{"report_id":"096a623c-b5eb-427f-8e62-5bc64c018c13","version":6,"status":"done","tags":[],"date":"2024-11-29T21:05:54Z","url":{"schema":"http","addr":"89.169.4.44/bot.x86","fqdn":"89.169.4.44","domain":"89.169.4.44","tld":""},"ip":{"addr":"89.169.4.44","port":0,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-07T21:05:54Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"89.169.4.44","ip":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":13,"request_count":1,"received_data":196605,"sent_data":389,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"cd2b09f67594d5adcea3d1aeb9deff28","sha1":"6ca4b36bf387f384229f69ed5e36503ebdfff576","sha256":"e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","sha512":"a5979439e797f372caae3db23d8efd115ea040d9038dc8284b2835165fe7188b520326a3612dea3761a16d3524ae3adf024b79164c56be6a631de9d70c64cba1","magic":"ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)","size":196340,"url":{"schema":"http","addr":"89.169.4.44/bot.x86","fqdn":"89.169.4.44","domain":"89.169.4.44","tld":""},"ip":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects multiple Mirai variants","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-08-09","description":"Detects multiple Mirai variants","malpedia_family":"elf.mirai","rule":"ELF_Mirai","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7f5d67a7309d7ff399247f1c43a92ad4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"386c1b6c-c5f9-4a9c-a83f-1f940f4d2c2e"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-05-11","description":"Detects Gafgyt","malpedia_family":"elf.bashlite","rule":"Linux_Gafgyt_May_2024","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7ac9673e951d038c2c10c230393b6f0a","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"41b684bf-6dd2-48a4-9a16-143f0b1439fa"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Yakuza botnet","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"3c9ffd7537e30a21eefa6c174f801264b92a85a1bc73e34e6dc9e29f84658348","id":"122ff2e6-56e6-4aa8-a3ec-c19d31eb1f80","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4","rule":"Linux_Trojan_Mirai_122ff2e6","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"8838d2752b310dbf7d12f6cf023244aaff4fdf5b55cf1e3b71843210df0fcf88","id":"fa48b592-8d80-45af-a3e4-232695b8f5dd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee","rule":"Linux_Trojan_Mirai_fa48b592","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-05","fingerprint":"02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444","id":"8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f","rule":"Linux_Trojan_Mirai_8aa7b5d3","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"user_499l7sx19am3m53","sensor_type":"yara","title":"","description":"Private YARA rules","scan_date":"2024-11-29","alert":"Linux_Trojan_Mirai_122ff2e6","trigger":"89.169.4.44/bot.x86","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"3c9ffd7537e30a21eefa6c174f801264b92a85a1bc73e34e6dc9e29f84658348","id":"122ff2e6-56e6-4aa8-a3ec-c19d31eb1f80","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4","rule":"Linux_Trojan_Mirai_122ff2e6","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"user_499l7sx19am3m53","sensor_type":"yara","title":"","description":"Private YARA rules","scan_date":"2024-11-29","alert":"Linux_Trojan_Mirai_fa48b592","trigger":"89.169.4.44/bot.x86","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"8838d2752b310dbf7d12f6cf023244aaff4fdf5b55cf1e3b71843210df0fcf88","id":"fa48b592-8d80-45af-a3e4-232695b8f5dd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee","rule":"Linux_Trojan_Mirai_fa48b592","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"user_499l7sx19am3m53","sensor_type":"yara","title":"","description":"Private YARA rules","scan_date":"2024-11-29","alert":"Linux_Trojan_Mirai_8aa7b5d3","trigger":"89.169.4.44/bot.x86","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-05","fingerprint":"02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444","id":"8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f","rule":"Linux_Trojan_Mirai_8aa7b5d3","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"user_499l7sx19am3m53","sensor_type":"yara","title":"","description":"Private YARA rules","scan_date":"2024-11-29","alert":"Linux_Trojan_Gafgyt_28a2fe0c","trigger":"89.169.4.44/bot.x86","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"user_499l7sx19am3m53","sensor_type":"yara","title":"","description":"Private YARA rules","scan_date":"2024-11-29","alert":"Linux_Trojan_Gafgyt_ea92cca8","trigger":"89.169.4.44/bot.x86","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"user_499l7sx19am3m53","sensor_type":"yara","title":"","description":"Private YARA rules","scan_date":"2024-11-29","alert":"botnet_Yakuza","trigger":"89.169.4.44/bot.x86","verdict":"audit","severity":"audit","comment":"","link":"","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-28","alert":"Scan