IP 23.33.119.57:0 ASN #20940 Akamai International B.V.
Hash (MD5 / SHA-1 / SHA-256): 66fbf7f95cb55f388373a20d4b1a736e afc34259758a563362367848629ff7639982e1fb 41c00088afc20571f6a0c6998324d9517346256ac33696dc706192ec606fe7a7
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "41C00088AFC20571F6A0C6998324D9517346256AC33696DC706192EC606FE7A7"
Last-Modified: Mon, 02 Sep 2024 12:20:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=3721
Expires: Thu, 05 Sep 2024 05:24:52 GMT
Date: Thu, 05 Sep 2024 04:22:51 GMT
Connection: keep-alive
|
IP 23.33.119.57:0 ASN #20940 Akamai International B.V.
Hash (MD5 / SHA-1 / SHA-256): 3b182d2525d361002ced8590b8a9ce07 12cd4e482375e47fdc8cde29fe98a6e3498260df 62ed97a3678824305419366056fd0bee73359522822ca42a16fabdcc3ad982be
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "62ED97A3678824305419366056FD0BEE73359522822CA42A16FABDCC3AD982BE"
Last-Modified: Mon, 02 Sep 2024 14:37:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=3688
Expires: Thu, 05 Sep 2024 05:24:19 GMT
Date: Thu, 05 Sep 2024 04:22:51 GMT
Connection: keep-alive
|
IP 23.33.119.57:0 ASN #20940 Akamai International B.V.
Hash (MD5 / SHA-1 / SHA-256): cabaaa7c3e6a621cc5836be05eee4924 c4bc6288aed0597ff7ae2dbc5aea340b6c9636b8 2b2a41201a3881bd029ab7161be291b23128d5952e5959092607b98c951fa18c
POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "2B2A41201A3881BD029AB7161BE291B23128D5952E5959092607B98C951FA18C"
Last-Modified: Mon, 02 Sep 2024 14:33:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13689
Expires: Thu, 05 Sep 2024 08:11:00 GMT
Date: Thu, 05 Sep 2024 04:22:51 GMT
Connection: keep-alive
|
IP 89.197.154.115:0 ASN #47474 Virtual1 Limited
File type: HTML document, ASCII text
Hash (MD5 / SHA-1 / SHA-256): bbd2fb185bddca506744d375d4ab3dd7 ed457c83fc844e022a799f3b26c37d8536953518 e39fce55eb918d9e6261fa7dd740b9dc0ad043e8fdcf26e89508764e8846dd85
Analyzer | Verdict | Alert
Quad9 DNS | malicious | Sinkholed
GET / HTTP/1.1
Host: 89.197.154.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 04:22:54 GMT
Server: Apache/2.4.59 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
|
URL | IP | Status | Size
89.197.154.115/Meeting.exe | 89.197.154.115 | 200 OK | 74 kB
URL (user request, GET HTTP/1.1): 89.197.154.115/Meeting.exe
IP 89.197.154.115:80 ASN #47474 Virtual1 Limited
File type: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
Hash (MD5 / SHA-1 / SHA-256): 1ebcc328f7d1da17041835b0a960e1fa adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c 6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a
Analyzer | Verdict | Alert
Public Nextron YARA rules | malware | Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x
Public Nextron YARA rules | malware | Detects imphash often found in malware samples (Zero hits with search for 'imphash:x p:0' on Virustotal)
YARAhub by abuse.ch | malware | meth_peb_parsing
Elastic Security YARA Rules | malware | Windows.Trojan.Metasploit
Google GCTI YARA rules | malware | Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x
Quad9 DNS | malicious | Sinkholed
GET /Meeting.exe HTTP/1.1
Host: 89.197.154.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 04:22:55 GMT
Server: Apache/2.4.59 (Debian)
Last-Modified: Wed, 04 Sep 2024 09:33:04 GMT
ETag: "1204a-62147dc692d8b"
Accept-Ranges: bytes
Content-Length: 73802
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
|
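Added triage example (this script is not part of the sandbox report; the transaction records below are transcribed by hand from the headers shown above, and the function names are the example's own). It separates the three POSTs to r10.o.lencr.org, which are the fetching browser's OCSP status checks against Let's Encrypt's R10 responder served from Akamai and not attacker infrastructure, from the executable download. For the OCSP records it checks that the responder's ETag equals the SHA-256 reported for the body and that Expires equals Date plus max-age. For Meeting.exe it decodes the Apache ETag, assuming httpd 2.4's default FileETag "MTime Size" layout (size in hex, then modification time in hex microseconds since the Unix epoch), and confirms it agrees with Content-Length and Last-Modified, which gives the time the payload was staged on 89.197.154.115 (04 Sep 2024 09:33:04 UTC, about 19 hours before this capture).

```python
"""Triage of the HTTP transactions captured above (added example, not the report's code).
Records are constructed from the headers on the page; bodies are not shown there, so only
the reported SHA-256 of each body is kept."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ocsp_record(etag, max_age, expires, sha256):
    # Builds one of the three near-identical OCSP transactions from the capture.
    return {"host": "r10.o.lencr.org", "method": "POST", "path": "/",
            "request": {"Content-Type": "application/ocsp-request"},
            "response": {"Content-Type": "application/ocsp-response", "ETag": '"%s"' % etag,
                         "Cache-Control": "public, no-transform, must-revalidate, max-age=%d" % max_age,
                         "Date": "Thu, 05 Sep 2024 04:22:51 GMT", "Expires": expires},
            "sha256": sha256}


# Constructed sample data, transcribed from the capture on this page.
TRANSACTIONS = [
    ocsp_record("41C00088AFC20571F6A0C6998324D9517346256AC33696DC706192EC606FE7A7", 3721,
                "Thu, 05 Sep 2024 05:24:52 GMT",
                "41c00088afc20571f6a0c6998324d9517346256ac33696dc706192ec606fe7a7"),
    ocsp_record("62ED97A3678824305419366056FD0BEE73359522822CA42A16FABDCC3AD982BE", 3688,
                "Thu, 05 Sep 2024 05:24:19 GMT",
                "62ed97a3678824305419366056fd0bee73359522822ca42a16fabdcc3ad982be"),
    ocsp_record("2B2A41201A3881BD029AB7161BE291B23128D5952E5959092607B98C951FA18C", 13689,
                "Thu, 05 Sep 2024 08:11:00 GMT",
                "2b2a41201a3881bd029ab7161be291b23128d5952e5959092607b98c951fa18c"),
    {"host": "89.197.154.115", "method": "GET", "path": "/Meeting.exe",
     "request": {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,"
                           "image/avif,image/webp,*/*;q=0.8"},
     "response": {"Server": "Apache/2.4.59 (Debian)",
                  "Content-Type": "application/x-msdos-program", "Content-Length": "73802",
                  "ETag": '"1204a-62147dc692d8b"',
                  "Last-Modified": "Wed, 04 Sep 2024 09:33:04 GMT"},
     "sha256": "6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a"},
]


def is_ocsp_check(tx):
    """A browser certificate-status lookup: POST of application/ocsp-request to a
    Let's Encrypt responder (*.o.lencr.org). Benign noise; the Akamai IP is not C2."""
    return (tx["method"] == "POST" and tx["host"].endswith(".o.lencr.org")
            and tx["request"].get("Content-Type") == "application/ocsp-request"
            and tx["response"].get("Content-Type") == "application/ocsp-response")


def ocsp_response_consistent(tx):
    """The responder's ETag is the SHA-256 of the body (it must match the reported
    hash) and Expires must equal Date + max-age from Cache-Control."""
    resp = tx["response"]
    etag = resp["ETag"].strip('"').lower()
    max_age = int(re.search(r"max-age=(\d+)", resp["Cache-Control"]).group(1))
    expected_expiry = parsedate_to_datetime(resp["Date"]) + timedelta(seconds=max_age)
    return etag == tx["sha256"] and expected_expiry == parsedate_to_datetime(resp["Expires"])


def parse_apache_etag(etag):
    """Decode an httpd 2.4 default ETag ("MTime Size" layout, assumed here): hex file
    size, then hex modification time in microseconds since the epoch. Returns
    (size_in_bytes, aware UTC datetime); the integer arithmetic keeps microseconds exact."""
    size_hex, mtime_hex = etag.strip('"').split("-")
    return int(size_hex, 16), EPOCH + timedelta(microseconds=int(mtime_hex, 16))


def is_executable_download(tx):
    """GET from a bare-IP host answered with application/x-msdos-program, sent with a
    navigation Accept header, i.e. the browser was pointed straight at the .exe."""
    navigation = tx["request"].get("Accept", "").startswith("text/html")
    bare_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", tx["host"]) is not None
    return (tx["method"] == "GET" and bare_ip and navigation
            and tx["response"].get("Content-Type") == "application/x-msdos-program")


def triage(transactions):
    """Count the OCSP noise and, for each executable download, return the IOC record an
    analyst would file, including whether the ETag agrees with Content-Length and
    Last-Modified (so its timestamp can be trusted as the staging time)."""
    noise, downloads = 0, []
    for tx in transactions:
        if is_ocsp_check(tx):
            noise += 1
        elif is_executable_download(tx):
            resp = tx["response"]
            size, mtime = parse_apache_etag(resp["ETag"])
            last_mod = parsedate_to_datetime(resp["Last-Modified"])
            downloads.append({
                "url": "http://%s%s" % (tx["host"], tx["path"]),
                "sha256": tx["sha256"],
                "size": int(resp["Content-Length"]),
                "staged_at": mtime.isoformat(),
                "etag_consistent": (size == int(resp["Content-Length"])
                                    and mtime.replace(microsecond=0) == last_mod),
            })
    return {"ocsp_noise": noise, "downloads": downloads}


if __name__ == "__main__":
    print(triage(TRANSACTIONS))
```

The ETag cross-check matters because the staging timestamp is only as trustworthy as the format assumption behind it: if size and mtime did not line up with Content-Length and Last-Modified, the server would be using a non-default FileETag setting and the decoded time should be discarded.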