Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
www2.lunapic.com | 72.9.146.243 | |
GET 200 http://91.207.183.9:8000/artwork.hta

REQUEST
GET /artwork.hta HTTP/1.1
Host: 91.207.183.9:8000
Connection: Keep-Alive

RESPONSE
HTTP/1.1 200 OK
Content-Length: 17197
Last-Modified: Sat, 14 Oct 2023 11:48:56 GMT
Content-Type: application/hta
Date: Tue, 17 Oct 2023 01:04:14 GMT
ETag: "7da9930adc85c54d0e2b7dc739a7f159-1697284136-17197"
Accept-Ranges: bytes
Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1

GET 200 http://91.207.183.9:8000/main.bat

REQUEST
GET /main.bat HTTP/1.1
Host: 91.207.183.9:8000
Connection: Keep-Alive

RESPONSE
HTTP/1.1 200 OK
Content-Length: 154
Last-Modified: Fri, 13 Oct 2023 13:17:27 GMT
Content-Type: text/plain
Date: Tue, 17 Oct 2023 01:04:18 GMT
ETag: "5720f861963a7d5332b9171ecdc663c0-1697203047-154"
Accept-Ranges: bytes
Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49175 -> 72.9.146.243:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49176 -> 72.9.146.243:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49167 -> 91.207.183.9:8000 | 2022520 | ET POLICY Possible HTA Application Download | Potentially Bad Traffic |
TCP 192.168.56.103:49167 -> 91.207.183.9:8000 | 2027261 | ET INFO Dotted Quad Host HTA Request | Potentially Bad Traffic |
TCP 91.207.183.9:8000 -> 192.168.56.103:49177 | 2026989 | ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1 | Potentially Bad Traffic |
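As an added example that is not part of the sandbox report, the Python below runs detection logic of the same shape as the two HTA alerts over the request/response header pairs captured above (the bodies were not captured, so only headers are used). The check names and the matching logic are my approximation of what ET SIDs 2022520 and 2027261 key on (a GET for a `.hta` URI, and such a request whose Host header is a bare IPv4 literal), not the rule text itself; the extra Content-Type check and the script-extension check are my additions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the two header pairs captured in this report, re-typed
# as raw HTTP messages. Headers not needed for the checks are omitted.
SAMPLE_FLOWS = [
    (
        "GET /artwork.hta HTTP/1.1\r\nHost: 91.207.183.9:8000\r\n"
        "Connection: Keep-Alive\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 17197\r\n"
        "Content-Type: application/hta\r\n"
        "Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1\r\n\r\n",
    ),
    (
        "GET /main.bat HTTP/1.1\r\nHost: 91.207.183.9:8000\r\n"
        "Connection: Keep-Alive\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length: 154\r\n"
        "Content-Type: text/plain\r\n"
        "Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1\r\n\r\n",
    ),
]


@dataclass
class HttpMessage:
    start_line: str
    headers: dict  # header names lower-cased


def parse_message(raw: str) -> HttpMessage:
    """Split a raw HTTP message into its start line and a header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers)


def is_dotted_quad_host(host: str) -> bool:
    """True when the Host header is a bare IPv4 literal, with or without :port."""
    # One colon means host:port; a bracketed IPv6 literal has more and is not matched.
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        return isinstance(ipaddress.ip_address(hostname), ipaddress.IPv4Address)
    except ValueError:
        return False


def classify_flow(raw_request: str, raw_response: str) -> list:
    """Return the check names that fire for one request/response pair."""
    req = parse_message(raw_request)
    resp = parse_message(raw_response)
    method, target, _ = req.start_line.split(" ", 2)
    host = req.headers.get("host", "")
    findings = []
    if method == "GET" and target.lower().endswith(".hta"):
        findings.append("hta-download")  # approximates ET POLICY 2022520
        if is_dotted_quad_host(host):
            findings.append("hta-from-dotted-quad-host")  # approximates ET INFO 2027261
    if resp.headers.get("content-type", "").lower().startswith("application/hta"):
        findings.append("hta-content-type")  # my addition: server-declared HTA
    if is_dotted_quad_host(host) and target.lower().endswith((".bat", ".cmd", ".ps1", ".vbs")):
        findings.append("script-from-dotted-quad-host")  # my addition: follow-on stager fetch
    return findings


def run(flows=SAMPLE_FLOWS) -> dict:
    """Map each request target to the checks it triggers."""
    return {parse_message(q).start_line.split(" ")[1]: classify_flow(q, r) for q, r in flows}


if __name__ == "__main__":
    for target, hits in run().items():
        print(target, hits)
```

On this capture the `.hta` fetch trips all three HTA checks while the `.bat` fetch is flagged only by the dotted-quad script check, which mirrors the alert table: Suricata raised the HTA signatures on the first flow and a separate PowerShell-stager signature on the reply carrying the batch file.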
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts