{"report_id":"1872fccb-b09e-4f23-8455-cb01c0beea69","version":6,"status":"done","tags":[],"date":"2023-11-19T06:40:49Z","url":{"schema":"http","addr":"paste.ee/d/i7gEv/0","fqdn":"paste.ee","domain":"paste.ee","tld":"ee"},"ip":{"addr":"188.114.97.1","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"Colombia","country_code":"CO"},"final":{"url":{"schema":"https","addr":"paste.ee/d/i7gEv/0","fqdn":"paste.ee","domain":"paste.ee","tld":"ee"},"title":"paste.ee/d/i7gEv/0"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T12:42:11Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"paste.ee","ip":{"addr":"188.114.97.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"Colombia","country_code":"CO"},"domain_registered":"2012-06-14","domain_rank":528416,"first_seen":"2013-05-07 19:06:50","last_seen":"2023-11-18 20:41:34","alert_count":1,"request_count":2,"received_data":103012,"sent_data":898,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2023-11-19T06:40:33Z","timestamp":1700376033,"ip_dst":{"addr":"188.114.97.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"Colombia","country_code":"CO"},"ip_src":{"addr":"Client IP","port":60198,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"ET POLICY Pastebin-style Service (paste .ee) in TLS SNI","source":"{\"timestamp\":\"2023-11-19T06:40:33.324723+0000\",\"flow_id\":597162285190391,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.84\",\"src_port\":60198,\"dest_ip\":\"188.114.97.1\",\"dest_port\":443,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2034978,\"rev\":1,\"signature\":\"ET POLICY Pastebin-style Service (paste .ee) in TLS SNI\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_01_26\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_01_26\"]}},\"tls\":{\"sni\":\"paste.ee\",\"version\":\"TLS 1.3\",\"ja3\":{\"hash\":\"650c82854aed91a22996035b295a0c3e\",\"string\":\"771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-28-21,29-23-24-25-256-257,0\"},\"ja3s\":{\"hash\":\"eb1d94daa7e0344597e756a1fb6e7054\",\"string\":\"771,4865,51-43\"}},\"app_proto\":\"tls\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":789,\"bytes_toclient\":5569,\"start\":\"2023-11-19T06:40:33.314615+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-11-19","alert":"Detects an base64 encoded executable with reversed characters","trigger":"paste.ee/d/i7gEv/0","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-06","description":"Detects an base64 encoded executable with reversed characters","hash1":"7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8","reference":"Internal Research","rule":"SUSP_Reversed_Base64_Encoded_EXE","score":"80"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"paste.ee/d/i7gEv/0","fqdn":"paste.ee","domain":"paste.ee","tld":"ee"},"ip":{"addr":"188.114.97.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"Colombia","country_code":"CO"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-11-19T06:40:33.319Z","timestamp":1700376033319,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"paste.ee","organization":""},"issuer":{"commonName":"GTS CA 1P5","organization":"Google Trust Services LLC"},"validity":{"start":"Mon, 30 Oct 2023 14:26:29 GMT","end":"Sun, 28 Jan 2024 14:26:28 GMT"},"fingerprint":{"sha1":"75:09:97:90:38:AD:DD:CC:0D:1B:D8:8B:02:AB:5D:A9:3B:7A:1F:1D","sha256":"32:C8:13:4E:D3:AD:91:D5:44:7A:A1:07:73:AD:D1:BB:A5:95:58:A0:3F:24:61:62:C8:BE:55:3F:1E:8B:C5:93"}}},"request":{"raw":"GET /d/i7gEv/0 HTTP/1.1\r\nHost: paste.ee\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Sun, 19 Nov 2023 06:40:32 GMT\r\ncontent-type: text/plain; charset=utf-8\r\ncache-control: max-age=2592000\r\nstrict-transport-security: max-age=63072000\r\nx-frame-options: DENY\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\ncontent-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'\r\ncf-cache-status: DYNAMIC\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=1gbzP6P6bqd2sUSrSBzPIUVqNZa%2B%2BnxX0nfE03bNe%2Bv%2BzVboTE66%2B3OWUVGwSpJL8D74wGl4bHLxv5M2CQJFq0CdF6xQXCQE2yI%2BcrHOVhb6CEAq5BYRUpccHg%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nserver: