Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.ez-cheats.com | 43.255.241.176 |
GET
200
https://www.ez-cheats.com/panel/topup_hwid.php?h=085ec62e9b2ec0ab976156f2008398da
REQUEST
RESPONSE
BODY
GET /panel/topup_hwid.php?h=085ec62e9b2ec0ab976156f2008398da HTTP/1.1
User-Agent: MSDN SurfBear
Host: www.ez-cheats.com
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=mtp9a8bcal2mnqn9pauuvhhan3; path=/
X-Powered-By: ASP.NET
Date: Fri, 30 Jul 2021 01:26:28 GMT
Content-Length: 6
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49166 -> 43.255.241.176:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49165 -> 43.255.241.176:1337 | 2013214 | ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49165 -> 43.255.241.176:1337 | 2016922 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49165 -> 43.255.241.176:1337 | 2021716 | ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102 | Malware Command and Control Activity Detected |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.102:49166 43.255.241.176:443 |
C=US, O=Let's Encrypt, CN=R3 | CN=ez-cheats.com | d7:29:76:a4:3b:25:ce:d3:9c:c3:da:88:a9:58:5c:ce:f4:d8:09:81 |
Snort Alerts
No Snort Alerts