URL: https://kosred.com/a/kpnvfx.txt
User request: GET HTTP/1.1
IP: 51.158.151.173:443
ASN: #12876 Scaleway S.a.s.
Certificate
  Issuer: Let's Encrypt
  Subject: kosred.com
  Fingerprint: 03:B8:7C:15:AC:53:8F:F2:2C:26:F7:90:4A:88:51:2F:3F:77:8D:21
  Validity: Tue, 13 Feb 2024 05:47:35 GMT - Mon, 13 May 2024 05:47:34 GMT
File type: PHP script, ASCII text, with very long lines (19425), with CRLF line terminators
Size: 131 kB (131176 bytes)
Hashes
  MD5: 6225e894e6b25fa9e5a7e5c03f5d40be
  SHA-1: ae3d85a05222f0c19c7eb46ffcfd730f14695396
  SHA-256: 44445f29393a1d9fb083f2649dec867472c97bfc71943ad8966f7016d58b4887
Analyzer | Verdict | Alert
Public Nextron YARA rules | malware | Detects a set of reconnaissance commands on Windows systems
Public Nextron YARA rules | malware | PHP webshell having some kind of input and some kind of payload; restricted to small files, or big ones including suspicious strings
Public Nextron YARA rules | malware | PHP webshell which directly eval()s obfuscated string
Public Nextron YARA rules | malware | PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
Public Nextron YARA rules | malware | Web Shell - file r57142.php
GET /a/kpnvfx.txt HTTP/1.1
Host: kosred.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 28 Mar 2024 09:21:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 17 Oct 2023 23:38:10 GMT
ETag: "713ae-607f203fea4b7-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain
URL: https://kosred.com/favicon.ico
IP: 51.158.151.173:443
ASN: #12876 Scaleway S.a.s.
Requested by: https://kosred.com/a/kpnvfx.txt
Certificate
  Issuer: Let's Encrypt
  Subject: kosred.com
  Fingerprint: 03:B8:7C:15:AC:53:8F:F2:2C:26:F7:90:4A:88:51:2F:3F:77:8D:21
  Validity: Tue, 13 Feb 2024 05:47:35 GMT - Mon, 13 May 2024 05:47:34 GMT
File type: MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Size: 131 kB (130767 bytes)
Hashes
  MD5: 2003db3f84e2d4fb3e059b568607c061
  SHA-1: 4eead5a216b26ae7113cbfd989b94058b2a10d22
  SHA-256: 5a8117904d931231dd0e8f6c3ed8c37754df89007d15e2a500b491a94273b348
GET /favicon.ico HTTP/1.1
Host: kosred.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https://kosred.com/a/kpnvfx.txt
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 28 Mar 2024 09:21:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Wed, 11 Nov 2020 15:51:12 GMT
ETag: "1fecf-5b3d6c3c9892c"
Accept-Ranges: bytes
Content-Length: 130767
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/vnd.microsoft.icon