{"report_id":"c55c39fa-0dba-455e-8beb-5dd6bfbe2a4e","version":6,"status":"done","tags":[],"date":"2025-05-13T17:56:32Z","url":{"schema":"http","addr":"github.com/Coporton/IDM-Activation-Script/releases/download/v2.5.1/IDM-Activation-Script-main.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.3","port":0,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-07-22T17:56:31Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"github.com","ip":{"addr":"140.82.121.4","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"domain_registered":"2007-10-09","domain_rank":1423,"first_seen":"2016-07-13T12:28:22Z","last_seen":"2025-05-07T15:08:31.503422Z","alert_count":0,"request_count":1,"received_data":2822072,"sent_data":565,"comment":"","tags":null,"fingerprints":null},{"fqdn":"objects.githubusercontent.com","ip":{"addr":"185.199.111.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"domain_registered":"2014-02-06","domain_rank":134060,"first_seen":"2021-11-01T21:34:29Z","last_seen":"2025-05-07T16:23:42.174203Z","alert_count":1,"request_count":1,"received_data":2818444,"sent_data":987,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"0df6f5d5965e2239137b23c8001f2ed1","sha1":"1e221942e7058f0a7c717f14af2e52845eee1784","sha256":"df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","sha512":"1d2b5ae8e9ced651ed8f614c1094615c875b6f586df715ebafb98a3ba45d5fac5d2183fbf7ef81dddc3fcb6e88e8c7d6af05c43725067567ca3c7ef96f0982e1","magic":"Zip archive data, at least v1.0 to extract, compression method=store","size":2817586,"url":{"schema":"https","addr":"objects.githubusercontent.com/github-production-release-asset-2e65be/843673148/8ea8955c-10c4-43c4-8ee7-af2d51d43b39?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=releaseassetproduction%2F20250513%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20250513T175559Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=0d8c9e6636f65af117e891781b788f8816732a8108b8b7c47e741fcf97acd1e8\u0026X-Amz-SignedHeaders=host\u0026response-content-disposition=attachment%3B%20filename%3DIDM-Activation-Script-main.zip\u0026response-content-type=application%2Foctet-stream","fqdn":"objects.githubusercontent.com","domain":"objects.githubusercontent.com","tld":"githubusercontent.com"},"ip":{"addr":"185.199.111.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"archive":[{"path":"IDM-Activation-Script-main/src/banner_art.txt","filename":"banner_art.txt","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"ASCII text, with CRLF line terminators","size":1032,"md5":"13bfef56e214dc91015e3341acda17e9","sha1":"6bb7ae0ef29cf65b291f79920e0874eac0fe6e1c","sha256":"86ea90a9d22aa5cf5dd15c14c869da34fea66e427ee4863a9da68bac8740b8ee","sha512":"dfd674f48731a95bebc059ceb8364ced3fd9f16edc0e7ca189f0fc9d2c5474d79f45c71181447aa520e619fdf72cdcc34fa3c7230aaf0efe4036e0e45704a9d4","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/src/data.bin","filename":"data.bin","modified":"2025-05-11T18:38:27+06:00","Modified":"","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections","size":6035456,"md5":"7b1a4cabeab8b64d5fb54658e328c259","sha1":"c023172c5de9f3e825976d7390e84a33884dfe60","sha256":"fdf57fd8755ff47f2cfb220a26345208079abc625a32e4a5190689168ea73470","sha512":"a077ead0165077f816c92d332d83162ccbd1f15944cd064a73381d3cfc702f9a479ccd484ce1577d34255ed109948d551e00727d9d74a75580361bde2ac0cae5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/data.