{"report_id":"b2130a18-c1c8-4cd0-8c8f-e04de4b55806","version":6,"status":"done","tags":[],"date":"2024-10-06T13:02:02Z","url":{"schema":"http","addr":"114.242.201.21:8001/help.scr","fqdn":"114.242.201.21","domain":"114.242.201.21","tld":""},"ip":{"addr":"114.242.201.21","port":0,"asn":4808,"as":"China Unicom Beijing Province Network","country":"China","country_code":"CN"},"final":{"url":{"schema":"http","addr":"114.242.201.21:8001/help.scr","fqdn":"114.242.201.21:8001","domain":"114.242.201.21","tld":"21:8001"},"title":"114.242.201.21:8001/help.scr"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-12-15T19:13:48Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"r10.o.lencr.org","ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-06 21:45:11","last_seen":"2024-10-05 18:12:17","alert_count":0,"request_count":4,"received_data":3550,"sent_data":1308,"comment":"","tags":null,"fingerprints":null},{"fqdn":"r11.o.lencr.org","ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"domain_registered":"2020-06-29","domain_rank":0,"first_seen":"2024-06-07 07:43:57","last_seen":"2024-10-05 18:13:05","alert_count":0,"request_count":3,"received_data":2661,"sent_data":981,"comment":"","tags":null,"fingerprints":null},{"fqdn":"114.242.201.21:8001","ip":{"addr":"114.242.201.21","port":8001,"asn":4808,"as":"China Unicom Beijing Province Network","country":"China","country_code":"CN"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":5,"request_count":2,"received_data":7152349,"sent_data":755,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"a2af48a018c65d34b445bd35bdd1b597","sha1":"76daedc184a0cb9a717fc49f86a57b5baed0a35c","sha256":"d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60","sha512":"d8def07a8accdb65b6b9dfc3168981b600a78310ec06cb626fcd000e7bcc4627ff5be7fc9f26992838226d84982ddd470d9ac89e041727e72b738a61bec61319","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections","size":7134772,"url":{"schema":"http","addr":"114.242.201.21:8001/help.scr","fqdn":"114.242.201.21:8001","domain":"114.242.201.21","tld":"21:8001"},"ip":{"addr":"114.242.201.21","port":0,"asn":4808,"as":"China Unicom Beijing Province Network","country":"China","country_code":"CN"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-06","alert":"meth_get_eip","trigger":"114.242.201.21:8001/help.scr","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-06","alert":"meth_stackstrings","trigger":"114.242.201.21:8001/help.scr","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-10-01","alert":"Scan result 63/71","trigger":"d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60","verdict":"malicious","severity":"","comment":"malicious - 63/71","link":"https://www.virustotal.com/gui/file/d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-06","alert":"meth_get_eip","trigger":"114.242.201.21:8001/help.scr","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-06","alert":"meth_stackstrings","trigger":"114.242.201.21:8001/help.scr","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-06","alert":"Sinkholed","trigger":"114.242.201.21","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-06","alert":"Sinkholed","trigger":"114.242.201.21","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:35.40025926Z","timestamp":1728219695400,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"0842041BACD5F9C317B8B951ADDEA5B11B18C882478A57E582E172BF84C9404E\"\r\nLast-Modified: Sat, 05 Oct 2024 18:18:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=2291\r\nExpires: Sun, 06 Oct 2024 13:39:46 GMT\r\nDate: Sun, 06 Oct 2024 13:01:35 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"961f4f0ab9b7bf5f05b339f676b49762","sha1":"cd111640dbe14096627ae7a7692aa12de2009820","sha256":"0842041bacd5f9c317b8b951addea5b11b18c882478a57e582e172bf84c9404e","sha512":"82967cd5a4fd98997a1ba36e13577ac83ca64cb227372c6ca20445c85a3f39a7e14314b8bbc69b1f6c798bab4abd0f69ec63e9d99514ad57d626afb8d0c329d9","ssdeep":"","tlshash":"64f00ecb1962fc1de67a96282deaf522bc227977280802e4949143636814bb825ca998","first_seen":"2024-10-06T04:15:45Z","last_seen":"2024-10-11T09:19:46.500859Z","times_seen":12529,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:35.430504627Z","timestamp":1728219695430,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"692B8AB76640FA1991A613DE0D236D9F805D432D1807574D3E434AA197F261FC\"\r\nLast-Modified: Sat, 05 Oct 2024 16:16:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=21114\r\nExpires: Sun, 06 Oct 2024 18:53:29 GMT\r\nDate: Sun, 06 Oct 2024 13:01:35 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"a3efcda1a9e998d5544071b0c97e2bce","sha1":"95295765d8bb2b090d2daac1e33901c3d882486f","sha256":"692b8ab76640fa1991a613de0d236d9f805d432d1807574d3e434aa197f261fc","sha512":"6ece0c29fba09cb8d55788c084c8d090f3e749e20ba22730da4b1926b569ba35f16c6bb74c25d8cab289394ebcab211d828dd8378fb42b3dab4251cc8ccc7729","ssdeep":"","tlshash":"8bf00e6f09a0bd155b642c41adb0eb3e5f203daa78453b9044e84fb33401ee80a4a22c","first_seen":"2024-10-05T22:52:04Z","last_seen":"2024-10-11T09:19:20.879372Z","times_seen":16715,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:35.67056394Z","timestamp":1728219695670,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"7E1C229FCA475D3A4760D7950E2CCD0B8BB27F4C4BC5FD43E96260BFA32388B7\"\r\nLast-Modified: Sat, 05 Oct 2024 16:15:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=13651\r\nExpires: Sun, 06 Oct 2024 16:49:06 GMT\r\nDate: Sun, 06 Oct 2024 13:01:35 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"92cd7893843bf7005d9d4281f7ddeb25","sha1":"1d1762ecf80a622168eb8734901fc27382da2b2a","sha256":"7e1c229fca475d3a4760d7950e2ccd0b8bb27f4c4bc5fd43e96260bfa32388b7","sha512":"b4004c4db4e1cce5fd0b4a6f1b67d5bb96a57ec64967218661d491a8084afbf33fdea54cd5d4078ef950711d3c3301166e86ee2048e4a1341af3429de93b9932","ssdeep":"","tlshash":"78f00ec507b6ba109f621e247529e23eae106bb6611613a520e803e75486bde2bd882c","first_seen":"2024-10-06T02:22:48Z","last_seen":"2024-10-11T09:16:25.205845Z","times_seen":23072,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r10.o.lencr.org/","fqdn":"r10.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:35.747087293Z","timestamp":1728219695747,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r10.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"25AC9A9B10F13BB7B9CAB9D9D74175F4E9B6BDDD5BDCAAFB958C1D9395985637\"\r\nLast-Modified: Sun, 06 Oct 2024 06:48:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=4117\r\nExpires: Sun, 06 Oct 2024 14:10:12 GMT\r\nDate: Sun, 06 Oct 2024 13:01:35 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"4489f5e8956a10cb4018f0d3d819f0b2","sha1":"fd6caa5bc55c86049955569ecd2f9879bfac8175","sha256":"25ac9a9b10f13bb7b9cab9d9d74175f4e9b6bddd5bdcaafb958c1d9395985637","sha512":"ebe00d200e1cd350a4bcdcbe269ecb7838cc96a29c0175075d7b063c63bee83aa2b37e887877f843b4e39a37dd1948dbef29a6894ea6da0fd80d467f5295f3fb","ssdeep":"","tlshash":"b2f005a10bb9f406e57c9c10f569d4a12d31ae6831106dd069c013b0fd63ee667c5a4c","first_seen":"2024-10-06T11:46:46Z","last_seen":"2024-10-11T09:17:32.20734Z","times_seen":11562,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:37.709898592Z","timestamp":1728219697709,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"8456900AB387A69910DAA36C8DF04728E49BFCA1F31F176465608432F3DE90DC\"\r\nLast-Modified: Fri, 04 Oct 2024 18:19:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=4300\r\nExpires: Sun, 06 Oct 2024 14:13:17 GMT\r\nDate: Sun, 06 Oct 2024 13:01:37 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"6c63037d1240287ccbfc7295cd0c2c38","sha1":"fa4e8be173a4c9bdb4a8dfa4916aa781ce5ac179","sha256":"8456900ab387a69910daa36c8df04728e49bfca1f31f176465608432f3de90dc","sha512":"2387eae75b5850cb54b48ff780435a3038856a213534db369c420aa6d963318d9ca8ab55b6f544e0b09c6543b27274d7f00fe4d8dcf7fece3c0f5cf4df60ea38","ssdeep":"","tlshash":"bcf005062573b8981a144d2de581e53b083038f57094d3fb55fc43e13d057e9595144c","first_seen":"0001-01-01T00:00:00Z","last_seen":"2024-10-11T09:19:46.50427Z","times_seen":24789,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:37.712583952Z","timestamp":1728219697712,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"8456900AB387A69910DAA36C8DF04728E49BFCA1F31F176465608432F3DE90DC\"\r\nLast-Modified: Fri, 04 Oct 2024 18:19:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=4300\r\nExpires: Sun, 06 Oct 2024 14:13:17 GMT\r\nDate: Sun, 06 Oct 2024 13:01:37 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"6c63037d1240287ccbfc7295cd0c2c38","sha1":"fa4e8be173a4c9bdb4a8dfa4916aa781ce5ac179","sha256":"8456900ab387a69910daa36c8df04728e49bfca1f31f176465608432f3de90dc","sha512":"2387eae75b5850cb54b48ff780435a3038856a213534db369c420aa6d963318d9ca8ab55b6f544e0b09c6543b27274d7f00fe4d8dcf7fece3c0f5cf4df60ea38","ssdeep":"","tlshash":"bcf005062573b8981a144d2de581e53b083038f57094d3fb55fc43e13d057e9595144c","first_seen":"0001-01-01T00:00:00Z","last_seen":"2024-10-11T09:19:46.50427Z","times_seen":24789,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"r11.o.lencr.org/","fqdn":"r11.o.lencr.org","domain":"lencr.org","tld":"org"},"ip":{"addr":"23.36.77.32","port":0,"asn":20940,"as":"Akamai International B.V.","country":"Norway","country_code":"NO"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:37.715647454Z","timestamp":1728219697715,"http_version":"","security_state":"","security_info":null,"request":{"raw":"POST / HTTP/1.1\r\nHost: r11.o.lencr.org\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/ocsp-request\r\nContent-Length: 85\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: application/ocsp-response\r\nContent-Length: 504\r\nETag: \"8456900AB387A69910DAA36C8DF04728E49BFCA1F31F176465608432F3DE90DC\"\r\nLast-Modified: Fri, 04 Oct 2024 18:19:00 UTC\r\nCache-Control: public, no-transform, must-revalidate, max-age=4300\r\nExpires: Sun, 06 Oct 2024 14:13:17 GMT\r\nDate: Sun, 06 Oct 2024 13:01:37 GMT\r\nConnection: keep-alive\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":504,"size_decoded":504,"mime_type":"application/octet-stream","magic":"data","md5":"6c63037d1240287ccbfc7295cd0c2c38","sha1":"fa4e8be173a4c9bdb4a8dfa4916aa781ce5ac179","sha256":"8456900ab387a69910daa36c8df04728e49bfca1f31f176465608432f3de90dc","sha512":"2387eae75b5850cb54b48ff780435a3038856a213534db369c420aa6d963318d9ca8ab55b6f544e0b09c6543b27274d7f00fe4d8dcf7fece3c0f5cf4df60ea38","ssdeep":"","tlshash":"bcf005062573b8981a144d2de581e53b083038f57094d3fb55fc43e13d057e9595144c","first_seen":"0001-01-01T00:00:00Z","last_seen":"2024-10-11T09:19:46.50427Z","times_seen":24789,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"114.242.201.21:8001/favicon.ico","fqdn":"114.242.201.21:8001","domain":"114.242.201.21","tld":"21:8001"},"ip":{"addr":"114.242.201.21","port":8001,"asn":4808,"as":"China Unicom Beijing Province Network","country":"China","country_code":"CN"},"is_navigation_request":false,"resource_type":"img","requested_by":"http://114.242.201.21:8001/help.scr","date":"2024-10-06T13:01:37.952Z","timestamp":1728219697952,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: 114.242.201.21:8001\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: http://114.242.201.21:8001/help.scr\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: openresty\r\nDate: Sun, 06 Oct 2024 12:46:38 GMT\r\nContent-Type: image/x-icon\r\nContent-Length: 16958\r\nLast-Modified: Thu, 11 Jul 2019 14:25:31 GMT\r\nConnection: keep-alive\r\nETag: \"5d2746db-423e\"\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nAccept-Ranges: bytes\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":16958,"size_decoded":16958,"mime_type":"image/x-icon","magic":"MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel","md5":"e05b47d5ce11d2f4182a964255870b76","sha1":"ef53228107481b411f6e2bbc44d2a70eef0c1ddf","sha256":"72f32f21bba2b3790781f3b548e63dabbe9c0ef5f56f589058e099daaa5cb22e","sha512":"34bde3ae4ebf8f621edb2ff4bdde5c6671cfd65be9b126840cce7a2e8040c8d4fec2d16f22e4e917d9a2f9b750c95df84c5c8b487f8a3b663ea70560edeabc69","ssdeep":"96:l9DuZN+V3csJwRETWUqBGkZ1TPMz55555555555ecs0Ka43AwsjPn3QXM:lUZN+dcWwRETWUyZ1XsW3AwsjAXM","tlshash":"a1720eace195dfe5c818f27e0e30904a2d1865f78b4895e7703a728d40a0ddf76f12ab","first_seen":"2024-07-18T14:05:22Z","last_seen":"2025-02-24T08:58:40.774985Z","times_seen":23,"resource_available":false,"data":null}},"time_used":536,"timings":{"blocked":-1,"dns":0,"connect":0,"send":0,"wait":265,"receive":271,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-06","alert":"Sinkholed","trigger":"114.242.201.21","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"114.242.201.21:8001/help.scr","fqdn":"114.242.201.21:8001","domain":"114.242.201.21","tld":"21:8001"},"ip":{"addr":"114.242.201.21","port":0,"asn":4808,"as":"China Unicom Beijing Province Network","country":"China","country_code":"CN"},"is_navigation_request":false,"resource_type":"","requested_by":"","date":"2024-10-06T13:01:45.14502644Z","timestamp":1728219705145,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /help.scr HTTP/1.1\r\nHost: 114.242.201.21:8001\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":""},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: openresty\r\nDate: Sun, 06 Oct 2024 12:46:36 GMT\r\nContent-Type: text/plain\r\nLast-Modified: Fri, 06 Sep 2024 09:36:08 GMT\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nETag: W/\"66dacd08-8f7800\"\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\nContent-Encoding: gzip\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":7134772,"size_decoded":9402368,"mime_type":"application/octet-stream","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections","md5":"a2af48a018c65d34b445bd35bdd1b597","sha1":"76daedc184a0cb9a717fc49f86a57b5baed0a35c","sha256":"d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60","sha512":"d8def07a8accdb65b6b9dfc3168981b600a78310ec06cb626fcd000e7bcc4627ff5be7fc9f26992838226d84982ddd470d9ac89e041727e72b738a61bec61319","ssdeep":"196608:rhHMBGC3PtXtT+Was8ywq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G0jwuwasMdJOnZKVSaaNZOn","tlshash":"bf96e022bdd18577c66303327d5df23972eeb5741b3581c763981f2d2a702e26a3922b","first_seen":"2024-06-14T04:04:18Z","last_seen":"2025-04-21T15:30:32.610507Z","times_seen":211,"resource_available":false,"data":null}},"time_used":0,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":0,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-06","alert":"meth_get_eip","trigger":"114.242.201.21:8001/help.scr","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-10-06","alert":"meth_stackstrings","trigger":"114.242.201.21:8001/help.scr","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-10-06","alert":"Sinkholed","trigger":"114.242.201.21","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-10-01","alert":"Scan result 63/71","trigger":"d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60","verdict":"malicious","severity":"","comment":"malicious - 63/71","link":"https://www.virustotal.com/gui/file/d6350d8a664b3585108ee2b6f04f031d478e97a53962786b18e4780a3ca3da60","meta":null}],"urlquery":null}}]}