{"report_id":"6a3f9105-8624-4e45-904a-dd00bf00e7dd","version":6,"status":"done","tags":[],"date":"2024-10-28T17:02:18Z","url":{"schema":"http","addr":"139.162.102.163/me.exe","fqdn":"139.162.102.163","domain":"139.162.102.163","tld":""},"ip":{"addr":"139.162.102.163","port":0,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-01-06T17:02:18Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"139.162.102.163","ip":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":15,"request_count":1,"received_data":69958,"sent_data":392,"comment":"","tags":null,"fingerprints":null},{"fqdn":"aus5.mozilla.org","ip":{"addr":"35.244.181.201","port":0,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"domain_registered":"1998-01-24","domain_rank":2548,"first_seen":"2015-10-27T08:06:24Z","last_seen":"2024-10-23T01:34:38.902317Z","alert_count":0,"request_count":1,"received_data":1221,"sent_data":512,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"04485ee0f0313f990255aa4a06546abb","sha1":"fa87b9a7b914c11fb75b775e391a3ad46d4eb432","sha256":"b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","sha512":"d95011d0bbae4c63ab0acf26568d0759990f26ed87dbc60ed01fdb840477519adb931feff6a6029c0b32d4ba4623ef2951ca260fcfabc609b364f51f775f024b","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections","size":69632,"url":{"schema":"http","addr":"139.162.102.163/me.exe","fqdn":"139.162.102.163","domain":"139.162.102.163","tld":""},"ip":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects Running RAT from Gold Dragon report","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-02-03","description":"Detects Running RAT from Gold Dragon report","hash1":"0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88","hash2":"2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863","hash3":"7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/rW1yvZ","rule":"GoldDragon_RunningRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects a ZxShell related sample from a CN threat group","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-08","description":"Detects a ZxShell related sample from a CN threat group","hash1":"ef56c2609bc1b90f3e04745890235e6052a4be94e35e38b6f69b64fb17a7064e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blogs.rsa.com/cat-phishing/","rule":"ZxShell_Related_Malware_CN_Group_Jul17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects typical strings in a reversed or otherwise modified form","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-07-31","description":"Detects typical strings in a reversed or otherwise modified form","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Typical_Malware_String_Transforms","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-28","alert":"meth_stackstrings","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-10-28","alert":"Scan result 57/73","trigger":"b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","verdict":"malicious","severity":"","comment":"malicious - 57/73","link":"https://www.virustotal.com/gui/file/b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","meta":null},{"sensor_name":"clamav","sensor_type":"antivirus","title":"","description":"ClamAV","scan_date":"2024-10-28","alert":"Win.Trojan.Farfli-9755023-0","trigger":"b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:54Z","timestamp":1730134914,"ip_dst":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"ip_src":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2024-10-28T17:01:54.838191+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.21\",\"src_port\":55238,\"dest_ip\":\"139.162.102.163\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1120},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":666,\"bytes_toclient\":6196,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:54Z","timestamp":1730134914,"ip_dst":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"ip_src":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile","source":"{\"timestamp\":\"2024-10-28T17:01:54.838191+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.21\",\"src_port\":55238,\"dest_ip\":\"139.162.102.163\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019714,\"rev\":13,\"signature\":\"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2014_11_15\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_22\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1120},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":666,\"bytes_toclient\":6196,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ETPRO HUNTING Observed Suspicious Reversed String Inbound (ExpandEnvironmentStrings)","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2841562,\"rev\":2,\"signature\":\"ETPRO HUNTING Observed Suspicious Reversed String Inbound (ExpandEnvironmentStrings)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2020_03_18\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_11_09\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ETPRO HUNTING Observed Suspicious Reversed String Inbound (Microsoft)","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2841565,\"rev\":2,\"signature\":\"ETPRO HUNTING Observed Suspicious Reversed String Inbound (Microsoft)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2020_03_18\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_11_09\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ETPRO HUNTING Suspicious Reversed String Inbound (kernel32.dll)","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2849681,\"rev\":1,\"signature\":\"ETPRO HUNTING Suspicious Reversed String Inbound (kernel32.dll)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2021_08_17\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2021_08_17\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"high","alert":"ETPRO MALWARE Observed Reversed EXE String Inbound (This Program...)","source":"{\"timestamp\":\"2024-10-28T17:01:55.843169+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2848901,\"rev\":2,\"signature\":\"ETPRO MALWARE Observed Reversed EXE String Inbound (This Program...)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2021_06_10\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2022_08_04\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":65536},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":32,\"pkts_toclient\":53,\"bytes_toserver\":2514,\"bytes_toclient\":70818,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects Running RAT from Gold Dragon report","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-02-03","description":"Detects Running RAT from Gold Dragon report","hash1":"0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88","hash2":"2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863","hash3":"7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/rW1yvZ","rule":"GoldDragon_RunningRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects a ZxShell related sample from a CN threat group","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-08","description":"Detects a ZxShell related sample from a CN threat group","hash1":"ef56c2609bc1b90f3e04745890235e6052a4be94e35e38b6f69b64fb17a7064e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blogs.rsa.com/cat-phishing/","rule":"ZxShell_Related_Malware_CN_Group_Jul17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects typical strings in a reversed or otherwise modified form","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-07-31","description":"Detects typical strings in a reversed or otherwise modified form","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Typical_Malware_String_Transforms","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-28","alert":"meth_stackstrings","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-28","alert":"Sinkholed","trigger":"139.162.102.163","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"139.162.102.163/me.exe","fqdn":"139.162.102.163","domain":"139.162.102.163","tld":""},"ip":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-10-28T17:01:54.260Z","timestamp":1730134914260,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /me.exe HTTP/1.1\r\nHost: 139.162.102.163\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Mon, 28 Oct 2024 09:01:54 GMT\r\nServer: Apache/2.2.21 (Win32) PHP/5.2.17\r\nLast-Modified: Sun, 27 Oct 2024 08:56:03 GMT\r\nETag: \"a00000001732d-11000-6257185a1959a\"\r\nAccept-Ranges: bytes\r\nContent-Length: 69632\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdownload\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":69632,"size_decoded":69632,"mime_type":"application/x-msdownload","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections","md5":"04485ee0f0313f990255aa4a06546abb","sha1":"fa87b9a7b914c11fb75b775e391a3ad46d4eb432","sha256":"b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","sha512":"d95011d0bbae4c63ab0acf26568d0759990f26ed87dbc60ed01fdb840477519adb931feff6a6029c0b32d4ba4623ef2951ca260fcfabc609b364f51f775f024b","ssdeep":"768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMI4V:BHJaAoHoc2x7bZoYBAcQlwJdME","tlshash":"43636c02b780c07bce0123b22c65936e596abfa46bdc2587f7e9cb0f07359d17919923","first_seen":"2024-10-28T17:02:22.746947Z","last_seen":"2024-10-28T17:02:22.746947Z","times_seen":1,"resource_available":false,"data":null}},"time_used":1913,"timings":{"blocked":325,"dns":0,"connect":328,"send":0,"wait":254,"receive":1005,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:54Z","timestamp":1730134914,"ip_dst":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"ip_src":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2024-10-28T17:01:54.838191+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.21\",\"src_port\":55238,\"dest_ip\":\"139.162.102.163\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1120},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":666,\"bytes_toclient\":6196,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:54Z","timestamp":1730134914,"ip_dst":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"ip_src":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile","source":"{\"timestamp\":\"2024-10-28T17:01:54.838191+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.21\",\"src_port\":55238,\"dest_ip\":\"139.162.102.163\",\"dest_port\":80,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2019714,\"rev\":13,\"signature\":\"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2014_11_15\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_22\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1120},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":6,\"bytes_toserver\":666,\"bytes_toclient\":6196,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":4,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2023_04_12\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"created_at\":[\"2015_05_08\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ETPRO HUNTING Observed Suspicious Reversed String Inbound (ExpandEnvironmentStrings)","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2841562,\"rev\":2,\"signature\":\"ETPRO HUNTING Observed Suspicious Reversed String Inbound (ExpandEnvironmentStrings)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2020_03_18\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_11_09\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ETPRO HUNTING Observed Suspicious Reversed String Inbound (Microsoft)","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2841565,\"rev\":2,\"signature\":\"ETPRO HUNTING Observed Suspicious Reversed String Inbound (Microsoft)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2020_03_18\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2020_11_09\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"medium","alert":"ETPRO HUNTING Suspicious Reversed String Inbound (kernel32.dll)","source":"{\"timestamp\":\"2024-10-28T17:01:55.591843+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2849681,\"rev\":1,\"signature\":\"ETPRO HUNTING Suspicious Reversed String Inbound (kernel32.dll)\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2021_08_17\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2021_08_17\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":51800},\"files\":[{\"filename\":\"/me.