Observed Activity: Suspicious Text File from Shanghai
Executive Summary
- SGI sensors detected a low-severity text file, ‘EligibilityCheck.txt,’ originating from IP address 101.35.151.132 in Shanghai, China.
- The file was flagged due to its filename and origin, although VirusTotal analysis showed no malicious detections.
- The objective is unknown. Nothing observed confirms intent; reconnaissance and staging for a later payload are both plausible readings, and neither is supported by anything beyond the filename.
- The business risk is currently low but warrants inspection of the payload contents and continued monitoring of the indicators.
- We expect low-volume probes of this kind to continue against a range of organizations in the coming months; the indicators should be retained so that a later, more consequential contact from the same infrastructure is recognised.
Observed Activity (SGI Sensors)
| ObservedAt | SensorName | SourceIP | SourceASN | SourceGeo | Protocol/Port | PayloadPresence | Hash |
|---|---|---|---|---|---|---|---|
| 2025-10-15T06:14:22.586Z | [Redacted] | 101.35.151.XXX | AS45090 | CN | tcp/[Redacted] | Yes | 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865 |
On October 15, 2025, at 06:14:22 UTC, an SGI sensor recorded an inbound TCP connection from 101.35.151.132 (Shanghai, China). The connection carried a payload identified as ‘EligibilityCheck.txt.’ VirusTotal did not flag the file, but the unusual name and the source prompted further analysis. The address sits in AS45090, registered to Shenzhen Tencent Computer Systems Company Limited, that is, Tencent Cloud hosting: it is rented infrastructure, so the geolocation and registrant describe the hosting provider rather than the operator behind the connection.
Malware/Technique Overview
The observed file is a low-severity text file named ‘EligibilityCheck.txt.’ With no detections and no access to its content, its purpose is unknown; the filename hints at an information-gathering or instruction-delivery role, but that is inference from a name, not from content. Delivery over TCP says nothing about targeting on its own, and nothing in the observation distinguishes this contact from opportunistic internet-wide probing.
- T1595 – Active Scanning: adversaries probe victim infrastructure to gather information for later targeting; consistent with a single unsolicited inbound connection.
- T1105 – Ingress Tool Transfer: an inbound file transfer could be the precursor to delivery of further payloads. (This is the current ATT&CK name for the technique; earlier versions called it Remote File Copy.)
VirusTotal Snapshot
VirusTotal analysis of the file with SHA256 hash 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865 shows:
- Malicious detections: 0
- Undetected: 62
- Harmless: 0
VirusTotal identifies the file type as Text. The absence of detections should not be read as a clean bill of health: antivirus engines have nothing to match against in inert text, so a zero-detection result for a .txt file is the expected outcome whether the content is benign or not. Only inspection of the content itself (for URLs, commands, encoded blobs or instructions) settles the question. The VirusTotal reputation score is 25.
Indicators of Compromise (IoCs)
| Type | Value | Confidence | FirstSeen | Notes |
|---|---|---|---|---|
| ip | 101.35.151.XXX | medium | 2025-10-15T06:14:22.586Z | AS45090 Shenzhen Tencent Computer Systems Company Limited |
| hash | 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865 | high | 2025-10-15T06:14:22.586Z | SHA256 from VirusTotal |
We recommend monitoring these IoCs for at least 30 days.
Detection & Hunting
Use the following queries to detect similar activity within your environment:
Splunk SPL
index=* (file_hash="4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865" OR sha256="4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865") OR src_ip="101.35.151.132" OR src_ip="101.35.151.0/24"
The hash is the strong pivot; match it against whichever field your sourcetypes actually populate (file_hash under the Splunk CIM Endpoint data model, sha256 in many EDR feeds). The exact source address is listed separately from the /24 because the /24 is shared Tencent Cloud space: a hit on the range alone is low confidence and will produce false positives from unrelated tenants. Before running this at scale, restrict index=* to the indexes that hold network and endpoint data and bound the time range (for example earliest=-30d).
Elastic/Kibana KQL
file.hash.sha256:"4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865" OR source.ip:"101.35.151.132" OR source.ip:"101.35.151.0/24"
Written against ECS field names: file.hash.sha256 for the digest and source.ip for the address, which must be mapped as the ip type for the CIDR term to work. The same caveat applies as for the Splunk query: the /24 is shared cloud space, so treat a range-only hit as low confidence and weight a hash hit far higher.
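The two queries above pivot on the same three values. The script below is an added example, not SGI tooling, that applies the same matching logic in Python to constructed NDJSON events so the confidence difference between an exact-hash hit, an exact-IP hit and a bare /24 hit is explicit in the output; the field names (src_ip, sha256) and the sample records are assumptions, and malformed source addresses are tolerated rather than allowed to abort the hunt.

```python
"""Added example: match the advisory's IoCs against constructed log records.

Not part of the SGI advisory. Field names and sample events are assumptions
chosen to resemble typical SIEM output; none of the records is real sensor data.
"""
import ipaddress
import json
from typing import Iterable

# IoCs from the advisory. The /24 mirrors the report's own hunting queries.
IOC_SHA256 = "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"
IOC_EXACT_IP = ipaddress.ip_address("101.35.151.132")
IOC_NETWORK = ipaddress.ip_network("101.35.151.0/24")

# Constructed sample events (NDJSON), one per line. Not real data.
SAMPLE_LOGS = """
{"ts":"2025-10-15T06:14:22.586Z","src_ip":"101.35.151.132","proto":"tcp","file_name":"EligibilityCheck.txt","sha256":"4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"}
{"ts":"2025-10-15T06:20:01.000Z","src_ip":"101.35.151.77","proto":"tcp","file_name":null,"sha256":null}
{"ts":"2025-10-15T07:02:13.000Z","src_ip":"10.20.30.40","proto":"tcp","file_name":"report.txt","sha256":"4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"}
{"ts":"2025-10-15T07:05:00.000Z","src_ip":"198.51.100.9","proto":"tcp","file_name":"notes.txt","sha256":"0000000000000000000000000000000000000000000000000000000000000000"}
{"ts":"2025-10-15T07:06:00.000Z","src_ip":"not-an-ip","proto":"tcp","file_name":null,"sha256":null}
""".strip()


def classify(event: dict) -> list[str]:
    """Return the IoC match reasons for one event, strongest evidence first.

    hash:exact  - the payload bytes are the ones the advisory saw (high confidence)
    ip:exact    - the single observed source address (medium confidence)
    ip:cidr     - somewhere in the shared Tencent Cloud /24 (low confidence)
    """
    reasons: list[str] = []
    sha = (event.get("sha256") or "").lower()
    if sha == IOC_SHA256:
        reasons.append("hash:exact")
    try:
        ip = ipaddress.ip_address(event.get("src_ip") or "")
    except ValueError:
        ip = None  # missing or malformed address: skip the IP checks, keep going
    if ip is not None:
        if ip == IOC_EXACT_IP:
            reasons.append("ip:exact")
        elif ip in IOC_NETWORK:
            reasons.append("ip:cidr")
    return reasons


def hunt(lines: Iterable[str]) -> list[dict]:
    """Run classify() over NDJSON lines and return only the events that matched."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: not worth aborting the sweep
        reasons = classify(event)
        if reasons:
            hits.append({"ts": event.get("ts"), "src_ip": event.get("src_ip"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS.splitlines()):
        print(hit)
```

Running the block against the constructed events yields three hits: the original contact matches on both hash and exact address, the second Tencent Cloud address matches only on the /24 and should be triaged as low confidence, and the internal host that later holds the same bytes matches on hash alone, which is the hit worth chasing first because it says the content reached a system you own.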
Containment, Eradication & Recovery
- Scope containment to systems that actually show the indicators (a connection involving 101.35.151.132 or a file with the listed hash); nothing observed so far justifies isolating hosts that merely sit in the same segment.
- Block 101.35.151.132 at the perimeter. Blocking the whole /24 is an option, but it also drops unrelated Tencent Cloud tenants; decide based on whether your environment has any legitimate reason to talk to that range.
- Scan systems for the hash (4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865) and capture the file content wherever it is found, since the content is the missing piece of this analysis.
- If the file is found and its content turns out to be malicious, treat that host as compromised and reimage it; if the content is inert, record the finding and continue monitoring rather than rebuilding.
- Reset credentials where there is evidence of interactive access or credential exposure on an affected host, not for every system that merely exchanged packets with the address.
Ensure clear communication between IT and leadership throughout the containment and eradication process. Preserve any relevant evidence for potential forensic analysis.
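For the "scan systems for the hash" step, the following added example (not part of the advisory) sweeps a directory tree for the SHA-256 and shows why the filename alone is not an indicator. The fixture tree, file names and contents are constructed in a temporary directory; a CRLF-converted copy of the same text is included to show that a text file's hash changes with any byte-level edit, so a hash-only sweep finds exact copies wherever they were renamed but misses a modified one.

```python
"""Added example: sweep a directory tree for the advisory's SHA-256.

Not SGI tooling. The fixture directory, its file names and contents are
constructed here so the example runs offline; none of it is the observed payload.
"""
import hashlib
import os
import tempfile
from pathlib import Path

IOC_SHA256 = "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path, iocs: set[str], max_bytes: int = 64 << 20) -> list[tuple[Path, str]]:
    """Return (path, digest) for every regular file under root whose SHA-256 is in iocs.

    Symlinks are skipped (a symlink to /dev/zero would otherwise hang the sweep),
    files above max_bytes are skipped, and unreadable files are skipped rather than
    aborting the whole run.
    """
    iocs = {h.lower() for h in iocs}
    matches: list[tuple[Path, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file() or p.stat().st_size > max_bytes:
                    continue
                digest = sha256_of(p)
            except OSError:
                continue
            if digest in iocs:
                matches.append((p, digest))
    return matches


def build_fixture(root: Path) -> None:
    """Constructed test tree (assumption, not the observed payload)."""
    body = b"eligibility: pending\nref: 0001\n"
    (root / "EligibilityCheck.txt").write_bytes(body)
    (root / "docs").mkdir()
    # Same bytes under a different name: a hash sweep must still find it.
    (root / "docs" / "renamed.log").write_bytes(body)
    # Same text with CRLF line endings: same name, different bytes, different hash.
    (root / "docs" / "EligibilityCheck.txt").write_bytes(body.replace(b"\n", b"\r\n"))


def demo() -> dict:
    """Build the fixture, run the sweep, and summarise what the hash did and did not find."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_fixture(root)
        target = sha256_of(root / "EligibilityCheck.txt")  # stands in for a hash you hold
        hits = sweep(root, {IOC_SHA256, target})
        return {
            "matched": sorted(p.relative_to(root).as_posix() for p, _ in hits),
            "advisory_hash_only": len(sweep(root, {IOC_SHA256})),
            "crlf_variant_differs": sha256_of(root / "docs" / "EligibilityCheck.txt") != target,
        }


if __name__ == "__main__":
    print(demo())
```

In use, point sweep() at the volumes you care about with {IOC_SHA256} as the IoC set and feed every match straight into evidence preservation. The demo result makes the two caveats concrete: the renamed copy is found because its bytes are identical, while the file that still carries the suspicious name but has CRLF line endings is not, so pair the hash sweep with a filename search and inspect both sets of results.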
Hardening & Preventive Controls
- Implement Multi-Factor Authentication (MFA) for all user accounts (NIST CSF PR.AC-1 and PR.AC-7, CIS Control 6).
- Tune Endpoint Detection and Response (EDR) to alert on unexpected inbound file transfers and on execution of content sourced from newly written text files (NIST CSF DE.CM-1 and DE.CM-4, CIS Control 10).
- Implement network segmentation so that an internet-facing host cannot reach internal systems directly (NIST CSF PR.AC-5, CIS Control 12).
- Enforce least privilege access controls to limit the impact of a compromised account (NIST CSF PR.AC-4, CIS Controls 5 and 6).
- Establish patch SLAs to ensure timely remediation of vulnerabilities (NIST CSF PR.IP-12, CIS Control 7).
CIS references use the Controls v8 numbering; NIST CSF references are to version 1.1 subcategories.
Business Impact & Risk Outlook
The potential business impact is currently low. If this contact proves to be the first step of a larger intrusion, the operational, legal and reputational exposure rises accordingly, which is the reason to keep the indicators under watch rather than close the ticket. Probing of this kind from cloud-hosted infrastructure is routine and we expect it to continue over the next 3-6 months; the useful response is better coverage of inbound file transfers and faster pivoting from a hash or address to the affected host, not a change in posture for this single event.
Appendix
The payload was a plain text file. Its contents were not available for this analysis, so the file type is known but what it contained is not.
Assumptions & Data Gaps
- We assume the provided VirusTotal report is accurate and up-to-date.
- We lack information about the specific content of the ‘EligibilityCheck.txt’ file.
- The destination port of the TCP connection was redacted in the sensor data.
- The sensor name was redacted.
Published by Sentry Global Intelligence & Consulting Group (SGI).