{"report_id":"d27ca1e4-c6b6-4402-b435-dd19ef32cee6","version":6,"status":"done","tags":[],"date":"2024-11-29T18:35:45Z","url":{"schema":"http","addr":"updhasfyerted.kain.ws/upd1/system-eu/msxml4a.dll.zip","fqdn":"updhasfyerted.kain.ws","domain":"kain.ws","tld":"ws"},"ip":{"addr":"188.114.96.1","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-02-07T18:35:45Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"updhasfyerted.kain.ws","ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"The Netherlands","country_code":"NL"},"domain_registered":"2023-07-22","domain_rank":0,"first_seen":"2024-11-17T16:41:32.978074Z","last_seen":"2024-11-29T16:09:18.607595Z","alert_count":0,"request_count":1,"received_data":13479,"sent_data":506,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"ea98d5712289e1c56954841f395d9f59","sha1":"18f2a9545e6e6af7e553ecc81cd8e6f2de5c319f","sha256":"fda629f2680ef583173448dd24fefdaf4695b1d5bd5f61ffa062dadb1810f64b","sha512":"d47e21a7a5ebd1fd703acc7ebd31623806c41938855e7ad780c2108b851e77d836fe19ac35bc5fa587c0700929bda1d8dbcd64a333de1466a4c98be780c93c9f","magic":"Zip archive data, at least v4.5 to extract, compression method=deflate","size":12601,"url":{"schema":"https","addr":"updhasfyerted.kain.ws/upd1/system-eu/msxml4a.dll.zip","fqdn":"updhasfyerted.kain.ws","domain":"kain.ws","tld":"ws"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"The Netherlands","country_code":"NL"},"archive":[{"path":"msxml4a.dll","filename":"msxml4a.dll","modified":"","Modified":"2024-11-29T12:34:52Z","magic":"PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 2 sections","size":44544,"md5":"ba674e08fd014aa1289bf2aeea4962a6","sha1":"2ed39ccdb9eedae37a64d9186d933a7f0452cd61","sha256":"d8b60cd615fb15c7411b77314b8eff7c0c8ad91579d761b5d20f55628175a865","sha512":"bc712db5c45e9c8cf021157165f0233f8ff9f2d019e5d18e857325d3be3273312f96627471a8526413e8bc57c9ccf0f3d17c5fec473ca9a1020208321cb86764","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect pe file that no import table","trigger":"msxml4a.dll","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"date":"2021-10-19","description":"Detect pe file that no import table","rule":"pe_no_import_table","yarahub_license":"CC0 1.0","yarahub_reference_md5":"045ff7ed5a360b19dcc4c5bd9211d194","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a91fb4f4-1ceb-456d-90d1-a25f6d16b204"}}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect pe file that no import table","trigger":"msxml4a.dll","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"date":"2021-10-19","description":"Detect pe file that no import table","rule":"pe_no_import_table","yarahub_license":"CC0 1.0","yarahub_reference_md5":"045ff7ed5a360b19dcc4c5bd9211d194","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a91fb4f4-1ceb-456d-90d1-a25f6d16b204"}}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"ea98d5712289e1c56954841f395d9f59","sha1":"18f2a9545e6e6af7e553ecc81cd8e6f2de5c319f","sha256":"fda629f2680ef583173448dd24fefdaf4695b1d5bd5f61ffa062dadb1810f64b","sha512":"d47e21a7a5ebd1fd703acc7ebd31623806c41938855e7ad780c2108b851e77d836fe19ac35bc5fa587c0700929bda1d8dbcd64a333de1466a4c98be780c93c9f","magic":"Zip archive data, at least v4.5 to extract, compression method=deflate","size":12601,"url":{"schema":"https","addr":"updhasfyerted.kain.ws/upd1/system-eu/msxml4a.dll.zip","fqdn":"updhasfyerted.kain.ws","domain":"kain.ws","tld":"ws"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"The Netherlands","country_code":"NL"},"archive":[{"path":"msxml4a.dll","filename":"msxml4a.dll","modified":"","Modified":"2024-11-29T12:34:52Z","magic":"PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, 2 sections","size":44544,"md5":"ba674e08fd014aa1289bf2aeea4962a6","sha1":"2ed39ccdb9eedae37a64d9186d933a7f0452cd61","sha256":"d8b60cd615fb15c7411b77314b8eff7c0c8ad91579d761b5d20f55628175a865","sha512":"bc712db5c45e9c8cf021157165f0233f8ff9f2d019e5d18e857325d3be3273312f96627471a8526413e8bc57c9ccf0f3d17c5fec473ca9a1020208321cb86764","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect pe file that no import table","trigger":"msxml4a.dll","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"date":"2021-10-19","description":"Detect pe file that no import table","rule":"pe_no_import_table","yarahub_license":"CC0 1.0","yarahub_reference_md5":"045ff7ed5a360b19dcc4c5bd9211d194","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a91fb4f4-1ceb-456d-90d1-a25f6d16b204"}}]}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-11-29","alert":"Detect pe file that no import table","trigger":"msxml4a.dll","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"date":"2021-10-19","description":"Detect pe file that no import table","rule":"pe_no_import_table","yarahub_license":"CC0 1.0","yarahub_reference_md5":"045ff7ed5a360b19dcc4c5bd9211d194","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"a91fb4f4-1ceb-456d-90d1-a25f6d16b204"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"Mnemonic Secure DNS","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null},"http":[{"url":{"schema":"https","addr":"updhasfyerted.kain.ws/upd1/system-eu/msxml4a.dll.zip","fqdn":"updhasfyerted.kain.ws","domain":"kain.ws","tld":"ws"},"ip":{"addr":"188.114.96.1","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"The Netherlands","country_code":"NL"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-11-29T18:35:20.507Z","timestamp":1732905320507,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.2","cert":{"subject":{"commonName":"kain.ws","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Sat, 16 Nov 2024 20:12:47 GMT","end":"Fri, 14 Feb 2025 20:12:46 GMT"},"fingerprint":{"sha1":"69:CA:69:B1:68:0A:1D:E5:92:07:75:64:83:3F:58:5E:8A:0A:FC:97","sha256":"62:09:18:37:B8:8A:9C:D7:CC:A7:6D:3C:AB:61:E6:C0:11:00:A1:5F:ED:5B:CA:E1:06:48:E1:F8:B1:1B:24:A4"}}},"request":{"raw":"GET /upd1/system-eu/msxml4a.dll.zip HTTP/1.1\r\nHost: updhasfyerted.kain.ws\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Fri, 29 Nov 2024 18:35:20 GMT\r\ncontent-type: application/zip\r\ncontent-length: 12601\r\nlast-modified: Fri, 29 Nov 2024 15:39:21 GMT\r\netag: \"6749e029-3139\"\r\naccept-ranges: bytes\r\ncf-cache-status: DYNAMIC\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=fpXZc8f5Pj8w4TuTbyMdSNXt0vHWOsZdPFrEMtNk86%2Fi7%2Beczk3iyRM8PtvTYqW9bgDa4vifH%2FQBhupfB9XqWuMJD31aPBZHitV%2BoUZ%2BLIrQeBNXLoP%2FpW6ixtU8bIvXsJonkuZ9doQ%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nserver: cloudflare\r\ncf-ray: 8ea4b26d9938b50c-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfL4;desc=\"?proto=TCP\u0026rtt=16536\u0026min_rtt=16436\u0026rtt_var=2728\u0026sent=8\u0026recv=11\u0026lost=0\u0026retrans=0\u0026sent_bytes=3206\u0026recv_bytes=1194\u0026delivery_rate=262081\u0026cwnd=254\u0026unsent_bytes=0\u0026cid=7d7c6cbb943d9dc0\u0026ts=84\u0026x=0\"\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":12601,"size_decoded":12601,"mime_type":"application/zip","magic":"Zip archive data, at least v4.5 to extract, compression method=deflate","md5":"ea98d5712289e1c56954841f395d9f59","sha1":"18f2a9545e6e6af7e553ecc81cd8e6f2de5c319f","sha256":"fda629f2680ef583173448dd24fefdaf4695b1d5bd5f61ffa062dadb1810f64b","sha512":"d47e21a7a5ebd1fd703acc7ebd31623806c41938855e7ad780c2108b851e77d836fe19ac35bc5fa587c0700929bda1d8dbcd64a333de1466a4c98be780c93c9f","ssdeep":"384:V4Ia8J4vNClWRxRuQ9s5ttYibqQX03Q4DuJM:M8eVClUs53YiV4l","tlshash":"9042bf9cf9a7da0df4d380fb1ebcae181190645016a27af507095b29fe6f46bc3086c5","first_seen":"2024-11-29T18:35:48.182152Z","last_seen":"2024-11-29T18:35:48.182152Z","times_seen":1,"resource_available":false,"data":null}},"time_used":191,"timings":{"blocked":65,"dns":1,"connect":17,"send":0,"wait":58,"receive":2,"ssl":43},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}