Report - nwmie.nwmiedown.conacola.cn:6088/azgame/XunLeiWebSetup11.4.8.2122dl.exe?sid=286728

Report Overview

Visited public
2023-12-10 09:30:55
Tags
URL
nwmie.nwmiedown.conacola.cn:6088/azgame/XunLeiWebSetup11.4.8.2122dl.exe?sid=286728
Finishing URL
about:privatebrowsing
IP / ASN
116.162.85.121
#4837 CHINA UNICOM China169 Backbone
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
	unknown				464 B	5.4 MB	116.162.85.121
aus5.mozilla.org	2548	1998-01-24	2015-10-27 08:06:24	2023-12-09 05:09:35	523 B	1.2 kB	35.244.181.201
ciscobinary.openh264.org	40822	2013-10-19	2014-10-07 07:43:56	2023-12-09 05:09:36	305 B	512 kB	62.115.252.113

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2023-12-10 09:30:32	high	116.162.85.121	Client IP	ET POLICY PE EXE or DLL Windows file download HTTP

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Files detected

URL
nwmie.nwmiedown.conacola.cn:6088/azgame/XunLeiWebSetup11.4.8.2122dl.exe?sid=286728
IP
116.162.85.121
ASN
#4837 CHINA UNICOM China169 Backbone

File type
PE32 executable (GUI) Intel 80386, for MS Windows - data
Size
5.4 MB (5426224 bytes)
Hash
2f7c10e774b6b801d24c124ac4b3dda0
c349d2e7b7ccb6cf0dd90b53704b441d80e0715e
2729c05f75c2930b7013b691b32a0a68dcc28bb4e133cb1e35e150e1be74a68f

Detections

Analyzer	Verdict	Alert
VirusTotal	suspicious	VirusTotal - Scan result 1/70

URL
ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
IP
62.115.252.113
ASN
#1299 Telia Company AB

File type
Zip archive data, at least v2.0 to extract, compression method=deflate - data
Size
512 kB (511815 bytes)
Hash
152eda253e242e18443ef3282495bc7c
ff0fa85565f21ec4931baad4573b4c0bd08c4019
8e03090fee16f6e0ee2e436af8e51d0c3deed6d9f0db80dec048e668fc009a48

Archive (2)

Modified	Filename	Size	Md5	File type
2019-03-02 16:47	gmpopenh264.info	116 B	3d33cdc0b3d281e67dd52e14435dd04f	ASCII text
2019-03-02 16:47	libgmpopenh264.so	1.4 MB	b2c1253e8a09cfe03b3d7f37de12dff7	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV)

JavaScript (0)

HTTP Transactions (3)

URL IP Response Size

nwmie.nwmiedown.conacola.cn:6088/azgame/XunLeiWebSetup11.4.8.2122dl.exe?sid=286728

116.162.85.121

200 OK

5.4 MB

URL User Request GET HTTP/1.1
nwmie.nwmiedown.conacola.cn:6088/azgame/XunLeiWebSetup11.4.8.2122dl.exe?sid=286728
IP
116.162.85.121:6088
ASN
#4837 CHINA UNICOM China169 Backbone

File type
PE32 executable (GUI) Intel 80386, for MS Windows - data
Size
5.4 MB (5426224 bytes)
Hash
2f7c10e774b6b801d24c124ac4b3dda0
c349d2e7b7ccb6cf0dd90b53704b441d80e0715e
2729c05f75c2930b7013b691b32a0a68dcc28bb4e133cb1e35e150e1be74a68f

Detections

Analyzer	Verdict	Alert
VirusTotal	suspicious	VirusTotal - Scan result 1/70

HTTP Headers

GET /azgame/XunLeiWebSetup11.4.8.2122dl.exe?sid=286728 HTTP/1.1
Host: nwmie.nwmiedown.conacola.cn:6088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: openresty
Date: Sun, 10 Dec 2023 09:30:31 GMT
Content-Type: application/x-msdownload
Content-Length: 5426224
Connection: keep-alive
Content-Security-Policy: block-all-mixed-content
ETag: "2f7c10e774b6b801d24c124ac4b3dda0"
Last-Modified: Fri, 17 Nov 2023 04:32:56 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin, Accept-Encoding
X-Amz-Request-Id: 179F654A36B6EF1C
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Expires: Sun, 10 Dec 2023 09:40:31 GMT
Cache-Control: max-age=600
X-Via: 117.48.143.12, 116.162.85.121
X-Cache: HIT
Accept-Ranges: bytes

aus5.mozilla.org/update/3/GMP/111.0a1/20230218104546/Linux_x86_64-gcc3/null/default/Linux%205.15.0-76-generic%20(GTK%203.24.34%2Clibpulse%20not-available)/default/default/update.xml

