Report - 18264462.cst.lightpath.net/as/wapi/TurboMeetingStarter.exe?role=attendee&name=&email=&meeting_id=&user_password=&meeting_password=&meeting_type=0&pass

Report Overview

Visited public
2023-12-08 00:32:48
Tags
URL
18264462.cst.lightpath.net/as/wapi/TurboMeetingStarter.exe?role=attendee&name=&email=&meeting_id=&user_password=&meeting_password=&meeting_type=0&pass_through=&ram=1699596579&plst=
Finishing URL
about:privatebrowsing
IP / ASN
24.38.68.98
#6128 CABLE-NET-1
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
ocsp.starfieldtech.com	6616	2003-03-06	2012-06-22 20:08:50	2023-12-07 05:10:23	346 B	2.7 kB	192.124.249.24
18264462.cst.lightpath.net	unknown	1997-08-21	2022-08-25 15:18:26	2023-12-03 02:01:15	562 B	790 kB	24.38.68.98

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2023-12-08 00:32:37	high	24.38.68.98	Client IP	ET POLICY PE EXE or DLL Windows file download HTTP
2023-12-08 00:32:37	low	24.38.68.98	Client IP	ET INFO EXE - Served Inline HTTP

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2023-12-08	medium	18264462.cst.lightpath.net/as/wapi/TurboMeetingStarter.exe?role=attendee&name=&email=&meeting_id=&user_password=&meeting_password=&meeting_type=0&pass_through=&ram=1699596579&plst=	files - file ~tmp01925d3f.exe

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Files detected

URL
18264462.cst.lightpath.net/as/wapi/TurboMeetingStarter.exe?role=attendee&name=&email=&meeting_id=&user_password=&meeting_password=&meeting_type=0&pass_through=&ram=1699596579&plst=
IP
24.38.68.98
ASN
#6128 CABLE-NET-1

File type
PE32 executable (GUI) Intel 80386, for MS Windows\012- data
Size
790 kB (790064 bytes)
Hash
fd575a36c86d3ec3331e3b7cf3c68a5f
23431e65c27dc17ea222aa06b14559372ea53981
e784e1ae377e53c8fe1456490da379407dd659151769af375f2131ba3ce5b5b8

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
VirusTotal	suspicious	VirusTotal - Scan result 3/72

JavaScript (0)

HTTP Transactions (2)

URL IP Response Size

ocsp.starfieldtech.com/

192.124.249.24

2.1 kB

URL
ocsp.starfieldtech.com/
IP
192.124.249.24:0
ASN
#30148 SUCURI-SEC

File type
data
Size
2.1 kB (2148 bytes)
Hash
3410eb798551ba03c953e2f0808f36f4
7eb28a6a512a21f14f01ec3ede06522e43a6428c
d96286bd80c35ff75d33d62e55ce4fc7d5d5e8456802b12de55c3666117001c7

HTTP Headers

POST / HTTP/1.1
Host: ocsp.starfieldtech.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 75
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Sucuri/Cloudproxy
Date: Fri, 08 Dec 2023 00:32:30 GMT
Content-Type: application/ocsp-response
Content-Length: 2148
Connection: keep-alive
X-Sucuri-ID: 19024
Content-Transfer-Encoding: Binary
Cache-Control: public, no-transform, must-revalidate
Last-Modified: Thu, 07 Dec 2023 14:01:35 GMT
Expires: Fri, 08 Dec 2023 14:01:35 GMT
ETag: "7eb28a6a512a21f14f01ec3ede06522e43a6428c"
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"

18264462.cst.lightpath.net/as/wapi/TurboMeetingStarter.exe?role=attendee&name=&email=&meeting_id=&user_password=&meeting_password=&meeting_type=0&pass_through=&ram=1699596579&plst=

24.38.68.98

790 kB

URL User Request GET
18264462.cst.lightpath.net/as/wapi/TurboMeetingStarter.exe?role=attendee&name=&email=&meeting_id=&user_password=&meeting_password=&meeting_type=0&pass_through=&ram=1699596579&plst=
IP
24.38.68.98:0
ASN
#6128 CABLE-NET-1

File type
PE32 executable (GUI) Intel 80386, for MS Windows\012- data
Size
790 kB (790064 bytes)
Hash
fd575a36c86d3ec3331e3b7cf3c68a5f
23431e65c27dc17ea222aa06b14559372ea53981
e784e1ae377e53c8fe1456490da379407dd659151769af375f2131ba3ce5b5b8

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
VirusTotal	suspicious	VirusTotal - Scan result 3/72

NIDS	Severity	Alert
suricata	high	ET POLICY PE EXE or DLL Windows file download HTTP
suricata	low	ET INFO EXE - Served Inline HTTP

HTTP Headers

GET /as/wapi/TurboMeetingStarter.exe?role=attendee&name=&email=&meeting_id=&user_password=&meeting_password=&meeting_type=0&pass_through=&ram=1699596579&plst= HTTP/1.1
Host: 18264462.cst.lightpath.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.0 200 OK
Date: Thu, 07 Dec 2023 16:32:31 GMT
Cache-Control: no-store
CAccept-Ranges: bytes
Connection: close
Content-Type: application/octet-stream
Last-Modified: Thu, 07 Dec 2023 16:32:31 GMT
Content-Length: 790064
content-disposition: inline; filename=TurboMeetingStarter.exe
X-Frame-Options: SAMEORIGIN

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Detections

JavaScript (0)

HTTP Transactions (2)

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL User Request GET

IP

ASN

File type

Size

Hash

Detections

HTTP Headers