{"report_id":"2bf8807a-777a-4ca4-9401-e1bb67017e45","version":6,"status":"done","tags":[],"date":"2025-05-09T23:43:33Z","url":{"schema":"http","addr":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","fqdn":"local5.yesmessenger.com","domain":"yesmessenger.com","tld":"com"},"ip":{"addr":"163.172.244.138","port":0,"asn":12876,"as":"Scaleway S.a.s.","country":"France","country_code":"FR"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-07-18T23:43:33Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"local5.yesmessenger.com","ip":{"addr":"163.172.244.138","port":443,"asn":12876,"as":"Scaleway S.a.s.","country":"France","country_code":"FR"},"domain_registered":"2007-03-12","domain_rank":0,"first_seen":"2012-08-13T08:59:18Z","last_seen":"2025-05-09T05:19:18.988215Z","alert_count":2,"request_count":1,"received_data":7528138,"sent_data":539,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"8d72828a1642d572f776c0965e6d1f20","sha1":"dc46697534b7a07f52d5769c91dc5ccdb402df54","sha256":"1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","sha512":"56e44a39ce723553eb9a4518bf0579c635dc41a35335d245623b28c5c4ac2a9e360187ac047778cf9d1706ac22d2088b6d5be90adae13e5e7cde9aeb8ec25da0","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections","size":7527872,"url":{"schema":"https","addr":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","fqdn":"local5.yesmessenger.com","domain":"yesmessenger.com","tld":"com"},"ip":{"addr":"163.172.244.138","port":443,"asn":12876,"as":"Scaleway S.a.s.","country":"France","country_code":"FR"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-09","alert":"Detect files is `SliverFox` malware","trigger":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"huoji","date":"2023-12-25","description":"Detect files is `SliverFox` malware","rule":"Detect_SliverFox_String","yarahub_license":"CC0 1.0","yarahub_reference_md5":"CDD9564A48975F25E846BD3DD3B958EF","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"e4cc5dd0-c314-41c0-8bcf-abb5b6b228fa"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2020-09-23","alert":"Scan result 1/71","trigger":"1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","verdict":"suspicious","severity":"","comment":"suspicious - 1/71","link":"https://www.virustotal.com/gui/file/1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"8d72828a1642d572f776c0965e6d1f20","sha1":"dc46697534b7a07f52d5769c91dc5ccdb402df54","sha256":"1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","sha512":"56e44a39ce723553eb9a4518bf0579c635dc41a35335d245623b28c5c4ac2a9e360187ac047778cf9d1706ac22d2088b6d5be90adae13e5e7cde9aeb8ec25da0","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections","size":7527872,"url":{"schema":"https","addr":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","fqdn":"local5.yesmessenger.com","domain":"yesmessenger.com","tld":"com"},"ip":{"addr":"163.172.244.138","port":443,"asn":12876,"as":"Scaleway S.a.s.","country":"France","country_code":"FR"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-09","alert":"Detect files is `SliverFox` malware","trigger":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"huoji","date":"2023-12-25","description":"Detect files is `SliverFox` malware","rule":"Detect_SliverFox_String","yarahub_license":"CC0 1.0","yarahub_reference_md5":"CDD9564A48975F25E846BD3DD3B958EF","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"e4cc5dd0-c314-41c0-8bcf-abb5b6b228fa"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2020-09-23","alert":"Scan result 1/71","trigger":"1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","verdict":"suspicious","severity":"","comment":"suspicious - 1/71","link":"https://www.virustotal.com/gui/file/1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-09","alert":"Detect files is `SliverFox` malware","trigger":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"huoji","date":"2023-12-25","description":"Detect files is `SliverFox` malware","rule":"Detect_SliverFox_String","yarahub_license":"CC0 1.0","yarahub_reference_md5":"CDD9564A48975F25E846BD3DD3B958EF","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"e4cc5dd0-c314-41c0-8bcf-abb5b6b228fa"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","fqdn":"local5.yesmessenger.com","domain":"yesmessenger.com","tld":"com"},"ip":{"addr":"163.172.244.138","port":443,"asn":12876,"as":"Scaleway S.a.s.","country":"France","country_code":"FR"},"is_navigation_request":true,"resource_type":"","requested_by":"","date":"2025-05-09T23:43:00.191Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"local5.yesmessenger.com","organization":""},"issuer":{"commonName":"E6","organization":"Let's Encrypt"},"validity":{"start":"Sat, 26 Apr 2025 13:52:19 GMT","end":"Fri, 25 Jul 2025 13:52:18 GMT"},"fingerprint":{"sha1":"77:E9:67:41:65:14:C9:56:DC:B7:0A:A6:78:DB:86:AF:AB:0B:DA:59","sha256":"A3:4B:6D:D0:83:82:94:37:CA:6D:E0:6F:D6:00:CD:EA:84:00:09:93:9A:66:DC:0E:1A:15:11:E6:8C:F4:3D:8E"}}},"request":{"raw":"GET /messenger/workset/update/3606/setup-3606-v4.exe HTTP/1.1\r\nHost: local5.yesmessenger.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nserver: nginx\r\ndate: Fri, 09 May 2025 23:43:00 GMT\r\ncontent-type: application/octet-stream\r\ncontent-length: 7527872\r\nlast-modified: Mon, 30 Nov 2015 10:37:02 GMT\r\netag: \"565c26ce-72ddc0\"\r\nx-server: php6-1\r\naccept-ranges: bytes\r\nconnection: close\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":7527872,"size_decoded":0,"mime_type":"application/octet-stream","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections","md5":"8d72828a1642d572f776c0965e6d1f20","sha1":"dc46697534b7a07f52d5769c91dc5ccdb402df54","sha256":"1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","sha512":"56e44a39ce723553eb9a4518bf0579c635dc41a35335d245623b28c5c4ac2a9e360187ac047778cf9d1706ac22d2088b6d5be90adae13e5e7cde9aeb8ec25da0","ssdeep":"196608:g1wFZ0h57cBnfTZ8U9E1Ph35mAw3EgWT9GoQl+HRjd:gnh57SfT6UM35VpGXE","tlshash":"f076334165cb5ad2f1454570d413c133a2ef6e4a0b62a7334ee63e3e317a9a2c4a7e1f","first_seen":"2025-04-26T23:41:53.227253Z","last_seen":"2025-05-27T05:56:34.608179Z","times_seen":9,"resource_available":false,"data":null}},"time_used":1205,"timings":{"blocked":84,"dns":0,"connect":27,"send":0,"wait":55,"receive":982,"ssl":52},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-09","alert":"Detect files is `SliverFox` malware","trigger":"local5.yesmessenger.com/messenger/workset/update/3606/setup-3606-v4.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"huoji","date":"2023-12-25","description":"Detect files is `SliverFox` malware","rule":"Detect_SliverFox_String","yarahub_license":"CC0 1.0","yarahub_reference_md5":"CDD9564A48975F25E846BD3DD3B958EF","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"e4cc5dd0-c314-41c0-8bcf-abb5b6b228fa"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2020-09-23","alert":"Scan result 1/71","trigger":"1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","verdict":"suspicious","severity":"","comment":"suspicious - 1/71","link":"https://www.virustotal.com/gui/file/1e84dadeafcf2a0b5d7e0a9fe2ab2aef290e9fa67e10cace167eb3ea7646311c","meta":null}],"urlquery":null}}]}