{"report_id":"284194e7-ff69-45a4-bcf2-64fc671a66cf","version":6,"status":"done","tags":[],"date":"2023-12-04T09:07:19Z","url":{"schema":"http","addr":"185.215.113.66/pei.exe","fqdn":"185.215.113.66","domain":"185.215.113.66","tld":""},"ip":{"addr":"185.215.113.66","port":0,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T09:13:26Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"185.215.113.66","ip":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2022-10-13 00:04:23","last_seen":"2023-10-20 05:53:23","alert_count":9,"request_count":1,"received_data":9990,"sent_data":404,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"2ea6c5e97869622dfe70d2b34daf564e","sha1":"45500603bf8093676b66f056924a71e04793827a","sha256":"5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3","sha512":"f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43","magic":"PE32 executable (GUI) Intel 80386, for MS Windows\\012- data","size":9728,"url":{"schema":"http","addr":"185.215.113.66/pei.exe","fqdn":"185.215.113.66","domain":"185.215.113.66","tld":"66"},"ip":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-11-02","alert":"Scan result 59/72","trigger":"5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3","verdict":"malicious","severity":"","comment":"malicious - 59/72","link":"https://www.virustotal.com/gui/file/5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:07Z","timestamp":1701680827,"ip_dst":{"addr":"Client IP","port":33482,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":443,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"medium","alert":"ET DROP Spamhaus DROP Listed Traffic Inbound group 21","source":"{\"timestamp\":\"2023-12-04T09:07:07.056750+0000\",\"flow_id\":885865303392586,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":443,\"dest_ip\":\"10.70.215.190\",\"dest_port\":33482,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2400020,\"rev\":3818,\"signature\":\"ET DROP Spamhaus DROP Listed Traffic Inbound group 21\",\"category\":\"Misc Attack\",\"severity\":2,\"metadata\":{\"affected_product\":[\"Any\"],\"attack_target\":[\"Any\"],\"created_at\":[\"2010_12_30\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Minor\"],\"tag\":[\"Dshield\"],\"updated_at\":[\"2023_12_01\"]}},\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":1,\"bytes_toserver\":74,\"bytes_toclient\":54,\"start\":\"2023-12-04T09:07:06.934218+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:07Z","timestamp":1701680827,"ip_dst":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"ip_src":{"addr":"Client IP","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"URLhaus Known malware download URL detected (2530828)","source":"{\"timestamp\":\"2023-12-04T09:07:07.489028+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.190\",\"src_port\":44246,\"dest_ip\":\"185.215.113.66\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":83393928,\"rev\":1,\"signature\":\"URLhaus Known malware download URL detected (2530828)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2023_02_05\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":678,\"bytes_toclient\":1594,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:07Z","timestamp":1701680827,"ip_dst":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"ip_src":{"addr":"Client IP","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2023-12-04T09:07:07.489028+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.190\",\"src_port\":44246,\"dest_ip\":\"185.215.113.66\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":8,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_09_14\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":678,\"bytes_toclient\":1594,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:07Z","timestamp":1701680827,"ip_dst":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"ip_src":{"addr":"Client IP","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile","source":"{\"timestamp\":\"2023-12-04T09:07:07.489028+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.190\",\"src_port\":44246,\"dest_ip\":\"185.215.113.66\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019714,\"rev\":12,\"signature\":\"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2014_11_15\"],\"former_category\":[\"CURRENT_EVENTS\"],\"updated_at\":[\"2020_09_16\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":678,\"bytes_toclient\":1594,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"Client IP","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_08_19\"],\"former_category\":[\"POLICY\"],\"updated_at\":[\"2017_02_01\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"Client IP","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2015_05_08\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"Client IP","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"low","alert":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2015744,\"rev\":6,\"signature\":\"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2012_09_28\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_05_03\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"Client IP","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"high","alert":"ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2853272,\"rev\":1,\"signature\":\"ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2023_02_01\"],\"former_category\":[\"MALWARE\"],\"updated_at\":[\"2023_02_01\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-12-03","alert":"Sinkholed","trigger":"185.215.113.66","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"185.215.113.66/pei.exe","fqdn":"185.215.113.66","domain":"185.215.113.66","tld":"66"},"ip":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-12-04T09:07:07.254Z","timestamp":1701680827254,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /pei.exe HTTP/1.1\r\nHost: 