Report - xmsecu.com:8080/ocx/NewActive.exe

Report Overview

Visitedpublic

2024-10-14 11:05:06

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
r10.o.lencr.org	unknown	2020-06-29	2024-06-06	2024-10-13	1.3 kB	3.6 kB	184.51.252.176
r11.o.lencr.org	unknown	2020-06-29	2024-06-07	2024-10-13	654 B	1.8 kB	23.33.119.57
xmsecu.com	247383	2010-11-18	2012-07-13	2024-01-20	403 B	5.1 MB	49.4.84.205

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2024-10-14 11:04:41	high	Client IP	49.4.84.205	URLhaus Known malware download URL detected (3225160)
2024-10-14 11:04:41	high	49.4.84.205	Client IP	ET POLICY PE EXE or DLL Windows file download HTTP
2024-10-14 11:04:41	low	49.4.84.205	Client IP	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Mnemonic Secure DNS

Scan Date	Severity	Indicator	Alert
2024-10-14	medium	xmsecu.com	Sinkholed

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2024-10-14	medium	xmsecu.com	Sinkholed

ThreatFox

No alerts detected

File detected

URL

xmsecu.com:8080/ocx/NewActive.exe

IP / ASN

49.4.84.205

#55990 Huawei Cloud Service data center

File Overview

File TypePE32 executable (GUI) Intel 80386, for MS Windows, 5 sections

Size5.1 MB (5069003 bytes)

MD548646c40120925c774754e5de36c33cc

SHA135b7cf02001365714a75861809ba59c462e253d8

SHA256d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad

Detections

Analyzer	Verdict	Alert
VirusTotal	suspicious	VirusTotal - Scan result 2/73

JavaScript (0)

HTTP Transactions (7)

URL IP Response Size

r10.o.lencr.org/

184.51.252.176

200 OK

504 B

URL HTTP

r10.o.lencr.org/

IP / ASN

184.51.252.176

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-10-14

Last Seen2024-10-15

Times Seen9989

Size504 B (504 bytes)

MD58c678121da7ea2edc90ea014cf3552af

SHA13d76ebd2a3aba8dab56e3c15310551e9b226e249

SHA2561839e2eb73c24c27fda8e6bf4715b73ce52cc1c059bd1dfd9b739e71409cda3b

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "1839E2EB73C24C27FDA8E6BF4715B73CE52CC1C059BD1DFD9B739E71409CDA3B"
Last-Modified: Mon, 14 Oct 2024 08:07:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13182
Expires: Mon, 14 Oct 2024 14:44:21 GMT
Date: Mon, 14 Oct 2024 11:04:39 GMT
Connection: keep-alive

r10.o.lencr.org/

184.51.252.176

200 OK

504 B

URL HTTP

r10.o.lencr.org/

IP / ASN

184.51.252.176

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-10-14

Last Seen2024-10-14

Times Seen2270

Size504 B (504 bytes)

MD555ba07a71a62bbad2ddcc748da0561df

SHA193e163eae818fff5965c4e08f77a30009a4c85d4

SHA256dd3368b109660e2ad4d41e0454b8a57636c39b539e9e20da7cebffdb1ed3eb09

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "DD3368B109660E2AD4D41E0454B8A57636C39B539E9E20DA7CEBFFDB1ED3EB09"
Last-Modified: Mon, 14 Oct 2024 07:57:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13359
Expires: Mon, 14 Oct 2024 14:47:18 GMT
Date: Mon, 14 Oct 2024 11:04:39 GMT
Connection: keep-alive

r10.o.lencr.org/

184.51.252.176

200 OK

504 B

URL HTTP

r10.o.lencr.org/

IP / ASN

184.51.252.176

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-10-12

Last Seen2024-10-14

Times Seen14152

Size504 B (504 bytes)

