51 engines detected this file
SHA-256: 3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e
File name: AU.EXE
File size: 572.5 KB
Last analysis: 2017-11-29 21:23:27 UTC

Engine            Detection
Ad-Aware          Trojan.Crypt.Agent.BF
AegisLab          Gen.Variant.Razy!c
AhnLab-V3         Trojan/Win32.Locky.C2242537
ALYac             Trojan.Crypt.Agent.BF
Antiy-AVL         Trojan/Win32.TSGeneric
Arcabit           Trojan.Crypt.Agent.BF
Avast             Win32:Malware-gen
AVG               Win32:Malware-gen
Avira             TR/Crypt.Xpack.binkq
AVware            Trojan.Win32.Generic!BT
Baidu             Win32.Trojan.WisdomEyes.16070401.9500.9999
BitDefender       Trojan.Crypt.Agent.BF
CAT-QuickHeal     TrojanSpy.SpyEyes
Comodo            Backdoor.Win32.Poison.FYRG

References:
https://www.hybrid-analysis.com/sample/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e?environmentId=100
https://www.virustotal.com/#/file/3bf071be282d16696584af13dc38e1c730f127f1b49504408676225d42874e1e/detection

Snort Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; sid:1234; rev:1;)

Packet capture excerpt:
2017-11-29 19:34:59.673041 IP 192.168.1.102.50951 > 198.54.116.113.80: Flags [P.], seq 3095874245:3095874726, […]