Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.wzmatics.com |
CNAME
ghs.googlehosted.com
|
142.250.207.115 |
| www.sagemarlin.com |
CNAME
sagemarlin.com
|
144.172.65.58 |
| www.329.bio | 154.211.4.240 |
- UDP Requests
-
-
192.168.56.103:50800 164.124.101.2:53
-
192.168.56.103:52760 164.124.101.2:53
-
192.168.56.103:53673 164.124.101.2:53
-
192.168.56.103:64894 164.124.101.2:53
-
192.168.56.103:137 192.168.56.101:137
-
192.168.56.103:137 192.168.56.255:137
-
192.168.56.103:138 192.168.56.255:138
-
192.168.56.103:49154 239.255.255.250:1900
-
GET
403
http://www.sagemarlin.com/4hc5/?ETUTzJu=tnE9MOQ00nvUG52k2PEJ6LCN/o5/DE1FN6NfjKIUkwnk1cDdV9wwqkCICz01rybBvk+yXrcK&DxoHW=VDKPcDdPwnEd1V
REQUEST
RESPONSE
BODY
GET /4hc5/?ETUTzJu=tnE9MOQ00nvUG52k2PEJ6LCN/o5/DE1FN6NfjKIUkwnk1cDdV9wwqkCICz01rybBvk+yXrcK&DxoHW=VDKPcDdPwnEd1V HTTP/1.1
Host: www.sagemarlin.com
Connection: close
HTTP/1.1 403 Forbidden
Date: Thu, 26 Oct 2023 08:17:39 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Length: 373
Connection: close
Content-Type: text/html; charset=UTF-8
GET
301
http://www.wzmatics.com/4hc5/?ETUTzJu=ZiyK7zNAvHInllj0cd7rkvUuUvXCAzs8N7im8yG2jaA0EmIYIWtmNG/kZbe9TfEQka9v17XU&DxoHW=VDKPcDdPwnEd1V
REQUEST
RESPONSE
BODY
GET /4hc5/?ETUTzJu=ZiyK7zNAvHInllj0cd7rkvUuUvXCAzs8N7im8yG2jaA0EmIYIWtmNG/kZbe9TfEQka9v17XU&DxoHW=VDKPcDdPwnEd1V HTTP/1.1
Host: www.wzmatics.com
Connection: close
HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 26 Oct 2023 08:18:15 GMT
Location: https://www.wzmatics.com/4hc5/?ETUTzJu=ZiyK7zNAvHInllj0cd7rkvUuUvXCAzs8N7im8yG2jaA0EmIYIWtmNG/kZbe9TfEQka9v17XU&DxoHW=VDKPcDdPwnEd1V
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Connection: close
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49168 -> 172.217.24.115:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49167 -> 144.172.65.58:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts