{"report_id":"e9069cba-e1eb-4a25-ab45-49485e77e7df","version":6,"status":"done","tags":[],"date":"2024-05-14T23:04:38Z","url":{"schema":"http","addr":"104.198.2.251/evmobtgqlmpo","fqdn":"104.198.2.251","domain":"104.198.2.251","tld":""},"ip":{"addr":"104.198.2.251","port":0,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"final":{"url":{"schema":"http","addr":"104.198.2.251/evmobtgqlmpo","fqdn":"104.198.2.251","domain":"104.198.2.251","tld":"251"},"title":"104.198.2.251/evmobtgqlmpo"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-25T16:57:03Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"104.198.2.251","ip":{"addr":"104.198.2.251","port":0,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"domain_registered":"unknown","domain_rank":0,"first_seen":"2023-09-19 15:38:27","last_seen":"2024-04-18 10:13:06","alert_count":6,"request_count":2,"received_data":807,"sent_data":852,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":[{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:14Z","timestamp":1715727854,"ip_dst":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)","source":"{\"timestamp\":\"2024-05-14T23:04:14.364432+0000\",\"flow_id\":1139506060103568,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.15\",\"src_port\":41656,\"dest_ip\":\"104.198.2.251\",\"dest_port\":80,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":91253671,\"rev\":1,\"signature\":\"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"source\":{\"ip\":\"104.198.2.251\",\"port\":80},\"target\":{\"ip\":\"172.18.0.15\",\"port\":41656},\"metadata\":{\"confidence_level\":[\"75\"],\"first_seen\":[\"2024_04_05\"]}},\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":74,\"bytes_toclient\":0,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:14Z","timestamp":1715727854,"ip_dst":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"ip_src":{"addr":"Client IP","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"severity":"high","alert":"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)","source":"{\"timestamp\":\"2024-05-14T23:04:14.364432+0000\",\"flow_id\":1366082764836752,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"172.18.0.15\",\"src_port\":41656,\"dest_ip\":\"104.198.2.251\",\"dest_port\":80,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":91253671,\"rev\":1,\"signature\":\"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"source\":{\"ip\":\"104.198.2.251\",\"port\":80},\"target\":{\"ip\":\"172.18.0.15\",\"port\":41656},\"metadata\":{\"confidence_level\":[\"75\"],\"first_seen\":[\"2024_04_05\"]}},\"flow\":{\"pkts_toserver\":1,\"pkts_toclient\":0,\"bytes_toserver\":74,\"bytes_toclient\":0,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"Client IP","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1366082764836752,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_02_15\"],\"former_category\":[\"TROJAN\"],\"reviewed_at\":[\"2024_04_23\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"Client IP","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1366082764836752,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"MALWARE\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2023_05_19\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"Client IP","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1139506060103568,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_02_15\"],\"former_category\":[\"TROJAN\"],\"reviewed_at\":[\"2024_04_23\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"Client IP","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1139506060103568,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"MALWARE\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2023_05_19\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"}]}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":null},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-05-14","alert":"Sinkholed","trigger":"104.198.2.251","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null},{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-05-14","alert":"Sinkholed","trigger":"104.198.2.251","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}]},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"104.198.2.251/evmobtgqlmpo","fqdn":"104.198.2.251","domain":"104.198.2.251","tld":"251"},"ip":{"addr":"104.198.2.251","port":0,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-05-14T23:04:13.410Z","timestamp":1715727853410,"http_version":"","security_state":"broken","security_info":null,"request":{"raw":"GET /evmobtgqlmpo HTTP/1.1\r\nHost: 104.198.2.251\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Tue, 14 May 2024 23:04:14 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: btst=69da530ae41494365d5479d4efb89f7c|91.90.42.154|1715727854|1715727854|0|1|0; path=/; domain=104.198.2.251; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;\nsnkz=91.90.42.154; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT\r\nContent-Encoding: gzip\r\n","headers":null,"cookies":null,"status_code":"","status_text":"","fingerprints":null,"data":{"size":20,"size_decoded":20,"mime_type":"","magic":"gzip compressed data, from