cloudflare\r\ncf-ray: 82867657eeb656bf-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":101036,"size_decoded":0,"mime_type":"text/plain; charset=utf-8","magic":"ASCII text, with very long lines (65536), with no line terminators","md5":"1558df28b8945072ade3a2912f351a36","sha1":"e77c1360d0f7ada8422d2932dfe85e21945646c1","sha256":"bf62d0dc2f0eefea9cebeef55f7c7ec7ca15d41c38b14e48ef76c64a440516c1","sha512":"41386899cc89326fc093e96e82daaab33fa50f2ab6559f2f144a2c572d169ead13e06170ec58360e66afd3cc6b454305856051b85a69b533a52ce78da6dc5ba6","ssdeep":"3072:UuDGRwFva+YiA6518vUef7IxtX5OxtYAaro:QwJa+fWUefCX5OxtYNo","tlshash":"33a35bf64216ae9f4b2b0d61e90c1320ecad64b763d494e8ff490a925fb5458cdb4cf8","first_seen":"2023-11-19T07:40:49Z","last_seen":"2023-11-19T07:40:49Z","times_seen":1,"resource_available":false,"data":null}},"time_used":558,"timings":{"blocked":12,"dns":0,"connect":2,"send":0,"wait":530,"receive":0,"ssl":11},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2023-11-19","alert":"Detects an base64 encoded executable with reversed characters","trigger":"paste.ee/d/i7gEv/0","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2020-04-06","description":"Detects an base64 encoded executable with reversed characters","hash1":"7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8","reference":"Internal Research","rule":"SUSP_Reversed_Base64_Encoded_EXE","score":"80"}}],"urlquery":null}},{"url":{"schema":"https","addr":"paste.ee/favicon.ico","fqdn":"paste.ee","domain":"paste.ee","tld":"ee"},"ip":{"addr":"188.114.97.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"Colombia","country_code":"CO"},"is_navigation_request":false,"resource_type":"img","requested_by":"https://paste.ee/d/i7gEv/0","date":"2023-11-19T06:40:34.261Z","timestamp":1700376034261,"http_version":"HTTP/3","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"paste.ee","organization":""},"issuer":{"commonName":"GTS CA 1P5","organization":"Google Trust Services LLC"},"validity":{"start":"Mon, 30 Oct 2023 14:26:29 GMT","end":"Sun, 28 Jan 2024 14:26:28 GMT"},"fingerprint":{"sha1":"75:09:97:90:38:AD:DD:CC:0D:1B:D8:8B:02:AB:5D:A9:3B:7A:1F:1D","sha256":"32:C8:13:4E:D3:AD:91:D5:44:7A:A1:07:73:AD:D1:BB:A5:95:58:A0:3F:24:61:62:C8:BE:55:3F:1E:8B:C5:93"}}},"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: paste.ee\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://paste.ee/d/i7gEv/0\r\nSec-Fetch-Dest: image\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 404 Not Found\r\ndate: Sun, 19 Nov 2023 06:40:33 GMT\r\ncontent-type: text/html\r\ncache-control: max-age=14400\r\ncf-cache-status: EXPIRED\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=rDeADVm6%2B1wZbdXj1CpOBgeDStz1i%2Bf4oP2UTX4OE2rjCH9xZLed%2BaDbKj6vCI8Hn3DHzwNTFMpgzqD6uKlmyvL0pRZpQX4K4TAX3pmJiylw0e0PF%2FIJAcbuvA%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nvary: Accept-Encoding\r\nserver: cloudflare\r\ncf-ray: 8286765dcfee0b51-OSL\r\ncontent-encoding: br\r\nalt-svc: h3=\":443\"; ma=86400\r\n\r\n","headers":null,"cookies":null,"status_code":"404","status_text":"Not Found","fingerprints":null,"data":{"size":155,"size_decoded":0,"mime_type":"text/html","magic":"HTML document text\\012- HTML document text\\012- HTML document, ASCII text, with no line terminators","md5":"b3eeccc1a8b43c71bfbd4d7dc6138cf3","sha1":"4c85c157342951b7b96109b2fe021fb9ff7df322","sha256":"7de2fef142197e68c53779112d9b83a9468b36d90d896b6315ea43a26353fae5","sha512":"f30c34aa67811241461075419b60cc7dba4bc9398fd189f7ff52ab0e5f95ce4a098979b9e391c31e6088fda0828e4906cca8d1484e11f86da23d9f4966e7ce56","ssdeep":"","tlshash":"a6c08c4c3d23b144865319e113c33882c08f93f7a4da4831088d8253b0ce2aa98eb3d5","first_seen":"2023-04-05T16:06:26Z","last_seen":"2024-10-23T16:07:17.923145Z","times_seen":857,"resource_available":false,"data":null}},"time_used":526,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":526,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}