{"report_id":"fd14fa5d-74fd-4835-8bad-fd9dea236b28","version":6,"status":"done","tags":[],"date":"2024-02-01T03:01:19Z","url":{"schema":"http","addr":"11.94afxptdown.kecoka.cn:8093/pc/damochajianv6.1637.exe?tk=gjZkR2NzcDNlVzMiVDN3ImNhhDZ0YmMmljMmRWZlNWY852b812bj5CemFGN5wHNyczM3IjNwcTM","fqdn":"11.94afxptdown.kecoka.cn","domain":"kecoka.cn","tld":"cn"},"ip":{"addr":"111.177.11.72","port":0,"asn":136192,"as":"Xiangyang, Hubei Province, P.R.China.","country":"China","country_code":"CN"},"final":{"url":{"schema":"about","addr":"about:privatebrowsing","fqdn":"","domain":"","tld":""},"title":"about:privatebrowsing"},"submit":{"url":{"schema":"","addr":"","fqdn":"","domain":"","tld":""},"ip":{"addr":"","port":0,"asn":0,"as":"","country":"","country_code":""},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2026-10-26T01:16:38Z","useragent":"Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","referer":"","cookies":null,"exit_node":"default"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":0}},"detection":{"ids":null,"analyzer":null,"urlquery":null},"summary":[{"fqdn":"11.94afxptdown.kecoka.cn:8093","ip":{"addr":"111.177.11.72","port":8093,"asn":136192,"as":"Xiangyang, Hubei Province, P.R.China.","country":"China","country_code":"CN"},"domain_registered":"unknown","domain_rank":0,"first_seen":"No data","last_seen":"No data","alert_count":2,"request_count":1,"received_data":439245,"sent_data":504,"comment":"","tags":null,"fingerprints":null}],"files":null,"artifacts":{"windows_shortcuts":null,"files":[{"md5":"c0bce7ecfebcaf6ae4d0767ebb79c5da","sha1":"b6c9f0653a086513679f743bb5b6001973956cf2","sha256":"77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307","sha512":"375d7b9468cd41ed0699596bf86d3e468b64b8c89d357ce70e56958688f07ee19d367ab59d44f3a838fd47c4e1add8effe70e02c9ef9eed8616596832afc2c63","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections","size":438608,"url":{"schema":"http","addr":"11.94afxptdown.kecoka.cn:8093/pc/damochajianv6.1637.exe?tk=gjZkR2NzcDNlVzMiVDN3ImNhhDZ0YmMmljMmRWZlNWY852b812bj5CemFGN5wHNyczM3IjNwcTM","fqdn":"11.94afxptdown.kecoka.cn:8093","domain":"kecoka.cn","tld":"cn"},"ip":{"addr":"111.177.11.72","port":8093,"asn":136192,"as":"Xiangyang, Hubei Province, P.R.China.","country":"China","country_code":"CN"},"archive":null,"alerts":{"urlquery":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-02-01","alert":"meth_get_eip","trigger":"11.94afxptdown.kecoka.cn:8093/pc/damochajianv6.1637.exe?tk=gjZkR2NzcDNlVzMiVDN3ImNhhDZ0YmMmljMmRWZlNWY852b812bj5CemFGN5wHNyczM3IjNwcTM","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-01-19","alert":"Scan result 54/68","trigger":"77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307","verdict":"malicious","severity":"","comment":"malicious - 54/68","link":"https://www.virustotal.com/gui/file/77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307","meta":null}]}}],"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":[{"sensor_name":"suricata","description":"Suricata /w Emerging Threats Pro","alerts":null}],"analyzer":[{"sensor_name":"infosec_yara","type":"yara","description":"Public InfoSec YARA rules","link":"","alerts":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-02-01","alert":"meth_get_eip","trigger":"11.94afxptdown.kecoka.cn:8093/pc/damochajianv6.1637.exe?tk=gjZkR2NzcDNlVzMiVDN3ImNhhDZ0YmMmljMmRWZlNWY852b812bj5CemFGN5wHNyczM3IjNwcTM","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}}]},{"sensor_name":"openphish","type":"url","description":"OpenPhish","link":"","alerts":null},{"sensor_name":"phishtank","type":"url","description":"PhishTank","link":"","alerts":null},{"sensor_name":"mnemonic_dns","type":"domain","description":"mnemonic secure dns","link":"","alerts":null},{"sensor_name":"quad9","type":"domain","description":"Quad9 