Report - r57txt.org/wsoshell/wso.zip

Report Overview

Visited public
2024-06-11 21:46:31
Tags
URL
r57txt.org/wsoshell/wso.zip
Finishing URL
about:privatebrowsing
IP / ASN
172.67.214.199
#13335 CLOUDFLARENET
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
r57txt.org	unknown	2022-05-21	2012-11-29 22:29:16	2024-02-21 06:35:42	481 B	220 kB	172.67.214.199

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Files detected

URL
r57txt.org/wsoshell/wso.zip
IP
172.67.214.199
ASN
#13335 CLOUDFLARENET

File type
Zip archive data, at least v2.0 to extract, compression method=store
Size
220 kB (219613 bytes)
Hash
e6a8de2da8ee22a4007064d48d05eb69
3ff4f5d725a579ae3e1ee21695d439a01376ab65
22f5b4d0fb19d857b9699c27d7914fde7c65f73b8d4f98cb050771422c635bfc

Archive (2)

Filename

Md5

File type

pass.txt

60a4cd57adeee7e538d8e024af2bbd34

ASCII text, with no line terminators

wso2023.php

817755e08a086fbdf0fa83f383915d0b

PHP script, ASCII text, with very long lines (65264), with CRLF line terminators

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	PHP webshell obfuscated by encoding of mixed hex and dec
Public Nextron YARA rules	malware	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
Public Nextron YARA rules	malware	PHP webshell using some kind of eval with encoded blob to decode

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

	URL	IP	Response	Size
	r57txt.org/wsoshell/wso.zip	172.67.214.199	200 OK	220 kB
URL User Request GET HTTP/2 r57txt.org/wsoshell/wso.zip IP 172.67.214.199:443 ASN #13335 CLOUDFLARENET Certificate IssuerGoogle Trust Services LLC Subjectr57txt.org FingerprintF3:D7:84:11:3D:D1:B8:10:F9:E6:3F:A3:97:88:66:DD:3B:57:3E:AD ValidityFri, 19 Apr 2024 15:18:43 GMT - Thu, 18 Jul 2024 15:18:42 GMT File type Zip archive data, at least v2.0 to extract, compression method=store Size 220 kB (219613 bytes) Hash e6a8de2da8ee22a4007064d48d05eb69 3ff4f5d725a579ae3e1ee21695d439a01376ab65 22f5b4d0fb19d857b9699c27d7914fde7c65f73b8d4f98cb050771422c635bfc HTTP Headers `GET /wsoshell/wso.zip HTTP/1.1 Host: r57txt.org User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Upgrade-Insecure-Requests: 1 Connection: keep-alive Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache` HTTP/2 200 OK date: Tue, 11 Jun 2024 21:46:07 GMT content-type: application/zip content-length: 219613 last-modified: Tue, 20 Jun 2023 18:20:06 GMT cache-control: max-age=14400 cf-cache-status: MISS accept-ranges: bytes report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FHNoNWov1eeCZucJcchWJOTWJ%2FD6ps2USJx8FVbnkL3KlfTLWQ3R8eT9dZT9KslZ%2BMXIbNn1bekezBiZgWb2fzj6G65lSKqNs%2FVGiOLJfBZOYk5LLmFU9iupIEWS"}],"group":"cf-nel","max_age":604800} nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} vary: Accept-Encoding server: cloudflare cf-ray: 8924cac07b9392a9-CPH alt-svc: h3=":443"; ma=86400 X-Firefox-Spdy: h2

r57txt.org/wsoshell/wso.zip

172.67.214.199

200 OK

220 kB

URL User Request GET HTTP/2
r57txt.org/wsoshell/wso.zip
IP
172.67.214.199:443
ASN
#13335 CLOUDFLARENET

Certificate
IssuerGoogle Trust Services LLC
Subjectr57txt.org
FingerprintF3:D7:84:11:3D:D1:B8:10:F9:E6:3F:A3:97:88:66:DD:3B:57:3E:AD
ValidityFri, 19 Apr 2024 15:18:43 GMT - Thu, 18 Jul 2024 15:18:42 GMT

File type
Zip archive data, at least v2.0 to extract, compression method=store
Size
220 kB (219613 bytes)
Hash
e6a8de2da8ee22a4007064d48d05eb69
3ff4f5d725a579ae3e1ee21695d439a01376ab65
22f5b4d0fb19d857b9699c27d7914fde7c65f73b8d4f98cb050771422c635bfc

HTTP Headers

GET /wsoshell/wso.zip HTTP/1.1
Host: r57txt.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Tue, 11 Jun 2024 21:46:07 GMT
content-type: application/zip
content-length: 219613
last-modified: Tue, 20 Jun 2023 18:20:06 GMT
cache-control: max-age=14400
cf-cache-status: MISS
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FHNoNWov1eeCZucJcchWJOTWJ%2FD6ps2USJx8FVbnkL3KlfTLWQ3R8eT9dZT9KslZ%2BMXIbNn1bekezBiZgWb2fzj6G65lSKqNs%2FVGiOLJfBZOYk5LLmFU9iupIEWS"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 8924cac07b9392a9-CPH
alt-svc: h3=":443"; ma=86400
X-Firefox-Spdy: h2

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Archive (2)

Detections

JavaScript (0)

HTTP Transactions (1)

URL User Request GET HTTP/2

IP

ASN

Certificate

File type

Size

Hash

HTTP Headers