{"report_id":"54afc33d-4a42-4c6b-80b3-5defe0be7284","version":6,"status":"done","tags":[],"date":"2024-11-29T22:26:08Z","url":{"schema":"http","addr":"135.148.28.56:5001/VTOLPACK.exe","fqdn":"135.148.28.56","domain":"135.148.28.56","tld":""},"ip":{"addr":"135.148.28.56","port":0,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-07T22:26:08Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"135.148.28.56","ip":{"addr":"135.148.28.56","port":5001,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":2,"request_count":1,"received_data":35017,"sent_data":401,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"60ad4cdb6a158a97137836e93de1d471","sha1":"cff530742f66c71e641f7f02b8e79df9825f5595","sha256":"ff1d006d94932102061a38d503831df23775ce6963fe7a75d7c6c0bf9f0226fb","sha512":"90528ae65b41571d6055054f4853108d2f34cce4d61eede15f6dffe3c9750e350b27744c88aa80cb2351527f5db8f120ea0591ca6af4ba350ce43e370ab6b11d","magic":"PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":34816,"url":{"schema":"http","addr":"135.148.28.56:5001/VTOLPACK.exe","fqdn":"135.148.28.56","domain":"135.148.28.56","tld":""},"ip":{"addr":"135.148.28.56","port":5001,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"135.148.28.56:5001/VTOLPACK.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"60ad4cdb6a158a97137836e93de1d471","sha1":"cff530742f66c71e641f7f02b8e79df9825f5595","sha256":"ff1d006d94932102061a38d503831df23775ce6963fe7a75d7c6c0bf9f0226fb","sha512":"90528ae65b41571d6055054f4853108d2f34cce4d61eede15f6dffe3c9750e350b27744c88aa80cb2351527f5db8f120ea0591ca6af4ba350ce43e370ab6b11d","magic":"PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":34816,"url":{"schema":"http","addr":"135.148.28.56:5001/VTOLPACK.exe","fqdn":"135.148.28.56","domain":"135.148.28.56","tld":""},"ip":{"addr":"135.148.28.56","port":5001,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"135.148.28.56:5001/VTOLPACK.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T22:25:43Z","timestamp":1732919143,"ip_dst":{"addr":"135.148.28.56","port":5001,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"ip_src":{"addr":"172.18.0.17","port":39426,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2024-11-29T22:25:43.930236+0000\",\"flow_id\":1875192375110830,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.17\",\"src_port\":39426,\"dest_ip\":\"135.148.28.56\",\"dest_port\":5001,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"135.148.28.56\",\"http_port\":5001,\"url\":\"/VTOLPACK.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":0},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":2,\"bytes_toserver\":675,\"bytes_toclient\":343,\"start\":\"2024-11-29T22:25:43.748718+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T22:25:44Z","timestamp":1732919144,"ip_dst":{"addr":"172.18.0.17","port":39426,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"135.148.28.56","port":5001,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2024-11-29T22:25:44.113154+0000\",\"flow_id\":1875192375110830,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"135.148.28.56\",\"src_port\":5001,\"dest_ip\":\"172.18.0.17\",\"dest_port\":39426,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"135.148.28.56\",\"http_port\":5001,\"url\":\"/VTOLPACK.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":34816},\"files\":[{\"filename\":\"/VTOLPACK.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":34816,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":28,\"bytes_toserver\":1863,\"bytes_toclient\":36875,\"start\":\"2024-11-29T22:25:43.748718+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-11-29T22:25:44Z","timestamp":1732919144,"ip_dst":{"addr":"172.18.0.17","port":39426,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"135.148.28.56","port":5001,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2024-11-29T22:25:44.113154+0000\",\"flow_id\":1875192375110830,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"135.148.28.56\",\"src_port\":5001,\"dest_ip\":\"172.18.0.17\",\"dest_port\":39426,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.Meterpreter.Receiving\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"135.148.28.56\",\"http_port\":5001,\"url\":\"/VTOLPACK.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":34816},\"files\":[{\"filename\":\"/VTOLPACK.exe\",\"sid\":[],\"gaps\":false,\"state\":\"CLOSED\",\"stored\":false,\"size\":34816,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":28,\"bytes_toserver\":1863,\"bytes_toclient\":36875,\"start\":\"2024-11-29T22:25:43.748718+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"135.148.28.56:5001/VTOLPACK.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"135.148.28.56","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"135.148.28.56:5001/VTOLPACK.exe","fqdn":"135.148.28.56","domain":"135.148.28.56","tld":""},"ip":{"addr":"135.148.28.56","port":5001,"asn":16276,"as":"OVH SAS","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-29T22:25:43.755Z","timestamp":1732919143755,"http_version":"HTTP/1.0","security_state":"insecure","security_info":null,"request":{"raw":"GET /VTOLPACK.exe HTTP/1.1\r\nHost: 135.148.28.56:5001\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.13.0\r\nDate: Fri, 29 Nov 2024 22:25:43 GMT\r\nContent-type: application/x-msdownload\r\nContent-Length: 34816\r\nLast-Modified: Sat, 23 Nov 2024 22:51:39 GMT\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":34816,"size_decoded":34816,"mime_type":"application/x-msdownload","magic":"PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","md5":"60ad4cdb6a158a97137836e93de1d471","sha1":"cff530742f66c71e641f7f02b8e79df9825f5595","sha256":"ff1d006d94932102061a38d503831df23775ce6963fe7a75d7c6c0bf9f0226fb","sha512":"90528ae65b41571d6055054f4853108d2f34cce4d61eede15f6dffe3c9750e350b27744c88aa80cb2351527f5db8f120ea0591ca6af4ba350ce43e370ab6b11d","ssdeep":"384:/2y+WJwy1/pvENBcpXKf/2HEGk3QO2tXqRVxt8Vaxb1KZGQ5VSueDQEX:/3PJwO/95Kf/234QO2xqRCYCGUYy","tlshash":"4bf2830577ed0511f6bf9b7ca87242034a73f993a83de30d95adf1893b6364068d0b6a","first_seen":"2024-11-29T22:26:12.379981Z","last_seen":"2024-11-29T22:26:12.379981Z","times_seen":1,"resource_available":false,"data":null}},"time_used":358,"timings":{"blocked":84,"dns":0,"connect":90,"send":0,"wait":91,"receive":92,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-29","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"135.148.28.56:5001/VTOLPACK.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-29","alert":"Sinkholed","trigger":"135.148.28.56","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}