{"report_id":"1c06d785-d39d-4546-a3b3-7b47c337f7a7","version":6,"status":"done","tags":[],"date":"2024-12-10T23:46:30Z","url":{"schema":"http","addr":"huyanhnongdo.io.vn/XClient.bin","fqdn":"huyanhnongdo.io.vn","domain":"io.vn","tld":"vn"},"ip":{"addr":"103.200.23.126","port":0,"asn":135905,"as":"VIETNAM POSTS AND TELECOMMUNICATIONS GROUP","country":"Vietnam","country_code":"VN"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":["urlhaus"],"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-18T23:46:30Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"huyanhnongdo.io.vn","ip":{"addr":"103.200.23.126","port":443,"asn":135905,"as":"VIETNAM POSTS AND TELECOMMUNICATIONS GROUP","country":"Vietnam","country_code":"VN"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2024-10-18T15:16:47.003178Z","last_seen":"2024-12-03T02:32:32.208548Z","alert_count":2,"request_count":1,"received_data":66227,"sent_data":484,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-12-10","alert":"Windows.Trojan.Donutloader","trigger":"huyanhnongdo.io.vn/XClient.bin","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-15","fingerprint":"6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7","id":"f40e3759-2531-4e21-946a-fb55104814c0","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_Donutloader_f40e3759","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Donutloader"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"huyanhnongdo.io.vn/XClient.bin","fqdn":"huyanhnongdo.io.vn","domain":"io.vn","tld":"vn"},"ip":{"addr":"103.200.23.126","port":443,"asn":135905,"as":"VIETNAM POSTS AND TELECOMMUNICATIONS GROUP","country":"Vietnam","country_code":"VN"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-12-10T23:46:05.141Z","timestamp":1733874365141,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"huyanhnongdo.io.vn","organization":""},"issuer":{"commonName":"R10","organization":"Let's Encrypt"},"validity":{"start":"Mon, 09 Dec 2024 18:32:46 GMT","end":"Sun, 09 Mar 2025 18:32:45 GMT"},"fingerprint":{"sha1":"1F:14:AC:7D:64:6F:9B:1F:95:1F:C1:B6:92:95:C6:73:A5:1B:9D:1C","sha256":"65:DE:B3:09:BE:35:35:DA:0D:0C:4C:C4:2E:EB:09:6C:EF:51:A7:26:5B:0D:77:C0:90:9F:67:68:6E:DA:10:9D"}}},"request":{"raw":"GET /XClient.bin HTTP/1.1\r\nHost: huyanhnongdo.io.vn\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncontent-type: application/octet-stream\r\nlast-modified: Mon, 12 Aug 2024 11:49:34 GMT\r\naccept-ranges: bytes\r\ncontent-length: 66005\r\ndate: Tue, 10 Dec 2024 23:46:05 GMT\r\nserver: LiteSpeed\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":66005,"size_decoded":66005,"mime_type":"application/octet-stream","magic":"data","md5":"78db04ba2e9e9bffd0169fd9728f3660","sha1":"c9489a1a6415a909ca715f1fecb182b95991f625","sha256":"061990c144e212330ff5615ea7ab26e4b6656d01f5d7baa6f5994ae3ae1eb399","sha512":"590af929dfd8883b4a9c3557354e88e01f3f4a8ba5159fd965d803bde2beaa54469c2212c4387fce930b35498483017724eda6058c60f859da464b4a849e1603","ssdeep":"1536:9bSWlnYBhtVzKQ6FPg93caPLXmsUyN4/7cS7i9u6yeNejY6yFOB:9bSqYztVl6FPg9jLX+7cS7DZW6yFOB","tlshash":"d153d0a2f2b281d0ba71c052bc64a71bffb5318e85199597ab445d90a733e20bb0d7dc","first_seen":"2024-08-19T13:22:57.818484Z","last_seen":"2025-01-28T09:15:41.414864Z","times_seen":12,"resource_available":false,"data":null}},"time_used":3204,"timings":{"blocked":1252,"dns":631,"connect":233,"send":0,"wait":232,"receive":464,"ssl":386},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-12-10","alert":"Windows.Trojan.Donutloader","trigger":"huyanhnongdo.io.vn/XClient.bin","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-09-15","fingerprint":"6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7","id":"f40e3759-2531-4e21-946a-fb55104814c0","last_modified":"2022-01-13","license":"Elastic License v2","os":"windows","rule":"Windows_Trojan_Donutloader_f40e3759","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Donutloader"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"","description":"ClamAV","scan_date":"2024-12-10","alert":"Win.Loader.DonutLoader-10036546-0","trigger":"061990c144e212330ff5615ea7ab26e4b6656d01f5d7baa6f5994ae3ae1eb399","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null}}]}