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 2/72","trigger":"fdf57fd8755ff47f2cfb220a26345208079abc625a32e4a5190689168ea73470","verdict":"suspicious","severity":"","comment":"suspicious - 2/72","link":"https://www.virustotal.com/gui/file/fdf57fd8755ff47f2cfb220a26345208079abc625a32e4a5190689168ea73470","meta":null}]}},{"path":"IDM-Activation-Script-main/src/dataHlp.bin","filename":"dataHlp.bin","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections","size":519992,"md5":"3f3303af5b33d751bb1152110a807c7f","sha1":"aafa70b0b787b3009ed88016094ba5caa2725f68","sha256":"db273cc8cf91a1df241b7511db392524cbab6c40f8df7d8535ace4b51fed9ffb","sha512":"46c107e825dab0a9215ac2d53159e7f41aa8d548b28dd1085a22550b5809e92ecfd684c146adc7c686e2abf00681dc7e37d4d459a53038b2f694ca290d9375a4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/dataHlp.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]}},{"path":"IDM-Activation-Script-main/src/extensions.bin","filename":"extensions.bin","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"Windows Registry little-endian text (Win2K or above)","size":18448,"md5":"d75ceb6bec202ac2e4157fa5ccf2ea40","sha1":"38efb14850c50037abd08784f9bea70baa453b0a","sha256":"df89aa1ff1712e82fe4c87348a745d5856d52a683c019509f7ffd02bae7bee0f","sha512":"755056a13c912014357cb8983b1daacab07bce366ca58c0446873bb2c617038d78e32b6b34b2cd663cf4850a059aa62345595ada7137a377dd274c9dfa02da84","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/src/registry.bin","filename":"registry.bin","modified":"2025-05-11T18:42:41+06:00","Modified":"","magic":"Windows Registry text (Win2K or above)","size":273,"md5":"49082ce63b396fd43e432cbc454e96f4","sha1":"c2c5168c4916171b2666c4c2ccbe208770ada1af","sha256":"cc58d6ef93b965f68263df7d7c443f24d7114c3193536c5bbf0368f192494963","sha512":"4e6d653cff391832f95ce70ae454668f80d9c8a926a1a16f9892d831b4f3978ba57923201c8f58d75f73b606ac6c39696a0a51a99c0a581d6aae4e39ff8ee731","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/IASL.cmd","filename":"IASL.cmd","modified":"2025-05-11T18:43:06+06:00","Modified":"","magic":"DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators, with escape sequences","size":17975,"md5":"453fee665274f8227eb25111faf9531b","sha1":"3a6dc97a52a79b8c270320946a69aa3e34771340","sha256":"31886cb2164ec0b893ae33bb91c7accfa7da4f9736d7adc8b1d49a68b565ef11","sha512":"61709da50725916f817b7d0d54a0906212fb29dce62073bbc676c9991b0b3eb2c89ab6f8c81391b2e29ee0bc421f108b15fbed1843c51ca08052ad6bbd346173","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/LICENSE","filename":"LICENSE","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"ASCII text, with CRLF line terminators","size":1077,"md5":"354960ccc2e02ad40c438827ec105d18","sha1":"f310827b078ada5b09d3967e53a43290a2a21903","sha256":"b800a52c77c8ac924a16bbd34136fe2877f477efac1eaa1af7af0c36703d8966","sha512":"a83bea2534326618c92d622cc918b7af2827e666539d1eb9a0b21a2ca3abcea9b09bb8b3ff3a380884d371a3c2be1489f61d13ddff46f4e5cb8e635b71700da6","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/README.md","filename":"README.md","modified":"2025-05-11T18:43:23+06:00","Modified":"","magic":"Unicode text, UTF-8 text, with very long lines (317), with CRLF line terminators","size":3684,"md5":"d9a4d058c2e3b6e905612b4242624975","sha1":"6f0b119ed2741918f0d06e5e7db03ac7841b87b4","sha256":"98cd208b3274443fb7fec435fa585d0480bb8b5e44c7b9e1f0d980e6f529de90","sha512":"551a26136b2a1ef9f6c662fd17a9d62bdcd92aacb1c1e3407148d559adf1f7d4fec7d55afff21c1dddd24f18960d8101644a9bbb24511acc7e10c179437aefe9","alerts":{"urlquery":null,"analyzer":null}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/data.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/dataHlp.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 7/66","trigger":"df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","verdict":"suspicious","severity":"","comment":"suspicious - 7/66","link":"https://www.virustotal.com/gui/file/df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","meta":null}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"0df6f5d5965e2239137b23c8001f2ed1","sha1":"1e221942e7058f0a7c717f14af2e52845eee1784","sha256":"df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","sha512":"1d2b5ae8e9ced651ed8f614c1094615c875b6f586df715ebafb98a3ba45d5fac5d2183fbf7ef81dddc3fcb6e88e8c7d6af05c43725067567ca3c7ef96f0982e1","magic":"Zip archive data, at least v1.0 to extract, compression method=store","size":2817586,"url":{"schema":"https","addr":"objects.githubusercontent.com/github-production-release-asset-2e65be/843673148/8ea8955c-10c4-43c4-8ee7-af2d51d43b39?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=releaseassetproduction%2F20250513%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20250513T175559Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=0d8c9e6636f65af117e891781b788f8816732a8108b8b7c47e741fcf97acd1e8\u0026X-Amz-SignedHeaders=host\u0026response-content-disposition=attachment%3B%20filename%3DIDM-Activation-Script-main.zip\u0026response-content-type=application%2Foctet-stream","fqdn":"objects.githubusercontent.com","domain":"objects.githubusercontent.com","tld":"githubusercontent.com"},"ip":{"addr":"185.199.111.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"archive":[{"path":"IDM-Activation-Script-main/src/banner_art.txt","filename":"banner_art.txt","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"ASCII text, with CRLF line terminators","size":1032,"md5":"13bfef56e214dc91015e3341acda17e9","sha1":"6bb7ae0ef29cf65b291f79920e0874eac0fe6e1c","sha256":"86ea90a9d22aa5cf5dd15c14c869da34fea66e427ee4863a9da68bac8740b8ee","sha512":"dfd674f48731a95bebc059ceb8364ced3fd9f16edc0e7ca189f0fc9d2c5474d79f45c71181447aa520e619fdf72cdcc34fa3c7230aaf0efe4036e0e45704a9d4","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/src/data.bin","filename":"data.bin","modified":"2025-05-11T18:38:27+06:00","Modified":"","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections","size":6035456,"md5":"7b1a4cabeab8b64d5fb54658e328c259","sha1":"c023172c5de9f3e825976d7390e84a33884dfe60","sha256":"fdf57fd8755ff47f2cfb220a26345208079abc625a32e4a5190689168ea73470","sha512":"a077ead0165077f816c92d332d83162ccbd1f15944cd064a73381d3cfc702f9a479ccd484ce1577d34255ed109948d551e00727d9d74a75580361bde2ac0cae5","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/data.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 2/72","trigger":"fdf57fd8755ff47f2cfb220a26345208079abc625a32e4a5190689168ea73470","verdict":"suspicious","severity":"","comment":"suspicious - 2/72","link":"https://www.virustotal.com/gui/file/fdf57fd8755ff47f2cfb220a26345208079abc625a32e4a5190689168ea73470","meta":null}]}},{"path":"IDM-Activation-Script-main/src/dataHlp.bin","filename":"dataHlp.bin","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections","size":519992,"md5":"3f3303af5b33d751bb1152110a807c7f","sha1":"aafa70b0b787b3009ed88016094ba5caa2725f68","sha256":"db273cc8cf91a1df241b7511db392524cbab6c40f8df7d8535ace4b51fed9ffb","sha512":"46c107e825dab0a9215ac2d53159e7f41aa8d548b28dd1085a22550b5809e92ecfd684c146adc7c686e2abf00681dc7e37d4d459a53038b2f694ca290d9375a4","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/dataHlp.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}}]}},{"path":"IDM-Activation-Script-main/src/extensions.bin","filename":"extensions.bin","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"Windows Registry little-endian text (Win2K or above)","size":18448,"md5":"d75ceb6bec202ac2e4157fa5ccf2ea40","sha1":"38efb14850c50037abd08784f9bea70baa453b0a","sha256":"df89aa1ff1712e82fe4c87348a745d5856d52a683c019509f7ffd02bae7bee0f","sha512":"755056a13c912014357cb8983b1daacab07bce366ca58c0446873bb2c617038d78e32b6b34b2cd663cf4850a059aa62345595ada7137a377dd274c9dfa02da84","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/src/registry.bin","filename":"registry.bin","modified":"2025-05-11T18:42:41+06:00","Modified":"","magic":"Windows Registry text (Win2K or above)","size":273,"md5":"49082ce63b396fd43e432cbc454e96f4","sha1":"c2c5168c4916171b2666c4c2ccbe208770ada1af","sha256":"cc58d6ef93b965f68263df7d7c443f24d7114c3193536c5bbf0368f192494963","sha512":"4e6d653cff391832f95ce70ae454668f80d9c8a926a1a16f9892d831b4f3978ba57923201c8f58d75f73b606ac6c39696a0a51a99c0a581d6aae4e39ff8ee731","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/IASL.cmd","filename":"IASL.cmd","modified":"2025-05-11T18:43:06+06:00","Modified":"","magic":"DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators, with escape sequences","size":17975,"md5":"453fee665274f8227eb25111faf9531b","sha1":"3a6dc97a52a79b8c270320946a69aa3e34771340","sha256":"31886cb2164ec0b893ae33bb91c7accfa7da4f9736d7adc8b1d49a68b565ef11","sha512":"61709da50725916f817b7d0d54a0906212fb29dce62073bbc676c9991b0b3eb2c89ab6f8c81391b2e29ee0bc421f108b15fbed1843c51ca08052ad6bbd346173","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/LICENSE","filename":"LICENSE","modified":"2025-04-29T12:00:00+06:00","Modified":"","magic":"ASCII text, with CRLF line terminators","size":1077,"md5":"354960ccc2e02ad40c438827ec105d18","sha1":"f310827b078ada5b09d3967e53a43290a2a21903","sha256":"b800a52c77c8ac924a16bbd34136fe2877f477efac1eaa1af7af0c36703d8966","sha512":"a83bea2534326618c92d622cc918b7af2827e666539d1eb9a0b21a2ca3abcea9b09bb8b3ff3a380884d371a3c2be1489f61d13ddff46f4e5cb8e635b71700da6","alerts":{"urlquery":null,"analyzer":null}},{"path":"IDM-Activation-Script-main/README.md","filename":"README.md","modified":"2025-05-11T18:43:23+06:00","Modified":"","magic":"Unicode text, UTF-8 text, with very long lines (317), with CRLF line terminators","size":3684,"md5":"d9a4d058c2e3b6e905612b4242624975","sha1":"6f0b119ed2741918f0d06e5e7db03ac7841b87b4","sha256":"98cd208b3274443fb7fec435fa585d0480bb8b5e44c7b9e1f0d980e6f529de90","sha512":"551a26136b2a1ef9f6c662fd17a9d62bdcd92aacb1c1e3407148d559adf1f7d4fec7d55afff21c1dddd24f18960d8101644a9bbb24511acc7e10c179437aefe9","alerts":{"urlquery":null,"analyzer":null}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/data.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2025-05-13","alert":"meth_stackstrings","trigger":"IDM-Activation-Script-main/src/dataHlp.bin","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_stackstrings","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"00000000000000000000000000000000","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"71fe67dc-8cb3-4b1f-8eb8-7b2e0933e0b4"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 7/66","trigger":"df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","verdict":"suspicious","severity":"","comment":"suspicious - 7/66","link":"https://www.virustotal.com/gui/file/df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"github.com/Coporton/IDM-Activation-Script/releases/download/v2.5.1/IDM-Activation-Script-main.zip","fqdn":"github.com","domain":"github.com","tld":"com"},"ip":{"addr":"140.82.121.4","port":443,"asn":36459,"as":"GITHUB","country":"Germany","country_code":"DE"},"is_navigation_request":true,"resource_type":"","requested_by":"","date":"2025-05-13T17:55:59.147Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"github.com","organization":""},"issuer":{"commonName":"Sectigo ECC Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Wed, 05 Feb 2025 00:00:00 GMT","end":"Thu, 05 Feb 2026 23:59:59 GMT"},"fingerprint":{"sha1":"E4:33:71:DD:D6:91:4A:75:B6:1F:9E:4F:74:6D:9B:F0:DD:26:FC:3A","sha256":"B8:BB:81:87:68:33:87:39:42:04:5A:8D:F8:F0:62:19:E0:06:02:EB:CB:43:84:C7:AB:C2:4F:18:37:9C:87:F5"}}},"request":{"raw":"GET /Coporton/IDM-Activation-Script/releases/download/v2.5.1/IDM-Activation-Script-main.zip HTTP/1.1\r\nHost: github.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 302 Found\r\ndate: Tue, 13 May 2025 17:55:59 GMT\r\ncontent-type: text/html; charset=utf-8\r\ncontent-length: 0\r\nvary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame,Accept-Encoding, Accept, X-Requested-With\r\nlocation: https://objects.githubusercontent.com/github-production-release-asset-2e65be/843673148/8ea8955c-10c4-43c4-8ee7-af2d51d43b39?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=releaseassetproduction%2F20250513%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20250513T175559Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=0d8c9e6636f65af117e891781b788f8816732a8108b8b7c47e741fcf97acd1e8\u0026X-Amz-SignedHeaders=host\u0026response-content-disposition=attachment%3B%20filename%3DIDM-Activation-Script-main.zip\u0026response-content-type=application%2Foctet-stream\r\ncache-control: no-cache\r\nstrict-transport-security: max-age=31536000; includeSubdomains; preload\r\nx-frame-options: deny\r\nx-content-type-options: nosniff\r\nx-xss-protection: 0\r\nreferrer-policy: no-referrer-when-downgrade\r\ncontent-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/\r\nserver: github.com\r\nx-github-request-id: 57F3:2CC77E:66F0003:6985291:682387AF\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"302","status_text":"Found","fingerprints":null,"data":{"size":2817586,"size_decoded":0,"mime_type":"application/octet-stream","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","first_seen":"0001-01-01T00:00:00Z","last_seen":"2026-04-04T13:49:31.916752Z","times_seen":13333799,"resource_available":true,"data":null}},"time_used":400,"timings":{"blocked":111,"dns":0,"connect":26,"send":0,"wait":178,"receive":0,"ssl":80},"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"objects.githubusercontent.com/github-production-release-asset-2e65be/843673148/8ea8955c-10c4-43c4-8ee7-af2d51d43b39?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=releaseassetproduction%2F20250513%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20250513T175559Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=0d8c9e6636f65af117e891781b788f8816732a8108b8b7c47e741fcf97acd1e8\u0026X-Amz-SignedHeaders=host\u0026response-content-disposition=attachment%3B%20filename%3DIDM-Activation-Script-main.zip\u0026response-content-type=application%2Foctet-stream","fqdn":"objects.githubusercontent.com","domain":"objects.githubusercontent.com","tld":"githubusercontent.com"},"ip":{"addr":"185.199.111.133","port":443,"asn":54113,"as":"FASTLY","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"","requested_by":"","date":"2025-05-13T17:55:59.452Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"*.github.io","organization":""},"issuer":{"commonName":"Sectigo