185.215.113.66\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Mon, 04 Dec 2023 09:07:01 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 9728\r\nLast-Modified: Wed, 16 Aug 2023 14:20:05 GMT\r\nConnection: keep-alive\r\nETag: \"64dcdb15-2600\"\r\nAccept-Ranges: bytes\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":9728,"size_decoded":0,"mime_type":"application/octet-stream","magic":"PE32 executable (GUI) Intel 80386, for MS Windows\\012- data","md5":"2ea6c5e97869622dfe70d2b34daf564e","sha1":"45500603bf8093676b66f056924a71e04793827a","sha256":"5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3","sha512":"f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43","ssdeep":"96:zM4LwN8GXhc1I+a8gnYFdj9DSYp+BYA8v7cVO15uJxGE9YUBz2qh3C7tCE4ecp:AwwNfC1TUYv9p+OF8JxTmUBzthcqp","tlshash":"50121a0abdca40b0e3a08cf057f58b4a8abe5063179672dfb7b3c5494f5039184677e5","first_seen":"2023-08-17T07:23:53Z","last_seen":"2024-12-19T16:00:50.648915Z","times_seen":292,"resource_available":false,"data":null}},"time_used":362,"timings":{"blocked":108,"dns":0,"connect":124,"send":0,"wait":127,"receive":2,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:07Z","timestamp":1701680827,"ip_dst":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"ip_src":{"addr":"10.70.215.190","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"URLhaus Known malware download URL detected (2530828)","source":"{\"timestamp\":\"2023-12-04T09:07:07.489028+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.190\",\"src_port\":44246,\"dest_ip\":\"185.215.113.66\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":83393928,\"rev\":1,\"signature\":\"URLhaus Known malware download URL detected (2530828)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2023_02_05\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":678,\"bytes_toclient\":1594,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:07Z","timestamp":1701680827,"ip_dst":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"ip_src":{"addr":"10.70.215.190","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2023-12-04T09:07:07.489028+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.190\",\"src_port\":44246,\"dest_ip\":\"185.215.113.66\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":8,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_09_14\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":678,\"bytes_toclient\":1594,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:07Z","timestamp":1701680827,"ip_dst":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"ip_src":{"addr":"10.70.215.190","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile","source":"{\"timestamp\":\"2023-12-04T09:07:07.489028+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"10.70.215.190\",\"src_port\":44246,\"dest_ip\":\"185.215.113.66\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019714,\"rev\":12,\"signature\":\"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2014_11_15\"],\"former_category\":[\"CURRENT_EVENTS\"],\"updated_at\":[\"2020_09_16\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1124},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":3,\"bytes_toserver\":678,\"bytes_toclient\":1594,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"10.70.215.190","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_08_19\"],\"former_category\":[\"POLICY\"],\"updated_at\":[\"2017_02_01\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"10.70.215.190","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"former_category\":[\"INFO\"],\"updated_at\":[\"2015_05_08\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"10.70.215.190","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"low","alert":"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2015744,\"rev\":6,\"signature\":\"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)\",\"category\":\"Misc activity\",\"severity\":3,\"metadata\":{\"created_at\":[\"2012_09_28\"],\"former_category\":[\"INFO\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2022_05_03\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-04T09:07:17Z","timestamp":1701680837,"ip_dst":{"addr":"10.70.215.190","port":44246,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"185.215.113.66","port":80,"asn":51381,"as":"1337team Limited","country":"Seychelles","country_code":"SC"},"severity":"high","alert":"ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound","source":"{\"timestamp\":\"2023-12-04T09:07:17.707649+0000\",\"flow_id\":1799649660477908,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"185.215.113.66\",\"src_port\":80,\"dest_ip\":\"10.70.215.190\",\"dest_port\":44246,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"ET.Evil\",\"ET.DROPIP\",\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2853272,\"rev\":1,\"signature\":\"ETPRO MALWARE Win32/Phorpiex Bot Executable Payload Inbound\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2023_02_01\"],\"former_category\":[\"MALWARE\"],\"updated_at\":[\"2023_02_01\"]}},\"http\":{\"hostname\":\"185.215.113.66\",\"url\":\"/pei.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":9728},\"files\":[{\"filename\":\"/pei.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":9728,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":12,\"pkts_toclient\":11,\"bytes_toserver\":1206,\"bytes_toclient\":10726,\"start\":\"2023-12-04T09:07:07.238036+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-12-03","alert":"Sinkholed","trigger":"185.215.113.66","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2023-11-02","alert":"Scan result 59/72","trigger":"5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3","verdict":"malicious","severity":"","comment":"malicious - 59/72","link":"https://www.virustotal.com/gui/file/5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3","meta":null}],"urlquery":null}}]}