Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
www.ficylkghv.com | | |
www.promushealth.com | 81.17.29.148 | |
www.517912.com | CNAME y.ya-bo888.com, 38.47.227.76 | |
www.uzmayaqoob.com | CNAME uzmayaqoob.com, 154.49.142.142 | |
UDP Requests
- 192.168.56.103:50800 -> 164.124.101.2:53
- 192.168.56.103:52760 -> 164.124.101.2:53
- 192.168.56.103:53673 -> 164.124.101.2:53
- 192.168.56.103:64894 -> 164.124.101.2:53
- 192.168.56.103:137 -> 192.168.56.101:137
- 192.168.56.103:137 -> 192.168.56.255:137
- 192.168.56.103:138 -> 192.168.56.255:138
- 192.168.56.103:49154 -> 239.255.255.250:1900
- 8.8.8.8:53 -> 192.168.56.103:53673
HTTP Requests

GET 404 http://www.517912.com/t6tg/?9r4P2=x+Kv6xpWcNesBkKfTwjNPM0LnGFvN7+CPVZKKdjbvYvOGsJKnhF5jBVeRF44UVI4ghuUdA3c&EjU4Sz=fdMTVRIPlB

REQUEST
```http
GET /t6tg/?9r4P2=x+Kv6xpWcNesBkKfTwjNPM0LnGFvN7+CPVZKKdjbvYvOGsJKnhF5jBVeRF44UVI4ghuUdA3c&EjU4Sz=fdMTVRIPlB HTTP/1.1
Host: www.517912.com
Connection: close
```
RESPONSE
```http
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 28 Oct 2023 03:43:57 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
```

GET 301 http://www.uzmayaqoob.com/t6tg/?9r4P2=XP7jkasqkgrWx1C3rIh2LMmDsrx9AEXuv+yJvInbJHFGDwSK0i3nVRBGHVeWBLS+d5Gq1e4Y&EjU4Sz=fdMTVRIPlB

REQUEST
```http
GET /t6tg/?9r4P2=XP7jkasqkgrWx1C3rIh2LMmDsrx9AEXuv+yJvInbJHFGDwSK0i3nVRBGHVeWBLS+d5Gq1e4Y&EjU4Sz=fdMTVRIPlB HTTP/1.1
Host: www.uzmayaqoob.com
Connection: close
```
RESPONSE
```http
HTTP/1.1 301 Moved Permanently
Connection: close
content-type: text/html
content-length: 707
date: Sat, 28 Oct 2023 03:44:18 GMT
server: LiteSpeed
location: https://www.uzmayaqoob.com/t6tg/?9r4P2=XP7jkasqkgrWx1C3rIh2LMmDsrx9AEXuv+yJvInbJHFGDwSK0i3nVRBGHVeWBLS+d5Gq1e4Y&EjU4Sz=fdMTVRIPlB
platform: hostinger
content-security-policy: upgrade-insecure-requests
```

GET 302 http://www.promushealth.com/t6tg/?9r4P2=7tYymCvuwOydaUuPNkovhG/t52+K0Kp+Kp8xcgM9C2uQN+XKa74YZrRvofV08ZJStB5H4sxz&EjU4Sz=fdMTVRIPlB

REQUEST
```http
GET /t6tg/?9r4P2=7tYymCvuwOydaUuPNkovhG/t52+K0Kp+Kp8xcgM9C2uQN+XKa74YZrRvofV08ZJStB5H4sxz&EjU4Sz=fdMTVRIPlB HTTP/1.1
Host: www.promushealth.com
Connection: close
```
RESPONSE
```http
HTTP/1.1 302 Found
cache-control: max-age=0, private, must-revalidate
connection: close
content-length: 11
date: Sat, 28 Oct 2023 03:44:38 GMT
location: http://survey-smiles.com
server: nginx
set-cookie: sid=5226a862-7544-11ee-aae3-7c2297ccdd8d; path=/; domain=.promushealth.com; expires=Thu, 15 Nov 2091 06:58:46 GMT; max-age=2147483647; HttpOnly
```
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49166 -> 38.47.227.76:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49168 -> 63.141.242.46:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.103:49167 -> 154.49.142.142:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts