{"report_id":"3af38590-3e19-41f6-81d6-98a7f889fe79","version":6,"status":"done","tags":[],"date":"2023-12-01T18:04:05Z","url":{"schema":"http","addr":"34.67.9.172/quiobu","fqdn":"34.67.9.172","domain":"34.67.9.172","tld":""},"ip":{"addr":"34.67.9.172","port":0,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"final":{"url":{"schema":"http","addr":"34.67.9.172/quiobu","fqdn":"34.67.9.172","domain":"34.67.9.172","tld":"172"},"title":"34.67.9.172/quiobu"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T09:40:38Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"34.67.9.172","ip":{"addr":"34.67.9.172","port":80,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2023-09-19 10:55:28","last_seen":"2023-12-01 12:52:41","alert_count":4,"request_count":2,"received_data":803,"sent_data":858,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2023-12-01T18:03:53Z","timestamp":1701453833,"ip_dst":{"addr":"Client IP","port":43984,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"34.67.9.172","port":80,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2023-12-01T18:03:53.221895+0000\",\"flow_id\":1671618988910000,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"34.67.9.172\",\"src_port\":80,\"dest_ip\":\"10.70.215.95\",\"dest_port\":43984,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_02_15\"],\"former_category\":[\"TROJAN\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"34.67.9.172\",\"url\":\"/quiobu\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":740,\"bytes_toclient\":798,\"start\":\"2023-12-01T18:03:52.763312+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-01T18:03:53Z","timestamp":1701453833,"ip_dst":{"addr":"Client IP","port":43984,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"34.67.9.172","port":80,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2023-12-01T18:03:53.221895+0000\",\"flow_id\":1671618988910000,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"34.67.9.172\",\"src_port\":80,\"dest_ip\":\"10.70.215.95\",\"dest_port\":43984,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"MALWARE\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"34.67.9.172\",\"url\":\"/quiobu\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":740,\"bytes_toclient\":798,\"start\":\"2023-12-01T18:03:52.763312+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-12-01","alert":"Sinkholed","trigger":"34.67.9.172","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-12-01","alert":"Sinkholed","trigger":"34.67.9.172","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"34.67.9.172/quiobu","fqdn":"34.67.9.172","domain":"34.67.9.172","tld":"172"},"ip":{"addr":"34.67.9.172","port":80,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-12-01T18:03:52.768Z","timestamp":1701453832768,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /quiobu HTTP/1.1\r\nHost: 34.67.9.172\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 01 Dec 2023 18:03:48 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: btst=10d1e57c67374b45e5fb94c8a8eeef1a|91.90.42.154|1701453828|1701453828|0|1|0; path=/; domain=34.67.9.172; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;\nsnkz=91.90.42.154; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT\r\nContent-Encoding: gzip\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":20,"size_decoded":0,"mime_type":"text/html","magic":"gzip compressed data, from Unix\\012- data","md5":"7029066c27ac6f5ef18d660d5741979a","sha1":"46c6643f07aa7f6bfe7118de926b86defc5087c4","sha256":"59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2","sha512":"7e8e93f4a89ce7fae011403e14a1d53544c6e6f6b6010d61129dc27937806d2b03802610d7999eab33a4c36b0f9e001d9d76001b8354087634c1aa9c740c536f","ssdeep":"","tlshash":"de70000000c03c30cc00003000000000000c30000000c00300000c3000030c000c003c","first_seen":"2023-04-09T15:32:38Z","last_seen":"2025-03-02T06:10:10.559841Z","times_seen":229342,"resource_available":false,"data":null}},"time_used":454,"timings":{"blocked":148,"dns":0,"connect":153,"send":0,"wait":153,"receive":0,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2023-12-01T18:03:53Z","timestamp":1701453833,"ip_dst":{"addr":"10.70.215.95","port":43984,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"34.67.9.172","port":80,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2023-12-01T18:03:53.221895+0000\",\"flow_id\":1671618988910000,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"34.67.9.172\",\"src_port\":80,\"dest_ip\":\"10.70.215.95\",\"dest_port\":43984,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_02_15\"],\"former_category\":[\"TROJAN\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"34.67.9.172\",\"url\":\"/quiobu\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":740,\"bytes_toclient\":798,\"start\":\"2023-12-01T18:03:52.763312+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2023-12-01T18:03:53Z","timestamp":1701453833,"ip_dst":{"addr":"10.70.215.95","port":43984,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"34.67.9.172","port":80,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2023-12-01T18:03:53.221895+0000\",\"flow_id\":1671618988910000,\"in_iface\":\"lxdbr0\",\"event_type\":\"alert\",\"src_ip\":\"34.67.9.172\",\"src_port\":80,\"dest_ip\":\"10.70.215.95\",\"dest_port\":43984,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"MALWARE\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"34.67.9.172\",\"url\":\"/quiobu\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":740,\"bytes_toclient\":798,\"start\":\"2023-12-01T18:03:52.763312+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-12-01","alert":"Sinkholed","trigger":"34.67.9.172","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"34.67.9.172/favicon.ico","fqdn":"34.67.9.172","domain":"34.67.9.172","tld":"172"},"ip":{"addr":"34.67.9.172","port":80,"asn":15169,"as":"GOOGLE","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"http://34.67.9.172/quiobu","date":"2023-12-01T18:03:53.209Z","timestamp":1701453833209,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: 34.67.9.172\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: http://34.67.9.172/quiobu\r\nCookie: btst=10d1e57c67374b45e5fb94c8a8eeef1a|91.90.42.154|1701453828|1701453828|0|1|0; snkz=91.90.42.154\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 01 Dec 2023 18:03:48 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: btst=10d1e57c67374b45e5fb94c8a8eeef1a|91.90.42.154|1701453828|1701453828|0|2|0; path=/; domain=34.67.9.172; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;\r\nContent-Encoding: gzip\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":20,"size_decoded":0,"mime_type":"text/html","magic":"gzip compressed data, from Unix\\012- data","md5":"7029066c27ac6f5ef18d660d5741979a","sha1":"46c6643f07aa7f6bfe7118de926b86defc5087c4","sha256":"59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2","sha512":"7e8e93f4a89ce7fae011403e14a1d53544c6e6f6b6010d61129dc27937806d2b03802610d7999eab33a4c36b0f9e001d9d76001b8354087634c1aa9c740c536f","ssdeep":"","tlshash":"de70000000c03c30cc00003000000000000c30000000c00300000c3000030c000c003c","first_seen":"2023-04-09T15:32:38Z","last_seen":"2025-03-02T06:10:10.559841Z","times_seen":229342,"resource_available":false,"data":null}},"time_used":310,"timings":{"blocked":0,"dns":0,"connect":156,"send":0,"wait":154,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-12-01","alert":"Sinkholed","trigger":"34.67.9.172","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}