Report - prod-guanabara-frontoffice-smartbus.oreons.com/SmartBus.Client.Setup.exe

Report Overview

Visitedpublic

2024-10-24 01:34:58

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
prod-guanabara-frontoffice-smartbus.oreons.com	unknown	2015-07-21	2023-01-02	2023-12-01	526 B	776 kB	189.39.40.208

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-10-24	medium	prod-guanabara-frontoffice-smartbus.oreons.com/SmartBus.Client.Setup.exe	Detects an SFX archive with automatic script execution
2024-10-24	medium	prod-guanabara-frontoffice-smartbus.oreons.com/SmartBus.Client.Setup.exe	files - file ~tmp01925d3f.exe
2024-10-24	medium	prod-guanabara-frontoffice-smartbus.oreons.com/SmartBus.Client.Setup.exe	pe_detect_tls_callbacks

OpenPhish

No alerts detected

PhishTank

No alerts detected

Mnemonic Secure DNS

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

File detected

URL

prod-guanabara-frontoffice-smartbus.oreons.com/SmartBus.Client.Setup.exe

IP / ASN

189.39.40.208

#16735 ALGAR TELECOM SA

File Overview

File TypePE32+ executable (GUI) x86-64, for MS Windows, 8 sections

Size776 kB (776184 bytes)

MD5b556390d95c240664c267bb4685eaf6c

SHA19134f8962076d907a899038d9f475f962c3e4bfa

SHA25677566994aa5772806e77756752c7e15974abb87464aaf451991822f32e1cd1c6

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	Detects an SFX archive with automatic script execution
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
YARAhub by abuse.ch	malware	pe_detect_tls_callbacks

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

GET prod-guanabara-frontoffice-smartbus.oreons.com/SmartBus.Client.Setup.exe

189.39.40.208

200 OK

776 kB

URL User Request GET HTTPS

prod-guanabara-frontoffice-smartbus.oreons.com/SmartBus.Client.Setup.exe

IP / ASN

189.39.40.208

#16735 ALGAR TELECOM SA

Requested byN/A

Resource Info

File typePE32+ executable (GUI) x86-64, for MS Windows, 8 sections

First Seen2024-10-24

Last Seen2024-10-24

Times Seen1

Size776 kB (776184 bytes)

MD5b556390d95c240664c267bb4685eaf6c

SHA19134f8962076d907a899038d9f475f962c3e4bfa

SHA25677566994aa5772806e77756752c7e15974abb87464aaf451991822f32e1cd1c6

Certificate Info

IssuerSectigo Limited

Subject*.oreons.com

FingerprintD3:B1:30:1D:55:43:CA:B4:60:42:A6:64:2B:87:45:E2:1E:FC:1E:63

ValidityFri, 19 Jan 2024 00:00:00 GMT - Sat, 18 Jan 2025 23:59:59 GMT

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	Detects an SFX archive with automatic script execution
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
YARAhub by abuse.ch	malware	pe_detect_tls_callbacks

HTTP Headers

GET /SmartBus.Client.Setup.exe HTTP/1.1
Host: prod-guanabara-frontoffice-smartbus.oreons.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 16 Oct 2024 03:41:25 GMT
Accept-Ranges: bytes
ETag: "73a4e5467d1fdb1:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 24 Oct 2024 01:34:33 GMT
Content-Length: 776184
Set-Cookie: LBTTI=rd2o00000000000000000000ffffc0a8f047o80; path=/; Httponly