{"report_id":"69bd9d60-f63c-4475-9610-23cb7a97f0f1","version":6,"status":"done","tags":[],"date":"2024-11-21T23:05:45Z","url":{"schema":"http","addr":"gcdn.thunderstore.io/live/repository/packages/SkinwalkerModTeam-SkinWalkerMods-1.0.0.zip","fqdn":"gcdn.thunderstore.io","domain":"thunderstore.io","tld":"io"},"ip":{"addr":"185.244.209.62","port":0,"asn":199524,"as":"G-Core Labs S.A.","country":"Norway","country_code":"NO"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-01-30T23:05:45Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"gcdn.thunderstore.io","ip":{"addr":"185.244.209.62","port":443,"asn":199524,"as":"G-Core Labs S.A.","country":"Norway","country_code":"NO"},"domain_registered":"2019-04-05","domain_rank":595395,"first_seen":"2021-08-08T10:24:31Z","last_seen":"2024-11-21T03:04:59.467116Z","alert_count":0,"request_count":1,"received_data":438843,"sent_data":542,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"19db62c04b1f30a019ac3a6eae94d3b2","sha1":"b087bdc48172bb46f8e18183cd04296f1ebc06cf","sha256":"5e1923eb965c7cee219817016ce0336f0907f5112f8a28e159620b7e80aa77ce","sha512":"c1c81fd0c3b0d70b14320df9a932679f931f98631eaaf751e0c11b4ca9ec767b25cddcf380d4a842e56067ffbc014fcdc026e32714d1bb9a883ee3d68112e284","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","size":438047,"url":{"schema":"https","addr":"gcdn.thunderstore.io/live/repository/packages/SkinwalkerModTeam-SkinWalkerMods-1.0.0.zip","fqdn":"gcdn.thunderstore.io","domain":"thunderstore.io","tld":"io"},"ip":{"addr":"185.244.209.62","port":443,"asn":199524,"as":"G-Core Labs S.A.","country":"Norway","country_code":"NO"},"archive":[{"path":"SkinWalker.dll","filename":"SkinWalker.dll","modified":"","Modified":"2023-12-25T14:24:55-06:00","magic":"PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":2857472,"md5":"ee9cd8657560c102441d15ac13053c67","sha1":"8a22d432d7976dad3b1709d9b2729a8221e4f69d","sha256":"03f1ceab19e0f25b91a4f8b570b6689de8f7b0ceb04246ebdde5163b53ed9706","sha512":"0fd574145f870133be9e5517bf14fa12a46c3fb93a0f1d9642c578d3cc0a83c520e1d52f62acb9eb31f0e3f027d7eb97cd6513e8082ac528f7381a7260a4f77a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-21","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"SkinWalker.dll","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}}]}},{"path":"icon.png","filename":"icon.png","modified":"","Modified":"2023-12-25T13:52:44-06:00","magic":"PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced","size":2635,"md5":"fd0f5271a1c1b16218a2632b32d60766","sha1":"6077c06b8e96ff46f7059a1f1e31e97d7d7457f5","sha256":"c50ca6a807a27a3834d2f0ff7ee04f264bf8f102bd02b9a07e5239f1e0cceb42","sha512":"dab69e85377d9ca8805f5dc5019048e2958b686c3f9e44e8f8c84eb0ed8b02f23f1dc229729e3b645d1e70b141760a170d2e6fc4a2b45bf46fce0ec31d6053b9","alerts":{"urlquery":null,"analyzer":null}},{"path":"manifest.json","filename":"manifest.json","modified":"","Modified":"2023-12-25T14:27:18-06:00","magic":"JSON text