Report - knaben.org/random/cola/download/Virus/programmer.exe

Report Overview

Visitedpublic

2025-04-09 00:41:38

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
knaben.org	unknown	2016-06-25	2016-09-30	2025-04-09	520 B	11 MB	104.21.82.152

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2025-04-09	medium	knaben.org/random/cola/download/Virus/programmer.exe	Detects a tool used by APT groups - file ChromePass.exe
2025-04-09	medium	knaben.org/random/cola/download/Virus/programmer.exe	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
2025-04-09	medium	knaben.org/random/cola/download/Virus/programmer.exe	Scans presence of the found strings using the in-house brute force method

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

File detected

URL

knaben.org/random/cola/download/Virus/programmer.exe

IP / ASN

104.21.82.152

#13335 CLOUDFLARENET

File Overview

File TypePE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

Size11 MB (10803712 bytes)

MD5ef3bff9c8aa5651f0daad412ddba3a00

SHA197f1ede506e0a897a9a214539592ec14925ed4fe

SHA256e27621e09d3ce0bb57ece8f9034df44fb8733d783fcec2b9549c6c55d963859c

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Detects a tool used by APT groups - file ChromePass.exe
YARAhub by abuse.ch	malware	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
YARAhub by abuse.ch	malware	Scans presence of the found strings using the in-house brute force method
VirusTotal	malicious	VirusTotal - Scan result 42/70

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

GET knaben.org/random/cola/download/Virus/programmer.exe

104.21.82.152

200 OK

11 MB

URL

knaben.org/random/cola/download/Virus/programmer.exe

IP / ASN

104.21.82.152

#13335 CLOUDFLARENET

Requested byN/A

Resource Info

File typePE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

First Seen2024-09-19

Last Seen2025-04-09

Times Seen3

Size11 MB (10803712 bytes)

MD5ef3bff9c8aa5651f0daad412ddba3a00

SHA197f1ede506e0a897a9a214539592ec14925ed4fe

SHA256e27621e09d3ce0bb57ece8f9034df44fb8733d783fcec2b9549c6c55d963859c

Certificate Info

IssuerGoogle Trust Services

Subjectknaben.org

Fingerprint47:DD:D2:C6:C9:79:B0:B7:89:CC:09:36:A2:D1:40:34:BA:6D:CE:5A

ValiditySat, 05 Apr 2025 16:38:36 GMT - Fri, 04 Jul 2025 17:37:08 GMT

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Detects a tool used by APT groups - file ChromePass.exe
YARAhub by abuse.ch	malware	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
YARAhub by abuse.ch	malware	Scans presence of the found strings using the in-house brute force method
VirusTotal	malicious	VirusTotal - Scan result 42/70

HTTP Headers

GET /random/cola/download/Virus/programmer.exe HTTP/1.1
Host: knaben.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Wed, 09 Apr 2025 00:41:14 GMT
content-type: application/octet-stream
content-length: 10803712
last-modified: Sat, 20 Nov 2021 21:21:41 GMT
etag: "619966e5-a4da00"
onion-location: http://knabenxyzjl3bt5al7awroewfkg37x6duutapjytdib4w42mk2kiqpid.onion/random/cola/download/Virus/programmer.exe
cache-control: max-age=14400
cf-cache-status: HIT
age: 12
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vLMFO5K7YCifSuP694l6yg6TTOgED5iSUHXwnodUmlV8Alaah%2BMhu%2BgLoG6z%2Baa%2BQiUa9FRY7O2xVaGKyEkM7ZWo3KvB0Q70YmQWohR45tTwHvIwQW%2Fi%2BilSajl%2F"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 92d5f52c3cfd56cb-OSL
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=548&min_rtt=494&rtt_var=176&sent=7&recv=10&lost=0&retrans=0&sent_bytes=3267&recv_bytes=1274&delivery_rate=7941499&cwnd=254&unsent_bytes=0&cid=b498b7429d22bb05&ts=32&x=0"
X-Firefox-Spdy: h2