Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| fresh1.ironoreprod.top | 172.67.166.168 |
GET
200
http://fresh1.ironoreprod.top/_errorpages/wealthzx.exe
REQUEST
RESPONSE
BODY
GET /_errorpages/wealthzx.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)
Host: fresh1.ironoreprod.top
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 01 Dec 2023 04:00:03 GMT
Content-Type: application/octet-stream
Content-Length: 692224
Connection: keep-alive
Last-Modified: Fri, 01 Dec 2023 01:33:15 GMT
ETag: "a9000-60b68c0914e67"
Cache-Control: max-age=14400
CF-Cache-Status: EXPIRED
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vC84Acu%2BBFG%2Fjp%2BF0fWlc%2BH6%2F6df%2FdUbMZhu326qXDvkFrN%2FgCTjffzVkHPKGt%2B7V2v6kPvk%2F6ojfc0G1Z78hgeXYBwoVD1QClNBu4mk%2BV%2FN1kiJbrBny2iXXUErq4tAljhuYnS8aYX9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 82e86bc65c5d52ef-LAX
alt-svc: h3=":443"; ma=86400
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
| TCP 192.168.56.103:49162 -> 104.21.16.60:80 | 2022896 | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 | A Network Trojan was detected |
| TCP 192.168.56.103:49162 -> 104.21.16.60:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic |
| TCP 104.21.16.60:80 -> 192.168.56.103:49162 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 104.21.16.60:80 -> 192.168.56.103:49162 | 2023464 | ET HUNTING Possible EXE Download From Suspicious TLD | Misc activity |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts