Overview

URL: update.kiemthexua.net/autoupdate/hostfile/Autoupdate.exe
IP: 103.90.227.43 (Vietnam)
ASN: #135905 VIETNAM POSTS AND TELECOMMUNICATIONS GROUP
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Referer: (none)
Access: public
Report completed: 2023-05-26 09:01:27 UTC
IDS alerts: 1
Blocklist alerts: 1
urlquery alerts: No alerts detected
Tags: None

Domain Summary (2)

Fully Qualified Domain Name | Rank | First Seen | Last Seen | Sent bytes | Received bytes | IP | Comment
ocsp.sectigo.com (1) | 487 | 2019-11-29 12:50:24 | 2023-05-26 10:07:58 | 330 | 963 | 104.18.15.101 |
update.kiemthexua.net (1) | 0 | 2023-05-05 17:26:59 | 2023-05-24 18:00:10 | 428 | 1852236 | 103.90.227.43 |

Network Intrusion Detection Systems

Suricata w/ Emerging Threats Pro
Timestamp | Severity | Source IP | Destination IP | Alert
2023-05-26 09:01:11 UTC | high | 103.90.227.43 | Client IP | ET POLICY PE EXE or DLL Windows file download HTTP

Blocklists

OpenPhish
 No alerts detected

PhishTank
 No alerts detected

Fortinet's Web Filter
Scan Date | Severity | Indicator | Comment
2023-05-26 | medium | update.kiemthexua.net/autoupdate/hostfile/Autoupdate.exe | Malware

mnemonic secure dns
 No alerts detected

Quad9 DNS
 No alerts detected

ThreatFox
 No alerts detected


Files

URL: update.kiemthexua.net/autoupdate/hostfile/Autoupdate.exe
IP: 103.90.227.43
Magic: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows; - data
Size: 1851904
MD5: af990ecd6f70bcb81134ad68b8c8d77a
SHA1: e0cb39dc361549cf387ebdf3a502a1e3333da3a0
SHA256: cd5c111603132baa22eb549476067fe0ce91c56ee43c22a188de73692bbeac95

Analyzer | Scan Date | Verdict | Comment
VirusTotal | 2023-05-20 | 31/71 | VirusTotal Report

Recent reports on same IP/ASN/Domain/Screenshot

Last 5 reports on IP: 103.90.227.43
Date | UQ / IDS / BL | URL | IP
2023-05-30 09:01:08 UTC | 0 - 1 - 0 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-28 13:23:40 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-27 16:01:04 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-26 09:01:27 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-25 16:00:44 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43


Last 5 reports on ASN: VIETNAM POSTS AND TELECOMMUNICATIONS GROUP
Date | UQ / IDS / BL | URL | IP
2023-06-06 01:06:52 UTC | 0 - 0 - 20 | 103.133.104.112/dashboard/ | 103.133.104.112
2023-06-05 22:08:13 UTC | 0 - 3 - 2 | 103.133.104.112/877/hkcmd.exe | 103.133.104.112
2023-06-05 22:08:09 UTC | 0 - 1 - 2 | 103.133.104.112/ih/ihihihihihihihihihihihi%23 (...) | 103.133.104.112
2023-06-05 16:42:56 UTC | 0 - 1 - 1 | 14.225.254.203/ | 14.225.254.203
2023-06-05 16:23:29 UTC | 0 - 0 - 2 | 103.140.251.122/ | 103.140.251.122


Last 5 reports on domain: kiemthexua.net
Date | UQ / IDS / BL | URL | IP
2023-05-30 09:01:08 UTC | 0 - 1 - 0 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-28 13:23:40 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-27 16:01:04 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-26 09:01:27 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43
2023-05-25 16:00:44 UTC | 0 - 1 - 1 | update.kiemthexua.net/autoupdate/hostfile/Aut (...) | 103.90.227.43


Last 5 reports with similar screenshot
Date | UQ / IDS / BL | URL | IP
2023-06-06 07:06:38 UTC | 0 - 1 - 0 | pkg.dl.mail.ru/packages/0_2018576distrib5/Ato (...) | 178.22.88.105
2023-06-06 07:06:32 UTC | 0 - 1 - 0 | pkg.dl.mail.ru/packages/0_2018576distrib5/Ato (...) | 178.22.88.106
2023-06-06 07:06:27 UTC | 0 - 2 - 0 | pkg.dl.mail.ru/packages/0_2018576distrib5/Ato (...) | 188.93.63.129
2023-06-06 07:05:01 UTC | 0 - 1 - 0 | www.audiochannel.net/components/jp/mpfreesetup.exe | 173.247.250.125
2023-06-06 07:04:49 UTC | 0 - 1 - 0 | www.audiochannel.net/software/sv/mixpadfsetup (...) | 173.247.250.125

JavaScript

Executed Scripts (0)

Executed Evals (0)

Executed Writes (0)


HTTP Transactions (2)


Transaction 1

Request:
POST / HTTP/1.1
Host: ocsp.sectigo.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 83
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Response (104.18.15.101):
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Fri, 26 May 2023 09:01:10 GMT
Content-Length: 471
Connection: keep-alive
Last-Modified: Tue, 23 May 2023 10:09:58 GMT
Expires: Tue, 30 May 2023 10:09:57 GMT
Etag: "9cfc0c255766df140fc4407baf8210608a51e530"
Cache-Control: max-age=349126,s-maxage=1800,public,no-transform,must-revalidate
X-CCACDN-Proxy-ID: mcdpinlb4
X-Frame-Options: SAMEORIGIN
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 7cd4d4faad6ab50f-OSL

Transaction 2

Request:
GET /autoupdate/hostfile/Autoupdate.exe HTTP/1.1
Host: update.kiemthexua.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

Response (103.90.227.43):
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Server: nginx/1.19.1
Date: Fri, 26 May 2023 09:01:11 GMT
Content-Length: 1851904
Connection: keep-alive
Last-Modified: Tue, 16 May 2023 08:20:40 GMT
ETag: "64633cd8-1c4200"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes


--- Additional Info ---
Magic:  PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows; - data
Size:   1851904
Md5:    af990ecd6f70bcb81134ad68b8c8d77a
Sha1:   e0cb39dc361549cf387ebdf3a502a1e3333da3a0
Sha256: cd5c111603132baa22eb549476067fe0ce91c56ee43c22a188de73692bbeac95

Blocklists:
  - fortinet: Malware
  - virustotal: 31/71
IDS:
  - ET POLICY PE EXE or DLL Windows file download HTTP