{"report_id":"d9d1f55e-8b55-4f09-90df-d696ac5100fe","version":6,"status":"done","tags":[],"date":"2025-02-18T19:27:37Z","url":{"schema":"http","addr":"nanzzzzz.xpanelnanz.my.id/SC%20ADD%20CURL%20UTAMA%20LOGO%20GG.zip","fqdn":"nanzzzzz.xpanelnanz.my.id","domain":"xpanelnanz.my.id","tld":"my.id"},"ip":{"addr":"172.67.186.117","port":0,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"","expires_at":"2027-04-29T19:27:37Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"nanzzzzz.xpanelnanz.my.id","ip":{"addr":"172.67.186.117","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"domain_registered":"2024-11-26","domain_rank":0,"first_seen":"2025-02-18T19:27:37.644971Z","last_seen":"2025-02-18T19:27:37.644971Z","alert_count":0,"request_count":1,"received_data":9361,"sent_data":531,"comment":"","tags":null,"fingerprints":null}],"files":[{"md5":"a8f618d117ae45c2577fe05cd04cfea9","sha1":"f084b094d7c390f2ea71dc1495d1288987ee224d","sha256":"df536f8252616d39cae0d33be9e51bb4f2129c0f68b87c64488bed89fc944999","sha512":"230b212c661ff7511d9c631421d0ba826336ff0183829b4a50c4d14bf9ea3f36d6e0956df0a4e1d9b3783fb7919db6d99c9e617b69f33cbf12d8918342d6eac6","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","size":8456,"url":{"schema":"https","addr":"nanzzzzz.xpanelnanz.my.id/SC%20ADD%20CURL%20UTAMA%20LOGO%20GG.zip","fqdn":"nanzzzzz.xpanelnanz.my.id","domain":"xpanelnanz.my.id","tld":"my.id"},"ip":{"addr":"172.67.186.117","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"archive":[{"path":"nanz/add.php","filename":"add.php","modified":"2024-04-08T05:25:26+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":709,"md5":"276c8dc3f406eca24424d2fe6db3915b","sha1":"0a4fabd672429284fb285d13b6e02f60314ffcef","sha256":"b4c0e796b3cc44b59f4c5a191f4ce45a295513750c5741331cecbab6fa60e669","sha512":"b403fecd74459d01e139914894b1f10b3bff3578d52da9c3ac57aa569bb0aee1bdfa7333177ed94894d5b44a84db6e1c5d4ba453153eebd3811ff1e43a683d29","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/apiii.php","filename":"apiii.php","modified":"2024-04-08T09:56:39+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":517,"md5":"becbd19d60c61442a3fb67c3f2517544","sha1":"28551bd1edb3a12d1d2e8ed907d36a4bea9676ee","sha256":"b66e1b629a4a273ce137847004d00d1ef424586e504e04ec257b900995f1da40","sha512":"00cf2f871f6be5013a45d0642c747ab5251f5260a0d079ee7bc5840d313f721a74c084f772e549beef755a6e32e83fc3c6b262b64bdfc6b8a56397684dc2f79e","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/data.php","filename":"data.php","modified":"2024-04-08T11:13:02+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF, LF line terminators","size":1313,"md5":"7d5ef3a91ca339c33a1689920ed88e81","sha1":"36551e4781f596205f2ccfbeb373dffbf798de5e","sha256":"902eef3a10fcd0d78aeac522343aa4a821a7937ac5054866384759e14ce038ac","sha512":"98df70b6fea4b69025fcd7602f23bffe0da0318a34251ddf7e7e6b416c64f60d0290d1b5b2c5ebaaf1b7495fd494999119b784cc175d540d7af95b7959b94fa3","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/index.php","filename":"index.php","modified":"2024-12-30T20:32:50Z","Modified":"","magic":"HTML document, ASCII text, with CRLF line terminators","size":3605,"md5":"bcc09a84c3eca15ce07a6906cbf62a2e","sha1":"bf9f7f347be683c485841bc37e3b9be8b118d6bf","sha256":"262ab20adae9394181468561481fbef1bee160c6945b7c62fb32fc020a87fdc9","sha512":"fe42b5760aa7c73d8b67af11424b8915c487e0e29f631dde4f494e41ac9c7de5a6197995b5e31dbb91dd30193c0e175b48b1a2c2b473dc98de7ecdd4e83f34a0","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/add.php","filename":"add.php","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":506,"md5":"6c7df1ee2a4ea517564758014de6932b","sha1":"1cda6acf69564967f0a5951975f1b8fbacc7bff3","sha256":"5be19ea60cf62223223dc83552d085e9a698586ea66dd3b8488f513ceb96100f","sha512":"beb06d2170d5569f3fbf169420285a797ea852e3db67ae71794efffdd9065b55eccb4d99dc260ac673317cff7dabb174d829f166c0e71d6c66861a2811809bae","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/data.json","filename":"data.json","modified":"2022-02-08T00:05:10+07:00","Modified":"","magic":"JSON text data","size":32,"md5":"79e9f27f547fb486d25784a77e59172c","sha1":"931c426a8bb20a34cd4c446701a78b7eaba910c1","sha256":"8e61d2d1e7932b3993cb3b09bd1c47d4ef3c85e30736abd5a60264f13fb6a36e","sha512":"183b19980a45d48db04d50469fa43f912dcb7d2d5601eb1305f9b8a9695041d93a02d439641668f9839cb4563ef736f9b7301e4f32b953f71af32d12ba8e66c6","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/data.php","filename":"data.php","modified":"2023-08-13T12:34:26+07:00","Modified":"","magic":"PHP script, ASCII text","size":85,"md5":"42b5df933873b22db14f03214fe659af","sha1":"6682c95a9b7a46578b09a8acd287146e987e89ac","sha256":"2eb828884ebeb5fbb022084730dcd73073350661a6b62af0d6f36c728a6b05de","sha512":"984479549c1ee16245a7227e4d85deca34447fea28afb68ac6dc5c28b3c487c0e693154c82ae4c03c20c99597778b10f7de89688d30194175411d716c7db5faf","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/delete.php","filename":"delete.php","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":257,"md5":"271637d7f749ef7ac3cab5d8e255834e","sha1":"bd763f0311952cae5833cfe3c98e722bb5232396","sha256":"97d61581d15613104253c8936dd9433f5edeb4b8ffe20c21f874336f91507c65","sha512":"9de08fea6d3d39b13439351938ae4fb31d803bd87c1cfe04e33b72fec8759323178e67f517eef6cc2cf59a01051a247b863dc28f86ae25a0ac5bbb33ea5f195f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/delete.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}}]}},{"path":"nanz/ndra/ganti.php","filename":"ganti.php","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":349,"md5":"30c0a44a8765e8e9e075b0fa636f5e5d","sha1":"098224204acb994f094b2ad6517ae308613adfa8","sha256":"b5aaefa44bd4691ef45155cf4a5bd581cd253620ad7c580d504579fa562715af","sha512":"b7a12cefa3090ceb1a05537f5095ebd95324c06f4f5a6a02c1c22818f6635d126e12b364b68a2ca7f225624130e7be7e078ad03c90a36658bb65233627a4b572","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/ganti.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}}]}},{"path":"nanz/ndra/index.php","filename":"index.php","modified":"2021-11-18T03:46:42+07:00","Modified":"","magic":"JavaScript source, ASCII text","size":7600,"md5":"c778ec8337385d1ce4a24707dc10da4c","sha1":"a777b04f96600f1a56cd2bb28c15dd8964e21190","sha256":"a4005b8f8b0d711e36f407bf643e8d5bde54dd3337b00e7cfc69097c8b2398fc","sha512":"9388ab5677918ce9b03f3993fafe51867ecef17d91157e1440262c42d6ab1c781d8a4b05159a1a6b759828b9fc785c1624369211f21c62e8773e25150c0c72d8","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/script.js","filename":"script.js","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"JavaScript source, ASCII text","size":472,"md5":"ac2cf6af18e38908934a3804eb11f5bd","sha1":"ecfbea57e70d3cbdd66c45bfd84ba77e66cace37","sha256":"eb26f104a806146ee2d7fa06a5cf52ac33c5bcd91b7f3951718625aacc6e6769","sha512":"81d6b083443e13721cacc60170338625ebc17100cc25daf86513793adeddcf472c78714cbb8612a1128967a01be535c0240f65bbbdca6efcb752913c97198922","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/style.css","filename":"style.css","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"ASCII text","size":981,"md5":"1718b9c01b40832f36f05b05b4f5a9a1","sha1":"6d423cc154688a7ce1437896a9cf54ea4e93fcec","sha256":"5a87d528419e242239aa4fa252eb1361d2c941986a4e5c2e74674d9ec78d26ad","sha512":"58ce989e3a209977817b67aac067a29b22c010adc1fb30215ada3e2996a4c84b361dbcddda99682e69e2bcbd69c62915782c60d35c87f235cc64174a8af94588","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/script.js","filename":"script.js","modified":"2024-04-08T05:24:00+07:00","Modified":"","magic":"ASCII text, with CRLF line terminators","size":1466,"md5":"8d3e305898d02b028b3e6b7d7d9ba47f","sha1":"fab0e94deff8f7126eaec78dfe7348433178fcb3","sha256":"297623d5e7a79f9b2e0af14b1383eeda6a763f19d6646687c1adba4c0a83aaba","sha512":"fcd8e88378ee2c5711adeb37605aa9014bf0d5944cd8b6e780ae3ba88cbfb4d818f24ca345383e0190f11afffc74e3aa712a52600194dcd0b8d97dc724762fd3","alerts":{"urlquery":null,"analyzer":null}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/delete.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/ganti.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}}]}}],"artifacts":{"windows_shortcuts":null,"files":[{"md5":"a8f618d117ae45c2577fe05cd04cfea9","sha1":"f084b094d7c390f2ea71dc1495d1288987ee224d","sha256":"df536f8252616d39cae0d33be9e51bb4f2129c0f68b87c64488bed89fc944999","sha512":"230b212c661ff7511d9c631421d0ba826336ff0183829b4a50c4d14bf9ea3f36d6e0956df0a4e1d9b3783fb7919db6d99c9e617b69f33cbf12d8918342d6eac6","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","size":8456,"url":{"schema":"https","addr":"nanzzzzz.xpanelnanz.my.id/SC%20ADD%20CURL%20UTAMA%20LOGO%20GG.zip","fqdn":"nanzzzzz.xpanelnanz.my.id","domain":"xpanelnanz.my.id","tld":"my.id"},"ip":{"addr":"172.67.186.117","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"archive":[{"path":"nanz/add.php","filename":"add.php","modified":"2024-04-08T05:25:26+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":709,"md5":"276c8dc3f406eca24424d2fe6db3915b","sha1":"0a4fabd672429284fb285d13b6e02f60314ffcef","sha256":"b4c0e796b3cc44b59f4c5a191f4ce45a295513750c5741331cecbab6fa60e669","sha512":"b403fecd74459d01e139914894b1f10b3bff3578d52da9c3ac57aa569bb0aee1bdfa7333177ed94894d5b44a84db6e1c5d4ba453153eebd3811ff1e43a683d29","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/apiii.php","filename":"apiii.php","modified":"2024-04-08T09:56:39+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":517,"md5":"becbd19d60c61442a3fb67c3f2517544","sha1":"28551bd1edb3a12d1d2e8ed907d36a4bea9676ee","sha256":"b66e1b629a4a273ce137847004d00d1ef424586e504e04ec257b900995f1da40","sha512":"00cf2f871f6be5013a45d0642c747ab5251f5260a0d079ee7bc5840d313f721a74c084f772e549beef755a6e32e83fc3c6b262b64bdfc6b8a56397684dc2f79e","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/data.php","filename":"data.php","modified":"2024-04-08T11:13:02+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF, LF