{ "payload_printable": "....Y...U..g:.......X..8..b...f].u3f4x..o#. .!.......k.......2.)H.....a..zRT....\r.................n...j..g..d0..`0............S...R.p0\r..*.H..\r.....0I1.0...U....XX1\n0...U....11\n0...U....11\n0...U.\n..11\n0...U....11\n0...U....*0..\r190704140758Z.\r290701140758Z0I1.0...U....XX1\n0...U....11\n0...U....11\n0...U.\n..11\n0...U....11\n0...U....*0..0\r..*.H..\r.........0..............M.-...~...&O...l.Y6S.V...+....Q........p..[...=l.9..7|..i.. .r.J..0{...68l...>9...L@!...W&]\r!....:b..s..'.;u`..g......).......P0N0...U......q.%..X......V..O.)..0...U.#..0...q.%..X......V..O.)..0...U....0....0\r..*.H..\r.............k....o..y.<........dN.L..H:k.a...3......a..[.....1M$..3.L-;.n..k9....#.?oq.2%.eX.v.....3.DZ7....\\,+\"rt.b.j.+.,Y.@G..b..V................A.e..m6w..m.W|..z..;....}.....6,&2dk..H.U.....L|3j.....A.F'N.@...........Z....#i..KD.*&...7.....Q.....Sw...pD!..=...........).9..d.....EnKWN.5./.c...m..fa.Q..G........&..q;..e...x.+.6..\"....*eK..*f..........", "src_ip": "185.251.38.235", "stream": 1, "proto": "TCP", "geoip": { "longitude": 6.191, "continent": { "code": "EU", "geoname_id": 6255148, "name": "Europe" }, "country_name": "Netherlands", "latitude": 52.6961, "ip": "185.251.38.235", "country_code3": "NL", "country": { "is_in_european_union": true, "iso_code": "NL", "geoname_id": 2750405, "name": "Netherlands" }, "provider": { "autonomous_system_organization": "McHost.Ru", "autonomous_system_number": 48282 }, "location": { "lat": 52.6961, "lon": 6.191 }, "postal": { "code": "7941" }, "registered_country": { "is_in_european_union": true, "iso_code": "NL", "geoname_id": 2750405, "name": "Netherlands" }, "country_code2": "NL", "coordinate": [ 6.191, 52.6961 ], "timezone": "Europe/Amsterdam", "city": { "geoname_id": 2750947, "name": "Meppel" }, "subdivisions": [ { "iso_code": "DR", "geoname_id": 2756631, "name": "Provincie Drenthe" } ], "continent_code": "EU", "city_name": "Meppel" }, "ether": { "src_mac": "20:e5:2a:b6:93:f1", "dest_mac": "00:08:02:1c:47:ae" }, "tenant": 63, "type": "json-log", "app_proto": "tls", "hostname_info": { "domain_without_tld": "c54rng3686", "domain": "c54rng3686.com", "tld": "com", "url": "c54rng3686.com", "host": "c54rng3686.com" }, "dest_ip": "10.7.5.101", "packet_info": { "linktype": 1 }, "@version": "1", "@timestamp": "2023-10-25T03:32:16.697Z", "flow_id": 2251281946496552, "tls": { "subject": "C=XX, ST=1, L=1, O=1, OU=1, CN=*", "ja3s": { "string": "771,49172,65281-11", "hash": "f47b284bf7f61821a407e4f140a02686" }, "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "notafter": "2029-07-01T14:07:58", "serial": "00:9B:53:84:91:9E:52:B0:70", "sni": "c54rng3686.com", "issuerdn": "C=XX, ST=1, L=1, O=1, OU=1, CN=*", "fingerprint": "5b:14:93:e9:8f:c8:e7:7a:2e:a9:69:34:b3:da:83:b3:21:83:b1:9c", "notbefore": "2019-07-04T14:07:58", "version": "TLS 1.2", "ja3": { "agent": [ "Tofsee (from abuse.ch)" ], "hash": "4d7a28d6f2263ed61de88ca66eb011e3", "string": "771,60-47-61-53-5-10-49191-49171-49172-49195-49187-49196-49188-49161-49162-64-50-106-56-19-4,65281-0-10-11-13,23-24,0" }, "ja4": { "hash": "a12d1340h3_5b80db13ef18_e61ac43eb88f", "agent": [ "Chrome Version 60/61.0.3163, Google Chrome" ] }, "alpn_ts": [ "h2", "http/1.1" ], "alpn_tc": "h2", "cipher_security": "insecure" }, "net_info": { "src": [ "BAD_ACTOR.sbqcl.bad", "Internet" ], "src_agg": "bad_actor.sbqcl.bad.internet", "dest": [ "Accounting", "Site-A", "RemoteVPN", "Clients" ], "dest_agg": "accounting.site-a.remotevpn.clients" }, "timestamp": "2023-10-25T05:32:16.697996+0200", "in_iface": "dummy0", "see_name": "stamus-central-server", "alert": { "target": { "net_info_agg": "accounting.site-a.remotevpn.clients", "port": 50006, "ip": "10.7.5.101", "net_info": [ "Accounting", "Site-A", "RemoteVPN", "Clients" ] }, "metadata": { "performance_impact": [ "Low" ], "former_category": [ "MALWARE" ], "mitre_tactic_name": [ "Resource_Development" ], "signature_severity": [ "Major" ], "attack_target": [ "Client_and_Server" ], "mitre_tactic_id": [ "TA0042" ], "updated_at": [ "2018_11_16" ], "created_at": [ "2017_01_06" ], "tag": [ "SSL_Malicious_Cert" ], "deployment": [ "Perimeter" ], "mitre_technique_id": [ "T1587" ], "malware_family": [ "Zeus_Panda" ], "mitre_technique_name": [ "Develop_Capabilities" ], "affected_product": [ "Windows_XP_Vista_7_8_10_Server_32_64_Bit" ] }, "gid": 1, "signature": "ETPRO MALWARE Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected", "source": { "net_info_agg": "bad_actor.sbqcl.bad.internet", "port": 443, "ip": "185.251.38.235", "net_info": [ "BAD_ACTOR.sbqcl.bad", "Internet" ] }, "severity": 1, "category": "Domain Observed Used for C2 Detected", "signature_id": 2824248, "action": "allowed", "rev": 4 }, "host": "sn-probe-aws-2", "sig": { "updated": "2018-11-16", "created": "2017-01-06", "source": "ET Pro Source" }, "input": { "type": "log" }, "packet": "AAgCHEeuIOUqtpPxCABFAAAoeQIAAIAG0Xu5+ybrCgcFZQG7w1ZWJQpeP8/sQVAQ+vBy6wAA", "tags": [ "beats_input_codec_json_applied" ], "capture_file": "/var/log/suricata/pcaps//log-1698200928-1.pcap", "alerted": true, "see_id": "0a570e66842a", "logger": "logstash-manager", "agent": { "id": "9f305fa4-6db1-485c-81f9-598dce1469e3", "ephemeral_id": "bc89d735-5790-413b-b14e-b67d6d0d8cb2", "type": "filebeat", "name": "sn-probe-aws-2", "version": "7.17.10", "hostname": "sn-probe-aws-2" }, "flow": { "start": "2023-10-25T05:32:15.851847+0200", "src_ip": "10.7.5.101", "src_port": 50006, "pkts_toclient": 4, "dest_port": 443, "bytes_toserver": 620, "bytes_toclient": 1160, "dest_ip": "185.251.38.235", "pkts_toserver": 5 }, "src_port": 443, "dest_port": 50006, "log": { "offset": 117671368, "file": { "path": "/var/log/suricata/eve-alert.json" } }, "event_type": "alert", "_id": "wgXjZIsBBg4-tY684IFH" }