Report - rtost.duckdns.org/mimicr/WinUpdatehmd.exe

Report Overview

Visitedpublic

2024-05-20 20:35:32

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
rtost.duckdns.org	unknown	2013-04-12	2022-07-22 17:17:28	2024-03-10 01:32:02	411 B	807 kB	51.38.57.226

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2024-05-20 20:35:07	medium	Client IP	51.38.57.226	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
2024-05-20 20:35:07	medium	Client IP	51.38.57.226	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
2024-05-20 20:35:07	medium	Client IP	51.38.57.226	ETPRO HUNTING EXE Request to DuckDNS DynDNS Domain
2024-05-20 20:35:07	medium	Client IP	51.38.57.226	ETPRO HUNTING EXE Request to DuckDNS DynDNS Domain
2024-05-20 20:35:07	high	51.38.57.226	Client IP	ET POLICY PE EXE or DLL Windows file download HTTP
2024-05-20 20:35:07	high	51.38.57.226	Client IP	ET POLICY PE EXE or DLL Windows file download HTTP

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-05-20	medium	rtost.duckdns.org/mimicr/WinUpdatehmd.exe	files - file ~tmp01925d3f.exe

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

File detected

URL

rtost.duckdns.org/mimicr/WinUpdatehmd.exe

IP / ASN

51.38.57.226

#16276 OVH SAS

File Overview

File TypePE32+ executable (console) x86-64, for MS Windows, 7 sections

Size807 kB (806912 bytes)

MD5232f515e88e1aebc80431e38c5643ab3

SHA109eda29d40ec60fa94f943fd7f4c82ac9f52472c

SHA256993e32ccf945f76fbd201edff99e46d8b73532e4e8524a4d5dd8592149b7e4aa

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
VirusTotal	malicious	VirusTotal - Scan result 45/72

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

GET rtost.duckdns.org/mimicr/WinUpdatehmd.exe

51.38.57.226

807 kB

URL

rtost.duckdns.org/mimicr/WinUpdatehmd.exe

IP / ASN

51.38.57.226

#16276 OVH SAS

Requested byN/A

Resource Info

File typePE32+ executable (console) x86-64, for MS Windows, 7 sections

First Seen2024-08-19

Last Seen2024-08-19

Times Seen1

Size807 kB (806912 bytes)

MD5232f515e88e1aebc80431e38c5643ab3

SHA109eda29d40ec60fa94f943fd7f4c82ac9f52472c

SHA256993e32ccf945f76fbd201edff99e46d8b73532e4e8524a4d5dd8592149b7e4aa

Detections

Analyzer	Verdict	Alert
YARAhub by abuse.ch	malware	files - file ~tmp01925d3f.exe
VirusTotal	malicious	VirusTotal - Scan result 45/72
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
suricata	medium	ETPRO HUNTING EXE Request to DuckDNS DynDNS Domain
suricata	medium	ETPRO HUNTING EXE Request to DuckDNS DynDNS Domain
suricata	high	ET POLICY PE EXE or DLL Windows file download HTTP
suricata	high	ET POLICY PE EXE or DLL Windows file download HTTP

HTTP Headers

GET /mimicr/WinUpdatehmd.exe HTTP/1.1
Host: rtost.duckdns.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 20 May 2024 20:35:07 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
Last-Modified: Wed, 28 Feb 2024 19:14:02 GMT
ETag: "c5000-61275f214f3ef"
Accept-Ranges: bytes
Content-Length: 806912
Keep-Alive: timeout=100, max=1000000000
Connection: Keep-Alive
Content-Type: application/x-msdownload