{"report_id":"87d739b4-9df3-4fb5-a090-8bf2070526c3","version":6,"status":"done","tags":[],"date":"2024-06-17T14:04:41Z","url":{"schema":"http","addr":"dezlwerqy1h00.cloudfront.net/Media/Drivers/25036_02.zip","fqdn":"dezlwerqy1h00.cloudfront.net","domain":"dezlwerqy1h00.cloudfront.net","tld":"cloudfront.net"},"ip":{"addr":"108.157.217.129","port":0,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T13:02:59Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"r10.o.lencr.org","ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-06 21:45:11","last_seen":"2024-06-15 18:30:36","alert_count":0,"request_count":4,"received_data":3551,"sent_data":1308,"comment":"","tags":null,"fingerprints":null},{"fqdn":"dezlwerqy1h00.cloudfront.net","ip":{"addr":"108.157.217.129","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"domain_registered":"2008-04-25","domain_rank":0,"first_seen":"2017-02-28 07:01:47","last_seen":"2024-06-05 10:31:38","alert_count":0,"request_count":1,"received_data":2543431,"sent_data":509,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"5059f11b070357b8a9c8c7888ac0cb0f","sha1":"af986fce13745084f3d7f5ab6e12a390a8ad998c","sha256":"49fb4c51fcfd4c148813b185339983425597e83e302a237c54b82fab07a2d38f","sha512":"4a09207c97b16f1f6432162cd11fdf934ecca85d62caa90333e7cc202f8169252bb4bbf647aa1a0e4923f9ce25b4ab9a5069386099cae987ebbf54b9520198b2","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","size":2542929,"url":{"schema":"https","addr":"dezlwerqy1h00.cloudfront.net/Media/Drivers/25036_02.zip","fqdn":"dezlwerqy1h00.cloudfront.net","domain":"dezlwerqy1h00.cloudfront.net","tld":"cloudfront.net"},"ip":{"addr":"108.157.217.129","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"archive":[{"path":"25036_02.exe","filename":"25036_02.exe","modified":"","Modified":"2023-03-02T12:01:55+02:00","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections","size":2913232,"md5":"e7b8e6ea067bc18803a6aeed9a168551","sha1":"c4a1b953e5d942478c26cf528010efadef69498a","sha256":"d071f9a75b6eeb7d5bff3c507cd98ccfe8e2d3fcbe33d59816e925545d3cad7b","sha512":"64dd3f77e0b3e766ecc963dd9d63cb05277e32257e05613bf7cec8674905456dc4c07e957e26631e73c6d57f93de9de2819a53101d39aefc0aaf10fe68efc87e","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-06-17","alert":"meth_stackstrings","trigger":"25036_02.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-02-02","alert":"Scan result 1/70","trigger":"d071f9a75b6eeb7d5bff3c507cd98ccfe8e2d3fcbe33d59816e925545d3cad7b","verdict":"suspicious","severity":"","comment":"suspicious - 1/70","link":"https://www.virustotal.com/gui/file/d071f9a75b6eeb7d5bff3c507cd98ccfe8e2d3fcbe33d59816e925545d3cad7b","meta":null}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-06-17","alert":"meth_stackstrings","trigger":"25036_02.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-06-17T14:04:15.240167227Z","timestamp":1718633055240,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"146FE131CF8436E3DE4832A23B351400B4819DBD9B9716302248D3AB447F000C\"\r\nLast-Modified: Sat, 15 Jun 2024 13:53:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=3755\r\nExpires: Mon, 17 Jun 2024 15:06:50 GMT\r\nDate: Mon, 17 Jun 2024 14:04:15 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"5c35a3180482afadf4e89f4cc249fa7b","sha1":"8a088c184606fe3e4e0da8cd90b6eb5e6d30fb97","sha256":"146fe131cf8436e3de4832a23b351400b4819dbd9b9716302248d3ab447f000c","sha512":"69ceef04fe4f86da5a1c84e5d5ba164db85d4817e66cd8dabecf0df8ac7d47749f2d6cbed7ac33345f6fb6c984fe97caecec446f5a0914841ca524b9f435c8d9","ssdeep":"","tlshash":"1cf00e1210a6b8f06af101205ff9ed182c64ac9d3c1234e03ce8bdf2a4657e40f8c098","first_seen":"2024-06-15T15:57:10Z","last_seen":"2024-08-19T19:55:02.755491Z","times_seen":41629,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-06-17T14:04:15.729908902Z","timestamp":1718633055729,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"F9A59EBEF1EE608C709B274E1C7BE1320323232CDC79B17BDBF453A5A5AEAD09\"\r\nLast-Modified: Mon, 17 Jun 2024 11:47:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=13401\r\nExpires: Mon, 17 Jun 2024 17:47:36 GMT\r\nDate: Mon, 17 Jun 2024 14:04:15 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"9d139a09a36fce99ece1fb963d49d2a9","sha1":"a7d96d8755d02c7204c147daade1b1168a6ddb73","sha256":"f9a59ebef1ee608c709b274e1c7be1320323232cdc79b17bdbf453a5a5aead09","sha512":"2f3b4b35676cee60aa69c986ce24912bdf1e5d2f893b69833a84884b248c5b16659f4b176d5f289e4c798bc29f13bfad918894f1d1efbde50713dcde03eff35a","ssdeep":"","tlshash":"5cf0c96122e6f89099622202fcc9e20c8fd2ad7f3840a2a0256883d2e0417b283840a8","first_seen":"2024-06-17T13:51:28Z","last_seen":"2024-08-19T19:42:29.906975Z","times_seen":39533,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"dezlwerqy1h00.cloudfront.net/Media/Drivers/25036_02.zip","fqdn":"dezlwerqy1h00.cloudfront.net","domain":"dezlwerqy1h00.cloudfront.net","tld":"cloudfront.net"},"ip":{"addr":"108.157.217.129","port":443,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-06-17T14:04:15.818Z","timestamp":1718633055818,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.cloudfront.net","organization":""},"issuer":{"commonName":"Amazon RSA 2048 M01","organization":"Amazon"},"validity":{"start":"Tue, 10 Oct 2023 00:00:00 GMT","end":"Thu, 19 Sep 2024 23:59:59 GMT"},"fingerprint":{"sha1":"FA:21:45:DC:4D:94:03:A3:09:77:51:78:4A:21:F2:C5:6D:94:BE:52","sha256":"E9:59:5B:FB:7B:3B:3F:96:AE:46:70:B0:A0:33:9A:0E:15:23:16:45:47:E4:D7:05:52:4B:6B:08:84:7B:BA:1D"}}},"request":{"raw":"GET /Media/Drivers/25036_02.zip HTTP/1.1\r\nHost: dezlwerqy1h00.cloudfront.net\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncontent-type: application/zip\r\ncontent-length: 2542929\r\ndate: Mon, 17 Jun 2024 09:42:15 GMT\r\nlast-modified: Tue, 24 Oct 2023 09:16:37 GMT\r\netag: \"5059f11b070357b8a9c8c7888ac0cb0f\"\r\nx-amz-server-side-encryption: AES256\r\naccept-ranges: bytes\r\nserver: AmazonS3\r\nx-cache: Hit from cloudfront\r\nvia: 1.1 d84d4103926180da8f8abcb90515db0c.cloudfront.net (CloudFront)\r\nx-amz-cf-pop: ARN56-P1\r\nx-amz-cf-id: 9Sk56jDq5oPn3WQwAX0KriP7Xj_P79TQfOrywJOiajF0ge8aEHO3ZA==\r\nage: 15721\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":2542929,"size_decoded":2542929,"mime_type":"application/zip","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","md5":"5059f11b070357b8a9c8c7888ac0cb0f","sha1":"af986fce13745084f3d7f5ab6e12a390a8ad998c","sha256":"49fb4c51fcfd4c148813b185339983425597e83e302a237c54b82fab07a2d38f","sha512":"4a09207c97b16f1f6432162cd11fdf934ecca85d62caa90333e7cc202f8169252bb4bbf647aa1a0e4923f9ce25b4ab9a5069386099cae987ebbf54b9520198b2","ssdeep":"49152:I7SqZaVB2QSuuyotBOeYGNqb07Bwb/94WQ29OEb0:IHZaKQSusJYQqbWwx4wzb0","tlshash":"bfc533d1f90a8b173025aa7b4838b0533d450ffa4a49deb5dc99b11d309ed5bb0b83b9","first_seen":"2024-08-19T19:41:56.03495Z","last_seen":"2024-08-19T19:41:56.03495Z","times_seen":1,"resource_available":false,"data":null}},"time_used":392,"timings":{"blocked":27,"dns":1,"connect":8,"send":0,"wait":11,"receive":327,"ssl":15},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.76.226","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-06-17T14:04:18.190791356Z","timestamp":1718633058190,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"18FFB58DA62F40B37A43B0BAACEEFE8BC3EF83CCDF9EE19FF874CCB0D802C9F2\"\r\nLast-Modified: Sat, 15 Jun 2024 17:32:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=17089\r\nExpires: Mon, 17 Jun 2024 18:49:07 GMT\r\nDate: Mon, 17 Jun 2024 14:04:18 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"ede0b27def700f18bb6d4eb4c1d97352","sha1":"c802c366cb2eee6b9339349aa21677fdb1bd5fa5","sha256":"18ffb58da62f40b37a43b0baaceefe8bc3ef83ccdf9ee19ff874ccb0d802c9f2","sha512":"b1261e87645eb6cd74edb193283924e437ec388df9d45bad1eb6840a7de3584ca9e0e7ddd04a78b542d85733e76b02f839339e75691cecaf7b1894a7cd0bd35b","ssdeep":"","tlshash":"c8f054021098f99565a306121dfbe3053fb47cf8791c9ac014e488d128a0feca7c4009","first_seen":"2024-06-15T19:33:51Z","last_seen":"2024-08-19T19:54:20.816757Z","times_seen":41892,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.76.226","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-06-17T14:04:18.196063559Z","timestamp":1718633058196,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"18FFB58DA62F40B37A43B0BAACEEFE8BC3EF83CCDF9EE19FF874CCB0D802C9F2\"\r\nLast-Modified: Sat, 15 Jun 2024 17:32:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=17089\r\nExpires: Mon, 17 Jun 2024 18:49:07 GMT\r\nDate: Mon, 17 Jun 2024 14:04:18 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"ede0b27def700f18bb6d4eb4c1d97352","sha1":"c802c366cb2eee6b9339349aa21677fdb1bd5fa5","sha256":"18ffb58da62f40b37a43b0baaceefe8bc3ef83ccdf9ee19ff874ccb0d802c9f2","sha512":"b1261e87645eb6cd74edb193283924e437ec388df9d45bad1eb6840a7de3584ca9e0e7ddd04a78b542d85733e76b02f839339e75691cecaf7b1894a7cd0bd35b","ssdeep":"","tlshash":"c8f054021098f99565a306121dfbe3053fb47cf8791c9ac014e488d128a0feca7c4009","first_seen":"2024-06-15T19:33:51Z","last_seen":"2024-08-19T19:54:20.816757Z","times_seen":41892,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}