Today's quick #malware analysis with #SecurityOnion: FAKEBAT, REDLINE STEALER, and GOZI/ISFB/URSNIF pcap from 2023-02-03!
Thanks to @malware_traffic for sharing this pcap!
More screenshots:
blog.securityonion.net/2023/02/quick-…
#infosec
#infosecurity
#ThreatHunting
#IncidentResponse
@malware_traffic Let's review some of the data that #SecurityOnion generates from this traffic!
When you import the pcap using so-import-pcap, it will generate a hyperlink that will take you to the Overview dashboard:
@malware_traffic Here are the NIDS alerts:
@malware_traffic Let's review some of the more interesting NIDS alerts. We'll start with the initial HTTP request and pivot to PCAP transcript:
@malware_traffic Next, let's take a look at the first EXE downloaded:
@malware_traffic Now let's look at the second EXE downloaded:
Let's also look at the RedLine Stealer alert and pivot to PCAP transcript:
There is also a Zeek Notice for the second EXE download since it triggered a Team Cymru Malware Hash Registry match:
Now let's review some of the protocol metadata. We'll start with HTTP:
Next let's look at files transferred:
Here are the SSL connections:
DNS lookups:
Finally, here is an overview of all external connections including GeoIP lookups:
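The pivots above (files transferred joined back to the HTTP request that fetched them, the Team Cymru Malware Hash Registry check behind the Zeek Notice, and the external-connections view) can be reproduced directly from Zeek's JSON logs, which is how Security Onion stores them. The script below is an added example, not code from the thread or from the Security Onion project. It assumes newline-delimited Zeek JSON for conn.log, http.log and files.log; the sample lines are constructed here with placeholder hosts and hashes (nothing from the 2023-02-03 pcap), and the "home" network definition is an assumption you would replace with your own ranges.

```python
"""Correlate Zeek JSON logs: PE downloads -> fetching HTTP request -> MHR lookup name,
plus the set of external responders the GeoIP overview would enrich."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample Zeek JSON lines (illustrative only; not from the thread's pcap).
# Hashes are placeholders, not real malware hashes.
SAMPLE_CONN = """\
{"ts":1675430400.1,"uid":"CAAA01","id.orig_h":"10.2.3.101","id.resp_h":"10.2.3.1","id.resp_p":53,"proto":"udp"}
{"ts":1675430401.2,"uid":"CAAA02","id.orig_h":"10.2.3.101","id.resp_h":"203.0.113.10","id.resp_p":80,"proto":"tcp"}
{"ts":1675430405.3,"uid":"CAAA03","id.orig_h":"10.2.3.101","id.resp_h":"198.51.100.25","id.resp_p":80,"proto":"tcp"}
{"ts":1675430409.4,"uid":"CAAA04","id.orig_h":"10.2.3.101","id.resp_h":"198.51.100.77","id.resp_p":443,"proto":"tcp"}
"""
SAMPLE_HTTP = """\
{"ts":1675430401.3,"uid":"CAAA02","id.orig_h":"10.2.3.101","id.resp_h":"203.0.113.10","method":"GET","host":"example.invalid","uri":"/download/installer.exe","status_code":200}
{"ts":1675430405.4,"uid":"CAAA03","id.orig_h":"10.2.3.101","id.resp_h":"198.51.100.25","method":"GET","host":"files.example.invalid","uri":"/stage2.exe","status_code":200}
"""
SAMPLE_FILES = """\
{"ts":1675430401.5,"fuid":"FAAA01","conn_uids":["CAAA02"],"tx_hosts":["203.0.113.10"],"rx_hosts":["10.2.3.101"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"installer.exe","sha1":"0000000000000000000000000000000000000001"}
{"ts":1675430402.0,"fuid":"FAAA03","conn_uids":["CAAA02"],"tx_hosts":["203.0.113.10"],"rx_hosts":["10.2.3.101"],"source":"HTTP","mime_type":"text/html","sha1":"0000000000000000000000000000000000000003"}
{"ts":1675430405.6,"fuid":"FAAA02","conn_uids":["CAAA03"],"tx_hosts":["198.51.100.25"],"rx_hosts":["10.2.3.101"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"stage2.exe","sha1":"0000000000000000000000000000000000000002"}
"""

# Assumed "home" ranges (RFC 1918 + loopback). Adjust to your environment.
HOME_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXECUTABLE_MIME = {"application/x-dosexec"}  # libmagic's label for PE files


def parse_zeek_json(text):
    """Zeek JSON logs are one object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def executable_downloads(http_text, files_text):
    """Join files.log to http.log on the connection uid and keep PE transfers.
    Each result carries the request that fetched the binary plus Zeek's SHA-1,
    which is the 'files transferred -> HTTP request' pivot done by hand."""
    http_by_uid = {rec["uid"]: rec for rec in parse_zeek_json(http_text)}
    results = []
    for f in parse_zeek_json(files_text):
        if f.get("mime_type") not in EXECUTABLE_MIME:
            continue
        for uid in f.get("conn_uids", []):
            req = http_by_uid.get(uid)
            if req is None:  # file seen on a non-HTTP or unlogged connection
                continue
            results.append({
                "uid": uid, "client": req["id.orig_h"], "server": req["id.resp_h"],
                "host": req["host"], "uri": req["uri"],
                "filename": f.get("filename"), "sha1": f["sha1"],
            })
    return results


def mhr_query_name(sha1_hex):
    """Name that Zeek's detect-MHR policy resolves (as a TXT record) against the
    Team Cymru Malware Hash Registry. Only builds the name; no DNS is sent."""
    h = sha1_hex.lower()
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 40-character hex SHA-1")
    return f"{h}.malware.hash.cymru.com"


def external_destinations(conn_text):
    """Responder addresses outside HOME_NETS with the (proto, port) pairs seen,
    i.e. the population the external-connections overview enriches with GeoIP."""
    dests = defaultdict(set)
    for c in parse_zeek_json(conn_text):
        ip = ipaddress.ip_address(c["id.resp_h"])
        if any(ip in net for net in HOME_NETS):
            continue
        dests[str(ip)].add((c["proto"], c["id.resp_p"]))
    return {ip: sorted(pairs) for ip, pairs in dests.items()}


if __name__ == "__main__":
    for d in executable_downloads(SAMPLE_HTTP, SAMPLE_FILES):
        print(f"{d['client']} -> {d['server']} GET http://{d['host']}{d['uri']} "
              f"({d['filename']}) sha1={d['sha1']}")
        print("   MHR lookup name:", mhr_query_name(d["sha1"]))
    for ip, pairs in external_destinations(SAMPLE_CONN).items():
        print("external:", ip, pairs)
```

Run it against real Security Onion exports by reading the JSON logs into the three text variables; the join on `uid`/`conn_uids` is the same one the Hunt interface performs when you pivot from a file to its connection, and the SHA-1 name is what you would resolve (or look up in the MHR web interface) to confirm why the Zeek Notice fired.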