{"report_id":"19eb09f3-6e40-41f9-a99f-a31e89b16f1e","version":6,"status":"done","tags":[],"date":"2024-10-14T10:14:09Z","url":{"schema":"http","addr":"107.175.73.38/ransomware.exe","fqdn":"107.175.73.38","domain":"107.175.73.38","tld":""},"ip":{"addr":"107.175.73.38","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2026-12-23T10:14:09Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"107.175.73.38","ip":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":6,"request_count":1,"received_data":259982,"sent_data":398,"comment":"","tags":null,"fingerprints":null},{"fqdn":"r10.o.lencr.org","ip":{"addr":"23.36.76.226","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-06T21:45:11Z","last_seen":"2024-10-13T11:01:32.822962Z","alert_count":0,"request_count":4,"received_data":3552,"sent_data":1308,"comment":"","tags":null,"fingerprints":null},{"fqdn":"r11.o.lencr.org","ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-07T07:43:57Z","last_seen":"2024-10-13T11:01:32.826898Z","alert_count":0,"request_count":4,"received_data":3552,"sent_data":1308,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"90109ee185f4739ea25b371fb580576f","sha1":"3a04885b481e61e184375ffaad685d7c0ac9e5ce","sha256":"2378b573c7799fac6884657f5df6d524f47aed4e5348c9104a4943ce6276653b","sha512":"7dc6ddf6c790c9d8f3cf5c851b18672aae86797796720674cf830b5054c0b169d0619384f31b0be7a4d4cd9d51f78f4d69a00ac2756592b447164e5dea3c9937","magic":"PE32+ executable (console) x86-64, for MS Windows, 20 sections","size":259733,"url":{"schema":"http","addr":"107.175.73.38/ransomware.exe","fqdn":"107.175.73.38","domain":"107.175.73.38","tld":""},"ip":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-10-14","alert":"Scan result 41/72","trigger":"2378b573c7799fac6884657f5df6d524f47aed4e5348c9104a4943ce6276653b","verdict":"malicious","severity":"","comment":"malicious - 41/72","link":"https://www.virustotal.com/gui/file/2378b573c7799fac6884657f5df6d524f47aed4e5348c9104a4943ce6276653b","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"ip_src":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2024-10-14T10:13:45.056394+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.13\",\"src_port\":33044,\"dest_ip\":\"107.175.73.38\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1197},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":7,\"bytes_toserver\":672,\"bytes_toclient\":7710,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"severity":"low","alert":"ET INFO Packed Executable Download","source":"{\"timestamp\":\"2024-10-14T10:13:45.056466+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"107.175.73.38\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":33044,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2014819,\"rev\":5,\"signature\":\"ET INFO Packed Executable Download\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2012_05_30\"],\"performance_impact\":[\"Moderate\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_08\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":6989},\"files\":[{\"filename\":\"/ransomware.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":6989,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":8,\"bytes_toserver\":936,\"bytes_toclient\":9224,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2024-10-14T10:13:45.634483+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"107.175.73.38\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":33044,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43189},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1728,\"bytes_toclient\":47074,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2024-10-14T10:13:45.634483+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"107.175.73.38\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":33044,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43189},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1728,\"bytes_toclient\":47074,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-14","alert":"Sinkholed","trigger":"107.175.73.38","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.76.226","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:43.175768884Z","timestamp":1728900823175,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"1839E2EB73C24C27FDA8E6BF4715B73CE52CC1C059BD1DFD9B739E71409CDA3B\"\r\nLast-Modified: Mon, 14 Oct 2024 08:07:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=16299\r\nExpires: Mon, 14 Oct 2024 14:45:22 GMT\r\nDate: Mon, 14 Oct 2024 10:13:43 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"8c678121da7ea2edc90ea014cf3552af","sha1":"3d76ebd2a3aba8dab56e3c15310551e9b226e249","sha256":"1839e2eb73c24c27fda8e6bf4715b73ce52cc1c059bd1dfd9b739e71409cda3b","sha512":"d65acc8dbb99bfcaf08fc62c6a72e2c21b0766ca87743ea61c20036d4aa917dd728dcfe88acff4b1ceab8fcfa93a4590addd511360c68b0a8bf7b478338b4163","ssdeep":"","tlshash":"c9f005e56297784047eb680715fcf035bf1159b434043bf4b4c592769c13bf458440cc","first_seen":"2024-10-14T08:50:39.802212Z","last_seen":"2024-10-15T07:44:44.950369Z","times_seen":9989,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.76.226","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:43.230556957Z","timestamp":1728900823230,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"DD3368B109660E2AD4D41E0454B8A57636C39B539E9E20DA7CEBFFDB1ED3EB09\"\r\nLast-Modified: Mon, 14 Oct 2024 07:57:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=16385\r\nExpires: Mon, 14 Oct 2024 14:46:48 GMT\r\nDate: Mon, 14 Oct 2024 10:13:43 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"55ba07a71a62bbad2ddcc748da0561df","sha1":"93e163eae818fff5965c4e08f77a30009a4c85d4","sha256":"dd3368b109660e2ad4d41e0454b8a57636c39b539e9e20da7cebffdb1ed3eb09","sha512":"ffba71a465813fcb2a35fd14719d0e693ae7f5b69d838abde88a0b159aff1aa4d1f16de3a9d681cd771d1eb87f492dbdabed73c7e8b93336c6dabbdf3d62a2fc","ssdeep":"","tlshash":"f9f00e5721f1fa1267f809057eb2de370e24afae360c65c206c84ff66852bf9d10881a","first_seen":"2024-10-14T08:49:13.313976Z","last_seen":"2024-10-14T14:16:26.621911Z","times_seen":2270,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.76.226","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:43.658087569Z","timestamp":1728900823658,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"8B02810ECC47D5F71219990370D9538BFFF6E45C5FF895E7A3C60392423C5ADB\"\r\nLast-Modified: Sat, 12 Oct 2024 08:15:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=16715\r\nExpires: Mon, 14 Oct 2024 14:52:18 GMT\r\nDate: Mon, 14 Oct 2024 10:13:43 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"0047c90c620c7ae5d6e899dbcd92d7f9","sha1":"b40765060b59aa1231b7e4c552c7657c957a505e","sha256":"8b02810ecc47d5f71219990370d9538bfff6e45c5ff895e7a3c60392423c5adb","sha512":"3bfce57c46f25b72e75082b2b1c77e10307f154fce4ed16165c524440682111a59a9ea79beceee72bffd2797754aa76038d78fa618bf05492bbdcb24f6613ff1","ssdeep":"","tlshash":"6af0548612e639a073730726bc38ee2ebc33a9ad748a125121c383b03811bf843cc05d","first_seen":"2024-10-12T10:17:26Z","last_seen":"2024-10-14T14:16:26.622764Z","times_seen":14152,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.76.226","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:43.800775966Z","timestamp":1728900823800,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"5438EE24C6B0170E7FA46E12C21B8A3BAC1EB29BC86B1810A267DD3C72EA95AE\"\r\nLast-Modified: Mon, 14 Oct 2024 06:24:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=16397\r\nExpires: Mon, 14 Oct 2024 14:47:00 GMT\r\nDate: Mon, 14 Oct 2024 10:13:43 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"7d3f40edab25e8d6b700410399e281dd","sha1":"5abaaed5e9ea61626fd4d67b7c817195302b43a8","sha256":"5438ee24c6b0170e7fa46e12c21b8a3bac1eb29bc86b1810a267dd3c72ea95ae","sha512":"14e9e79733fcb18f467994a11465284192cd1753a65898b27dedec4bfe04cb235a181a5c9362c490e8e6b5bf84797e071646da7a039e9eb6b5f7baca44e2720a","ssdeep":"","tlshash":"6af09ed60e8ab90567634f613821d525bdb0fae668d2a69657e013f1306affcb9c900c","first_seen":"2024-10-14T08:47:36.826639Z","last_seen":"2024-10-15T06:25:22.421078Z","times_seen":6645,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:45.785406373Z","timestamp":1728900825785,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"49A0D47BC68BECFB87EFB3D9271F71A04B3FB324F50BB793A9D012DBE3F0030E\"\r\nLast-Modified: Sat, 12 Oct 2024 11:02:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=17745\r\nExpires: Mon, 14 Oct 2024 15:09:30 GMT\r\nDate: Mon, 14 Oct 2024 10:13:45 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"241105d8fc709e6bd1be3519f5b7866f","sha1":"fa41e9781f5c9c82f9a3feb36e44ed02216c1011","sha256":"49a0d47bc68becfb87efb3d9271f71a04b3fb324f50bb793a9d012dbe3f0030e","sha512":"45ac86b4cc2b756348e5864bd11b313562bcc125d62da720b4702bc392770c6839cf6cfbb40e5d625efb054f2891727d656e623f17dcbb77cddbfe209b5e26bb","ssdeep":"","tlshash":"60f0c90539247d5497aa86be8a90f02b29679ee428a142ca61e042e62c06bfe0688848","first_seen":"2024-10-13T01:25:03.891565Z","last_seen":"2024-10-14T19:59:47.395071Z","times_seen":5289,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:45.786360391Z","timestamp":1728900825786,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"49A0D47BC68BECFB87EFB3D9271F71A04B3FB324F50BB793A9D012DBE3F0030E\"\r\nLast-Modified: Sat, 12 Oct 2024 11:02:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=17745\r\nExpires: Mon, 14 Oct 2024 15:09:30 GMT\r\nDate: Mon, 14 Oct 2024 10:13:45 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"241105d8fc709e6bd1be3519f5b7866f","sha1":"fa41e9781f5c9c82f9a3feb36e44ed02216c1011","sha256":"49a0d47bc68becfb87efb3d9271f71a04b3fb324f50bb793a9d012dbe3f0030e","sha512":"45ac86b4cc2b756348e5864bd11b313562bcc125d62da720b4702bc392770c6839cf6cfbb40e5d625efb054f2891727d656e623f17dcbb77cddbfe209b5e26bb","ssdeep":"","tlshash":"60f0c90539247d5497aa86be8a90f02b29679ee428a142ca61e042e62c06bfe0688848","first_seen":"2024-10-13T01:25:03.891565Z","last_seen":"2024-10-14T19:59:47.395071Z","times_seen":5289,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:45.787239739Z","timestamp":1728900825787,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"49A0D47BC68BECFB87EFB3D9271F71A04B3FB324F50BB793A9D012DBE3F0030E\"\r\nLast-Modified: Sat, 12 Oct 2024 11:02:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=17745\r\nExpires: Mon, 14 Oct 2024 15:09:30 GMT\r\nDate: Mon, 14 Oct 2024 10:13:45 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"241105d8fc709e6bd1be3519f5b7866f","sha1":"fa41e9781f5c9c82f9a3feb36e44ed02216c1011","sha256":"49a0d47bc68becfb87efb3d9271f71a04b3fb324f50bb793a9d012dbe3f0030e","sha512":"45ac86b4cc2b756348e5864bd11b313562bcc125d62da720b4702bc392770c6839cf6cfbb40e5d625efb054f2891727d656e623f17dcbb77cddbfe209b5e26bb","ssdeep":"","tlshash":"60f0c90539247d5497aa86be8a90f02b29679ee428a142ca61e042e62c06bfe0688848","first_seen":"2024-10-13T01:25:03.891565Z","last_seen":"2024-10-14T19:59:47.395071Z","times_seen":5289,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-14T10:13:45.78810894Z","timestamp":1728900825788,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"49A0D47BC68BECFB87EFB3D9271F71A04B3FB324F50BB793A9D012DBE3F0030E\"\r\nLast-Modified: Sat, 12 Oct 2024 11:02:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=17745\r\nExpires: Mon, 14 Oct 2024 15:09:30 GMT\r\nDate: Mon, 14 Oct 2024 10:13:45 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"241105d8fc709e6bd1be3519f5b7866f","sha1":"fa41e9781f5c9c82f9a3feb36e44ed02216c1011","sha256":"49a0d47bc68becfb87efb3d9271f71a04b3fb324f50bb793a9d012dbe3f0030e","sha512":"45ac86b4cc2b756348e5864bd11b313562bcc125d62da720b4702bc392770c6839cf6cfbb40e5d625efb054f2891727d656e623f17dcbb77cddbfe209b5e26bb","ssdeep":"","tlshash":"60f0c90539247d5497aa86be8a90f02b29679ee428a142ca61e042e62c06bfe0688848","first_seen":"2024-10-13T01:25:03.891565Z","last_seen":"2024-10-14T19:59:47.395071Z","times_seen":5289,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"107.175.73.38/ransomware.exe","fqdn":"107.175.73.38","domain":"107.175.73.38","tld":""},"ip":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-10-14T10:13:44.479Z","timestamp":1728900824479,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /ransomware.exe HTTP/1.1\r\nHost: 