Unix","md5":"7029066c27ac6f5ef18d660d5741979a","sha1":"46c6643f07aa7f6bfe7118de926b86defc5087c4","sha256":"59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2","sha512":"7e8e93f4a89ce7fae011403e14a1d53544c6e6f6b6010d61129dc27937806d2b03802610d7999eab33a4c36b0f9e001d9d76001b8354087634c1aa9c740c536f","ssdeep":"","tlshash":"de70000000c03c30cc00003000000000000c30000000c00300000c3000030c000c003c","first_seen":"2023-04-09T15:32:38Z","last_seen":"2025-03-02T06:10:10.559841Z","times_seen":229342,"resource_available":false,"data":null}},"time_used":477,"timings":{"blocked":477,"dns":0,"connect":228,"send":0,"wait":0,"receive":0,"ssl":237},"alerts":{"ids":[{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"172.18.0.15","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1366082764836752,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_02_15\"],\"former_category\":[\"TROJAN\"],\"reviewed_at\":[\"2024_04_23\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"172.18.0.15","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1366082764836752,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"MALWARE\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2023_05_19\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"172.18.0.15","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1139506060103568,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2018141,\"rev\":6,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"created_at\":[\"2014_02_15\"],\"former_category\":[\"TROJAN\"],\"reviewed_at\":[\"2024_04_23\"],\"updated_at\":[\"2022_08_11\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"},{"sensor_name":"suricata","title":"","description":"","date":"2024-05-14T23:04:15Z","timestamp":1715727855,"ip_dst":{"addr":"172.18.0.15","port":41656,"asn":0,"as":"","country":"","country_code":"zz"},"ip_src":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"severity":"high","alert":"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst","source":"{\"timestamp\":\"2024-05-14T23:04:15.046537+0000\",\"flow_id\":1139506060103568,\"in_iface\":\"br-31613a7ed13b\",\"event_type\":\"alert\",\"src_ip\":\"104.198.2.251\",\"src_port\":80,\"dest_ip\":\"172.18.0.15\",\"dest_port\":41656,\"proto\":\"TCP\",\"metadata\":{\"flowbits\":[\"http.dottedquadhost\"]},\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2037771,\"rev\":2,\"signature\":\"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst\",\"category\":\"A Network Trojan was detected\",\"severity\":1,\"metadata\":{\"attack_target\":[\"Client_Endpoint\"],\"created_at\":[\"2022_07_15\"],\"deployment\":[\"Perimeter\"],\"former_category\":[\"MALWARE\"],\"reviewed_at\":[\"2023_09_01\"],\"signature_severity\":[\"Major\"],\"updated_at\":[\"2023_05_19\"]}},\"http\":{\"hostname\":\"104.198.2.251\",\"url\":\"/evmobtgqlmpo\",\"http_user_agent\":\"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":200,\"length\":29},\"app_proto\":\"http\",\"flow\":{\"pkts_toserver\":5,\"pkts_toclient\":5,\"bytes_toserver\":736,\"bytes_toclient\":800,\"start\":\"2024-05-14T23:04:14.364432+0000\"}}"}],"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-05-14","alert":"Sinkholed","trigger":"104.198.2.251","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}},{"url":{"schema":"http","addr":"104.198.2.251/favicon.ico","fqdn":"104.198.2.251","domain":"104.198.2.251","tld":"251"},"ip":{"addr":"104.198.2.251","port":80,"asn":396982,"as":"GOOGLE-CLOUD-PLATFORM","country":"United States","country_code":"US"},"is_navigation_request":false,"resource_type":"img","requested_by":"http://104.198.2.251/evmobtgqlmpo","date":"2024-05-14T23:04:14.922Z","timestamp":1715727854922,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /favicon.ico HTTP/1.1\r\nHost: 104.198.2.251\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: image/avif,image/webp,*/*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: http://104.198.2.251/evmobtgqlmpo\r\nCookie: btst=69da530ae41494365d5479d4efb89f7c|91.90.42.154|1715727854|1715727854|0|1|0; snkz=91.90.42.154\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Tue, 14 May 2024 23:04:15 GMT\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\nConnection: close\r\nSet-Cookie: btst=69da530ae41494365d5479d4efb89f7c|91.90.42.154|1715727855|1715727854|0|2|0; path=/; domain=104.198.2.251; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;\r\nContent-Encoding: gzip\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":20,"size_decoded":20,"mime_type":"text/html","magic":"gzip compressed data, from Unix","md5":"7029066c27ac6f5ef18d660d5741979a","sha1":"46c6643f07aa7f6bfe7118de926b86defc5087c4","sha256":"59869db34853933b239f1e2219cf7d431da006aa919635478511fabbfc8849d2","sha512":"7e8e93f4a89ce7fae011403e14a1d53544c6e6f6b6010d61129dc27937806d2b03802610d7999eab33a4c36b0f9e001d9d76001b8354087634c1aa9c740c536f","ssdeep":"","tlshash":"de70000000c03c30cc00003000000000000c30000000c00300000c3000030c000c003c","first_seen":"2023-04-09T15:32:38Z","last_seen":"2025-03-02T06:10:10.559841Z","times_seen":229342,"resource_available":false,"data":null}},"time_used":453,"timings":{"blocked":-1,"dns":0,"connect":226,"send":0,"wait":227,"receive":0,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"quad9","sensor_type":"domain","title":"","description":"Quad9 DNS","scan_date":"2024-05-14","alert":"Sinkholed","trigger":"104.198.2.251","verdict":"malicious","severity":"medium","comment":"Sinkholed","link":"https://www.quad9.net","meta":null}],"urlquery":null}}]}