Report - 89.197.154.115/Meeting.exe

Report Overview

Visited public
2024-09-05 04:23:17
Tags
Submit Tags
URL
89.197.154.115/Meeting.exe
Finishing URL
about:privatebrowsing
IP / ASN
89.197.154.115
#47474 Virtual1 Limited
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
89.197.154.115	unknown	unknown	No data	No data	661 B	75 kB	89.197.154.115
r10.o.lencr.org	unknown	2020-06-29	2024-06-06 21:45:11	2024-09-04 18:12:06	981 B	2.7 kB	23.33.119.57

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-09-05	medium	89.197.154.115/Meeting.exe	Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x
2024-09-05	medium	89.197.154.115/Meeting.exe	Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
2024-09-05	medium	89.197.154.115/Meeting.exe	meth_peb_parsing
2024-09-05	medium	89.197.154.115/Meeting.exe	Windows.Trojan.Metasploit
2024-09-05	medium	89.197.154.115/Meeting.exe	Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2024-09-05	medium	89.197.154.115	Sinkholed
2024-09-05	medium	89.197.154.115	Sinkholed

ThreatFox

No alerts detected

JavaScript (0)

HTTP Transactions (5)

URL IP Response Size

r10.o.lencr.org/

23.33.119.57

504 B

URL
r10.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
66fbf7f95cb55f388373a20d4b1a736e
afc34259758a563362367848629ff7639982e1fb
41c00088afc20571f6a0c6998324d9517346256ac33696dc706192ec606fe7a7

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "41C00088AFC20571F6A0C6998324D9517346256AC33696DC706192EC606FE7A7"
Last-Modified: Mon, 02 Sep 2024 12:20:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=3721
Expires: Thu, 05 Sep 2024 05:24:52 GMT
Date: Thu, 05 Sep 2024 04:22:51 GMT
Connection: keep-alive

r10.o.lencr.org/

23.33.119.57

504 B

URL
r10.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
3b182d2525d361002ced8590b8a9ce07
12cd4e482375e47fdc8cde29fe98a6e3498260df
62ed97a3678824305419366056fd0bee73359522822ca42a16fabdcc3ad982be

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "62ED97A3678824305419366056FD0BEE73359522822CA42A16FABDCC3AD982BE"
Last-Modified: Mon, 02 Sep 2024 14:37:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=3688
Expires: Thu, 05 Sep 2024 05:24:19 GMT
Date: Thu, 05 Sep 2024 04:22:51 GMT
Connection: keep-alive

r10.o.lencr.org/

23.33.119.57

504 B

URL
r10.o.lencr.org/
IP
23.33.119.57:0
ASN
#20940 Akamai International B.V.

File type
data
Size
504 B (504 bytes)
Hash
cabaaa7c3e6a621cc5836be05eee4924
c4bc6288aed0597ff7ae2dbc5aea340b6c9636b8
2b2a41201a3881bd029ab7161be291b23128d5952e5959092607b98c951fa18c

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "2B2A41201A3881BD029AB7161BE291B23128D5952E5959092607B98C951FA18C"
Last-Modified: Mon, 02 Sep 2024 14:33:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13689
Expires: Thu, 05 Sep 2024 08:11:00 GMT
Date: Thu, 05 Sep 2024 04:22:51 GMT
Connection: keep-alive

89.197.154.115/

89.197.154.115

608 B

URL
89.197.154.115/
IP
89.197.154.115:0
ASN
#47474 Virtual1 Limited

File type
HTML document, ASCII text
Size
608 B (608 bytes)
Hash
bbd2fb185bddca506744d375d4ab3dd7
ed457c83fc844e022a799f3b26c37d8536953518
e39fce55eb918d9e6261fa7dd740b9dc0ad043e8fdcf26e89508764e8846dd85

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET / HTTP/1.1
Host: 89.197.154.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 04:22:54 GMT
Server: Apache/2.4.59 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

GET 89.197.154.115/Meeting.exe

89.197.154.115

200 OK

74 kB

URL User Request GET HTTP/1.1
89.197.154.115/Meeting.exe
IP
89.197.154.115:80
ASN
#47474 Virtual1 Limited

File type
PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
Size
74 kB (73802 bytes)
Hash
1ebcc328f7d1da17041835b0a960e1fa
adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c
6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x
Public Nextron YARA rules	malware	Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
YARAhub by abuse.ch	malware	meth_peb_parsing
Elastic Security YARA Rules	malware	Windows.Trojan.Metasploit
Google GCTI YARA rules	malware	Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /Meeting.exe HTTP/1.1
Host: 89.197.154.115
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Thu, 05 Sep 2024 04:22:55 GMT
Server: Apache/2.4.59 (Debian)
Last-Modified: Wed, 04 Sep 2024 09:33:04 GMT
ETag: "1204a-62147dc692d8b"
Accept-Ranges: bytes
Content-Length: 73802
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

JavaScript (0)

HTTP Transactions (5)

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

Detections

HTTP Headers

URL User Request GET HTTP/1.1

IP

ASN

File type

Size

Hash

Detections

HTTP Headers