Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
vshell.io | 144.126.151.240 | |
filedn.com | 74.120.9.25 | |
ip-api.com | 208.95.112.1 | |

GET 200 https://filedn.com/lK8iuOs2ybqy4Dz6sat9kSz/Hasselmus.jpb

REQUEST
GET /lK8iuOs2ybqy4Dz6sat9kSz/Hasselmus.jpb HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: filedn.com
Connection: Keep-Alive

RESPONSE
HTTP/1.1 200 OK
Server: CacheHTTPd v1.0
Date: Sat, 12 Oct 2024 02:27:31 +0000
Content-Type: application/octet-stream
Content-Length: 424120
Etag: "15797bae97b7b53ac04bf99b9ab1670041f37801"
Expires: Sat, 12 Oct 2024 08:27:31 +0000
Content-Disposition: attachment; filename="Hasselmus.jpb"
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Connection: keep-alive
Keep-Alive: timeout=30

GET 200 https://filedn.com/lK8iuOs2ybqy4Dz6sat9kSz/QblVUbUiHwTSX245.bin

REQUEST
GET /lK8iuOs2ybqy4Dz6sat9kSz/QblVUbUiHwTSX245.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: filedn.com
Cache-Control: no-cache

RESPONSE
HTTP/1.1 200 OK
Server: CacheHTTPd v1.0
Date: Sat, 12 Oct 2024 02:28:12 +0000
Content-Type: application/octet-stream
Content-Length: 356416
Etag: "9db35e9cd54311d312ccb87777a28aeac62bf663"
Expires: Sat, 12 Oct 2024 08:28:12 +0000
Content-Disposition: attachment; filename="QblVUbUiHwTSX245.bin"
Accept-Ranges: bytes
Content-Transfer-Encoding: binary
Connection: keep-alive
Keep-Alive: timeout=30

GET 200 http://ip-api.com/json/

REQUEST
GET /json/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
Host: ip-api.com
Connection: Keep-Alive

RESPONSE
HTTP/1.1 200 OK
Date: Sat, 12 Oct 2024 02:28:15 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 273
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49165 -> 74.120.9.25:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49166 -> 74.120.9.25:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49167 -> 208.95.112.1:80 | 2036383 | ET MALWARE Common RAT Connectivity Check Observed | A Network Trojan was detected |
TCP 192.168.56.101:49167 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
UDP 192.168.56.101:54148 -> 164.124.101.2:53 | 2054141 | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) | Device Retrieving External IP Address Detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49165 74.120.9.25:443 | C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA | CN=filedn.com | f1:84:2d:e7:88:e7:61:14:50:8b:a7:c3:5f:e6:88:07:a9:bc:40:f8 |
TLSv1 192.168.56.101:49166 74.120.9.25:443 | C=LV, L=Riga, O=GoGetSSL, CN=GoGetSSL RSA DV CA | CN=filedn.com | f1:84:2d:e7:88:e7:61:14:50:8b:a7:c3:5f:e6:88:07:a9:bc:40:f8 |
Snort Alerts
No Snort Alerts