{"report_id":"4538ae27-70e4-4ebe-aa69-810fee2dda05","version":6,"status":"done","tags":[],"date":"2024-04-07T23:36:45Z","url":{"schema":"http","addr":"198.12.70.119/top1hbt.arm5","fqdn":"198.12.70.119","domain":"198.12.70.119","tld":""},"ip":{"addr":"198.12.70.119","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T20:29:41Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"198.12.70.119","ip":{"addr":"198.12.70.119","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2015-12-15 09:08:03","last_seen":"2016-01-31 14:45:10","alert_count":3,"request_count":1,"received_data":130055,"sent_data":396,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"9bb90751af6edd3eb9d81bd52f3e3bf0","sha1":"61ff6dac575da556184300623ba59611ade1e5c3","sha256":"89071c5ffe243000bd03d254e77ee0b59df2d56ff2a5b8a846f5e1afb9d3ef7f","sha512":"0b9fcea5f2759b0d76e6837344ff44d62bcd844e41d151009e80045b5f7722022f7bed805aff6279e31ef37f8de4abac3cac77486a9bfc9aa5629e776270f4f1","magic":"ELF 32-bit LSB executable, ARM, version 1 (ARM)","size":129792,"url":{"schema":"https","addr":"198.12.70.119/top1hbt.arm5","fqdn":"198.12.70.119","domain":"198.12.70.119","tld":"119"},"ip":{"addr":"198.12.70.119","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-04-07","alert":"Linux.Trojan.Gafgyt","trigger":"198.12.70.119/top1hbt.arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-04-07","alert":"Scan result 28/63","trigger":"89071c5ffe243000bd03d254e77ee0b59df2d56ff2a5b8a846f5e1afb9d3ef7f","verdict":"malicious","severity":"","comment":"malicious - 28/63","link":"https://www.virustotal.com/gui/file/89071c5ffe243000bd03d254e77ee0b59df2d56ff2a5b8a846f5e1afb9d3ef7f","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-04-07","alert":"Linux.Trojan.Gafgyt","trigger":"198.12.70.119/top1hbt.arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-04-07","alert":"Sinkholed","trigger":"198.12.70.119","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"198.12.70.119/top1hbt.arm5","fqdn":"198.12.70.119","domain":"198.12.70.119","tld":"119"},"ip":{"addr":"198.12.70.119","port":0,"asn":36352,"as":"AS-COLOCROSSING","country":"Canada","country_code":"CA"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-04-07T23:36:20.281Z","timestamp":1712532980281,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /top1hbt.arm5 HTTP/1.1\r\nHost: 198.12.70.119\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Sun, 07 Apr 2024 23:36:20 GMT\r\nServer: Apache/2.4.29 (Ubuntu)\r\nLast-Modified: Wed, 27 Mar 2024 15:54:34 GMT\r\nETag: \"1fb00-614a66c4fe0ea\"\r\nAccept-Ranges: bytes\r\nContent-Length: 129792\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":129792,"size_decoded":129792,"mime_type":"","magic":"ELF 32-bit LSB executable, ARM, version 1 (ARM)","md5":"9bb90751af6edd3eb9d81bd52f3e3bf0","sha1":"61ff6dac575da556184300623ba59611ade1e5c3","sha256":"89071c5ffe243000bd03d254e77ee0b59df2d56ff2a5b8a846f5e1afb9d3ef7f","sha512":"0b9fcea5f2759b0d76e6837344ff44d62bcd844e41d151009e80045b5f7722022f7bed805aff6279e31ef37f8de4abac3cac77486a9bfc9aa5629e776270f4f1","ssdeep":"1536:J9v+s43G5bUWkkRAhSh71QAFMxK4VIGUT2yNKtO/G8A46nztplk2wyw1FrR7TVIy:Dv+XQnRig71QNE43UqyNKtO+46zdtbP","tlshash":"27c31a55fc405b13c6d212b7fb5e428d3b2a17a8d3ee72039d256f60378b96b0e36942","first_seen":"2024-04-08T01:36:46Z","last_seen":"2024-08-20T05:31:40.8447Z","times_seen":4,"resource_available":false,"data":null}},"time_used":124,"timings":{"blocked":124,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-04-07","alert":"Linux.Trojan.Gafgyt","trigger":"198.12.70.119/top1hbt.arm5","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-01-12","fingerprint":"a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead","id":"28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd","last_modified":"2021-09-16","license":"Elastic License v2","os":"linux","rule":"Linux_Trojan_Gafgyt_28a2fe0c","scan_context":"file, memory","severity":"100","threat_name":"Linux.Trojan.Gafgyt"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-04-07","alert":"Sinkholed","trigger":"198.12.70.119","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-04-07","alert":"Scan result 28/63","trigger":"89071c5ffe243000bd03d254e77ee0b59df2d56ff2a5b8a846f5e1afb9d3ef7f","verdict":"malicious","severity":"","comment":"malicious - 28/63","link":"https://www.virustotal.com/gui/file/89071c5ffe243000bd03d254e77ee0b59df2d56ff2a5b8a846f5e1afb9d3ef7f","meta":null}],"urlquery":null}}]}