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":51800,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":22,\"pkts_toclient\":43,\"bytes_toserver\":1854,\"bytes_toclient\":56422,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-10-28T17:01:55Z","timestamp":1730134915,"ip_dst":{"addr":"172.18.0.21","port":55238,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"139.162.102.163","port":80,"asn":63949,"as":"Akamai Connected Cloud","country":"Japan","country_code":"JP"},"severity":"high","alert":"ETPRO MALWARE Observed Reversed EXE String Inbound (This Program...)","source":"{\"timestamp\":\"2024-10-28T17:01:55.843169+0000\",\"flow_id\":1182205913263060,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"139.162.102.163\",\"src_port\":80,\"dest_ip\":\"172.18.0.21\",\"dest_port\":55238,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2848901,\"rev\":2,\"signature\":\"ETPRO MALWARE Observed Reversed EXE String Inbound (This Program...)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2021_06_10\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2022_08_04\"]}},\"http\":{\"hostname\":\"139.162.102.163\",\"url\":\"/me.exe\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"application/x-msdownload\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":65536},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":32,\"pkts_toclient\":53,\"bytes_toserver\":2514,\"bytes_toclient\":70818,\"start\":\"2024-10-28T17:01:54.256980+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects Running RAT from Gold Dragon report","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2018-02-03","description":"Detects Running RAT from Gold Dragon report","hash1":"0852f2c5741997d8899a34bb95c349d7a9fb7277cd0910656c3ce37a6f11cb88","hash2":"2981e1a1b3c395cee6e4b9e6c46d062cf6130546b04401d724750e4c8382c863","hash3":"7aa99ebc49a130f07304ed25655862a04cc20cb59d129e1416a7dfa04f7d3e51","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://goo.gl/rW1yvZ","rule":"GoldDragon_RunningRAT"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects a ZxShell related sample from a CN threat group","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-07-08","description":"Detects a ZxShell related sample from a CN threat group","hash1":"ef56c2609bc1b90f3e04745890235e6052a4be94e35e38b6f69b64fb17a7064e","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"https://blogs.rsa.com/cat-phishing/","rule":"ZxShell_Related_Malware_CN_Group_Jul17_1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-10-28","alert":"Detects typical strings in a reversed or otherwise modified form","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-07-31","description":"Detects typical strings in a reversed or otherwise modified form","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Typical_Malware_String_Transforms","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-28","alert":"meth_stackstrings","trigger":"139.162.102.163/me.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-28","alert":"Sinkholed","trigger":"139.162.102.163","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-10-28","alert":"Scan result 57/73","trigger":"b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","verdict":"malicious","severity":"","comment":"malicious - 57/73","link":"https://www.virustotal.com/gui/file/b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","meta":null},{"sensor_name":"clamav","sensor_type":"antivirus","title":"","description":"ClamAV","scan_date":"2024-10-28","alert":"Win.Trojan.Farfli-9755023-0","trigger":"b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"aus5.mozilla.org/update/3/GMP/111.0a1/20240129201730/Linux_x86_64-gcc3/null/default/Linux%205.15.0-102-generic%20(GTK%203.24.37%2Clibpulse%20not-available)/default/default/update.xml","fqdn":"aus5.mozilla.org","domain":"mozilla.org","tld":"org"},"ip":{"addr":"35.244.181.201","port":0,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-28T17:02:12.573036397Z","timestamp":1730134932573,"http_version":"","security_state":"","security_info":null,"request":{"raw":"GET /update/3/GMP/111.0a1/20240129201730/Linux_x86_64-gcc3/null/default/Linux%205.15.0-102-generic%20(GTK%203.24.37%2Clibpulse%20not-available)/default/default/update.xml HTTP/1.1\r\nHost: aus5.mozilla.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: cross-site\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/2 200 OK\r\nserver: nginx\r\nrule-id: unknown\r\nrule-data-version: unknown\r\ncontent-signature: x5u=https://content-signature-2.cdn.mozilla.net/chains/202402/aus.content-signature.mozilla.org-2024-12-12-13-36-01.chain; p384ecdsa=chUHMvFSwR9pJyNLjooFuPppCryEbb3ChR99vUbvjmxsc3m-gVnR4QwdfybCyxSx8R5eZlgJi-hxBr4bLiK3oxbXGpOnaWCY-ec14mSPcmfsBQp9IyfFbexjVYdhSBxj\r\nstrict-transport-security: max-age=31536000;\r\nx-content-type-options: nosniff\r\ncontent-security-policy: default-src 'none'; frame-ancestors 'none'\r\nx-proxy-cache-status: EXPIRED\r\ncontent-encoding: gzip\r\nvia: 1.1 google\r\ndate: Mon, 28 Oct 2024 17:01:44 GMT\r\ncontent-type: text/xml; charset=utf-8\r\nvary: Accept-Encoding\r\ncontent-length: 444\r\nage: 28\r\ncache-control: public,max-age=90\r\nalt-svc: clear\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":444,"size_decoded":721,"mime_type":"text/xml; charset=utf-8","magic":"XML 1.0 document, ASCII text, with very long lines (332)","md5":"3b324dec137a87ef7e24a30a65b13dd0","sha1":"c0faa95b2f1018e264b3a14aaf50d1003e6c27b3","sha256":"6cd0b591d9239fc8564627e92a804fc261951b1cbaf5fa58a8ada3cc13f51463","sha512":"eee5d0a6354c5cfafdba69236359dbb38be1d7cbfd841230c07617fa3d8982751d8ddbe4f3b9c533a277e836b28a2f483d8ddc79aa09573ca9d49fc16341c061","ssdeep":"","tlshash":"54011069bdb5f89100860aa76626c8015a232287e1541888b8df5fc04f9b9b4536f09d","first_seen":"2023-10-13T18:17:52Z","last_seen":"2025-06-20T01:29:36.566077Z","times_seen":185315,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}