line terminators","size":1313,"md5":"7d5ef3a91ca339c33a1689920ed88e81","sha1":"36551e4781f596205f2ccfbeb373dffbf798de5e","sha256":"902eef3a10fcd0d78aeac522343aa4a821a7937ac5054866384759e14ce038ac","sha512":"98df70b6fea4b69025fcd7602f23bffe0da0318a34251ddf7e7e6b416c64f60d0290d1b5b2c5ebaaf1b7495fd494999119b784cc175d540d7af95b7959b94fa3","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/index.php","filename":"index.php","modified":"2024-12-30T20:32:50Z","Modified":"","magic":"HTML document, ASCII text, with CRLF line terminators","size":3605,"md5":"bcc09a84c3eca15ce07a6906cbf62a2e","sha1":"bf9f7f347be683c485841bc37e3b9be8b118d6bf","sha256":"262ab20adae9394181468561481fbef1bee160c6945b7c62fb32fc020a87fdc9","sha512":"fe42b5760aa7c73d8b67af11424b8915c487e0e29f631dde4f494e41ac9c7de5a6197995b5e31dbb91dd30193c0e175b48b1a2c2b473dc98de7ecdd4e83f34a0","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/add.php","filename":"add.php","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":506,"md5":"6c7df1ee2a4ea517564758014de6932b","sha1":"1cda6acf69564967f0a5951975f1b8fbacc7bff3","sha256":"5be19ea60cf62223223dc83552d085e9a698586ea66dd3b8488f513ceb96100f","sha512":"beb06d2170d5569f3fbf169420285a797ea852e3db67ae71794efffdd9065b55eccb4d99dc260ac673317cff7dabb174d829f166c0e71d6c66861a2811809bae","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/data.json","filename":"data.json","modified":"2022-02-08T00:05:10+07:00","Modified":"","magic":"JSON text data","size":32,"md5":"79e9f27f547fb486d25784a77e59172c","sha1":"931c426a8bb20a34cd4c446701a78b7eaba910c1","sha256":"8e61d2d1e7932b3993cb3b09bd1c47d4ef3c85e30736abd5a60264f13fb6a36e","sha512":"183b19980a45d48db04d50469fa43f912dcb7d2d5601eb1305f9b8a9695041d93a02d439641668f9839cb4563ef736f9b7301e4f32b953f71af32d12ba8e66c6","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/data.php","filename":"data.php","modified":"2023-08-13T12:34:26+07:00","Modified":"","magic":"PHP script, ASCII text","size":85,"md5":"42b5df933873b22db14f03214fe659af","sha1":"6682c95a9b7a46578b09a8acd287146e987e89ac","sha256":"2eb828884ebeb5fbb022084730dcd73073350661a6b62af0d6f36c728a6b05de","sha512":"984479549c1ee16245a7227e4d85deca34447fea28afb68ac6dc5c28b3c487c0e693154c82ae4c03c20c99597778b10f7de89688d30194175411d716c7db5faf","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/delete.php","filename":"delete.php","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":257,"md5":"271637d7f749ef7ac3cab5d8e255834e","sha1":"bd763f0311952cae5833cfe3c98e722bb5232396","sha256":"97d61581d15613104253c8936dd9433f5edeb4b8ffe20c21f874336f91507c65","sha512":"9de08fea6d3d39b13439351938ae4fb31d803bd87c1cfe04e33b72fec8759323178e67f517eef6cc2cf59a01051a247b863dc28f86ae25a0ac5bbb33ea5f195f","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/delete.