data","size":203,"md5":"037524162ae83ce6f08d1598022e053b","sha1":"87117d58bddfa5b693c8c344e7e5885e407f81f9","sha256":"ab603be8a443a9bdfb5707b3876281a0a68272556f04f0d45e6837b3958bb00c","sha512":"ca248a42df3e86a719fc0d87b88bc8ec99120815ccff271e2e66c3ec7c73374e985e75282a3f11e0f90394125afff380bfd83c41721198cef72a0e168001f9ec","alerts":{"urlquery":null,"analyzer":null}},{"path":"README.md","filename":"README.md","modified":"","Modified":"2023-12-25T13:51:22-06:00","magic":"","size":0,"md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","alerts":{"urlquery":null,"analyzer":null}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-21","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"SkinWalker.dll","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"19db62c04b1f30a019ac3a6eae94d3b2","sha1":"b087bdc48172bb46f8e18183cd04296f1ebc06cf","sha256":"5e1923eb965c7cee219817016ce0336f0907f5112f8a28e159620b7e80aa77ce","sha512":"c1c81fd0c3b0d70b14320df9a932679f931f98631eaaf751e0c11b4ca9ec767b25cddcf380d4a842e56067ffbc014fcdc026e32714d1bb9a883ee3d68112e284","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","size":438047,"url":{"schema":"https","addr":"gcdn.thunderstore.io/live/repository/packages/SkinwalkerModTeam-SkinWalkerMods-1.0.0.zip","fqdn":"gcdn.thunderstore.io","domain":"thunderstore.io","tld":"io"},"ip":{"addr":"185.244.209.62","port":443,"asn":199524,"as":"G-Core Labs S.A.","country":"Norway","country_code":"NO"},"archive":[{"path":"SkinWalker.dll","filename":"SkinWalker.dll","modified":"","Modified":"2023-12-25T14:24:55-06:00","magic":"PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections","size":2857472,"md5":"ee9cd8657560c102441d15ac13053c67","sha1":"8a22d432d7976dad3b1709d9b2729a8221e4f69d","sha256":"03f1ceab19e0f25b91a4f8b570b6689de8f7b0ceb04246ebdde5163b53ed9706","sha512":"0fd574145f870133be9e5517bf14fa12a46c3fb93a0f1d9642c578d3cc0a83c520e1d52f62acb9eb31f0e3f027d7eb97cd6513e8082ac528f7381a7260a4f77a","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-21","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"SkinWalker.dll","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}}]}},{"path":"icon.png","filename":"icon.png","modified":"","Modified":"2023-12-25T13:52:44-06:00","magic":"PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced","size":2635,"md5":"fd0f5271a1c1b16218a2632b32d60766","sha1":"6077c06b8e96ff46f7059a1f1e31e97d7d7457f5","sha256":"c50ca6a807a27a3834d2f0ff7ee04f264bf8f102bd02b9a07e5239f1e0cceb42","sha512":"dab69e85377d9ca8805f5dc5019048e2958b686c3f9e44e8f8c84eb0ed8b02f23f1dc229729e3b645d1e70b141760a170d2e6fc4a2b45bf46fce0ec31d6053b9","alerts":{"urlquery":null,"analyzer":null}},{"path":"manifest.json","filename":"manifest.json","modified":"","Modified":"2023-12-25T14:27:18-06:00","magic":"JSON text data","size":203,"md5":"037524162ae83ce6f08d1598022e053b","sha1":"87117d58bddfa5b693c8c344e7e5885e407f81f9","sha256":"ab603be8a443a9bdfb5707b3876281a0a68272556f04f0d45e6837b3958bb00c","sha512":"ca248a42df3e86a719fc0d87b88bc8ec99120815ccff271e2e66c3ec7c73374e985e75282a3f11e0f90394125afff380bfd83c41721198cef72a0e168001f9ec","alerts":{"urlquery":null,"analyzer":null}},{"path":"README.md","filename":"README.md","modified":"","Modified":"2023-12-25T13:51:22-06:00","magic":"","size":0,"md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","alerts":{"urlquery":null,"analyzer":null}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-11-21","alert":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","trigger":"SkinWalker.dll","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2021-10-12","description":"Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)","reference":"Internal