DNS","link":"","alerts":null},{"sensor_name":"threatfox","type":"url","description":"ThreatFox","link":"","alerts":null}],"urlquery":null},"javascript":{"script":null,"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"http","addr":"11.94afxptdown.kecoka.cn:8093/pc/damochajianv6.1637.exe?tk=gjZkR2NzcDNlVzMiVDN3ImNhhDZ0YmMmljMmRWZlNWY852b812bj5CemFGN5wHNyczM3IjNwcTM","fqdn":"11.94afxptdown.kecoka.cn:8093","domain":"kecoka.cn","tld":"cn"},"ip":{"addr":"111.177.11.72","port":8093,"asn":136192,"as":"Xiangyang, Hubei Province, P.R.China.","country":"China","country_code":"CN"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2024-02-01T03:00:54.142Z","timestamp":1706756454142,"http_version":"HTTP/1.1","security_state":"insecure","security_info":null,"request":{"raw":"GET /pc/damochajianv6.1637.exe?tk=gjZkR2NzcDNlVzMiVDN3ImNhhDZ0YmMmljMmRWZlNWY852b812bj5CemFGN5wHNyczM3IjNwcTM HTTP/1.1\r\nHost: 11.94afxptdown.kecoka.cn:8093\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nDNT: 1\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/1.1 200 OK\r\nServer: openresty\r\nDate: Thu, 01 Feb 2024 03:00:17 GMT\r\nContent-Type: application/x-msdownload\r\nContent-Length: 438608\r\nConnection: keep-alive\r\nContent-Security-Policy: block-all-mixed-content\r\nETag: \"c0bce7ecfebcaf6ae4d0767ebb79c5da\"\r\nLast-Modified: Fri, 26 Jan 2024 03:33:14 GMT\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nVary: Origin, Accept-Encoding\r\nX-Amz-Request-Id: 17ADC8542E29CA52\r\nX-Content-Type-Options: nosniff\r\nX-Xss-Protection: 1; mode=block\r\nExpires: Thu, 01 Feb 2024 03:10:17 GMT\r\nCache-Control: max-age=600\r\nX-Via: 117.48.143.42, 111.177.11.72\r\nX-Cache: HIT\r\nAccept-Ranges: bytes\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":null,"data":{"size":438608,"size_decoded":438608,"mime_type":"application/x-msdownload","magic":"PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections","md5":"c0bce7ecfebcaf6ae4d0767ebb79c5da","sha1":"b6c9f0653a086513679f743bb5b6001973956cf2","sha256":"77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307","sha512":"375d7b9468cd41ed0699596bf86d3e468b64b8c89d357ce70e56958688f07ee19d367ab59d44f3a838fd47c4e1add8effe70e02c9ef9eed8616596832afc2c63","ssdeep":"12288:ZQVTzThv858payUIp803022g5NDwcJ2CrKBr3jr9HB:8uy30NgLDLGBrzrNB","tlshash":"da949c21ba41c032e4e341719afa8f735d7ca530132941ebb7d409b9afb41c1ba3a75b","first_seen":"2023-04-05T04:18:19Z","last_seen":"2024-07-10T02:47:00Z","times_seen":13,"resource_available":false,"data":null}},"time_used":2802,"timings":{"blocked":540,"dns":0,"connect":540,"send":0,"wait":278,"receive":1444,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"infosec_yara","sensor_type":"yara","title":"","description":"YARAhub by abuse.ch","scan_date":"2024-02-01","alert":"meth_get_eip","trigger":"11.94afxptdown.kecoka.cn:8093/pc/damochajianv6.1637.exe?tk=gjZkR2NzcDNlVzMiVDN3ImNhhDZ0YmMmljMmRWZlNWY852b812bj5CemFGN5wHNyczM3IjNwcTM","verdict":"malware","severity":"medium","comment":"","link":"https://yaraify.abuse.ch/yarahub/","meta":{"author":"Willi Ballenthin","date":"2022-06-13","rule":"meth_get_eip","yarahub_author_email":"william.ballenthin@mandiant.com","yarahub_author_twitter":"@williballenthin","yarahub_license":"CC BY 4.0","yarahub_reference_md5":"9727d5c2a5133f3b6a6466cc530a5048","yarahub_rule_matching_tlp":"TLP:WHITE","yarahub_rule_sharing_tlp":"TLP:WHITE","yarahub_uuid":"666bfd55-7931-454e-beb8-22b5211ab04f"}},{"sensor_name":"virustotal","sensor_type":"file","title":"","description":"VirusTotal","scan_date":"2024-01-19","alert":"Scan result 54/68","trigger":"77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307","verdict":"malicious","severity":"","comment":"malicious - 54/68","link":"https://www.virustotal.com/gui/file/77b67cd492a8267668ccdb7b9ef15297153876f6dcdcf04d0fd7e22b57fb3307","meta":null}],"urlquery":null}}]}