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}}]}},{"path":"nanz/ndra/ganti.php","filename":"ganti.php","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"PHP script, ASCII text, with CRLF line terminators","size":349,"md5":"30c0a44a8765e8e9e075b0fa636f5e5d","sha1":"098224204acb994f094b2ad6517ae308613adfa8","sha256":"b5aaefa44bd4691ef45155cf4a5bd581cd253620ad7c580d504579fa562715af","sha512":"b7a12cefa3090ceb1a05537f5095ebd95324c06f4f5a6a02c1c22818f6635d126e12b364b68a2ca7f225624130e7be7e078ad03c90a36658bb65233627a4b572","alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/ganti.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}}]}},{"path":"nanz/ndra/index.php","filename":"index.php","modified":"2021-11-18T03:46:42+07:00","Modified":"","magic":"JavaScript source, ASCII text","size":7600,"md5":"c778ec8337385d1ce4a24707dc10da4c","sha1":"a777b04f96600f1a56cd2bb28c15dd8964e21190","sha256":"a4005b8f8b0d711e36f407bf643e8d5bde54dd3337b00e7cfc69097c8b2398fc","sha512":"9388ab5677918ce9b03f3993fafe51867ecef17d91157e1440262c42d6ab1c781d8a4b05159a1a6b759828b9fc785c1624369211f21c62e8773e25150c0c72d8","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/script.js","filename":"script.js","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"JavaScript source, ASCII text","size":472,"md5":"ac2cf6af18e38908934a3804eb11f5bd","sha1":"ecfbea57e70d3cbdd66c45bfd84ba77e66cace37","sha256":"eb26f104a806146ee2d7fa06a5cf52ac33c5bcd91b7f3951718625aacc6e6769","sha512":"81d6b083443e13721cacc60170338625ebc17100cc25daf86513793adeddcf472c78714cbb8612a1128967a01be535c0240f65bbbdca6efcb752913c97198922","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/ndra/style.css","filename":"style.css","modified":"2021-11-18T03:35:22+07:00","Modified":"","magic":"ASCII text","size":981,"md5":"1718b9c01b40832f36f05b05b4f5a9a1","sha1":"6d423cc154688a7ce1437896a9cf54ea4e93fcec","sha256":"5a87d528419e242239aa4fa252eb1361d2c941986a4e5c2e74674d9ec78d26ad","sha512":"58ce989e3a209977817b67aac067a29b22c010adc1fb30215ada3e2996a4c84b361dbcddda99682e69e2bcbd69c62915782c60d35c87f235cc64174a8af94588","alerts":{"urlquery":null,"analyzer":null}},{"path":"nanz/script.js","filename":"script.js","modified":"2024-04-08T05:24:00+07:00","Modified":"","magic":"ASCII text, with CRLF line terminators","size":1466,"md5":"8d3e305898d02b028b3e6b7d7d9ba47f","sha1":"fab0e94deff8f7126eaec78dfe7348433178fcb3","sha256":"297623d5e7a79f9b2e0af14b1383eeda6a763f19d6646687c1adba4c0a83aaba","sha512":"fcd8e88378ee2c5711adeb37605aa9014bf0d5944cd8b6e780ae3ba88cbfb4d818f24ca345383e0190f11afffc74e3aa712a52600194dcd0b8d97dc724762fd3","alerts":{"urlquery":null,"analyzer":null}}],"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/delete.