107.175.73.38\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Mon, 14 Oct 2024 10:13:44 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 259733\r\nLast-Modified: Wed, 09 Oct 2024 12:26:08 GMT\r\nConnection: keep-alive\r\nETag: \"67067660-3f695\"\r\nAccept-Ranges: bytes\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":259733,"size_decoded":259733,"mime_type":"application/octet-stream","magic":"PE32+ executable (console) x86-64, for MS Windows, 20 sections","md5":"90109ee185f4739ea25b371fb580576f","sha1":"3a04885b481e61e184375ffaad685d7c0ac9e5ce","sha256":"2378b573c7799fac6884657f5df6d524f47aed4e5348c9104a4943ce6276653b","sha512":"7dc6ddf6c790c9d8f3cf5c851b18672aae86797796720674cf830b5054c0b169d0619384f31b0be7a4d4cd9d51f78f4d69a00ac2756592b447164e5dea3c9937","ssdeep":"3072:vdaHeHGxK5YYBraSFN49TTcNo1nEhgm1sgIkDHQtoW1CftZiuvzuz3Ta6cri10LL:v0aIKpaLquEWSSmtc3Ta6crqIIF+","tlshash":"12444d86efcabdd6c615523199af83293334fad117874b172d2872341e07ae0fe4a746","first_seen":"2024-10-12T13:57:24.195963Z","last_seen":"2024-10-14T10:14:14.200572Z","times_seen":3,"resource_available":false,"data":null}},"time_used":2327,"timings":{"blocked":277,"dns":0,"connect":281,"send":0,"wait":301,"receive":1468,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"ip_src":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2024-10-14T10:13:45.056394+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.13\",\"src_port\":33044,\"dest_ip\":\"107.175.73.38\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1197},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":7,\"bytes_toserver\":672,\"bytes_toclient\":7710,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"severity":"low","alert":"ET INFO Packed Executable Download","source":"{\"timestamp\":\"2024-10-14T10:13:45.056466+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"107.175.73.38\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":33044,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2014819,\"rev\":5,\"signature\":\"ET INFO Packed Executable Download\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2012_05_30\"],\"performance_impact\":[\"Moderate\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_08\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":6989},\"files\":[{\"filename\":\"/ransomware.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":6989,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":8,\"pkts_toclient\":8,\"bytes_toserver\":936,\"bytes_toclient\":9224,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2024-10-14T10:13:45.634483+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"107.175.73.38\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":33044,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43189},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1728,\"bytes_toclient\":47074,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-14T10:13:45Z","timestamp":1728900825,"ip_dst":{"addr":"172.18.0.13","port":33044,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"107.175.73.38","port":80,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2024-10-14T10:13:45.634483+0000\",\"flow_id\":110006709534442,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"107.175.73.38\",\"src_port\":80,\"dest_ip\":\"172.18.0.13\",\"dest_port\":33044,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"107.175.73.38\",\"url\":\"/ransomware.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43189},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":33,\"bytes_toserver\":1728,\"bytes_toclient\":47074,\"start\":\"2024-10-14T10:13:44.474858+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-14","alert":"Sinkholed","trigger":"107.175.73.38","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-10-14","alert":"Scan result 41/72","trigger":"2378b573c7799fac6884657f5df6d524f47aed4e5348c9104a4943ce6276653b","verdict":"malicious","severity":"","comment":"malicious - 41/72","link":"https://www.virustotal.com/gui/file/2378b573c7799fac6884657f5df6d524f47aed4e5348c9104a4943ce6276653b","meta":null}],"urlquery":null}}]}