Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
i.imgur.com | 199.232.192.193 | |
proresupdate.com | 45.152.112.146 | |
contur2fa.recipeupdates.rest | 172.67.197.250 |
GET
200
https://i.imgur.com/yximuB4.png
REQUEST
RESPONSE
BODY
GET /yximuB4.png HTTP/1.1
Connection: Keep-Alive
Host: i.imgur.com
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 1193876
Content-Type: image/png
Last-Modified: Mon, 10 Jun 2024 13:57:00 GMT
ETag: "8d443e7cb87cacf0f589ce55599e008f"
x-amz-server-side-encryption: AES256
X-Amz-Cf-Pop: IAD89-P1
X-Amz-Cf-Id: spb0uhxXxTvr6lHCGKZULmvyWyMe7S4mKQELWlNDl90VkWhm5tukzw==
cache-control: public, max-age=31536000
Accept-Ranges: bytes
Date: Mon, 17 Jun 2024 07:53:41 GMT
Age: 583001
X-Served-By: cache-iad-kjyo7100163-IAD, cache-bur-kbur8200132-BUR
X-Cache: Miss from cloudfront, HIT, HIT
X-Cache-Hits: 5, 1
X-Timer: S1718610821.101069,VS0,VE5
Strict-Transport-Security: max-age=300
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
Server: cat factory 1.0
X-Content-Type-Options: nosniff
GET
200
https://contur2fa.recipeupdates.rest/__hh/files/run
REQUEST
RESPONSE
BODY
GET /__hh/files/run HTTP/1.1
Host: contur2fa.recipeupdates.rest
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 07:54:41 GMT
Content-Type: application/octet-stream
Content-Length: 740
Connection: keep-alive
Last-Modified: Wed, 29 May 2024 13:13:27 GMT
ETag: "665729f7-2e4"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d6JHTPuqMx%2Fz0vwetdGKveUOD3QdLpwtbb99mOwqB%2F0mfEVl%2FpDxoA3OwbM5%2FFNwS8w9o4RQ6kkR%2BFjTMNLwcyLe6jUoGfBvWhgHQKYMl6c4aRM5rmvgFXrXGmHKbsD1Z4KQg2vyoOPWENpL87Rr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 89517916de0c7d56-LAX
alt-svc: h3=":443"; ma=86400
GET
200
https://contur2fa.recipeupdates.rest/__hh/files/run_search
REQUEST
RESPONSE
BODY
GET /__hh/files/run_search HTTP/1.1
Host: contur2fa.recipeupdates.rest
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 17 Jun 2024 07:54:46 GMT
Content-Type: application/octet-stream
Content-Length: 1983
Connection: keep-alive
Last-Modified: Wed, 29 May 2024 13:11:47 GMT
ETag: "66572993-7bf"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HgVLB%2Brc46OIdl65CIIEOi9CNnRisAYQnL4WgF3XbiVn8th28lYYkbmYwNWscrw8a1Hc%2FeOsxWV3qCkCzkx7ctxo4sikl5MzSUnrDxxHDX99ofTNEdnhiViNNizte5TPCo8NmC6LBED%2F5ZS%2FZXM8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 895179384b487c36-LAX
alt-svc: h3=":443"; ma=86400
POST
200
http://proresupdate.com/h9fmdW5/index.php
REQUEST
RESPONSE
BODY
POST /h9fmdW5/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: proresupdate.com
Content-Length: 4
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 17 Jun 2024 07:54:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
POST
200
http://proresupdate.com/h9fmdW5/index.php
REQUEST
RESPONSE
BODY
POST /h9fmdW5/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: proresupdate.com
Content-Length: 160
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 17 Jun 2024 07:54:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proresupdate.com/h9fmdW5/index.php
REQUEST
RESPONSE
BODY
POST /h9fmdW5/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: proresupdate.com
Content-Length: 31
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 17 Jun 2024 07:54:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49161 -> 146.75.92.193:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49170 -> 172.67.197.250:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49172 -> 172.67.197.250:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49169 -> 45.152.112.146:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49161 146.75.92.193:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.imgur.com | 39:5b:e1:0d:4a:fc:a4:c7:f3:71:de:c4:5c:12:69:f9:5f:58:9f:42 |
TLSv1 192.168.56.101:49170 172.67.197.250:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=recipeupdates.rest | 56:1f:99:81:f8:1f:9b:4e:f8:64:b7:17:28:16:1b:e1:fd:f8:cb:cf |
TLSv1 192.168.56.101:49172 172.67.197.250:443 |
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=recipeupdates.rest | 56:1f:99:81:f8:1f:9b:4e:f8:64:b7:17:28:16:1b:e1:fd:f8:cb:cf |
Snort Alerts
No Snort Alerts