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}},{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"Public Nextron YARA rules","scan_date":"2025-02-18","alert":"PHP webshell which only writes an uploaded file to disk","trigger":"nanz/ndra/ganti.php","verdict":"malware","severity":"medium","comment":"","link":"https://github.com/Neo23x0/signature-base","meta":{"author":"Arnim Rupp","date":"2021/04/17","description":"PHP webshell which only writes an uploaded file to disk","license":"Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE","rule":"webshell_php_writer","score":"50"}}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"nanzzzzz.xpanelnanz.my.id/SC%20ADD%20CURL%20UTAMA%20LOGO%20GG.zip","fqdn":"nanzzzzz.xpanelnanz.my.id","domain":"xpanelnanz.my.id","tld":"my.id"},"ip":{"addr":"172.67.186.117","port":443,"asn":13335,"as":"CLOUDFLARENET","country":"","country_code":"zz"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2025-02-18T19:27:07.353Z","timestamp":1739906827353,"http_version":"HTTP/2","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"ECDSA-P256-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"xpanelnanz.my.id","organization":""},"issuer":{"commonName":"WE1","organization":"Google Trust Services"},"validity":{"start":"Fri, 24 Jan 2025 15:45:17 GMT","end":"Thu, 24 Apr 2025 16:37:54 GMT"},"fingerprint":{"sha1":"E0:DD:ED:9E:FB:E8:F9:0A:81:C8:15:F6:8D:97:6A:C2:51:E3:5A:15","sha256":"9E:44:0E:11:AC:3B:30:A7:2D:84:81:57:C4:D5:68:7B:C3:6F:CB:52:81:23:82:E1:39:73:B6:2E:D5:CD:A9:E5"}}},"request":{"raw":"GET /SC%20ADD%20CURL%20UTAMA%20LOGO%20GG.zip HTTP/1.1\r\nHost: nanzzzzz.xpanelnanz.my.id\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ndate: Tue, 18 Feb 2025 19:27:07 GMT\r\ncontent-type: application/zip\r\ncontent-length: 8456\r\nlast-modified: Sat, 15 Feb 2025 22:37:33 GMT\r\ncache-control: max-age=14400\r\ncf-cache-status: HIT\r\naccept-ranges: bytes\r\nreport-to: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=MmnMb9ilEEwjzvi2qMVV2ZF6t%2Bdg3GX3F9Xf5rMpioPFPJw6OyLTZZTZZ5bZSuzcLdFtkgdjPHPEI4q5PHV%2BIWg75xJDGkKvR3Mmmz656guXb1%2Fs%2BffibbG9F%2BLHL5T%2BtQRkcteoHav73Imr\"}],\"group\":\"cf-nel\",\"max_age\":604800}\r\nnel: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}\r\nvary: Accept-Encoding\r\nserver: cloudflare\r\ncf-ray: 914069a728ba56ba-OSL\r\nalt-svc: h3=\":443\"; ma=86400\r\nserver-timing: cfL4;desc=\"?proto=TCP\u0026rtt=6417\u0026min_rtt=449\u0026rtt_var=11916\u0026sent=7\u0026recv=11\u0026lost=0\u0026retrans=0\u0026sent_bytes=3211\u0026recv_bytes=1164\u0026delivery_rate=6611872\u0026cwnd=254\u0026unsent_bytes=0\u0026cid=4042f33f4b576c01\u0026ts=568\u0026x=0\"\r\nX-Firefox-Spdy: h2\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":8456,"size_decoded":8456,"mime_type":"application/zip","magic":"Zip archive data, at least v2.0 to extract, compression method=deflate","md5":"a8f618d117ae45c2577fe05cd04cfea9","sha1":"f084b094d7c390f2ea71dc1495d1288987ee224d","sha256":"df536f8252616d39cae0d33be9e51bb4f2129c0f68b87c64488bed89fc944999","sha512":"230b212c661ff7511d9c631421d0ba826336ff0183829b4a50c4d14bf9ea3f36d6e0956df0a4e1d9b3783fb7919db6d99c9e617b69f33cbf12d8918342d6eac6","ssdeep":"192:XpIj6dNa3JvZpIntBCRuUCF0EtLdPWPAXW8nyrDXc/c3TjRmhcL:XpIedNa3ZZWtBCRRWtXJyL","tlshash":"9f02193a3bb14654ed5ff5bf264c078acdcb302f85467d5a1e0152a1aa857e53b203ce","first_seen":"2025-02-18T19:27:40.828213Z","last_seen":"2025-02-18T19:27:40.828213Z","times_seen":1,"resource_available":false,"data":null}},"time_used":614,"timings":{"blocked":31,"dns":10,"connect":1,"send":0,"wait":551,"receive":1,"ssl":17},"alerts":{"ids":null,"analyzer":null,"urlquery":null}}]}