{"report_id":"9d6cd4a4-d93c-41e5-a1ba-b1183690e527","version":6,"status":"done","tags":[],"date":"2024-09-05T04:23:17Z","url":{"schema":"http","addr":"89.197.154.115/Meeting.exe","fqdn":"89.197.154.115","domain":"89.197.154.115","tld":""},"ip":{"addr":"89.197.154.115","port":0,"asn":47474,"as":"Virtual1 Limited","country":"United Kingdom","country_code":"GB"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-11-28T22:32:22Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"89.197.154.115","ip":{"addr":"89.197.154.115","port":0,"asn":47474,"as":"Virtual1 Limited","country":"United Kingdom","country_code":"GB"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":7,"request_count":2,"received_data":74964,"sent_data":661,"comment":"","tags":null,"fingerprints":null},{"fqdn":"r10.o.lencr.org","ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-06 21:45:11","last_seen":"2024-09-04 18:12:06","alert_count":0,"request_count":3,"received_data":2662,"sent_data":981,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"1ebcc328f7d1da17041835b0a960e1fa","sha1":"adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c","sha256":"6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a","sha512":"0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections","size":73802,"url":{"schema":"http","addr":"89.197.154.115/Meeting.exe","fqdn":"89.197.154.115","domain":"89.197.154.115","tld":"115"},"ip":{"addr":"89.197.154.115","port":80,"asn":47474,"as":"Virtual1 Limited","country":"United Kingdom","country_code":"GB"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-05","alert":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","hash":"887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-05","alert":"Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp (https://github.com/ruppde)","date":"2023-03-23","description":"Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)","hash":"5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e","license":"Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License","reference":"Internal Research","rule":"SUSP_Imphash_Mar23_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-05","alert":"meth_peb_parsing","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_peb_parsing","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"fc096806-e637-43ac-b969-ec6a1f37328a"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-05","alert":"Windows.Trojan.Metasploit","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-10","description":"Identifies Metasploit 64 bit reverse tcp shellcode.","fingerprint":"7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987","id":"4a1c4da8-837d-4ad1-a672-ddb8ba074936","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22","rule":"Windows_Trojan_Metasploit_4a1c4da8","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-09-05","alert":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","hash":"887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-05","alert":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","hash":"887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-05","alert":"Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp (https://github.com/ruppde)","date":"2023-03-23","description":"Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)","hash":"5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e","license":"Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License","reference":"Internal Research","rule":"SUSP_Imphash_Mar23_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-05","alert":"meth_peb_parsing","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_peb_parsing","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"fc096806-e637-43ac-b969-ec6a1f37328a"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-05","alert":"Windows.Trojan.Metasploit","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-10","description":"Identifies Metasploit 64 bit reverse tcp shellcode.","fingerprint":"7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987","id":"4a1c4da8-837d-4ad1-a672-ddb8ba074936","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22","rule":"Windows_Trojan_Metasploit_4a1c4da8","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-09-05","alert":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","hash":"887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-09-05","alert":"Sinkholed","trigger":"89.197.154.115","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-09-05","alert":"Sinkholed","trigger":"89.197.154.115","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-05T04:22:51.397284582Z","timestamp":1725510171397,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"41C00088AFC20571F6A0C6998324D9517346256AC33696DC706192EC606FE7A7\"\r\nLast-Modified: Mon, 02 Sep 2024 12:20:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=3721\r\nExpires: Thu, 05 Sep 2024 05:24:52 GMT\r\nDate: Thu, 05 Sep 2024 04:22:51 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"66fbf7f95cb55f388373a20d4b1a736e","sha1":"afc34259758a563362367848629ff7639982e1fb","sha256":"41c00088afc20571f6a0c6998324d9517346256ac33696dc706192ec606fe7a7","sha512":"80f0c1a3f29e795722e05ea6260e1ec92780f3f554ace63e7a0e4ad5d030be18b0cde8397bffc652a92306b23ba802aa8a0db463bac3a6827e645816bd5759a0","ssdeep":"","tlshash":"02f00e7956f2e6c3faf8112314a6ed606c227aab780021a279800ac239c67f6678545c","first_seen":"2024-09-02T19:20:57Z","last_seen":"2024-09-19T23:09:36.632755Z","times_seen":35846,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-05T04:22:51.729323315Z","timestamp":1725510171729,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"62ED97A3678824305419366056FD0BEE73359522822CA42A16FABDCC3AD982BE\"\r\nLast-Modified: Mon, 02 Sep 2024 14:37:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=3688\r\nExpires: Thu, 05 Sep 2024 05:24:19 GMT\r\nDate: Thu, 05 Sep 2024 04:22:51 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"3b182d2525d361002ced8590b8a9ce07","sha1":"12cd4e482375e47fdc8cde29fe98a6e3498260df","sha256":"62ed97a3678824305419366056fd0bee73359522822ca42a16fabdcc3ad982be","sha512":"a9af0e3420d2ef7b1e515e4014c080aa80aca75d801f852b484ac418bafb12eda0ff0e4d2ae943bc5fab828c296a2ec8ec22c6b66222a285f3dd6a5c7fe82cfd","ssdeep":"","tlshash":"4bf005b9a5b5ba148aed1c4468f5c51d9b107efd3cc111c3acc5c1b52e5575c019410d","first_seen":"2024-09-02T21:43:18Z","last_seen":"2024-09-19T23:06:53.189609Z","times_seen":16139,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.33.119.57","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-05T04:22:51.901163318Z","timestamp":1725510171901,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"2B2A41201A3881BD029AB7161BE291B23128D5952E5959092607B98C951FA18C\"\r\nLast-Modified: Mon, 02 Sep 2024 14:33:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=13689\r\nExpires: Thu, 05 Sep 2024 08:11:00 GMT\r\nDate: Thu, 05 Sep 2024 04:22:51 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"cabaaa7c3e6a621cc5836be05eee4924","sha1":"c4bc6288aed0597ff7ae2dbc5aea340b6c9636b8","sha256":"2b2a41201a3881bd029ab7161be291b23128d5952e5959092607b98c951fa18c","sha512":"7da36317a8c4f485281c503bcc03813f77f4339dd43124bdba3345414625f7dbb71911cd5eb19e1d4afb482b9ce0ffb5678bd41d4d5e6e77f56069bd2f99817d","ssdeep":"","tlshash":"a0f00efb12f33260dbf59d293989f23a0610ad9ebc2198e624c5d1cb9442fec408890c","first_seen":"2024-09-02T19:36:30Z","last_seen":"2024-09-19T23:09:22.854855Z","times_seen":22244,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"89.197.154.115/","fqdn":"89.197.154.115","domain":"89.197.154.115","tld":"115"},"ip":{"addr":"89.197.154.115","port":0,"asn":47474,"as":"Virtual1 Limited","country":"United Kingdom","country_code":"GB"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-09-05T04:22:54.911887409Z","timestamp":1725510174911,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET / HTTP/1.1\r\nHost: 89.197.154.115\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Thu, 05 Sep 2024 04:22:54 GMT\r\nServer: Apache/2.4.59 (Debian)\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 608\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html;charset=UTF-8\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":608,"size_decoded":2215,"mime_type":"text/html; charset=utf-8","magic":"HTML document, ASCII text","md5":"bbd2fb185bddca506744d375d4ab3dd7","sha1":"ed457c83fc844e022a799f3b26c37d8536953518","sha256":"e39fce55eb918d9e6261fa7dd740b9dc0ad043e8fdcf26e89508764e8846dd85","sha512":"5687f08b06c58c294053aa81513bc793cef00ed64b90368cb14b792b11008f2787fb14b9ea285279adcb5da3c32f34922c530744a6b83e2cc5cf172a8db22f2e","ssdeep":"","tlshash":"ee414505d4d186b7398024abd2047cde8ae789bcc3b009207e4fe9cfd7982bcca16192","first_seen":"2024-09-05T06:23:23Z","last_seen":"2024-09-19T22:32:24.624387Z","times_seen":14,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-09-05","alert":"Sinkholed","trigger":"89.197.154.115","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"89.197.154.115/Meeting.exe","fqdn":"89.197.154.115","domain":"89.197.154.115","tld":"115"},"ip":{"addr":"89.197.154.115","port":80,"asn":47474,"as":"Virtual1 Limited","country":"United Kingdom","country_code":"GB"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-09-05T04:22:55.006Z","timestamp":1725510175006,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /Meeting.exe HTTP/1.1\r\nHost: 89.197.154.115\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nDate: Thu, 05 Sep 2024 04:22:55 GMT\r\nServer: Apache/2.4.59 (Debian)\r\nLast-Modified: Wed, 04 Sep 2024 09:33:04 GMT\r\nETag: \"1204a-62147dc692d8b\"\r\nAccept-Ranges: bytes\r\nContent-Length: 73802\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/x-msdos-program\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":73802,"size_decoded":73802,"mime_type":"application/x-msdos-program","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections","md5":"1ebcc328f7d1da17041835b0a960e1fa","sha1":"adf1fe6df61d59ca7ac6232de6ed3c07d6656a8c","sha256":"6779bc4c64850150de694166f4b215ce25bbaca7d60b293fa7bb65e6bdecbc1a","sha512":"0c537e8dbdf5de433f862a31fbcb5a709f7727783cb36f7ed3dcac1acb44d704d5ad570035259022b46a0370754d029f476ae40280983d1586de9098e31a31d6","ssdeep":"1536:Imfnby2UHs4lwoK27TQPGjk8YXxMb+KR0Nc8QsJq39:lfnG/s4L7TfJYXxe0Nc8QsC9","tlshash":"fd73bf46d9c02472d1a5117d1b763ab49970f1fb3612c1aa798ccdeadbd1cb0a6373c2","first_seen":"2024-09-05T06:23:23Z","last_seen":"2024-11-10T07:48:04.553016Z","times_seen":10,"resource_available":false,"data":null}},"time_used":114,"timings":{"blocked":22,"dns":1,"connect":22,"send":0,"wait":23,"receive":46,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-05","alert":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","hash":"887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2024-09-05","alert":"Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp (https://github.com/ruppde)","date":"2023-03-23","description":"Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)","hash":"5b9348c24ff604e78d70464654e645b90dc695c7e0415959c443fe29cebc3c4e","license":"Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License","reference":"Internal Research","rule":"SUSP_Imphash_Mar23_2","score":"70"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-09-05","alert":"meth_peb_parsing","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_peb_parsing","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"fc096806-e637-43ac-b969-ec6a1f37328a"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Elastic Security YARA Rules","scan_date":"2024-09-05","alert":"Windows.Trojan.Metasploit","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/elastic/protections-artifacts/tree/main/yara","meta":{"arch_context":"x86","author":"Elastic Security","creation_date":"2021-06-10","description":"Identifies Metasploit 64 bit reverse tcp shellcode.","fingerprint":"7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987","id":"4a1c4da8-837d-4ad1-a672-ddb8ba074936","last_modified":"2021-08-23","license":"Elastic License v2","os":"windows","reference_sample":"9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22","rule":"Windows_Trojan_Metasploit_4a1c4da8","scan_context":"file, memory","severity":"100","threat_name":"Windows.Trojan.Metasploit"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Google GCTI YARA rules","scan_date":"2024-09-05","alert":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","trigger":"89.197.154.115/Meeting.exe","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/chronicle/GCTI","meta":{"author":"gssincla@google.com","date":"2022-11-18","description":"Cobalt Strike's resources/reverse.bin signature for versions 2.5 to 4.x","hash":"887f666d6473058e1641c3ce1dd96e47189a59c3b0b85c8b8fccdd41b84000c7","reference":"https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse","rule":"CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-09-05","alert":"Sinkholed","trigger":"89.197.154.115","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}
