{"report_id":"365a11db-3a93-4cdb-bbd2-579979387e56","version":6,"status":"done","tags":[],"date":"2024-02-06T01:07:23Z","url":{"schema":"http","addr":"www.sordum.org/files/download/windows-update-blocker/Wub_v1.8.zip","fqdn":"www.sordum.org","domain":"sordum.org","tld":"org"},"ip":{"addr":"185.146.22.240","port":0,"asn":55293,"as":"A2HOSTING","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T00:51:51Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"www.sordum.org","ip":{"addr":"185.146.22.240","port":443,"asn":55293,"as":"A2HOSTING","country":"United States","country_code":"US"},"domain_registered":"2013-01-30","domain_rank":0,"first_seen":"2013-02-02 12:06:18","last_seen":"2024-02-03 15:13:45","alert_count":0,"request_count":1,"received_data":1069429,"sent_data":519,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"5fd1b0e659656435c16f04215c4623ae","sha1":"7ef526b3288b0bfa3fb4043c56e84b293041a410","sha256":"3615d31687a6138633066b260caff25efde86890b76d85911a4a927c46d87f8d","sha512":"cff15a0ed6016a3286acf1fe800323f01120b2c90d7977b3e8cec182392e46bc2cb0cee6f536c56c7995f85394bdce603efd5cb014d786010af8f32cf305f0b6","magic":"Zip archive data, at least v2.0 to extract, compression method=store","size":1068831,"url":{"schema":"https","addr":"www.sordum.org/files/download/windows-update-blocker/Wub_v1.8.zip","fqdn":"www.sordum.org","domain":"sordum.org","tld":"org"},"ip":{"addr":"185.146.22.240","port":443,"asn":55293,"as":"A2HOSTING","country":"United States","country_code":"US"},"archive":[{"path":"Wub/ReadMe.txt","filename":"ReadMe.txt","modified":"","Modified":"2023-06-08T21:35:39+03:00","magic":"ISO-8859 text, with CRLF line terminators","size":2823,"md5":"e5316699929d6736e9c0c3b638ec8c2a","sha1":"1cccac2dbd1d745b0c9977dec3fa51b5bb91358e","sha256":"7e2b60095d07e98c6c827a1047beb7b2ee649ae84e19acf3eddb46911c972fab","sha512":"414ddd3768f8f88cfaf2430f1f9adf014fd833cf84585f762341b13841de2ee93d859b0f84952cf7c7dd9f57612d8cee94787a591e83410cf10f5271eb38632e","alerts":{"urlquery":null,"analyzer":null}},{"path":"Wub/Wub.exe","filename":"Wub.exe","modified":"","Modified":"2023-06-09T21:57:22+03:00","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections","size":810000,"md5":"82aff8883099cf75462057c4e47e88ac","sha1":"68e2939f59b3869e9bd3ecc4aca3947649631bf8","sha256":"aac1123f17f8569a36bf93876cea30e15103fd2379b401a79129a2a6e7285ac2","sha512":"212ac940a1f8bdd805813c279d471efc53b858bc35c5edad182dfde3c29c37854618a507a0a0839e5a383d1ba4fe317c0b3c8275d023c86ecfa36f221560b96d","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-02-06","alert":"meth_get_eip","trigger":"Wub/Wub.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-02-06","alert":"Identifies compiled AutoIT script (as EXE).","trigger":"Wub/Wub.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies compiled AutoIT script (as EXE).","fingerprint":"7d7623207492860e4196e8c8a493b874bb3042c83f19e61e1d958e79a09bc8f8","first_imported":"2021-12-30","id":"1HD8y9jsBZi1HDN82XCpZx","last_modified":"2021-12-30","rule":"AutoIT_Compiled","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]}},{"path":"Wub/Wub.ini","filename":"Wub.ini","modified":"","Modified":"2023-10-15T22:12:33+03:00","magic":"Unicode text, UTF-16, little-endian text, with CRLF line terminators","size":99914,"md5":"a16bf55cd2ef7d9e56565b0ed1aa208a","sha1":"19edddaa24f73d9d01150babd58b1bcc0ff5d849","sha256":"30eb977d58106050818626b9b556a3badc7b7d012462903120a0663987c74c0b","sha512":"ab87d94620b0d77bfa8ff3e721bbb68a28185245b173be7b62195588e2a3b3d3a9ee085497300c14876118dff4edca7fea202328f3156a76c53f786b8d5b6118","alerts":{"urlquery":null,"analyzer":null}},{"path":"Wub/Wub_x64.exe","filename":"Wub_x64.exe","modified":"","Modified":"2023-06-09T21:57:23+03:00","magic":"PE32+ executable (GUI) x86-64, for MS Windows, 5 sections","size":961600,"md5":"9d6778f7f274f7ecd4e7e875a7268b64","sha1":"452fa439f1cc0b9fcc37cf4b8cfff96e8cc348aa","sha256":"187eeee9e518011de1b87cfb0ed03e12ea551e9011f0c8defdd0e4535e672da2","sha512":"d51df55a5f903ec624550e847459bfa52fb19e892a58fe2de41251d9d98890b36f26a4950ad75f900de0311b5330066aaece11ec5e549d5b3867a61a344e0b87","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-02-06","alert":"Identifies compiled AutoIT script (as EXE).","trigger":"Wub/Wub_x64.