{"report_id":"0efe5bc0-e6aa-4741-8127-ffa76226f42d","version":6,"status":"done","tags":[],"date":"2023-10-24T03:07:25Z","url":{"schema":"http","addr":"192.3.232.37/windows/HMT.txt","fqdn":"192.3.232.37","domain":"192.3.232.37","tld":""},"ip":{"addr":"192.3.232.37","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"final":{"url":{"schema":"http","addr":"192.3.232.37/windows/HMT.txt","fqdn":"192.3.232.37","domain":"192.3.232.37","tld":"37"},"title":"192.3.232.37/windows/HMT.txt"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T18:15:28Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"192.3.232.37","ip":{"addr":"192.3.232.37","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2019-04-23 06:11:32","last_seen":"2023-09-02 17:44:00","alert_count":4,"request_count":2,"received_data":361933,"sent_data":752,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2023-10-24T03:07:09Z","timestamp":1698116829,"ip_dst":{"addr":"Client IP","port":59424,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"192.3.232.37","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"severity":"high","alert":"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1","source":"{\"timestamp\":\"2023-10-24T03:07:09.639285+0000\",\"flow_id\":87555942694409,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"192.3.232.37\",\"src_port\":80,\"dest_ip\":\"10.70.215.220\",\"dest_port\":59424,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2020423,\"rev\":2,\"signature\":\"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1\",\"category\":\"Exploit Kit Activity Detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2015_02_16\"],\"updated_at\":[\"2015_02_16\"]}},\"http\":{\"hostname\":\"192.3.232.37\",\"url\":\"/windows/HMT.txt\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":93124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":66,\"bytes_toserver\":1610,\"bytes_toclient\":98476,\"start\":\"2023-10-24T03:07:08.835081+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-24","alert":"Detects an base64 encoded executable with reversed characters","trigger":"192.3.232.37/windows/HMT.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-06","description":"Detects an base64 encoded executable with reversed characters","hash1":"7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8","reference":"Internal Research","rule":"SUSP_Reversed_Base64_Encoded_EXE","score":"80"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-10-24","alert":"Sinkholed","trigger":"192.3.232.37","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-10-24","alert":"Sinkholed","trigger":"192.3.232.37","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"192.3.232.37/windows/HMT.txt","fqdn":"192.3.232.37","domain":"192.3.232.37","tld":"37"},"ip":{"addr":"192.3.232.37","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-10-24T03:07:08.844Z","timestamp":1698116828844,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /windows/HMT.txt HTTP/1.1\r\nHost: 192.3.232.37\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Tue, 24 Oct 2023 03:07:08 GMT\r\nServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17\r\nLast-Modified: Tue, 24 Oct 2023 00:59:16 GMT\r\nETag: \"50aac-6086bd908beeb\"\r\nAccept-Ranges: bytes\r\nContent-Length: 330412\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/plain\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":330412,"size_decoded":0,"mime_type":"text/plain","magic":"ASCII text, with very long lines (65536), with no line terminators","md5":"9a479974dc68997506564e6f1d201692","sha1":"bf85c6a9b863ca9d1a0e459175968cffd6e9de16","sha256":"a2d3432de611238c141e15297746c246e02677a91bc492245e2c9e806cf67b87","sha512":"cfbfdea6e67414b29460f066433d16fa0b5f8aade3649a5dcb14d3b704248f1a907868ac05bd6247e1c55d3215011acf3ba57ac6ea9acd2d996946ae5a61e04d","ssdeep":"6144:390FVo4g8Wur2u6mFzNw88RURpsgBprtAcGD/6f:3uFVobwFBwnRURBAd6f","tlshash":"ed6475fa6036ed8a86370e84e1043f179c299ecf667887f8778815d1c19c68c6de75b8","first_seen":"2023-10-24T05:07:25Z","last_seen":"2023-10-24T05:07:25Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1283,"timings":{"blocked":151,"dns":0,"connect":160,"send":0,"wait":163,"receive":809,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-10-24T03:07:09Z","timestamp":1698116829,"ip_dst":{"addr":"10.70.215.220","port":59424,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"192.3.232.37","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"severity":"high","alert":"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1","source":"{\"timestamp\":\"2023-10-24T03:07:09.639285+0000\",\"flow_id\":87555942694409,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"192.3.232.37\",\"src_port\":80,\"dest_ip\":\"10.70.215.220\",\"dest_port\":59424,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2020423,\"rev\":2,\"signature\":\"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1\",\"category\":\"Exploit Kit Activity Detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2015_02_16\"],\"updated_at\":[\"2015_02_16\"]}},\"http\":{\"hostname\":\"192.3.232.37\",\"url\":\"/windows/HMT.txt\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":93124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":66,\"bytes_toserver\":1610,\"bytes_toclient\":98476,\"start\":\"2023-10-24T03:07:08.835081+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-10-24","alert":"Detects an base64 encoded executable with reversed characters","trigger":"192.3.232.37/windows/HMT.txt","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-06","description":"Detects an base64 encoded executable with reversed characters","hash1":"7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8","reference":"Internal Research","rule":"SUSP_Reversed_Base64_Encoded_EXE","score":"80"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-10-24","alert":"Sinkholed","trigger":"192.3.232.37","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"192.3.232.37/favicon.ico","fqdn":"192.3.232.37","domain":"192.3.232.37","tld":"37"},"ip":{"addr":"192.3.232.37","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"http://192.3.232.37/windows/HMT.txt","date":"2023-10-24T03:07:09.993Z","timestamp":1698116829993,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: 192.3.232.37\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: http://192.3.232.37/windows/HMT.txt\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Tue, 24 Oct 2023 03:07:09 GMT\r\nServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17\r\nLast-Modified: Thu, 16 Jul 2015 15:32:32 GMT\r\nETag: \"78ae-51affc7a4c400\"\r\nAccept-Ranges: bytes\r\nContent-Length: 30894\r\nKeep-Alive: timeout=5, max=99\r\nConnection: Keep-Alive\r\nContent-Type: image/x-icon\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":30894,"size_decoded":0,"mime_type":"image/x-icon","magic":"MS Windows icon resource - 3 icons, 64x64, 32 bits/pixel, 48x48, 32 bits/pixel\\012- data","md5":"6eb4a43cb64c97f76562af703893c8fd","sha1":"c50c4273b9d2433c6069454f971ed6653e07c126","sha256":"1d7c95c5eea00a8083a95810f902682f9e26e7fbb7876b022a403642d776d0c9","sha512":"3bae9380d8f0d45617ecf9d0d43818b7f8f83b61ecbd5e6dbd189c19d5853f92aa47965ad257cf712e49c03652f129dca47e8a8dbd86d62e614acc99ea931181","ssdeep":"384:BfFLlWD0KZIndnXmkoA4arnP/bGADEsTHZUA7hlrNemjwyinzLBXP1s3:B9Ls4qQXvqarnP/bV4iHNdHinzl1s3","tlshash":"1ed22f48c1a249c4fe902fb484b768620c7f7e757db83b4dad54b512867bcfa34b6422","first_seen":"2023-05-01T05:11:10Z","last_seen":"2026-04-04T00:20:33.76008Z","times_seen":7231,"resource_available":false,"data":null}},"time_used":163,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":162,"receive":1,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-10-24","alert":"Sinkholed","trigger":"192.3.232.37","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}