{"report_id":"26a84be7-f050-4fd1-9625-b94c69531d80","version":6,"status":"done","tags":["dyndns"],"date":"2024-11-29T20:57:16Z","url":{"schema":"http","addr":"nine.ddns.net/x/Registry.exe","fqdn":"nine.ddns.net","domain":"nine.ddns.net","tld":"ddns.net"},"ip":{"addr":"103.230.121.124","port":0,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-07T20:57:16Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"nine.ddns.net","ip":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"domain_registered":"2001-06-28","domain_rank":0,"first_seen":"2024-11-26T00:32:12.216684Z","last_seen":"2024-11-26T00:32:12.216684Z","alert_count":10,"request_count":1,"received_data":83270,"sent_data":398,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"b9d926e45876e79e38406d31fca91cf5","sha1":"d92bda449d795e48293a8b41104b00eb01ae5214","sha256":"e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","sha512":"1624845b6728e4f194b62b9104d1f1af41f7882e861407066738c6f4513f83e50f9c95b60814b7c7fbcbd84fb4260951e370c74d57087959c5d82c616e48890a","magic":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":82944,"url":{"schema":"http","addr":"nine.ddns.net/x/Registry.exe","fqdn":"nine.ddns.net","domain":"nine.ddns.net","tld":"ddns.net"},"ip":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"RussianPanda public YARA rules","scan_date":"2024-11-29","alert":"Detects XWorm RAT","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/RussianPanda95/Yara-Rules","meta":{"author":"RussianPanda","date":"3/11/2024","description":"Detects XWorm RAT","hash":"fc422800144383ef6e2e0eee37e7d6ba","rule":"win_mal_XWorm"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"EXE_RAT_XWorm_April2024","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"Credits":"@ShanHolo for the discovery of Open Dir serving XWorm RAT and for sharing the malware hash","Description":"Detects XWorm RAT malware based on the matched strings","File_Hash":"e761f2d9049734373c12c97aa557183081403e792b40028c410e4a6c0646c2b8","Reference":"https://twitter.com/ShanHolo/status/1776550052871242089","author":"Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell","date":"2024-04-06","malpedia_family":"win.xworm","rule":"EXE_RAT_XWorm_April2024","yarahub_author_twitter":"@RustyNoob619","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6b438a52d60887a534e6e38f72ededff","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"dfd44930-7deb-4458-ab22-7a6f122e2589"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-29","alert":"Scan result 49/59","trigger":"e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","verdict":"malicious","severity":"","comment":"malicious - 49/59","link":"https://www.virustotal.com/gui/file/e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"b9d926e45876e79e38406d31fca91cf5","sha1":"d92bda449d795e48293a8b41104b00eb01ae5214","sha256":"e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","sha512":"1624845b6728e4f194b62b9104d1f1af41f7882e861407066738c6f4513f83e50f9c95b60814b7c7fbcbd84fb4260951e370c74d57087959c5d82c616e48890a","magic":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":82944,"url":{"schema":"http","addr":"nine.ddns.net/x/Registry.exe","fqdn":"nine.ddns.net","domain":"nine.ddns.net","tld":"ddns.net"},"ip":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"RussianPanda public YARA rules","scan_date":"2024-11-29","alert":"Detects XWorm RAT","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/RussianPanda95/Yara-Rules","meta":{"author":"RussianPanda","date":"3/11/2024","description":"Detects XWorm RAT","hash":"fc422800144383ef6e2e0eee37e7d6ba","rule":"win_mal_XWorm"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"EXE_RAT_XWorm_April2024","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"Credits":"@ShanHolo for the discovery of Open Dir serving XWorm RAT and for sharing the malware hash","Description":"Detects XWorm RAT malware based on the matched strings","File_Hash":"e761f2d9049734373c12c97aa557183081403e792b40028c410e4a6c0646c2b8","Reference":"https://twitter.com/ShanHolo/status/1776550052871242089","author":"Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell","date":"2024-04-06","malpedia_family":"win.xworm","rule":"EXE_RAT_XWorm_April2024","yarahub_author_twitter":"@RustyNoob619","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6b438a52d60887a534e6e38f72ededff","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"dfd44930-7deb-4458-ab22-7a6f122e2589"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-29","alert":"Scan result 49/59","trigger":"e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","verdict":"malicious","severity":"","comment":"malicious - 49/59","link":"https://www.virustotal.com/gui/file/e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"ip_src":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain","source":"{\"timestamp\":\"2024-11-29T20:56:52.239123+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":36372,\"dest_ip\":\"103.230.121.124\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042806,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_14\"],\"deployment\":[\"Perimeter\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_03_02\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1072},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":636,\"bytes_toclient\":7336,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"ip_src":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ETPRO