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies compiled AutoIT script (as EXE).","fingerprint":"7d7623207492860e4196e8c8a493b874bb3042c83f19e61e1d958e79a09bc8f8","first_imported":"2021-12-30","id":"1HD8y9jsBZi1HDN82XCpZx","last_modified":"2021-12-30","rule":"AutoIT_Compiled","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-02-06","alert":"meth_get_eip","trigger":"Wub/Wub.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-02-06","alert":"Identifies compiled AutoIT script (as EXE).","trigger":"Wub/Wub.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies compiled AutoIT script (as EXE).","fingerprint":"7d7623207492860e4196e8c8a493b874bb3042c83f19e61e1d958e79a09bc8f8","first_imported":"2021-12-30","id":"1HD8y9jsBZi1HDN82XCpZx","last_modified":"2021-12-30","rule":"AutoIT_Compiled","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2024-02-06","alert":"Identifies compiled AutoIT script (as EXE).","trigger":"Wub/Wub_x64.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"MALWARE","creation_date":"2020-09-01","description":"Identifies compiled AutoIT script (as EXE).","fingerprint":"7d7623207492860e4196e8c8a493b874bb3042c83f19e61e1d958e79a09bc8f8","first_imported":"2021-12-30","id":"1HD8y9jsBZi1HDN82XCpZx","last_modified":"2021-12-30","rule":"AutoIT_Compiled","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"www.sordum.org/files/download/windows-update-blocker/Wub_v1.8.zip","fqdn":"www.sordum.org","domain":"sordum.org","tld":"org"},"ip":{"addr":"185.146.22.240","port":443,"asn":55293,"as":"A2HOSTING","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-02-06T01:06:58.129Z","timestamp":1707181618129,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"sordum.org","organization":""},"issuer":{"commonName":"cPanel, Inc. Certification Authority","organization":"cPanel, Inc."},"validity":{"start":"Fri, 12 Jan 2024 00:00:00 GMT","end":"Thu, 11 Apr 2024 23:59:59 GMT"},"fingerprint":{"sha1":"E1:43:E5:58:2A:DB:A7:82:09:99:5D:27:5F:E6:0D:FE:D6:C7:43:26","sha256":"1D:00:68:93:05:C1:87:51:B4:0D:33:BF:FE:52:BB:82:3D:72:45:E7:DE:0F:FC:5D:F1:C1:C2:3A:D2:00:CA:64"}}},"request":{"raw":"GET /files/download/windows-update-blocker/Wub_v1.8.zip HTTP/1.1\r\nHost: www.sordum.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncache-control: public, max-age=2592000\r\nexpires: Thu, 07 Mar 2024 01:06:58 GMT\r\ncontent-type: application/zip\r\nlast-modified: Sun, 15 Oct 2023 19:16:29 GMT\r\naccept-ranges: bytes\r\ncontent-length: 1068831\r\ndate: Tue, 06 Feb 2024 01:06:58 GMT\r\nserver: LiteSpeed\r\nstrict-transport-security: max-age=31536000\r\nx-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\nvary: User-Agent\r\nalt-svc: h3=\":443\"; ma=2592000, h3-29=\":443\"; ma=2592000, h3-Q050=\":443\"; ma=2592000, h3-Q046=\":443\"; ma=2592000, h3-Q043=\":443\"; ma=2592000, quic=\":443\"; ma=2592000; v=\"43,46\"\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":1068831,"size_decoded":1068831,"mime_type":"application/zip","magic":"Zip archive data, at least v2.0 to extract, compression method=store","md5":"5fd1b0e659656435c16f04215c4623ae","sha1":"7ef526b3288b0bfa3fb4043c56e84b293041a410","sha256":"3615d31687a6138633066b260caff25efde86890b76d85911a4a927c46d87f8d","sha512":"cff15a0ed6016a3286acf1fe800323f01120b2c90d7977b3e8cec182392e46bc2cb0cee6f536c56c7995f85394bdce603efd5cb014d786010af8f32cf305f0b6","ssdeep":"24576:SXjs/m0+zE4fVLKu+CGS1vUsBY9lQYF0z2frs5S:ojdE4N531JBoQYFrv","tlshash":"a735336c27eb3a45c30f56fe0848a6bf13244eda4a9519f8cd82334ec8df72979c51a5","first_seen":"2023-12-12T03:20:39Z","last_seen":"2025-05-23T04:13:35.911605Z","times_seen":45,"resource_available":false,"data":null}},"time_used":320,"timings":{"blocked":56,"dns":0,"connect":21,"send":0,"wait":21,"receive":187,"ssl":29},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}