MD50047c90c620c7ae5d6e899dbcd92d7f9

SHA1b40765060b59aa1231b7e4c552c7657c957a505e

SHA2568b02810ecc47d5f71219990370d9538bfff6e45c5ff895e7a3c60392423c5adb

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "8B02810ECC47D5F71219990370D9538BFFF6E45C5FF895E7A3C60392423C5ADB"
Last-Modified: Sat, 12 Oct 2024 08:15:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13598
Expires: Mon, 14 Oct 2024 14:51:18 GMT
Date: Mon, 14 Oct 2024 11:04:40 GMT
Connection: keep-alive

r10.o.lencr.org/

184.51.252.176

200 OK

504 B

URL HTTP

r10.o.lencr.org/

IP / ASN

184.51.252.176

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-10-14

Last Seen2024-10-15

Times Seen6645

Size504 B (504 bytes)

MD57d3f40edab25e8d6b700410399e281dd

SHA15abaaed5e9ea61626fd4d67b7c817195302b43a8

SHA2565438ee24c6b0170e7fa46e12c21b8a3bac1eb29bc86b1810a267dd3c72ea95ae

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "5438EE24C6B0170E7FA46E12C21B8A3BAC1EB29BC86B1810A267DD3C72EA95AE"
Last-Modified: Mon, 14 Oct 2024 06:24:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13318
Expires: Mon, 14 Oct 2024 14:46:38 GMT
Date: Mon, 14 Oct 2024 11:04:40 GMT
Connection: keep-alive

r11.o.lencr.org/

23.33.119.57

200 OK

504 B

URL HTTP

r11.o.lencr.org/

IP / ASN

23.33.119.57

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-10-13

Last Seen2024-10-14

Times Seen5289

Size504 B (504 bytes)

MD5241105d8fc709e6bd1be3519f5b7866f

SHA1fa41e9781f5c9c82f9a3feb36e44ed02216c1011

SHA25649a0d47bc68becfb87efb3d9271f71a04b3fb324f50bb793a9d012dbe3f0030e

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "49A0D47BC68BECFB87EFB3D9271F71A04B3FB324F50BB793A9D012DBE3F0030E"
Last-Modified: Sat, 12 Oct 2024 11:02:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=14694
Expires: Mon, 14 Oct 2024 15:09:36 GMT
Date: Mon, 14 Oct 2024 11:04:42 GMT
Connection: keep-alive

r11.o.lencr.org/

23.33.119.57

200 OK

504 B

URL HTTP

r11.o.lencr.org/

IP / ASN

23.33.119.57

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-10-13

Last Seen2024-10-14

Times Seen5289

Size504 B (504 bytes)

MD5241105d8fc709e6bd1be3519f5b7866f

SHA1fa41e9781f5c9c82f9a3feb36e44ed02216c1011

SHA25649a0d47bc68becfb87efb3d9271f71a04b3fb324f50bb793a9d012dbe3f0030e

HTTP Headers

POST / HTTP/1.1
Host: r11.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "49A0D47BC68BECFB87EFB3D9271F71A04B3FB324F50BB793A9D012DBE3F0030E"
Last-Modified: Sat, 12 Oct 2024 11:02:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=14694
Expires: Mon, 14 Oct 2024 15:09:36 GMT
Date: Mon, 14 Oct 2024 11:04:42 GMT
Connection: keep-alive

GET xmsecu.com:8080/ocx/NewActive.exe

49.4.84.205

200 OK

5.1 MB

URL User Request GET HTTP

xmsecu.com:8080/ocx/NewActive.exe

IP / ASN

49.4.84.205

#55990 Huawei Cloud Service data center

Requested byN/A

Resource Info

File typePE32 executable (GUI) Intel 80386, for MS Windows, 5 sections

First Seen2023-06-13

Last Seen2024-10-21

Times Seen82

Size5.1 MB (5069003 bytes)

MD548646c40120925c774754e5de36c33cc

SHA135b7cf02001365714a75861809ba59c462e253d8

SHA256d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad

Detections

Analyzer	Verdict	Alert
Mnemonic Secure DNS	malicious	Sinkholed
Quad9 DNS	malicious	Sinkholed
VirusTotal	suspicious	VirusTotal - Scan result 2/73

HTTP Headers

GET /ocx/NewActive.exe HTTP/1.1
Host: xmsecu.com:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 14 Oct 2024 11:04:40 GMT
Content-Type: application/octet-stream
Content-Length: 5069003
Last-Modified: Mon, 13 Feb 2023 12:57:37 GMT
Connection: keep-alive
ETag: "63ea33c1-4d58cb"
Accept-Ranges: bytes