{"report_id":"822930f2-5a1d-41da-8cb6-b28f4b03e605","version":6,"status":"done","tags":[],"date":"2024-11-28T00:14:28Z","url":{"schema":"https","addr":"80.76.51.231/Samarik","fqdn":"80.76.51.231","domain":"80.76.51.231","tld":""},"ip":{"addr":"80.76.51.231","port":0,"asn":401116,"as":"NYBULA","country":"The Netherlands","country_code":"NL"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":["urlhaus"],"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-06T00:14:28Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"80.76.51.231","ip":{"addr":"80.76.51.231","port":443,"asn":216156,"as":"Epikwire Broadband Limited","country":"Brazil","country_code":"BR"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2022-12-10T22:37:10Z","last_seen":"2024-01-14T15:30:19Z","alert_count":3,"request_count":1,"received_data":454280,"sent_data":474,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"e8c68f1ef3006a3e728a61893e21c13c","sha1":"74e10b769e413d5387daa63cd263e01cd9ffde88","sha256":"40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","sha512":"ed51458d489c1d169b6ef8cad3becf0f4dcc6fd5fdc1e9995845a9df1d4f4242cbbb351d0750d189f0fe67a154d2b8d4953e129412dc115166d0ea913199bf75","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections","size":453911,"url":{"schema":"https","addr":"80.76.51.231/Samarik","fqdn":"80.76.51.231","domain":"80.76.51.231","tld":""},"ip":{"addr":"80.76.51.231","port":443,"asn":216156,"as":"Epikwire Broadband Limited","country":"Brazil","country_code":"BR"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-28","alert":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","trigger":"80.76.51.231/Samarik","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-30","description":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","malpedia_family":"win.emmenhtal","rule":"IDATDropper","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC BY 4.0","yarahub_reference_link":"https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/","yarahub_reference_md5":"db1ae063d1be2bcb6af8f4afb145cdc4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"9dbff40b-6257-438d-8932-e7fb652a4d6a"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-26","alert":"Scan result 34/70","trigger":"40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","verdict":"malicious","severity":"","comment":"malicious - 34/70","link":"https://www.virustotal.com/gui/file/40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"e8c68f1ef3006a3e728a61893e21c13c","sha1":"74e10b769e413d5387daa63cd263e01cd9ffde88","sha256":"40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","sha512":"ed51458d489c1d169b6ef8cad3becf0f4dcc6fd5fdc1e9995845a9df1d4f4242cbbb351d0750d189f0fe67a154d2b8d4953e129412dc115166d0ea913199bf75","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections","size":453911,"url":{"schema":"https","addr":"80.76.51.231/Samarik","fqdn":"80.76.51.231","domain":"80.76.51.231","tld":""},"ip":{"addr":"80.76.51.231","port":443,"asn":216156,"as":"Epikwire Broadband Limited","country":"Brazil","country_code":"BR"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-28","alert":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","trigger":"80.76.51.231/Samarik","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-30","description":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","malpedia_family":"win.emmenhtal","rule":"IDATDropper","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC BY 4.0","yarahub_reference_link":"https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/","yarahub_reference_md5":"db1ae063d1be2bcb6af8f4afb145cdc4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"9dbff40b-6257-438d-8932-e7fb652a4d6a"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-26","alert":"Scan result 34/70","trigger":"40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","verdict":"malicious","severity":"","comment":"malicious - 34/70","link":"https://www.virustotal.com/gui/file/40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-28","alert":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","trigger":"80.76.51.231/Samarik","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-30","description":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","malpedia_family":"win.emmenhtal","rule":"IDATDropper","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC BY 4.0","yarahub_reference_link":"https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/","yarahub_reference_md5":"db1ae063d1be2bcb6af8f4afb145cdc4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"9dbff40b-6257-438d-8932-e7fb652a4d6a"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-28","alert":"Sinkholed","trigger":"80.76.51.231","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"80.76.51.231/Samarik","fqdn":"80.76.51.231","domain":"80.76.51.231","tld":""},"ip":{"addr":"80.76.51.231","port":443,"asn":216156,"as":"Epikwire Broadband Limited","country":"Brazil","country_code":"BR"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-28T00:14:02.584Z","timestamp":1732752842584,"http_version":"HTTP/1.1","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_256_GCM_SHA384","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"80.76.51.231","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Thu, 17 Oct 2024 00:00:00 GMT","end":"Fri, 17 Oct 2025 23:59:59 GMT"},"fingerprint":{"sha1":"A7:3E:F0:20:CB:20:95:67:E4:05:97:42:F3:E5:AB:83:90:54:7E:9E","sha256":"51:46:CA:1E:2D:4C:7A:04:8C:A2:60:36:8A:0F:83:E9:53:46:8A:38:FA:30:62:D5:6F:FC:E1:9D:0F:7A:E1:AE"}}},"request":{"raw":"GET /Samarik HTTP/1.1\r\nHost: 80.76.51.231\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nX-Powered-By: Express\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Methods: POST, GET, OPTIONS\r\nAccess-Control-Allow-Headers: Content-Type\r\nContent-Disposition: attachment; filename=Samarik\r\nContent-Type: application/octet-stream\r\nDate: Thu, 28 Nov 2024 00:14:02 GMT\r\nConnection: keep-alive\r\nKeep-Alive: timeout=5\r\nTransfer-Encoding: chunked\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":453911,"size_decoded":453911,"mime_type":"application/octet-stream","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections","md5":"e8c68f1ef3006a3e728a61893e21c13c","sha1":"74e10b769e413d5387daa63cd263e01cd9ffde88","sha256":"40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","sha512":"ed51458d489c1d169b6ef8cad3becf0f4dcc6fd5fdc1e9995845a9df1d4f4242cbbb351d0750d189f0fe67a154d2b8d4953e129412dc115166d0ea913199bf75","ssdeep":"6144:e+WoC/IdkUPq5l+WoC/IdkUPq50+WoC/IdkUPq5L+WoC/IdkUPq5b+WoC/IdkUPO:epOkVpOkkpOk7pOkrpOk","tlshash":"8aa43921b6d80179e4e2e274257d3e7191bfe8778f2a50db1b300799a6b4bc0ac74793","first_seen":"2024-11-28T00:14:29.079484Z","last_seen":"2025-02-04T12:49:10.438379Z","times_seen":8,"resource_available":false,"data":null}},"time_used":613,"timings":{"blocked":212,"dns":1,"connect":29,"send":0,"wait":64,"receive":124,"ssl":176},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-28","alert":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","trigger":"80.76.51.231/Samarik","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"NDA0E","date":"2024-07-30","description":"Detects files containing embedded JavaScript; the JS executes a PowerShell command which either downloads IDATLoader in an archive, or an executable (not IDATLoader) which is loaded into memory. The modified PE will only run if it's executed as an HTML Application (.hta).","malpedia_family":"win.emmenhtal","rule":"IDATDropper","yarahub_author_twitter":"@NDA0E","yarahub_license":"CC BY 4.0","yarahub_reference_link":"https://cyble.com/blog/increase-in-the-exploitation-of-microsoft-smartscreen-vulnerability-cve-2024-21412/","yarahub_reference_md5":"db1ae063d1be2bcb6af8f4afb145cdc4","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"9dbff40b-6257-438d-8932-e7fb652a4d6a"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-11-28","alert":"Sinkholed","trigger":"80.76.51.231","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-11-26","alert":"Scan result 34/70","trigger":"40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","verdict":"malicious","severity":"","comment":"malicious - 34/70","link":"https://www.virustotal.com/gui/file/40b80287ba2af16daaf8e74a9465a0b876ab39f68c7ba6405cfcb41601eeec15","meta":null}],"urlquery":null}}]}