result 40/65","trigger":"e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","verdict":"malicious","severity":"","comment":"malicious - 40/65","link":"https://www.virustotal.com/gui/file/e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"cd2b09f67594d5adcea3d1aeb9deff28","sha1":"6ca4b36bf387f384229f69ed5e36503ebdfff576","sha256":"e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","sha512":"a5979439e797f372caae3db23d8efd115ea040d9038dc8284b2835165fe7188b520326a3612dea3761a16d3524ae3adf024b79164c56be6a631de9d70c64cba1","magic":"ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)","size":196340,"url":{"schema":"http","addr":"89.169.4.44/bot.x86","fqdn":"89.169.4.44","domain":"89.169.4.44","tld":""},"ip":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects multiple Mirai variants","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-08-09","description":"Detects multiple Mirai variants","malpedia_family":"elf.mirai","rule":"ELF_Mirai","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7f5d67a7309d7ff399247f1c43a92ad4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"386c1b6c-c5f9-4a9c-a83f-1f940f4d2c2e"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-05-11","description":"Detects Gafgyt","malpedia_family":"elf.bashlite","rule":"Linux_Gafgyt_May_2024","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7ac9673e951d038c2c10c230393b6f0a","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"41b684bf-6dd2-48a4-9a16-143f0b1439fa"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Yakuza botnet","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"3c9ffd7537e30a21eefa6c174f801264b92a85a1bc73e34e6dc9e29f84658348","id":"122ff2e6-56e6-4aa8-a3ec-c19d31eb1f80","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4","rule":"Linux_Trojan_Mirai_122ff2e6","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"8838d2752b310dbf7d12f6cf023244aaff4fdf5b55cf1e3b71843210df0fcf88","id":"fa48b592-8d80-45af-a3e4-232695b8f5dd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee","rule":"Linux_Trojan_Mirai_fa48b592","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-05","fingerprint":"02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444","id":"8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f","rule":"Linux_Trojan_Mirai_8aa7b5d3","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-28","alert":"Scan result 40/65","trigger":"e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","verdict":"malicious","severity":"","comment":"malicious - 40/65","link":"https://www.virustotal.com/gui/file/e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T21:05:29Z","timestamp":1732914329,"ip_dst":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"ip_src":{"addr":"172.18.0.17","port":38366,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO x86 File Download Request from IP Address","source":"{\"timestamp\":\"2024-11-29T21:05:29.126280+0000\",\"flow_id\":1632839939984529,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":38366,\"dest_ip\":\"89.169.4.44\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2025126,\"rev\":3,\"signature\":\"ET INFO x86 File Download Request from IP Address\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"IoT\"],\"created_at\":[\"2017_12_05\"],\"updated_at\":[\"2020_09_16\"]}},\"http\":{\"hostname\":\"89.169.4.44\",\"url\":\"/bot.x86\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":663,\"bytes_toclient\":3168,\"start\":\"2024-11-29T21:05:29.068753+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T21:05:29Z","timestamp":1732914329,"ip_dst":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"ip_src":{"addr":"172.18.0.17","port":38366,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious GET Request for .x86","source":"{\"timestamp\":\"2024-11-29T21:05:29.126280+0000\",\"flow_id\":1632839939984529,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":38366,\"dest_ip\":\"89.169.4.44\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2032924,\"rev\":1,\"signature\":\"ET HUNTING Suspicious GET Request for .x86\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"affected_product\":[\"IoT\",\"Linux\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2021_05_10\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2021_05_10\"]}},\"http\":{\"hostname\":\"89.169.4.44\",\"url\":\"/bot.x86\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":663,\"bytes_toclient\":3168,\"start\":\"2024-11-29T21:05:29.068753+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T21:05:29Z","timestamp":1732914329,"ip_dst":{"addr":"172.18.0.17","port":38366,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2024-11-29T21:05:29.182764+0000\",\"flow_id\":1632839939984529,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"89.169.4.44\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":38366,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_09_25\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"89.169.4.44\",\"url\":\"/bot.x86\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43173},\"files\":[{\"filename\":\"/bot.x86\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43173,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":33,\"bytes_toserver\":1851,\"bytes_toclient\":47074,\"start\":\"2024-11-29T21:05:29.068753+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects multiple Mirai variants","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-08-09","description":"Detects multiple Mirai variants","malpedia_family":"elf.mirai","rule":"ELF_Mirai","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7f5d67a7309d7ff399247f1c43a92ad4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"386c1b6c-c5f9-4a9c-a83f-1f940f4d2c2e"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-05-11","description":"Detects Gafgyt","malpedia_family":"elf.bashlite","rule":"Linux_Gafgyt_May_2024","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7ac9673e951d038c2c10c230393b6f0a","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"41b684bf-6dd2-48a4-9a16-143f0b1439fa"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Yakuza botnet","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"3c9ffd7537e30a21eefa6c174f801264b92a85a1bc73e34e6dc9e29f84658348","id":"122ff2e6-56e6-4aa8-a3ec-c19d31eb1f80","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4","rule":"Linux_Trojan_Mirai_122ff2e6","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"8838d2752b310dbf7d12f6cf023244aaff4fdf5b55cf1e3b71843210df0fcf88","id":"fa48b592-8d80-45af-a3e4-232695b8f5dd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee","rule":"Linux_Trojan_Mirai_fa48b592","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-05","fingerprint":"02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444","id":"8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f","rule":"Linux_Trojan_Mirai_8aa7b5d3","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"89.169.4.44","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"89.169.4.44/bot.x86","fqdn":"89.169.4.44","domain":"89.169.4.44","tld":""},"ip":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-29T21:05:29.069Z","timestamp":1732914329069,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /bot.x86 HTTP/1.1\r\nHost: 89.169.4.44\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Fri, 29 Nov 2024 21:05:29 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 196340\r\nLast-Modified: Thu, 28 Nov 2024 19:54:53 GMT\r\nConnection: keep-alive\r\nETag: \"6748ca8d-2fef4\"\r\nAccept-Ranges: bytes\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":196340,"size_decoded":196340,"mime_type":"application/octet-stream","magic":"ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV)","md5":"cd2b09f67594d5adcea3d1aeb9deff28","sha1":"6ca4b36bf387f384229f69ed5e36503ebdfff576","sha256":"e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","sha512":"a5979439e797f372caae3db23d8efd115ea040d9038dc8284b2835165fe7188b520326a3612dea3761a16d3524ae3adf024b79164c56be6a631de9d70c64cba1","ssdeep":"3072:ivmxdLVT7jFlZGgcbzScS3+P79c1vC9u9XXFHVByqqnnL/u:iuxddjFlZGgcbzmuP79c1vC9u9HFHvqS","tlshash":"e0147b86e762c9bbc44a0779069b97354637e4a2072f5b02e36cbeb06e13391f585f0d","first_seen":"2024-11-28T17:49:19.751368Z","last_seen":"2024-12-05T10:08:49.665301Z","times_seen":7,"resource_available":false,"data":null}},"time_used":179,"timings":{"blocked":28,"dns":0,"connect":28,"send":0,"wait":29,"receive":94,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T21:05:29Z","timestamp":1732914329,"ip_dst":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"ip_src":{"addr":"172.18.0.17","port":38366,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO x86 File Download Request from IP Address","source":"{\"timestamp\":\"2024-11-29T21:05:29.126280+0000\",\"flow_id\":1632839939984529,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":38366,\"dest_ip\":\"89.169.4.44\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2025126,\"rev\":3,\"signature\":\"ET INFO x86 File Download Request from IP Address\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"IoT\"],\"created_at\":[\"2017_12_05\"],\"updated_at\":[\"2020_09_16\"]}},\"http\":{\"hostname\":\"89.169.4.44\",\"url\":\"/bot.x86\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":663,\"bytes_toclient\":3168,\"start\":\"2024-11-29T21:05:29.068753+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T21:05:29Z","timestamp":1732914329,"ip_dst":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"ip_src":{"addr":"172.18.0.17","port":38366,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET HUNTING Suspicious GET Request for .x86","source":"{\"timestamp\":\"2024-11-29T21:05:29.126280+0000\",\"flow_id\":1632839939984529,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":38366,\"dest_ip\":\"89.169.4.44\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2032924,\"rev\":1,\"signature\":\"ET