Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
voucher-01-static.com | 91.92.243.32 | |
GET 200 http://voucher-01-static.com/kvro/1337x.txt

Request:
GET /kvro/1337x.txt HTTP/1.1
Host: voucher-01-static.com
Connection: Keep-Alive

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 08 Jul 2024 09:25:20 GMT
Content-Type: text/plain
Content-Length: 8701
Last-Modified: Tue, 02 Apr 2024 03:10:06 GMT
Connection: keep-alive
ETag: "660b770e-21fd"
Accept-Ranges: bytes
GET 200 http://voucher-01-static.com/kvro/xplayd.hta

Request:
GET /kvro/xplayd.hta HTTP/1.1
Host: voucher-01-static.com

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 08 Jul 2024 09:25:21 GMT
Content-Type: application/octet-stream
Content-Length: 9771
Last-Modified: Sat, 08 Jun 2024 11:31:46 GMT
Connection: keep-alive
ETag: "66644122-262b"
Accept-Ranges: bytes
GET 200 http://voucher-01-static.com/kvro/Erlnb.exe

Request:
GET /kvro/Erlnb.exe HTTP/1.1
Host: voucher-01-static.com

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 08 Jul 2024 09:25:22 GMT
Content-Type: application/octet-stream
Content-Length: 26624
Last-Modified: Fri, 17 May 2024 05:55:50 GMT
Connection: keep-alive
ETag: "6646f166-6800"
Accept-Ranges: bytes
GET 200 http://voucher-01-static.com/rkei/1085.txt

Request:
GET /rkei/1085.txt HTTP/1.1
Host: voucher-01-static.com
Connection: Keep-Alive

Response:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 08 Jul 2024 09:25:26 GMT
Content-Type: text/plain
Content-Length: 786944
Last-Modified: Fri, 17 May 2024 05:35:18 GMT
Connection: keep-alive
ETag: "6646ec96-c0200"
Accept-Ranges: bytes
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 91.92.243.32:80 -> 192.168.56.101:49163 | 2400012 | ET DROP Spamhaus DROP Listed Traffic Inbound group 13 | Misc Attack |
TCP 192.168.56.101:49163 -> 91.92.243.32:80 | 2022520 | ET POLICY Possible HTA Application Download | Potentially Bad Traffic |
TCP 91.92.243.32:80 -> 192.168.56.101:49163 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 91.92.243.32:80 -> 192.168.56.101:49163 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
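As an added example that is not part of the sandbox report, the Python below re-reads the four header pairs above (embedded as constructed input, bodies omitted because the report did not capture them) and turns them into the checks an analyst would want before pivoting on this host: whether the request is missing the User-Agent and Accept headers every real browser sends (a heuristic that approximates, and does not reproduce, ET SID 2016538), whether the URI ends in .hta (the kind of match behind SID 2022520), and whether each nginx ETag decodes to the same mtime and size that Last-Modified and Content-Length advertise. The nginx default ETag layout hex(mtime)-hex(size) is a documented behaviour; the header-name heuristic and the derived staging timeline are this example's own.

```python
"""Header-consistency and staging-timeline checks over sandbox HTTP captures."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed from the four request/response header pairs in the report above.
# Bodies were not captured, so every check below works on headers only.
EXCHANGES = [
    ("GET /kvro/1337x.txt HTTP/1.1\r\nHost: voucher-01-static.com\r\nConnection: Keep-Alive\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Mon, 08 Jul 2024 09:25:20 GMT\r\n"
     "Content-Type: text/plain\r\nContent-Length: 8701\r\n"
     "Last-Modified: Tue, 02 Apr 2024 03:10:06 GMT\r\nConnection: keep-alive\r\n"
     'ETag: "660b770e-21fd"\r\nAccept-Ranges: bytes\r\n\r\n'),
    ("GET /kvro/xplayd.hta HTTP/1.1\r\nHost: voucher-01-static.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Mon, 08 Jul 2024 09:25:21 GMT\r\n"
     "Content-Type: application/octet-stream\r\nContent-Length: 9771\r\n"
     "Last-Modified: Sat, 08 Jun 2024 11:31:46 GMT\r\nConnection: keep-alive\r\n"
     'ETag: "66644122-262b"\r\nAccept-Ranges: bytes\r\n\r\n'),
    ("GET /kvro/Erlnb.exe HTTP/1.1\r\nHost: voucher-01-static.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Mon, 08 Jul 2024 09:25:22 GMT\r\n"
     "Content-Type: application/octet-stream\r\nContent-Length: 26624\r\n"
     "Last-Modified: Fri, 17 May 2024 05:55:50 GMT\r\nConnection: keep-alive\r\n"
     'ETag: "6646f166-6800"\r\nAccept-Ranges: bytes\r\n\r\n'),
    ("GET /rkei/1085.txt HTTP/1.1\r\nHost: voucher-01-static.com\r\nConnection: Keep-Alive\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Mon, 08 Jul 2024 09:25:26 GMT\r\n"
     "Content-Type: text/plain\r\nContent-Length: 786944\r\n"
     "Last-Modified: Fri, 17 May 2024 05:35:18 GMT\r\nConnection: keep-alive\r\n"
     'ETag: "6646ec96-c0200"\r\nAccept-Ranges: bytes\r\n\r\n'),
]

# Headers a browser, curl or the PowerShell web cmdlets send on every request.
# Their absence is the heuristic used here; it approximates, and is not,
# the content of ET SID 2016538.
EXPECTED_CLIENT_HEADERS = {"user-agent", "accept"}


def parse_message(raw):
    """Split an HTTP/1.1 message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers


def decode_nginx_etag(etag):
    """nginx's default ETag is hex(mtime)-hex(size); return (mtime as UTC, size in bytes)."""
    mtime_hex, size_hex = etag.strip('"').split("-")
    return datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc), int(size_hex, 16)


def analyse(req_raw, resp_raw):
    """Return the header-derived findings for one exchange."""
    req_line, req_h = parse_message(req_raw)
    _, resp_h = parse_message(resp_raw)
    _method, path, _version = req_line.split(" ")
    mtime, size = decode_nginx_etag(resp_h["etag"])
    return {
        "url": f"http://{req_h['host']}{path}",
        # No UA/Accept at all: the client is a loader or script engine, not a browser.
        "minimal_headers": EXPECTED_CLIENT_HEADERS.isdisjoint(req_h),
        # Extension-based, like the URI match a "Possible HTA Application Download" rule uses.
        "hta_by_extension": path.lower().endswith(".hta"),
        # A proxy or CDN rewriting headers between sandbox and origin would break this.
        "etag_consistent": (mtime == parsedate_to_datetime(resp_h["last-modified"])
                            and size == int(resp_h["content-length"])),
        "served_as": resp_h.get("content-type", ""),
        "staged_at": mtime,
    }


def staging_timeline(exchanges):
    """Order payloads by the server-side mtime leaked through ETag/Last-Modified."""
    return sorted((analyse(q, r) for q, r in exchanges), key=lambda f: f["staged_at"])


if __name__ == "__main__":
    for f in staging_timeline(EXCHANGES):
        flags = [k for k in ("minimal_headers", "hta_by_extension") if f[k]]
        print(f["staged_at"].strftime("%Y-%m-%d %H:%M:%S"), f["served_as"].ljust(24),
              f["url"], ",".join(flags), "etag-ok" if f["etag_consistent"] else "etag-MISMATCH")
```

Run as a script it lists the four URLs by origin mtime: 1337x.txt (2 April), then 1085.txt and Erlnb.exe (17 May, twenty minutes apart), then xplayd.hta (8 June), all fetched on 8 July with nothing but a Host header, and all four ETags agree with their Last-Modified and Content-Length values. An ETag that did not agree would point at a cache or CDN in front of the origin, so the staging dates should be read as what the origin server claims, not as ground truth.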
Suricata TLS
No Suricata TLS events.
Snort Alerts
No Snort Alerts