{"report_id":"6afd4407-cdad-4a33-93d2-1521332cdcf9","version":6,"status":"done","tags":[],"date":"2023-09-19T05:21:10Z","url":{"schema":"http","addr":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","fqdn":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org","domain":"primeworldwide.org","tld":"org"},"ip":{"addr":"44.214.93.91","port":0,"asn":14618,"as":"AMAZON-AES","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T23:12:50Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org","ip":{"addr":"44.214.93.91","port":443,"asn":14618,"as":"AMAZON-AES","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":4,"request_count":1,"received_data":2440,"sent_data":541,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2023-09-19","alert":"Identifies executable artefacts in shortcut (LNK) files.","trigger":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"INFO","creation_date":"2020-01-01","description":"Identifies executable artefacts in shortcut (LNK) files.","fingerprint":"f169fab39da34f827cdff5ee022374f7c1cc0b171da9c2bb718d8fee9657d7a3","first_imported":"2021-12-30","id":"3SSZmnnXU0l4qoc9wubdhN","last_modified":"2021-12-30","rule":"EXE_in_LNK","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2023-09-19","alert":"Identifies execution artefacts in shortcut (LNK) files.","trigger":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"INFO","creation_date":"2020-01-01","description":"Identifies execution artefacts in shortcut (LNK) files.","fingerprint":"cf4910d057f099ef2d2b6fc80739a41e3594c500e6b4eca0fc8f64e48f6dcefb","first_imported":"2021-12-30","id":"77XnooZUMUCCdEuppmQ0My","last_modified":"2021-12-30","rule":"Execution_in_LNK","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2023-09-19","alert":"Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.","trigger":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"INFO","creation_date":"2020-01-01","description":"Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.","fingerprint":"4b822248bade98d0528ab13549797c225784d7f953fe9c14d178c9d530fb3e55","first_imported":"2021-12-30","id":"2ogEIXl8u2qUbIgxTmruYX","last_modified":"2021-12-30","rule":"Long_RelativePath_LNK","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-19","alert":"Sinkholed","trigger":"primeworldwide.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","fqdn":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org","domain":"primeworldwide.org","tld":"org"},"ip":{"addr":"44.214.93.91","port":443,"asn":14618,"as":"AMAZON-AES","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2023-09-19T05:20:53.569Z","timestamp":1695100853569,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org","organization":""},"issuer":{"commonName":"R3","organization":"Let's Encrypt"},"validity":{"start":"Tue, 29 Aug 2023 15:18:53 GMT","end":"Mon, 27 Nov 2023 15:18:52 GMT"},"fingerprint":{"sha1":"73:24:95:74:C6:02:BA:3D:B2:58:D6:7F:FB:F8:05:10:53:4B:C4:1C","sha256":"42:6F:81:68:92:AF:EC:DE:F8:AD:CB:48:52:5B:DA:44:A8:BD:16:A3:1D:50:6D:05:E6:E6:CE:7E:B0:B1:9D:6D"}}},"request":{"raw":"GET /PostOnce/PostOnce.lnk HTTP/1.1\r\nHost: uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nContent-Length: 2173\r\nLast-Modified: Mon, 28 Aug 2023 18:17:02 GMT\r\nContent-Type: application/octet-stream\r\nDate: Tue, 19 Sep 2023 05:20:53 GMT\r\nETag: \"133295-1693246622-2173\"\r\nAccept-Ranges: bytes\r\nServer: WsgiDAV/4.2.0 Cheroot/10.0.0 Python 3.7.3\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":2173,"size_decoded":0,"mime_type":"application/octet-stream","magic":"MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=316, Archive, ctime=Wed Mar 31 19:12:33 2021, mtime=Tue May  3 23:10:59 2022, atime=Wed Mar 31 19:12:33 2021, length=289792, window=hidenormalshowminimized\\012-  Windows shortcut file\\012- data","md5":"73eeee06cec1e6d6656840d58d3f6038","sha1":"68e6db5d864ba57f49170195f8ed6f0bc6cecb1f","sha256":"386cc8cdbfed4ea436d934d4cf6f211d66d41eeaa37b8b6f57fa8a108a512b20","sha512":"2418f69434ccba70cca247fb75162119497395d48bac29d5f9e39652ea1eaf9a191241a9290fa48601b779efe2c69aa343075d6910d9074a8425854cc9203f10","ssdeep":"","tlshash":"4d41021217c66724e3fd4e32587ae2118a33bc16ed57cb5c558851851c94718ec36f37","first_seen":"2023-09-19T07:21:17Z","last_seen":"2023-09-19T07:21:17Z","times_seen":1,"resource_available":false,"data":null}},"time_used":970,"timings":{"blocked":430,"dns":0,"connect":101,"send":0,"wait":100,"receive":0,"ssl":336},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2023-09-19","alert":"Identifies executable artefacts in shortcut (LNK) files.","trigger":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"INFO","creation_date":"2020-01-01","description":"Identifies executable artefacts in shortcut (LNK) files.","fingerprint":"f169fab39da34f827cdff5ee022374f7c1cc0b171da9c2bb718d8fee9657d7a3","first_imported":"2021-12-30","id":"3SSZmnnXU0l4qoc9wubdhN","last_modified":"2021-12-30","rule":"EXE_in_LNK","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2023-09-19","alert":"Identifies execution artefacts in shortcut (LNK) files.","trigger":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"INFO","creation_date":"2020-01-01","description":"Identifies execution artefacts in shortcut (LNK) files.","fingerprint":"cf4910d057f099ef2d2b6fc80739a41e3594c500e6b4eca0fc8f64e48f6dcefb","first_imported":"2021-12-30","id":"77XnooZUMUCCdEuppmQ0My","last_modified":"2021-12-30","rule":"Execution_in_LNK","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public InfoSec YARA rules","scan_date":"2023-09-19","alert":"Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.","trigger":"uhc.xn--comsharing-c1vdkb-enus1067u-c1wb-nem.primeworldwide.org/PostOnce/PostOnce.lnk","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/bartblaze/Yara-rules","meta":{"author":"@bartblaze","category":"INFO","creation_date":"2020-01-01","description":"Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.","fingerprint":"4b822248bade98d0528ab13549797c225784d7f953fe9c14d178c9d530fb3e55","first_imported":"2021-12-30","id":"2ogEIXl8u2qUbIgxTmruYX","last_modified":"2021-12-30","rule":"Long_RelativePath_LNK","sharing":"TLP:WHITE","source":"BARTBLAZE","status":"RELEASED","version":"1.0"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2023-09-19","alert":"Sinkholed","trigger":"primeworldwide.org","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}