RSA Domain Validation Secure Server CA","organization":"Sectigo Limited"},"validity":{"start":"Fri, 07 Mar 2025 00:00:00 GMT","end":"Sat, 07 Mar 2026 23:59:59 GMT"},"fingerprint":{"sha1":"8C:FF:59:E5:8E:C4:FA:76:FE:AF:2D:C5:C0:D4:13:6A:77:2D:F9:91","sha256":"7D:11:22:EA:96:98:52:34:1E:8D:D9:2B:CC:0C:7E:CC:00:96:30:D1:4D:A7:34:D7:CA:42:D5:B5:4A:2B:20:97"}}},"request":{"raw":"GET /github-production-release-asset-2e65be/843673148/8ea8955c-10c4-43c4-8ee7-af2d51d43b39?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Credential=releaseassetproduction%2F20250513%2Fus-east-1%2Fs3%2Faws4_request\u0026X-Amz-Date=20250513T175559Z\u0026X-Amz-Expires=300\u0026X-Amz-Signature=0d8c9e6636f65af117e891781b788f8816732a8108b8b7c47e741fcf97acd1e8\u0026X-Amz-SignedHeaders=host\u0026response-content-disposition=attachment%3B%20filename%3DIDM-Activation-Script-main.zip\u0026response-content-type=application%2Foctet-stream HTTP/1.1\r\nHost: objects.githubusercontent.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncontent-type: application/octet-stream\r\nlast-modified: Sun, 11 May 2025 12:49:18 GMT\r\netag: \"0x8DD908A3E9D6C34\"\r\nserver: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0\r\nx-ms-request-id: aabf629e-d01e-005b-6873-c2d86e000000\r\nx-ms-version: 2025-05-05\r\nx-ms-creation-time: Sun, 11 May 2025 12:49:18 GMT\r\nx-ms-blob-content-md5: Dfb11ZZeIjkTeyPIAB8u0Q==\r\nx-ms-lease-status: unlocked\r\nx-ms-lease-state: available\r\nx-ms-blob-type: BlockBlob\r\ncontent-disposition: attachment; filename=IDM-Activation-Script-main.zip\r\nx-ms-server-encrypted: true\r\nvia: 1.1 varnish, 1.1 varnish\r\nfastly-restarts: 1\r\naccept-ranges: bytes\r\nage: 0\r\ndate: Tue, 13 May 2025 17:56:00 GMT\r\nx-served-by: cache-iad-kiad7000101-IAD, cache-hel1410021-HEL\r\nx-cache: HIT, MISS\r\nx-cache-hits: 286, 0\r\nx-timer: S1747158960.537833,VS0,VE98\r\ncontent-length: 2817586\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":2817586,"size_decoded":0,"mime_type":"application/octet-stream","magic":"Zip archive data, at least v1.0 to extract, compression method=store","md5":"0df6f5d5965e2239137b23c8001f2ed1","sha1":"1e221942e7058f0a7c717f14af2e52845eee1784","sha256":"df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","sha512":"1d2b5ae8e9ced651ed8f614c1094615c875b6f586df715ebafb98a3ba45d5fac5d2183fbf7ef81dddc3fcb6e88e8c7d6af05c43725067567ca3c7ef96f0982e1","ssdeep":"49152:UDXMIGqUDFfszxVkU58GKw589P0hws/TypgAMSGe7SHuAUZeb3WNNF/xDKW:UDXM9qUpfgXkU58rLu1GgAqSSH6ZuGTD","tlshash":"0dd5339b6c0da995c34e383becfb08e653da18e5c046df2167393dae49ed2e44c4192d","first_seen":"2025-05-12T11:50:50.281153Z","last_seen":"2025-05-13T17:56:34.968374Z","times_seen":2,"resource_available":false,"data":null}},"time_used":1285,"timings":{"blocked":67,"dns":1,"connect":26,"send":0,"wait":528,"receive":622,"ssl":36},"alerts":{"ids":null,"analyzer":[{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2025-05-12","alert":"Scan result 7/66","trigger":"df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","verdict":"suspicious","severity":"","comment":"suspicious - 7/66","link":"https://www.virustotal.com/gui/file/df0424833d3282453f0276d290e746a7a24ee9988d2c4a3ab60da6dae422e8ae","meta":null}],"urlquery":null}}]}