HUNTING Suspicious GET Request for .x86\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"affected_product\":[\"IoT\",\"Linux\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2021_05_10\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2021_05_10\"]}},\"http\":{\"hostname\":\"89.169.4.44\",\"url\":\"/bot.x86\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":4,\"bytes_toserver\":663,\"bytes_toclient\":3168,\"start\":\"2024-11-29T21:05:29.068753+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T21:05:29Z","timestamp":1732914329,"ip_dst":{"addr":"172.18.0.17","port":38366,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"89.169.4.44","port":80,"asn":31514,"as":"OOO Trivon Networks","country":"Russia","country_code":"RU"},"severity":"high","alert":"ET POLICY Executable and linking format (ELF) file download Over HTTP","source":"{\"timestamp\":\"2024-11-29T21:05:29.182764+0000\",\"flow_id\":1632839939984529,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"89.169.4.44\",\"src_port\":80,\"dest_ip\":\"172.18.0.17\",\"dest_port\":38366,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\",\"ET.ELFDownload\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019240,\"rev\":14,\"signature\":\"ET POLICY Executable and linking format (ELF) file download Over HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_09_25\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"89.169.4.44\",\"url\":\"/bot.x86\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43173},\"files\":[{\"filename\":\"/bot.x86\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43173,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":33,\"bytes_toserver\":1851,\"bytes_toclient\":47074,\"start\":\"2024-11-29T21:05:29.068753+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects multiple Mirai variants","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-08-09","description":"Detects multiple Mirai variants","malpedia_family":"elf.mirai","rule":"ELF_Mirai","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7f5d67a7309d7ff399247f1c43a92ad4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"386c1b6c-c5f9-4a9c-a83f-1f940f4d2c2e"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detects Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-05-11","description":"Detects Gafgyt","malpedia_family":"elf.bashlite","rule":"Linux_Gafgyt_May_2024","yarahub_license":"CC0 1.0","yarahub_reference_md5":"7ac9673e951d038c2c10c230393b6f0a","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"41b684bf-6dd2-48a4-9a16-143f0b1439fa"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Yakuza botnet","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-22","description":"Yakuza botnet","rule":"botnet_Yakuza","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6dde652b28f73f978e834412b835a740","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"c0ed7b7d-f8f5-4301-812d-aaca80577c97"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Gafgyt","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e","id":"ea92cca8-bba7-4a1c-9b88-a2d051ad0021","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_ea92cca8","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"3c9ffd7537e30a21eefa6c174f801264b92a85a1bc73e34e6dc9e29f84658348","id":"122ff2e6-56e6-4aa8-a3ec-c19d31eb1f80","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c7dd999a033fa3edc1936785b87cd69ce2f5cac5a084ddfaf527a1094e718bc4","rule":"Linux_Trojan_Mirai_122ff2e6","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"8838d2752b310dbf7d12f6cf023244aaff4fdf5b55cf1e3b71843210df0fcf88","id":"fa48b592-8d80-45af-a3e4-232695b8f5dd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","reference_sample":"c9e33befeec133720b3ba40bb3cd7f636aad80f72f324c5fe65ac7af271c49ee","rule":"Linux_Trojan_Mirai_fa48b592","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-11-29","alert":"Linux.Trojan.Mirai","trigger":"89.169.4.44/bot.x86","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2022-01-05","fingerprint":"02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444","id":"8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9","last_modified":"2022-01-26","license":"Elastic License v2","os":"linux","reference_sample":"5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f","rule":"Linux_Trojan_Mirai_8aa7b5d3","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Mirai"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"89.169.4.44","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-28","alert":"Scan result 40/65","trigger":"e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","verdict":"malicious","severity":"","comment":"malicious - 40/65","link":"https://www.virustotal.com/gui/file/e98a0c4210f503c3d34c06b61fde78323b6c7c22e623e813a1e5b292b5a4c6a3","meta":null}],"urlquery":null}}]}