HUNTING EXE Request to NOIP DynDNS Domain","source":"{\"timestamp\":\"2024-11-29T20:56:52.239123+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":36372,\"dest_ip\":\"103.230.121.124\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2842563,\"rev\":1,\"signature\":\"ETPRO HUNTING EXE Request to NOIP DynDNS Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2020_05_14\"],\"deployment\":[\"Perimeter\"],\"reviewed_at\":[\"2024_03_05\"],\"signature_severity\":[\"Minor\"],\"updated_at\":[\"2020_05_14\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1072},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":636,\"bytes_toclient\":7336,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2024-11-29T20:56:52.670810+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"103.230.121.124\",\"src_port\":80,\"dest_ip\":\"172.18.0.3\",\"dest_port\":36372,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":47272},\"files\":[{\"filename\":\"/x/Registry.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":47272,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":36,\"bytes_toserver\":1662,\"bytes_toclient\":50956,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"severity":"low","alert":"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)","source":"{\"timestamp\":\"2024-11-29T20:56:52.671048+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"103.230.121.124\",\"src_port\":80,\"dest_ip\":\"172.18.0.3\",\"dest_port\":36372,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2015745,\"rev\":2,\"signature\":\"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2012_09_28\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":61272},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":46,\"bytes_toserver\":1770,\"bytes_toclient\":65496,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"RussianPanda public YARA rules","scan_date":"2024-11-29","alert":"Detects XWorm RAT","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/RussianPanda95/Yara-Rules","meta":{"author":"RussianPanda","date":"3/11/2024","description":"Detects XWorm RAT","hash":"fc422800144383ef6e2e0eee37e7d6ba","rule":"win_mal_XWorm"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"EXE_RAT_XWorm_April2024","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"Credits":"@ShanHolo for the discovery of Open Dir serving XWorm RAT and for sharing the malware hash","Description":"Detects XWorm RAT malware based on the matched strings","File_Hash":"e761f2d9049734373c12c97aa557183081403e792b40028c410e4a6c0646c2b8","Reference":"https://twitter.com/ShanHolo/status/1776550052871242089","author":"Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell","date":"2024-04-06","malpedia_family":"win.xworm","rule":"EXE_RAT_XWorm_April2024","yarahub_author_twitter":"@RustyNoob619","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6b438a52d60887a534e6e38f72ededff","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"dfd44930-7deb-4458-ab22-7a6f122e2589"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"nine.ddns.net","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"nine.ddns.net/x/Registry.exe","fqdn":"nine.ddns.net","domain":"nine.ddns.net","tld":"ddns.net"},"ip":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-29T20:56:51.808Z","timestamp":1732913811808,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /x/Registry.exe HTTP/1.1\r\nHost: nine.ddns.net\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Fri, 29 Nov 2024 20:56:52 GMT\r\nServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30\r\nLast-Modified: Mon, 18 Nov 2024 13:39:11 GMT\r\nETag: \"14400-627300aad7691\"\r\nAccept-Ranges: bytes\r\nContent-Length: 82944\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdownload\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":82944,"size_decoded":82944,"mime_type":"application/x-msdownload","magic":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","md5":"b9d926e45876e79e38406d31fca91cf5","sha1":"d92bda449d795e48293a8b41104b00eb01ae5214","sha256":"e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","sha512":"1624845b6728e4f194b62b9104d1f1af41f7882e861407066738c6f4513f83e50f9c95b60814b7c7fbcbd84fb4260951e370c74d57087959c5d82c616e48890a","ssdeep":"1536:ZVPK8pjbqLh/jSe4HYXsqlcJbDMdI6w6U/KOFrmd5HndMV:np0jS1Y3iJbDi+yOVmd5aV","tlshash":"e0837c6c77ea4125e1ff9bb42df17212ca39fb232a03d65f60c5428b0a27985cd417e9","first_seen":"2024-11-26T00:32:43.694331Z","last_seen":"2024-11-29T20:57:16.855498Z","times_seen":5,"resource_available":false,"data":null}},"time_used":1084,"timings":{"blocked":215,"dns":1,"connect":216,"send":0,"wait":217,"receive":435,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"ip_src":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain","source":"{\"timestamp\":\"2024-11-29T20:56:52.239123+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":36372,\"dest_ip\":\"103.230.121.124\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2042806,\"rev\":2,\"signature\":\"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .net Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2022_12_14\"],\"deployment\":[\"Perimeter\"],\"mitre_tactic_id\":[\"TA0011\"],\"mitre_tactic_name\":[\"Command_And_Control\"],\"mitre_technique_id\":[\"T1568\"],\"mitre_technique_name\":[\"Dynamic_Resolution\"],\"performance_impact\":[\"Low\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_03_02\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1072},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":636,\"bytes_toclient\":7336,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"ip_src":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ETPRO