Overview

URL: 103.140.250.22/gcloud101/vbc.exe
IP: 103.140.250.22 (Vietnam)
ASN: #135905 VIETNAM POSTS AND TELECOMMUNICATIONS GROUP
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Referer: (none)
Report completed: 2023-05-26 10:46:06 UTC
IDS alerts: 6
Blocklist alerts: 2
urlquery alerts: No alerts detected
Tags: None

Domain Summary (1)

Fully Qualified Domain Name Rank First Seen Last Seen Sent bytes Received bytes IP Comment
103.140.250.22 (1) 0 No data No data 404 258787 103.140.250.22

Network Intrusion Detection Systems

Suricata w/ Emerging Threats Pro
Timestamp Severity Source IP Destination IP Alert
2023-05-26 10:45:49 UTC high Client IP -> 103.140.250.22 ETPRO HUNTING Observed Suspicious vbc.exe in URI - Possible Payload Execution
2023-05-26 10:45:49 UTC high Client IP -> 103.140.250.22 URLhaus Known malware download URL detected (2627116)
2023-05-26 10:45:49 UTC medium Client IP -> 103.140.250.22 ET INFO Executable Download from dotted-quad Host
2023-05-26 10:45:49 UTC medium Client IP -> 103.140.250.22 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
2023-05-26 10:45:50 UTC high 103.140.250.22 -> Client IP ET POLICY PE EXE or DLL Windows file download HTTP
2023-05-26 10:45:50 UTC medium 103.140.250.22 -> Client IP ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

Blocklists

OpenPhish
 No alerts detected

PhishTank
 No alerts detected

Fortinet's Web Filter
Scan Date Severity Indicator Comment
2023-05-26 medium 103.140.250.22/gcloud101/vbc.exe Malware

mnemonic secure dns
 No alerts detected

Quad9 DNS
Scan Date Severity Indicator Comment
2023-05-26 medium 103.140.250.22 Sinkholed

ThreatFox
 No alerts detected


Files

URL: 103.140.250.22/gcloud101/vbc.exe
IP: 103.140.250.22
Magic: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive; data
Size: 258459
MD5: 743a03da4bca80da5f49be2b77050225
SHA1: 49ccd55c30cb4e31be4d4bf48bac3bdcba1acec1
SHA256: 7517367b3b61170bb7637de6f89077069159c4a04f430c28102e2d7cf5a0343a
Analyzer Scan Date Verdict Comment
VirusTotal 2023-05-09 48/70 VirusTotal Report

Recent reports on same IP/ASN/Domain/Screenshot

Last 5 reports on IP: 103.140.250.22
Date UQ / IDS / BL URL IP
2023-06-03 04:43:59 UTC 0 - 4 - 2 103.140.250.22/W90___11/dwm.exe 103.140.250.22
2023-06-02 07:33:12 UTC 0 - 4 - 2 103.140.250.22/R11198/smss.exe 103.140.250.22
2023-06-02 03:24:53 UTC 0 - 6 - 2 103.140.250.22/_____019_/vbc.exe 103.140.250.22
2023-05-31 10:48:50 UTC 0 - 4 - 1 103.140.250.22/R11198/smss.exe 103.140.250.22
2023-05-31 03:16:47 UTC 0 - 4 - 1 103.140.250.22/Receipt_003/dwm.exe 103.140.250.22


Last 5 reports on ASN: VIETNAM POSTS AND TELECOMMUNICATIONS GROUP
Date UQ / IDS / BL URL IP
2023-06-06 01:06:52 UTC 0 - 0 - 20 103.133.104.112/dashboard/ 103.133.104.112
2023-06-05 22:08:13 UTC 0 - 3 - 2 103.133.104.112/877/hkcmd.exe 103.133.104.112
2023-06-05 22:08:09 UTC 0 - 1 - 2 103.133.104.112/ih/ihihihihihihihihihihihi%23 (...) 103.133.104.112
2023-06-05 16:42:56 UTC 0 - 1 - 1 14.225.254.203/ 14.225.254.203
2023-06-05 16:23:29 UTC 0 - 0 - 2 103.140.251.122/ 103.140.251.122


Last 5 reports on domain: 103.140.250.22
Date UQ / IDS / BL URL IP
2023-06-03 04:43:59 UTC 0 - 4 - 2 103.140.250.22/W90___11/dwm.exe 103.140.250.22
2023-06-02 07:33:12 UTC 0 - 4 - 2 103.140.250.22/R11198/smss.exe 103.140.250.22
2023-06-02 03:24:53 UTC 0 - 6 - 2 103.140.250.22/_____019_/vbc.exe 103.140.250.22
2023-05-31 10:48:50 UTC 0 - 4 - 1 103.140.250.22/R11198/smss.exe 103.140.250.22
2023-05-31 03:16:47 UTC 0 - 4 - 1 103.140.250.22/Receipt_003/dwm.exe 103.140.250.22


Last 5 reports with similar screenshot
Date UQ / IDS / BL URL IP
2023-06-06 07:19:01 UTC 0 - 1 - 0 www.amlpages.com/Source/amlpages_en.zip 91.189.114.29
2023-06-06 07:18:47 UTC 0 - 2 - 0 www.seetrol.com/download/client.exe 45.115.155.209
2023-06-06 07:18:39 UTC 0 - 1 - 1 199.120.69.158/data/058f808ceb98268d/au.downl (...) 199.120.69.158
2023-06-06 07:18:03 UTC 0 - 2 - 1 79.137.195.246/client13/enc.exe 79.137.195.246
2023-06-06 07:17:20 UTC 0 - 1 - 1 103.160.3.10/bins/Astro.mpsl 103.160.3.10

JavaScript

Executed Scripts (0)

Executed Evals (0)

Executed Writes (0)


HTTP Transactions (1)


Request

GET /gcloud101/vbc.exe HTTP/1.1
Host: 103.140.250.22
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

Response (from 103.140.250.22)

HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Date: Fri, 26 May 2023 10:45:48 GMT
Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
Last-Modified: Sun, 07 May 2023 22:46:06 GMT
ETag: "3f19b-5fb22499ee836"
Accept-Ranges: bytes
Content-Length: 258459
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


--- Additional Info ---
Magic:  PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive; data
Size:   258459
Md5:    743a03da4bca80da5f49be2b77050225
Sha1:   49ccd55c30cb4e31be4d4bf48bac3bdcba1acec1
Sha256: 7517367b3b61170bb7637de6f89077069159c4a04f430c28102e2d7cf5a0343a

Blocklists:
  - fortinet: Malware
  - quad9: Sinkholed
  - virustotal: 48/70
IDS:
  - ETPRO HUNTING Observed Suspicious vbc.exe in URI - Possible Payload Execution
  - URLhaus Known malware download URL detected (2627116)
  - ET INFO Executable Download from dotted-quad Host
  - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  - ET POLICY PE EXE or DLL Windows file download HTTP
  - ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response