,"ssl":46},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-04-03","alert":"Detects suspicious SFX as used by Gamaredon group","trigger":"ip.apps-windows.com/InstallPack.exe?preselecteditems=wise-disk-cleaner\u0026cid=\u0026uid=\u0026type=ip\u0026ga_ci=blknstl_ruopera\u0026singleRename=1\u0026sign=1\u0026ga_an=\u0026ga_cn=direct\u0026ga_cs=isg\u0026ga_cm=\u0026ga_ck=isg\u0026ga_cc=\u0026utm_source=\u0026utm_campaign=\u0026utm_medium=\u0026uagent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A96.0%29+Gecko%2F20100101+Firefox%2F96.0\u0026abs=1","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-09-27","description":"Detects suspicious SFX as used by Gamaredon group","hash1":"e3bb02c5985fc64759b9c2d3c5474d46237ce472b4a0101c6313dafa939de5a9","hash2":"0ecf88d4b32895b4819dec3acb62eaaa7035aa6292499d903f76af60fcec0d6a","hash3":"a7a48f5220bd1ebe04de258d71fdd001711c165d162bd45e8cfbe8964eddf01c","hash4":"b6fa4889d8a87d45706d92714d716025bf223c01929755321faac1ab0db94a88","hash5":"7117b39890659c7dd11e15092c5e5ea9495bec0ff2b6e25254f6e343ed6ca33d","hash6":"ec2afb63555986fa55b7f98ae57c57e1138acb404a0dd2fe4f3d315730b9898e","reference":"Internal Research","rule":"SUSP_SFX_RunProgram_WScript"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-04-03","alert":"Scan result 26/71","trigger":"915deb6fb5559c5feaf1991f13ecda7f42c6fba8c1ceea99b701ed4ae95b8fd1","verdict":"malicious","severity":"","comment":"malicious - 26/71","link":"https://www.virustotal.com/gui/file/915deb6fb5559c5feaf1991f13ecda7f42c6fba8c1ceea99b701ed4ae95b8fd1","meta":null}],"urlquery":null}}]}