Research","rule":"SUSP_PE_Discord_Attachment_Oct21_1","score":"70"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"gcdn.thunderstore.io/live/repository/packages/SkinwalkerModTeam-SkinWalkerMods-1.0.0.zip","fqdn":"gcdn.thunderstore.io","domain":"thunderstore.io","tld":"io"},"ip":{"addr":"185.244.209.62","port":443,"asn":199524,"as":"G-Core Labs S.A.","country":"Norway","country_code":"NO"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-21T23:05:19.857Z","timestamp":1732230319857,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"gcdn.thunderstore.io","organization":""},"issuer":{"commonName":"E6","organization":"Let's Encrypt"},"validity":{"start":"Tue, 01 Oct 2024 04:20:09 GMT","end":"Mon, 30 Dec 2024 04:20:08 GMT"},"fingerprint":{"sha1":"59:EC:18:DC:F0:51:C7:3C:34:A7:FA:99:35:DC:BA:60:9F:6F:00:04","sha256":"DB:1A:8F:02:45:BD:90:7D:DB:CA:D6:50:F5:3B:2D:96:87:25:29:FA:42:70:91:63:05:0C:F9:F1:36:8C:E0:F6"}}},"request":{"raw":"GET /live/repository/packages/SkinwalkerModTeam-SkinWalkerMods-1.0.0.zip HTTP/1.1\r\nHost: gcdn.thunderstore.io\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\nserver: nginx\r\ndate: Thu, 21 Nov 2024 23:05:19 GMT\r\ncontent-type: application/zip\r\ncontent-length: 438047\r\nlast-modified: Mon, 25 Dec 2023 20:27:50 GMT\r\nx-rgw-object-type: Normal\r\netag: \"19db62c04b1f30a019ac3a6eae94d3b2\"\r\ncache-control: max-age=2592000\r\nx-amz-request-id: tx000007cef54fc95add087-00673fb9e2-117b7455d-fra1b\r\nvary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method\r\nstrict-transport-security: max-age=15552000; includeSubDomains; preload\r\nx-envoy-upstream-healthchecked-cluster: \r\nx-id-shield: am3-hw-edge-gc88\r\nage: 717\r\nx-cached-since: 2024-11-21T22:53:22+00:00\r\ntraceparent: 00-a945ce505b5abde4e2d5856276e42961-48c77107eb66f6cf-01\r\nx-id: osix-hw-edge-gc4\r\ncache: HIT, MISS\r\naccept-ranges: bytes\r\nx-id-fe: osix-hw-edge-gc4\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":438047,"size_decoded":438047,"mime_type":"application/zip","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","md5":"19db62c04b1f30a019ac3a6eae94d3b2","sha1":"b087bdc48172bb46f8e18183cd04296f1ebc06cf","sha256":"5e1923eb965c7cee219817016ce0336f0907f5112f8a28e159620b7e80aa77ce","sha512":"c1c81fd0c3b0d70b14320df9a932679f931f98631eaaf751e0c11b4ca9ec767b25cddcf380d4a842e56067ffbc014fcdc026e32714d1bb9a883ee3d68112e284","ssdeep":"6144:EeWQf+GHGAg+KKbvCJgNRMlY0o2oEhccEKY+BcgRGEEaUUkRu8iSOapvexIrEMEP:ErQfnmUKKbKeNR1v2x2+B9YL/2qO","tlshash":"c6946e4872d7cf9ab3b0bbb915c25e141db941db60034a7fa83226d7a3c135d962a23d","first_seen":"2023-12-25T21:29:54Z","last_seen":"2024-11-21T23:05:46.628545Z","times_seen":4,"resource_available":false,"data":null}},"time_used":249,"timings":{"blocked":23,"dns":0,"connect":1,"send":0,"wait":83,"receive":118,"ssl":22},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}