{"report_id":"bf251d35-f837-4acd-882d-0b7e4c30016a","version":6,"status":"done","tags":[],"date":"2025-12-21T05:44:40Z","url":{"schema":"http","addr":"www.vssweb.net/ivsweb.exe","fqdn":"www.vssweb.net","domain":"vssweb.net","tld":"net"},"ip":{"addr":"65.9.60.195","port":0,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing","dom":{"size":4657,"mime_type":"text/html; charset=utf-8","magic":"HTML document, Unicode text, UTF-8 text","md5":"68744c237305efbcc529630639a41a4e","sha1":"67a04a133a92f0f08272e702165ac6666db0911f","sha256":"eaf7416b63d0a12774d655348e38a229eae601124ee077f5558a5caa0c369a3d","sha512":"ad0f27f46f426f17365d9e1256562a177c3239bc035f77a34c5748459ee67fda5319b28fdf95777c79ad19a0e4048e61a3ee1a686267ccc9fffba90dc2cda9ad","ssdeep":"96:AMDFs1Bx1U3b61j1XB7gx10UFZV2WOzCBTjl22D+i8kDNLerlS:n561FpEmULV2jUjM2D+z0sJS","tlshash":"00a143a944f0663b189392a5e9c1bf57af816607cb8d69807baf40f31fc7d54886f10d","dom_hash":"domhash0f75e96bbe12b34f36b59d8eab215780","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"http","addr":"www.vssweb.net/ivsweb.exe","fqdn":"www.vssweb.net","domain":"vssweb.net","tld":"net"},"ip":{"addr":"65.9.60.195","port":0,"asn":16509,"as":"AMAZON-02","country":"United States","country_code":"US"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-01-25T05:44:40Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":2,"urlquery":0,"analyzer":1}},"detection":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-12-21T05:44:17Z","timestamp":1766295857,"ip_dst":{"addr":"172.18.0.16","port":37784,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2025-12-21T05:44:17.129260+0000\",\"flow_id\":2067956040249871,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"3.167.7.134\",\"src_port\":80,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37784,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"www.vssweb.net\",\"url\":\"/ivsweb.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":41480},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":37,\"bytes_toserver\":1935,\"bytes_toclient\":45791,\"start\":\"2025-12-21T05:44:16.504335+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-12-21T05:44:17Z","timestamp":1766295857,"ip_dst":{"addr":"172.18.0.16","port":37784,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File","source":"{\"timestamp\":\"2025-12-21T05:44:17.129260+0000\",\"flow_id\":2067956040249871,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"3.167.7.134\",\"src_port\":80,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37784,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062740,\"rev\":25,\"signature\":\"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2010_07_30\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_06_04\"]}},\"http\":{\"hostname\":\"www.vssweb.net\",\"url\":\"/ivsweb.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":41480},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":37,\"bytes_toserver\":1935,\"bytes_toclient\":45791,\"start\":\"2025-12-21T05:44:16.504335+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-12-21","alert":"Scans presence of the found strings using the in-house brute force method","trigger":"www.vssweb.net/ivsweb.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Byambaa@pubcert.mn","date":"2024-10-01","description":"Scans presence of the found strings using the in-house brute force method","rule":"ScanStringsInsocks5systemz","yarahub_license":"CC0 1.0","yarahub_reference_md5":"73875E9DA68182B09BC6A7FAAFFF67D8","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"cd061b79-9264-480a-bda6-2242046143d5"}}],"urlquery":null},"summary":[{"fqdn":"www.vssweb.net","ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"domain_registered":"2012-05-29","domain_rank":0,"first_seen":"2013-05-20T07:34:58Z","last_seen":"2025-08-23T10:52:37.549042Z","alert_count":5,"request_count":2,"received_data":2484601,"sent_data":902,"comment":"","tags":null,"fingerprints":[{"name":"Amazon CloudFront","description":"Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds.","website":"https://aws.amazon.com/cloudfront/","common_platform_enumeration":"","icon":"Amazon Cloudfront.svg","categories":["CDN"]},{"name":"Amazon Web Services","description":"Amazon Web Services (AWS) is a comprehensive cloud services platform offering compute power, database storage, content delivery and other functionality.","website":"https://aws.amazon.com/","common_platform_enumeration":"","icon":"Amazon Web Services.svg","categories":["PaaS"]},{"name":"Apache Tomcat","description":"Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies.","website":"https://tomcat.apache.org","common_platform_enumeration":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","icon":"Apache Tomcat.svg","categories":["Web