HUNTING EXE Request to NOIP DynDNS Domain","source":"{\"timestamp\":\"2024-11-29T20:56:52.239123+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.3\",\"src_port\":36372,\"dest_ip\":\"103.230.121.124\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2842563,\"rev\":1,\"signature\":\"ETPRO HUNTING EXE Request to NOIP DynDNS Domain\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2020_05_14\"],\"deployment\":[\"Perimeter\"],\"reviewed_at\":[\"2024_03_05\"],\"signature_severity\":[\"Minor\"],\"updated_at\":[\"2020_05_14\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1072},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":636,\"bytes_toclient\":7336,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2024-11-29T20:56:52.670810+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"103.230.121.124\",\"src_port\":80,\"dest_ip\":\"172.18.0.3\",\"dest_port\":36372,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":47272},\"files\":[{\"filename\":\"/x/Registry.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":47272,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":36,\"bytes_toserver\":1662,\"bytes_toclient\":50956,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T20:56:52Z","timestamp":1732913812,"ip_dst":{"addr":"172.18.0.3","port":36372,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"103.230.121.124","port":80,"asn":58955,"as":"Bangmod Enterprise Co., Ltd.","country":"Thailand","country_code":"TH"},"severity":"low","alert":"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)","source":"{\"timestamp\":\"2024-11-29T20:56:52.671048+0000\",\"flow_id\":2087863773777280,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"103.230.121.124\",\"src_port\":80,\"dest_ip\":\"172.18.0.3\",\"dest_port\":36372,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2015745,\"rev\":2,\"signature\":\"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2012_09_28\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"nine.ddns.net\",\"url\":\"/x/Registry.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":61272},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":25,\"pkts_toclient\":46,\"bytes_toserver\":1770,\"bytes_toclient\":65496,\"start\":\"2024-11-29T20:56:51.806272+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"RussianPanda public YARA rules","scan_date":"2024-11-29","alert":"Detects XWorm RAT","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/RussianPanda95/Yara-Rules","meta":{"author":"RussianPanda","date":"3/11/2024","description":"Detects XWorm RAT","hash":"fc422800144383ef6e2e0eee37e7d6ba","rule":"win_mal_XWorm"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"iam-py-test","date":"2022-11-19","description":"Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen","false_positives":"Files modifying Defender for legitimate purposes, files containing registry keys related to Defender (i.e. diagnostic tools)","rule":"Disable_Defender","yarahub_author_twitter":"@iam_py_test","yarahub_license":"CC0 1.0","yarahub_reference_md5":"799a7f1507e5e7328081a038987e9a6f","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"1fcd3702-cf5b-47b4-919d-6372c5412151"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"EXE_RAT_XWorm_April2024","trigger":"nine.ddns.net/x/Registry.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"Credits":"@ShanHolo for the discovery of Open Dir serving XWorm RAT and for sharing the malware hash","Description":"Detects XWorm RAT malware based on the matched strings","File_Hash":"e761f2d9049734373c12c97aa557183081403e792b40028c410e4a6c0646c2b8","Reference":"https://twitter.com/ShanHolo/status/1776550052871242089","author":"Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell","date":"2024-04-06","malpedia_family":"win.xworm","rule":"EXE_RAT_XWorm_April2024","yarahub_author_twitter":"@RustyNoob619","yarahub_license":"CC0 1.0","yarahub_reference_md5":"6b438a52d60887a534e6e38f72ededff","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"dfd44930-7deb-4458-ab22-7a6f122e2589"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"nine.ddns.net","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-29","alert":"Scan result 49/59","trigger":"e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","verdict":"malicious","severity":"","comment":"malicious - 49/59","link":"https://www.virustotal.com/gui/file/e3b1fa657566100b107510a7946025310cdaea05571c0fd475a0f27a36b78289","meta":null}],"urlquery":[{"sensor_name":"urlquery","alert":"Suspicious - DynDNS domain","verdict":"suspicious","severity":"low","comment":"","tags":["dyndns"],"meta":null}]}}]}