35.244.181.201

444 B

URL
aus5.mozilla.org/update/3/GMP/111.0a1/20230218104546/Linux_x86_64-gcc3/null/default/Linux%205.15.0-76-generic%20(GTK%203.24.34%2Clibpulse%20not-available)/default/default/update.xml
IP
35.244.181.201:0
ASN
#15169 GOOGLE

File type
XML 1.0 document text - XML document, ASCII text, with very long lines (332)
Size
444 B (444 bytes)
Hash
3b324dec137a87ef7e24a30a65b13dd0
c0faa95b2f1018e264b3a14aaf50d1003e6c27b3
6cd0b591d9239fc8564627e92a804fc261951b1cbaf5fa58a8ada3cc13f51463

HTTP Headers

GET /update/3/GMP/111.0a1/20230218104546/Linux_x86_64-gcc3/null/default/Linux%205.15.0-76-generic%20(GTK%203.24.34%2Clibpulse%20not-available)/default/default/update.xml HTTP/1.1
Host: aus5.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: cross-site

HTTP/2 200 OK
server: nginx
rule-id: unknown
rule-data-version: unknown
content-signature: x5u=https://content-signature-2.cdn.mozilla.net/chains/aus.content-signature.mozilla.org-2024-01-19-16-42-22.chain; p384ecdsa=QaJg7ptCjRo0FQFQEQZjeay6LcpVi_UUdMNeXIQo-nyPhj_aVEZcyTrkhaXN8JGt7kRbT-U8K9bWvnXiDBepMwIzooRYji_YU9qaudZoepZEYBZv1DLnn3UU-HN7Dvsb
strict-transport-security: max-age=31536000;
x-content-type-options: nosniff
content-security-policy: default-src 'none'; frame-ancestors 'none'
x-proxy-cache-status: EXPIRED
content-encoding: gzip
via: 1.1 google
content-length: 444
date: Sun, 10 Dec 2023 09:29:29 GMT
age: 80
content-type: text/xml; charset=utf-8
vary: Accept-Encoding
cache-control: public,max-age=90
alt-svc: clear
X-Firefox-Spdy: h2

ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip

62.115.252.113

512 kB

URL
ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip
IP
62.115.252.113:0
ASN
#1299 Telia Company AB

File type
Zip archive data, at least v2.0 to extract, compression method=deflate - data
Size
512 kB (511815 bytes)
Hash
152eda253e242e18443ef3282495bc7c
ff0fa85565f21ec4931baad4573b4c0bd08c4019
8e03090fee16f6e0ee2e436af8e51d0c3deed6d9f0db80dec048e668fc009a48

HTTP Headers

GET /openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip HTTP/1.1
Host: ciscobinary.openh264.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

HTTP/1.1 200 OK
Last-Modified: Thu, 16 Nov 2023 07:38:15 GMT
ETag: 152eda253e242e18443ef3282495bc7c
Content-Length: 511815
Accept-Ranges: bytes
X-Timestamp: 1700120294.87662
Content-Type: application/zip
X-Trans-Id: tx15b69f172b404fa58b2bb-006555fb11dfw1
Cache-Control: public, max-age=178181
Expires: Tue, 12 Dec 2023 11:00:30 GMT
Date: Sun, 10 Dec 2023 09:30:49 GMT
Connection: keep-alive

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Detections

URL

IP

ASN

File type

Size

Hash

Archive (2)

JavaScript (0)

HTTP Transactions (3)

URL User Request GET HTTP/1.1

IP

ASN

File type

Size

Hash

Detections

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers