{"report_id":"92e7f4e5-ab63-43a9-b22a-eee75623f24b","version":6,"status":"done","tags":[],"date":"2025-10-25T23:15:41Z","url":{"schema":"http","addr":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","fqdn":"120.25.163.165","domain":"120.25.163.165","tld":""},"ip":{"addr":"120.25.163.165","port":0,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"http","addr":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","fqdn":"120.25.163.165","domain":"120.25.163.165","tld":""},"ip":{"addr":"120.25.163.165","port":0,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-11-29T23:15:41Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":6,"urlquery":0,"analyzer":8}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"ip_src":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"ETPRO MALWARE Observed GET Request for mimikatz.exe","source":"{\"timestamp\":\"2025-10-25T23:15:17.459367+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.16\",\"src_port\":37948,\"dest_ip\":\"120.25.163.165\",\"dest_port\":8080,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2845089,\"rev\":1,\"signature\":\"ETPRO MALWARE Observed GET Request for mimikatz.exe\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2020_10_22\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2020_10_22\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":709,\"bytes_toclient\":6130,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"ip_src":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"URLhaus Known malware download URL detected (3192568)","source":"{\"timestamp\":\"2025-10-25T23:15:17.459367+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.16\",\"src_port\":37948,\"dest_ip\":\"120.25.163.165\",\"dest_port\":8080,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":84055668,\"rev\":1,\"signature\":\"URLhaus Known malware download URL detected (3192568)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2024_09_26\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":709,\"bytes_toclient\":6130,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"ip_src":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2025-10-25T23:15:17.459367+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.16\",\"src_port\":37948,\"dest_ip\":\"120.25.163.165\",\"dest_port\":8080,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"confidence\":[\"High\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":709,\"bytes_toclient\":6130,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2025-10-25T23:15:17.960472+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"120.25.163.165\",\"src_port\":8080,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37948,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43173},\"files\":[{\"filename\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43173,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":32,\"bytes_toserver\":1801,\"bytes_toclient\":47008,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2025-10-25T23:15:17.960472+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"120.25.163.165\",\"src_port\":8080,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37948,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43173},\"files\":[{\"filename\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43173,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":32,\"bytes_toserver\":1801,\"bytes_toclient\":47008,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:21Z","timestamp":1761434121,"ip_dst":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"severity":"high","alert":"ET MALWARE Mimikatz x86 Executable Download Over HTTP","source":"{\"timestamp\":\"2025-10-25T23:15:21.080563+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"120.25.163.165\",\"src_port\":8080,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37948,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2029334,\"rev\":2,\"signature\":\"ET MALWARE Mimikatz x86 Executable Download Over HTTP\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2020_01_29\"],\"deployment\":[\"Internal\",\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2021_04_28\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1023469},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":402,\"pkts_toclient\":518,\"bytes_toserver\":27897,\"bytes_toclient\":778468,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"mimikatz","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Benjamin DELPY (gentilkiwi)","description":"mimikatz","modified":"2022-11-16","rule":"mimikatz","tool_author":"Benjamin DELPY (gentilkiwi)"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Mimikatz strings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-08","description":"Detects Mimikatz strings","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"Mimikatz_Strings","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects mimikatz icon in PE file","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2023-02-18","description":"Detects mimikatz icon in PE file","hash1":"61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1","hash2":"1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925","hash3":"c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85","hash4":"721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab","hash5":"c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595","license":"Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License","reference":"https://blog.gentilkiwi.com/mimikatz","rule":"HKTL_mimikatz_icon","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-05","description":"Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)","hash1":"c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae","hash2":"1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0","hash3":"49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"PowerKatz Analysis","rule":"Powerkatz_DLL_Generic","score":"80","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Mimikatz by using some special strings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-19","description":"Detects Mimikatz by using some special strings","hash1":"058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4","hash2":"eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85","hash3":"f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Mimikatz_Gen_Strings","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-10-25","alert":"meth_stackstrings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Elastic Security YARA rules","description":"Elastic Security YARA Rules","scan_date":"2025-10-25","alert":"Windows.Hacktool.Mimikatz","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-13","fingerprint":"dbbdc492c07e3b95d677044751ee4365ec39244e300db9047ac224029dfe6ab7","id":"1388212a-2146-4565-b93d-4555a110364f","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a","rule":"Windows_Hacktool_Mimikatz_1388212a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2025-10-25","alert":"Win.Dropper.Mimikatz-9778171-1","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null},"summary":[{"fqdn":"120.25.163.165","ip":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":8,"request_count":1,"received_data":1084683,"sent_data":437,"comment":"","tags":null,"fingerprints":[{"name":"Microsoft ASP.NET","description":"ASP.NET is an open-source, server-side web-application framework designed for web development to produce dynamic web pages.","website":"https://www.asp.net","common_platform_enumeration":"cpe:2.3:a:microsoft:asp.net:*:*:*:*:*:*:*:*","icon":"Microsoft ASP.NET.svg","categories":["Web frameworks"]},{"name":"IIS:10.0","description":"Internet Information Services (IIS) is an extensible web server software created by Microsoft for use with the Windows NT family.","website":"https://www.iis.net","common_platform_enumeration":"cpe:2.3:a:microsoft:internet_information_server:*:*:*:*:*:*:*:*","icon":"Microsoft.svg","categories":["Web servers"]},{"name":"Windows Server","description":"Windows Server is a brand name for a group of server operating systems.","website":"https://microsoft.com/windowsserver","common_platform_enumeration":"","icon":"WindowsServer.png","categories":["Operating systems"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"ab9b9561a7c762f4d4f6b4f0f1d0e76d","sha1":"65587aebc325f61602a3a74ef84b6e7d8657e9c3","sha256":"bdba08454ca87888e69b7c9bfa7d3d44c697026198a1026097015d6e6e2a4daa","sha512":"a5988cc25f3b48b9e78e307429131e736454040644fd10ad4bb5b6d5003f03b1de89780c0b49faee9326b37c5cee9080d5ef29bb58671711162b5eeeeb3600df","magic":"PE32 executable (console) Intel 80386, for MS Windows, 5 sections","size":1084416,"url":{"schema":"http","addr":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","fqdn":"120.25.163.165","domain":"120.25.163.165","tld":""},"ip":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"mimikatz","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Benjamin DELPY (gentilkiwi)","description":"mimikatz","modified":"2022-11-16","rule":"mimikatz","tool_author":"Benjamin DELPY (gentilkiwi)"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Mimikatz strings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-08","description":"Detects Mimikatz strings","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"Mimikatz_Strings","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects mimikatz icon in PE file","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2023-02-18","description":"Detects mimikatz icon in PE file","hash1":"61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1","hash2":"1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925","hash3":"c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85","hash4":"721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab","hash5":"c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595","license":"Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License","reference":"https://blog.gentilkiwi.com/mimikatz","rule":"HKTL_mimikatz_icon","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-05","description":"Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)","hash1":"c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae","hash2":"1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0","hash3":"49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"PowerKatz Analysis","rule":"Powerkatz_DLL_Generic","score":"80","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Mimikatz by using some special strings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-19","description":"Detects Mimikatz by using some special strings","hash1":"058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4","hash2":"eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85","hash3":"f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Mimikatz_Gen_Strings","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-10-25","alert":"meth_stackstrings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Elastic Security YARA rules","description":"Elastic Security YARA Rules","scan_date":"2025-10-25","alert":"Windows.Hacktool.Mimikatz","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-13","fingerprint":"dbbdc492c07e3b95d677044751ee4365ec39244e300db9047ac224029dfe6ab7","id":"1388212a-2146-4565-b93d-4555a110364f","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a","rule":"Windows_Hacktool_Mimikatz_1388212a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2025-10-25","alert":"Win.Dropper.Mimikatz-9778171-1","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"ip_src":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"ETPRO MALWARE Observed GET Request for mimikatz.exe","source":"{\"timestamp\":\"2025-10-25T23:15:17.459367+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.16\",\"src_port\":37948,\"dest_ip\":\"120.25.163.165\",\"dest_port\":8080,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2845089,\"rev\":1,\"signature\":\"ETPRO MALWARE Observed GET Request for mimikatz.exe\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2020_10_22\"],\"deployment\":[\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2020_10_22\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":709,\"bytes_toclient\":6130,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"ip_src":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"URLhaus Known malware download URL detected (3192568)","source":"{\"timestamp\":\"2025-10-25T23:15:17.459367+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.16\",\"src_port\":37948,\"dest_ip\":\"120.25.163.165\",\"dest_port\":8080,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":84055668,\"rev\":1,\"signature\":\"URLhaus Known malware download URL detected (3192568)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2024_09_26\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":709,\"bytes_toclient\":6130,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"ip_src":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"medium","alert":"ET INFO Executable Download from dotted-quad Host","source":"{\"timestamp\":\"2025-10-25T23:15:17.459367+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.16\",\"src_port\":37948,\"dest_ip\":\"120.25.163.165\",\"dest_port\":8080,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2016141,\"rev\":9,\"signature\":\"ET INFO Executable Download from dotted-quad Host\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"attack_target\":[\"Client_and_Server\"],\"confidence\":[\"High\"],\"created_at\":[\"2013_01_03\"],\"deployment\":[\"Perimeter\"],\"performance_impact\":[\"Significant\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2024_04_09\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1181},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":4,\"pkts_toclient\":5,\"bytes_toserver\":709,\"bytes_toclient\":6130,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2025-10-25T23:15:17.960472+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"120.25.163.165\",\"src_port\":8080,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37948,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43173},\"files\":[{\"filename\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43173,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":32,\"bytes_toserver\":1801,\"bytes_toclient\":47008,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:17Z","timestamp":1761434117,"ip_dst":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"severity":"medium","alert":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","source":"{\"timestamp\":\"2025-10-25T23:15:17.960472+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"120.25.163.165\",\"src_port\":8080,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37948,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2021076,\"rev\":2,\"signature\":\"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\",\"category\":\"Potentially Bad Traffic\",\"severity\":2,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2015_05_08\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2019_07_26\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":43173},\"files\":[{\"filename\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"sid\":[],\"gaps\":false,\"state\":\"TRUNCATED\",\"stored\":false,\"size\":43173,\"tx_id\":0}],\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":20,\"pkts_toclient\":32,\"bytes_toserver\":1801,\"bytes_toclient\":47008,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-10-25T23:15:21Z","timestamp":1761434121,"ip_dst":{"addr":"172.18.0.16","port":37948,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"severity":"high","alert":"ET MALWARE Mimikatz x86 Executable Download Over HTTP","source":"{\"timestamp\":\"2025-10-25T23:15:21.080563+0000\",\"flow_id\":1502759027514691,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"120.25.163.165\",\"src_port\":8080,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37948,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"http.dottedquadhost\",\"ET.http.binary\"]},\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2029334,\"rev\":2,\"signature\":\"ET MALWARE Mimikatz x86 Executable Download Over HTTP\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"affected_product\":[\"Windows_XP_Vista_7_8_10_Server_32_64_Bit\"],\"attack_target\":[\"Client_Endpoint\"],\"confidence\":[\"High\"],\"created_at\":[\"2020_01_29\"],\"deployment\":[\"Internal\",\"Perimeter\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2021_04_28\"]}},\"http\":{\"hostname\":\"120.25.163.165\",\"http_port\":8080,\"url\":\"/mimikatz_trunk/Win32/mimikatz.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"application/octet-stream\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":1023469},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":402,\"pkts_toclient\":518,\"bytes_toserver\":27897,\"bytes_toclient\":778468,\"start\":\"2025-10-25T23:15:16.957763+0000\"}}"}]}],"analyzer":null,"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","fqdn":"120.25.163.165","domain":"120.25.163.165","tld":""},"ip":{"addr":"120.25.163.165","port":8080,"asn":37963,"as":"Hangzhou Alibaba Advertising Co.,Ltd.","country":"China","country_code":"CN"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-10-25T23:15:16.961Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /mimikatz_trunk/Win32/mimikatz.exe HTTP/1.1\r\nHost: 120.25.163.165:8080\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nLast-Modified: Mon, 19 Sep 2022 15:43:55 GMT\r\nAccept-Ranges: bytes\r\nETag: \"af4943a03eccd81:0\"\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\nDate: Sat, 25 Oct 2025 23:15:17 GMT\r\nContent-Length: 1084416\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Microsoft ASP.NET","description":"ASP.NET is an open-source, server-side web-application framework designed for web development to produce dynamic web pages.","website":"https://www.asp.net","common_platform_enumeration":"cpe:2.3:a:microsoft:asp.net:*:*:*:*:*:*:*:*","icon":"Microsoft ASP.NET.svg","categories":["Web frameworks"]},{"name":"IIS:10.0","description":"Internet Information Services (IIS) is an extensible web server software created by Microsoft for use with the Windows NT family.","website":"https://www.iis.net","common_platform_enumeration":"cpe:2.3:a:microsoft:internet_information_server:*:*:*:*:*:*:*:*","icon":"Microsoft.svg","categories":["Web servers"]},{"name":"Windows Server","description":"Windows Server is a brand name for a group of server operating systems.","website":"https://microsoft.com/windowsserver","common_platform_enumeration":"","icon":"WindowsServer.png","categories":["Operating systems"]}],"data":{"size":1084416,"size_decoded":0,"mime_type":"application/octet-stream","magic":"PE32 executable (console) Intel 80386, for MS Windows, 5 sections","md5":"ab9b9561a7c762f4d4f6b4f0f1d0e76d","sha1":"65587aebc325f61602a3a74ef84b6e7d8657e9c3","sha256":"bdba08454ca87888e69b7c9bfa7d3d44c697026198a1026097015d6e6e2a4daa","sha512":"a5988cc25f3b48b9e78e307429131e736454040644fd10ad4bb5b6d5003f03b1de89780c0b49faee9326b37c5cee9080d5ef29bb58671711162b5eeeeb3600df","ssdeep":"24576:uiDjF7X3YoGq4tC1YJk+3nWBkDeq26iLutKcEY8:u05YjqakE3Aq2vu7Et","tlshash":"f325284177e64015f5b32ab16ef2aa11ce77b9e21831d54f029c854f1ab3e819e39b33","first_seen":"2025-08-22T09:50:42.342537Z","last_seen":"2025-10-25T23:15:46.495984Z","times_seen":4,"resource_available":false,"data":null}},"time_used":4657,"timings":{"blocked":248,"dns":5,"connect":251,"send":0,"wait":251,"receive":3902,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"mimikatz","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Benjamin DELPY (gentilkiwi)","description":"mimikatz","modified":"2022-11-16","rule":"mimikatz","tool_author":"Benjamin DELPY (gentilkiwi)"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Mimikatz strings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-06-08","description":"Detects Mimikatz strings","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"not set","rule":"Mimikatz_Strings","score":"65"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects mimikatz icon in PE file","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2023-02-18","description":"Detects mimikatz icon in PE file","hash1":"61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1","hash2":"1c3f584164ef595a37837701739a11e17e46f9982fdcee020cf5e23bad1a0925","hash3":"c6bb98b24206228a54493274ff9757ce7e0cbb4ab2968af978811cc4a98fde85","hash4":"721d3476cdc655305902d682651fffbe72e54a97cd7e91f44d1a47606bae47ab","hash5":"c0f3523151fa307248b2c64bdaac5f167b19be6fccff9eba92ac363f6d5d2595","license":"Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License","reference":"https://blog.gentilkiwi.com/mimikatz","rule":"HKTL_mimikatz_icon","score":"60"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2016-02-05","description":"Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible)","hash1":"c20f30326fcebad25446cf2e267c341ac34664efad5c50ff07f0738ae2390eae","hash2":"1e67476281c1ec1cf40e17d7fc28a3ab3250b474ef41cb10a72130990f0be6a0","hash3":"49e7bac7e0db87bf3f0185e9cf51f2539dbc11384fefced465230c4e5bce0872","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"PowerKatz Analysis","rule":"Powerkatz_DLL_Generic","score":"80","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Nextron YARA rules","description":"Public Nextron YARA rules","scan_date":"2025-10-25","alert":"Detects Mimikatz by using some special strings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Florian Roth (Nextron Systems)","date":"2017-06-19","description":"Detects Mimikatz by using some special strings","hash1":"058cc8b3e4e4055f3be460332a62eb4cbef41e3a7832aceb8119fd99fea771c4","hash2":"eefd4c038afa0e80cf6521c69644e286df08c0883f94245902383f50feac0f85","hash3":"f35b589c1cc1c98c4c4a5123fd217bdf0d987c00d2561992cbfb94bd75920159","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","reference":"Internal Research","rule":"Mimikatz_Gen_Strings","super_rule":"1"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-10-25","alert":"meth_stackstrings","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"Elastic Security YARA rules","description":"Elastic Security YARA Rules","scan_date":"2025-10-25","alert":"Windows.Hacktool.Mimikatz","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-04-13","fingerprint":"dbbdc492c07e3b95d677044751ee4365ec39244e300db9047ac224029dfe6ab7","id":"1388212a-2146-4565-b93d-4555a110364f","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"66b4a0681cae02c302a9b6f1d611ac2df8c519d6024abdb506b4b166b93f636a","rule":"Windows_Hacktool_Mimikatz_1388212a","scan_context":"file, memory","severity":"100","threat_name":"Windows.Hacktool.Mimikatz"}},{"sensor_name":"clamav","sensor_type":"antivirus","title":"ClamAV","description":"ClamAV","scan_date":"2025-10-25","alert":"Win.Dropper.Mimikatz-9778171-1","trigger":"120.25.163.165:8080/mimikatz_trunk/Win32/mimikatz.exe","verdict":"malicious","severity":"medium","comment":"","link":"https://www.clamav.net/","meta":null}],"urlquery":null}}]}