servers"]},{"name":"Java","description":"Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible.","website":"https://java.com","common_platform_enumeration":"cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*","icon":"Java.svg","categories":["Programming languages"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"b9bc4b7ab4b3a030699ca8b5c06f6045","sha1":"44ddd1d4b274d1835cb95885ac6019c24cd98986","sha256":"a0afd64858dfba6797b2aaf386cce4ba1422fbeca27e6a10c31b2fabcb584bfd","sha512":"900ae690380da951632abd4cdb14ff6a9b6f2bf6aa602142b0d9d68931e1e81eeba2c30f4ae36b521ca180a3df568222f0b62076a973030662729c2a3f247a3d","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections","size":2484168,"url":{"schema":"http","addr":"www.vssweb.net/ivsweb.exe","fqdn":"www.vssweb.net","domain":"vssweb.net","tld":"net"},"ip":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-12-21","alert":"Scans presence of the found strings using the in-house brute force method","trigger":"www.vssweb.net/ivsweb.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Byambaa@pubcert.mn","date":"2024-10-01","description":"Scans presence of the found strings using the in-house brute force method","rule":"ScanStringsInsocks5systemz","yarahub_license":"CC0 1.0","yarahub_reference_md5":"73875E9DA68182B09BC6A7FAAFFF67D8","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"cd061b79-9264-480a-bda6-2242046143d5"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"www.vssweb.net/ivsweb.exe","fqdn":"www.vssweb.net","domain":"vssweb.net","tld":"net"},"ip":{"addr":"0.0.0.0","port":0,"asn":0,"as":"","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-12-21T05:44:15.541Z","timestamp":0,"http_version":"","security_state":"broken","security_info":null,"request":{"raw":"GET /ivsweb.exe HTTP/1.1\r\nHost: www.vssweb.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":0,"size_decoded":0,"mime_type":"","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-04-04T11:49:30.368697Z","times_seen":13330398,"resource_available":true,"data":null}},"time_used":951,"timings":{"blocked":0,"dns":941,"connect":1,"send":0,"wait":0,"receive":0,"ssl":6},"alerts":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-12-21T05:44:17Z","timestamp":1766295857,"ip_dst":{"addr":"172.18.0.16","port":37784,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2025-12-21T05:44:17.129260+0000\",\"flow_id\":2067956040249871,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"3.167.7.134\",\"src_port\":80,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37784,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"www.vssweb.net\",\"url\":\"/ivsweb.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":41480},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":37,\"bytes_toserver\":1935,\"bytes_toclient\":45791,\"start\":\"2025-12-21T05:44:16.504335+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-12-21T05:44:17Z","timestamp":1766295857,"ip_dst":{"addr":"172.18.0.16","port":37784,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File","source":"{\"timestamp\":\"2025-12-21T05:44:17.129260+0000\",\"flow_id\":2067956040249871,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"3.167.7.134\",\"src_port\":80,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37784,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062740,\"rev\":25,\"signature\":\"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2010_07_30\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_06_04\"]}},\"http\":{\"hostname\":\"www.vssweb.net\",\"url\":\"/ivsweb.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":41480},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":37,\"bytes_toserver\":1935,\"bytes_toclient\":45791,\"start\":\"2025-12-21T05:44:16.504335+0000\"}}"}],"analyzer":null,"urlquery":null}},{"url":{"schema":"http","addr":"www.vssweb.net/ivsweb.exe","fqdn":"www.vssweb.net","domain":"vssweb.net","tld":"net"},"ip":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-12-21T05:44:16.504Z","timestamp":0,"http_version":"","security_state":"insecure","security_info":null,"request":{"raw":"GET /ivsweb.exe HTTP/1.1\r\nHost: www.vssweb.net\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nDate: Sun, 21 Dec 2025 05:44:16 GMT\r\nServer: Apache-Coyote/1.1\r\nSet-Cookie: JSESSIONID=91C9BFC662662FA03B941E42FA94D541; Path=/; HttpOnly\r\nX-Cache: Miss from cloudfront\r\nVia: 1.1 7bc180ff569f641823300f4c342cb63a.cloudfront.net (CloudFront)\r\nX-Amz-Cf-Pop: OSL50-P2\r\nX-Amz-Cf-Id: B5U_ssr4tvB52iRZPD8CZ-iUq4GFfCuWTEAkvBKGzMKhusSNzeZh2A==\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Amazon CloudFront","description":"Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds.","website":"https://aws.amazon.com/cloudfront/","common_platform_enumeration":"","icon":"Amazon Cloudfront.svg","categories":["CDN"]},{"name":"Amazon Web Services","description":"Amazon Web Services (AWS) is a comprehensive cloud services platform offering compute power, database storage, content delivery and other functionality.","website":"https://aws.amazon.com/","common_platform_enumeration":"","icon":"Amazon Web Services.svg","categories":["PaaS"]},{"name":"Apache Tomcat","description":"Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies.","website":"https://tomcat.apache.org","common_platform_enumeration":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","icon":"Apache Tomcat.svg","categories":["Web servers"]},{"name":"Java","description":"Java is a class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible.","website":"https://java.com","common_platform_enumeration":"cpe:2.3:a:oracle:jre:*:*:*:*:*:*:*:*","icon":"Java.svg","categories":["Programming languages"]}],"data":{"size":2484168,"size_decoded":0,"mime_type":"application/x-msdos-program","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections","md5":"b9bc4b7ab4b3a030699ca8b5c06f6045","sha1":"44ddd1d4b274d1835cb95885ac6019c24cd98986","sha256":"a0afd64858dfba6797b2aaf386cce4ba1422fbeca27e6a10c31b2fabcb584bfd","sha512":"900ae690380da951632abd4cdb14ff6a9b6f2bf6aa602142b0d9d68931e1e81eeba2c30f4ae36b521ca180a3df568222f0b62076a973030662729c2a3f247a3d","ssdeep":"24576:lqeGs55FqjJR6cy/HpfhZmw0y9JUAFMYQ3VI:+rNRVQ5Zx96shQ3VI","tlshash":"6d252363d60269f0c291c3f68e5f9089d263b3352d306b1471dc9bd9af37a4e999e348","first_seen":"2025-08-23T10:52:38.769212Z","last_seen":"2026-01-21T10:57:51.105761Z","times_seen":3,"resource_available":false,"data":null}},"time_used":1825,"timings":{"blocked":1,"dns":1,"connect":1,"send":0,"wait":348,"receive":1474,"ssl":0},"alerts":{"ids":[{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-12-21T05:44:17Z","timestamp":1766295857,"ip_dst":{"addr":"172.18.0.16","port":37784,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"severity":"high","alert":"ET POLICY PE EXE or DLL Windows file download HTTP","source":"{\"timestamp\":\"2025-12-21T05:44:17.129260+0000\",\"flow_id\":2067956040249871,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"3.167.7.134\",\"src_port\":80,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37784,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018959,\"rev\":5,\"signature\":\"ET POLICY PE EXE or DLL Windows file download HTTP\",\"category\":\"Potential Corporate Privacy Violation\",\"severity\":1,\"metadata\":{\"confidence\":[\"High\"],\"created_at\":[\"2014_08_19\"],\"signature_severity\":[\"Informational\"],\"updated_at\":[\"2025_01_16\"]}},\"http\":{\"hostname\":\"www.vssweb.net\",\"url\":\"/ivsweb.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":41480},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":37,\"bytes_toserver\":1935,\"bytes_toclient\":45791,\"start\":\"2025-12-21T05:44:16.504335+0000\"}}"},{"sensor_name":"suricata","title":"Suricata IDS","description":"Suricata /w Emerging Threats Pro","date":"2025-12-21T05:44:17Z","timestamp":1766295857,"ip_dst":{"addr":"172.18.0.16","port":37784,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"3.167.7.134","port":80,"asn":0,"as":"","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File","source":"{\"timestamp\":\"2025-12-21T05:44:17.129260+0000\",\"flow_id\":2067956040249871,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"3.167.7.134\",\"src_port\":80,\"dest_ip\":\"172.18.0.16\",\"dest_port\":37784,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"exe.no.referer\",\"ET.http.binary\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2062740,\"rev\":25,\"signature\":\"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"confidence\":[\"Medium\"],\"created_at\":[\"2010_07_30\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2025_06_04\"]}},\"http\":{\"hostname\":\"www.vssweb.net\",\"url\":\"/ivsweb.exe\",\"http_user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\",\"http_content_type\":\"text/plain\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":41480},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":23,\"pkts_toclient\":37,\"bytes_toserver\":1935,\"bytes_toclient\":45791,\"start\":\"2025-12-21T05:44:16.504335+0000\"}}"}],"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"YARAhub by abuse.ch","description":"YARAhub by abuse.ch","scan_date":"2025-12-21","alert":"Scans presence of the found strings using the in-house brute force method","trigger":"www.vssweb.net/ivsweb.exe","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Byambaa@pubcert.mn","date":"2024-10-01","description":"Scans presence of the found strings using the in-house brute force method","rule":"ScanStringsInsocks5systemz","yarahub_license":"CC0 1.0","yarahub_reference_md5":"73875E9DA68182B09BC6A7FAAFFF67D8","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"cd061b79-9264-480a-bda6-2242046143d5"}}],"urlquery":null}}]}