Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| api.ip.sb | 104.26.12.31 |
GET
200
https://api.ip.sb/geoip
REQUEST
RESPONSE
BODY
GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 08:15:46 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gnTT%2BLJ2y80eCgnEkg%2BGnneXQqfUZvewewM3mxNkEONyudR2HO8VNu8rhBGMnXzy8NcUkjVCU46yzLQUBH1yqprUp3fc5lEOhMAs5Qk0tArXZyWOlPeSlK73Sg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 8d2e5cf74eb4d3f2-KIX
alt-svc: h3=":443"; ma=86400
GET
200
http://87.120.127.223/panel/uploads/Afocvkc.dat
REQUEST
RESPONSE
BODY
GET /panel/uploads/Afocvkc.dat HTTP/1.1
Host: 87.120.127.223
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 15 Oct 2024 08:15:24 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Mon, 14 Oct 2024 04:30:20 GMT
ETag: "ea808-624684b6c5b85"
Accept-Ranges: bytes
Content-Length: 960520
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49169 -> 104.26.12.31:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 87.120.127.223:42128 -> 192.168.56.101:49168 | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | Malware Command and Control Activity Detected |
| TCP 87.120.127.223:42128 -> 192.168.56.101:49168 | 2045001 | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound | Malware Command and Control Activity Detected |
| TCP 87.120.127.223:42128 -> 192.168.56.101:49168 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | A Network Trojan was detected |
| TCP 87.120.127.223:42128 -> 192.168.56.101:49168 | 2221010 | SURICATA HTTP unable to match response to request | Generic Protocol Command Decode |
Suricata TLS
| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
|
TLSv1 192.168.56.101:49169 104.26.12.31:443 |
C=US, O=Google Trust Services, CN=WR1 | CN=api.ip.sb | 67:55:9d:38:46:36:29:e0:23:80:8c:58:24:25:99:c3:60:63:b7:0f |
Snort Alerts
No Snort Alerts