Report - raw.githubusercontent.com/starkvps007/app/refs/heads/main/tolly.zip

Report Overview

Visited public
2024-10-22 14:17:06
Tags
URL
raw.githubusercontent.com/starkvps007/app/refs/heads/main/tolly.zip
Finishing URL
about:privatebrowsing
IP / ASN
185.199.108.133
#54113 FASTLY
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
raw.githubusercontent.com	35802	2014-02-06	2014-03-01	2024-10-16	521 B	30 kB	185.199.109.133

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Mnemonic Secure DNS

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Files detected

URL
raw.githubusercontent.com/starkvps007/app/refs/heads/main/tolly.zip
IP
185.199.109.133
ASN
#54113 FASTLY

File type
Zip archive data, at least v2.0 to extract, compression method=deflate
Size
29 kB (29359 bytes)
Hash
0c72eb543631ae328e2c0ba9aec714ea
925e5964d36f1d8329ccd2ee3f873777d2823f36
138d0bc07a1095dce3f69a75276ab04e4b39da1ae74c8a09cdcb8dbab305a962

Archive (5)

Filename

Md5

File type

BypassBest.php

75daa0902d0a21c52273432e34fa630a

PHP script, ASCII text, with very long lines (32403)

hello.php

5e82d748aa12d1019fe53d3e0c0eb5ae

PHP script, ASCII text, with very long lines (308)

readme.txt

a0a9112830072d0b51aa34eaefb62f50

ASCII text

style.php

eff18051344566a0283b940db29acce2

PHP script, ASCII text

wp-22.php

c4e69cc3663b67c00868f4be5c4e6ff7

PHP script, ASCII text, with very long lines (14580), with no line terminators

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	PHP webshell obfuscated by encoding of mixed hex and dec
Public Nextron YARA rules	malware	PHP webshell which eval()s obfuscated string
Public Nextron YARA rules	malware	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.
Public Nextron YARA rules	malware	typical webshell strings, suspicious

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

	URL	IP	Response	Size
	raw.githubusercontent.com/starkvps007/app/refs/heads/main/tolly.zip	185.199.109.133	200 OK	29 kB
URL User Request GET HTTP/2 raw.githubusercontent.com/starkvps007/app/refs/heads/main/tolly.zip IP 185.199.109.133:443 ASN #54113 FASTLY Certificate IssuerDigiCert Inc Subject.github.io Fingerprint97:D8:C5:70:0F:12:24:6C:88:BC:FA:06:7E:8C:A7:4D:A8:62:67:28 ValidityFri, 15 Mar 2024 00:00:00 GMT - Fri, 14 Mar 2025 23:59:59 GMT File type Zip archive data, at least v2.0 to extract, compression method=deflate Size 29 kB (29359 bytes) Hash 0c72eb543631ae328e2c0ba9aec714ea 925e5964d36f1d8329ccd2ee3f873777d2823f36 138d0bc07a1095dce3f69a75276ab04e4b39da1ae74c8a09cdcb8dbab305a962 HTTP Headers GET /starkvps007/app/refs/heads/main/tolly.zip HTTP/1.1 Host: raw.githubusercontent.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Upgrade-Insecure-Requests: 1 Connection: keep-alive Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: cross-site Pragma: no-cache Cache-Control: no-cache HTTP/2 200 OK cache-control: max-age=300 content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox content-type: application/zip etag: W/"79b5a0c4dbe7f087962f0d4d8bd3e0552683700f3eb2199a21189e41de44ac96" strict-transport-security: max-age=31536000 x-content-type-options: nosniff x-frame-options: deny x-xss-protection: 1; mode=block x-github-request-id: 97C5:0E03:28F1930:2AE5C90:6717B3C8 accept-ranges: bytes date: Tue, 22 Oct 2024 14:16:40 GMT via: 1.1 varnish x-served-by: cache-hel1410033-HEL x-cache: MISS x-cache-hits: 0 x-timer: S1729606600.471578,VS0,VE116 vary: Authorization,Accept-Encoding,Origin access-control-allow-origin: cross-origin-resource-policy: cross-origin x-fastly-request-id: 1e1b0fb3509af8ce69dda2702789814cb76b0a36 expires: Tue, 22 Oct 2024 14:21:40 GMT source-age: 0 content-length: 29359 X-Firefox-Spdy: h2

raw.githubusercontent.com/starkvps007/app/refs/heads/main/tolly.zip

185.199.109.133

200 OK

29 kB

URL User Request GET HTTP/2
raw.githubusercontent.com/starkvps007/app/refs/heads/main/tolly.zip
IP
185.199.109.133:443
ASN
#54113 FASTLY

Certificate
IssuerDigiCert Inc
Subject*.github.io
Fingerprint97:D8:C5:70:0F:12:24:6C:88:BC:FA:06:7E:8C:A7:4D:A8:62:67:28
ValidityFri, 15 Mar 2024 00:00:00 GMT - Fri, 14 Mar 2025 23:59:59 GMT

File type
Zip archive data, at least v2.0 to extract, compression method=deflate
Size
29 kB (29359 bytes)
Hash
0c72eb543631ae328e2c0ba9aec714ea
925e5964d36f1d8329ccd2ee3f873777d2823f36
138d0bc07a1095dce3f69a75276ab04e4b39da1ae74c8a09cdcb8dbab305a962

HTTP Headers

GET /starkvps007/app/refs/heads/main/tolly.zip HTTP/1.1
Host: raw.githubusercontent.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
cache-control: max-age=300
content-security-policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
content-type: application/zip
etag: W/"79b5a0c4dbe7f087962f0d4d8bd3e0552683700f3eb2199a21189e41de44ac96"
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
x-github-request-id: 97C5:0E03:28F1930:2AE5C90:6717B3C8
accept-ranges: bytes
date: Tue, 22 Oct 2024 14:16:40 GMT
via: 1.1 varnish
x-served-by: cache-hel1410033-HEL
x-cache: MISS
x-cache-hits: 0
x-timer: S1729606600.471578,VS0,VE116
vary: Authorization,Accept-Encoding,Origin
access-control-allow-origin: *
cross-origin-resource-policy: cross-origin
x-fastly-request-id: 1e1b0fb3509af8ce69dda2702789814cb76b0a36
expires: Tue, 22 Oct 2024 14:21:40 GMT
source-age: 0
content-length: 29359
X-Firefox-Spdy: h2

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

Mnemonic Secure DNS

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Archive (5)

Detections

JavaScript (0)

HTTP Transactions (1)

URL User Request GET HTTP/2

IP

ASN

Certificate

File type

Size

Hash

HTTP Headers