Report - 45.207.168.120:7744/1111222222222.zip

Report Overview

Visitedpublic

2024-07-06 21:22:38

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
r10.o.lencr.org	unknown	2020-06-29	2024-06-06 21:45:11	2024-07-06 18:12:32	981 B	2.7 kB	23.36.77.32
45.207.168.120:7744	unknown	unknown	No data	No data	407 B	5.8 MB	45.207.168.120

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2024-07-06 21:22:12	medium	Client IP	45.207.168.120	ET INFO Dotted Quad Host ZIP Request
2024-07-06 21:22:12	high	45.207.168.120	Client IP	ET HUNTING Rejetto HTTP File Sever Response

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

Scan Date	Severity	Indicator	Alert
2024-07-06	medium	45.207.168.120	Sinkholed

ThreatFox

No alerts detected

File detected

URL

45.207.168.120:7744/1111222222222.zip

IP / ASN

45.207.168.120

#21859 ZEN-ECN

File Overview

File TypeZip archive data, at least v2.0 to extract, compression method=deflate

Size5.8 MB (5807959 bytes)

MD5e97e5dcbfb2bb44d889df3124903bfb1

SHA1166f7d7d1ec12009167db7ebe862d80f7ab3fbb2

SHA256feab3a7d78c04007af684425dd60df3c8707e143b86481cb30e2c105118e3b99

Archive (13)

Modified	Filename	Size	MD5	File type
2019-08-09 05:52	2.bat	214 B	9366387efaf029defa1d92ebec9be843	ASCII text, with CRLF line terminators
2019-02-12 04:41	Disable Lusrmgr.reg	332 B	b1efa56d1bba81c09ddf7b61c2e2e567	Windows Registry little-endian text (Win2K or above)
2024-01-09 01:40	LogDelete.bat	63 B	fb9c610ba195f9b18a96b84c5e755df7	ASCII text, with no line terminators
2024-06-27 09:24	mm.exe	5.4 MB	a913d7c91e9129b03e4992a42b4040e0	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive, 4 sections
2024-06-02 06:24	utilman.exe	56 kB	6172e9bd077d91af0356855e8e74ae59	PE32+ executable (console) x86-64, for MS Windows, 3 sections
2024-01-05 07:01	�ر��¼��鿴��.reg	161 B	63fd770ce885559746a4763918a7ae79	Windows Registry text (Win2K or above)
2019-04-03 16:00	1�Ҽ��Թ��Ա��.bat	2.9 kB	121dbfd80566ba06deb84a0149b9805f	DOS batch file, ASCII text, with CRLF line terminators
2021-12-14 05:47	dfControl.exe	457 kB	10d8e4ca3fa2902859c77f41baee4dda	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
2021-12-14 05:47	dfControl.ini	80 kB	e67af98f9f4ef6f902820917ab5d763b	Unicode text, UTF-16, little-endian text, with CRLF line terminators
2015-08-29 04:15	install_wim_tweak.exe	46 kB	ba352663c76c86c10a8d5c7b7a47f3c5	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
2019-03-31 08:54	Uninstall.cmd	308 B	05e34e86c455fc1d2373333612247b9e	DOS batch file, ISO-8859 text, with CRLF line terminators
2024-01-26 02:42	�½��ı��ĵ�.txt	110 B	d341bd554c34bdf64a5eb1ffb3922b74	Unicode text, UTF-8 text, with CRLF line terminators
2020-01-16 01:04	��.reg	699 B	94cc68800133d89ee0f4b307de8ecece	Windows Registry text (Win2K or above)

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	Detects malware by known bad imphash or rich_pe_header_hash

JavaScript (0)

HTTP Transactions (4)

URL IP Response Size

r10.o.lencr.org/

23.36.77.32

504 B

URL

r10.o.lencr.org/

IP / ASN

23.36.77.32

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-07-05

Last Seen2024-08-19

Times Seen43182

Size504 B (504 bytes)

MD5508d0867e7982df7cfa6ad58e05ce470

SHA16f4e15b94e527d02e8dd38f8b69b493cfae84c56

SHA256376a5286b71a4a7e90b3eece9b39480f50435d5ef3c7793828481f590d04bc77

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "376A5286B71A4A7E90B3EECE9B39480F50435D5EF3C7793828481F590D04BC77"
Last-Modified: Thu, 04 Jul 2024 23:47:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=5164
Expires: Sat, 06 Jul 2024 22:48:15 GMT
Date: Sat, 06 Jul 2024 21:22:11 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.76.226

504 B

URL

r10.o.lencr.org/

IP / ASN

23.36.76.226

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-07-05

Last Seen2024-08-19

Times Seen44889

Size504 B (504 bytes)

MD5861cce1bf441610f1dfbb14264d55122

SHA11596b2c44fcdb5f7a49c73da766e4ab48b6bd064

SHA256f67d59f3fddbcaf61f9f1aa87eca02a320f59402bb412687a4db4d8aa81867d2

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "F67D59F3FDDBCAF61F9F1AA87ECA02A320F59402BB412687A4DB4D8AA81867D2"
Last-Modified: Fri, 05 Jul 2024 17:32:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13286
Expires: Sun, 07 Jul 2024 01:03:39 GMT
Date: Sat, 06 Jul 2024 21:22:13 GMT
Connection: keep-alive

r10.o.lencr.org/

23.36.76.226

504 B

URL

r10.o.lencr.org/

IP / ASN

23.36.76.226

#20940 Akamai International B.V.

Requested byN/A

Resource Info

File typedata

First Seen2024-07-05

Last Seen2024-08-19

Times Seen44889

Size504 B (504 bytes)

MD5861cce1bf441610f1dfbb14264d55122

SHA11596b2c44fcdb5f7a49c73da766e4ab48b6bd064

SHA256f67d59f3fddbcaf61f9f1aa87eca02a320f59402bb412687a4db4d8aa81867d2

HTTP Headers

POST / HTTP/1.1
Host: r10.o.lencr.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/ocsp-request
Content-Length: 85
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "F67D59F3FDDBCAF61F9F1AA87ECA02A320F59402BB412687A4DB4D8AA81867D2"
Last-Modified: Fri, 05 Jul 2024 17:32:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=13286
Expires: Sun, 07 Jul 2024 01:03:39 GMT
Date: Sat, 06 Jul 2024 21:22:13 GMT
Connection: keep-alive

GET 45.207.168.120:7744/1111222222222.zip

45.207.168.120

200 OK

5.8 MB

URL

45.207.168.120:7744/1111222222222.zip

IP / ASN

45.207.168.120

#21859 ZEN-ECN

Requested byN/A

Resource Info

File typeZip archive data, at least v2.0 to extract, compression method=deflate

First Seen2024-08-19

Last Seen2024-08-19

Times Seen1

Size5.8 MB (5807959 bytes)

MD5e97e5dcbfb2bb44d889df3124903bfb1

SHA1166f7d7d1ec12009167db7ebe862d80f7ab3fbb2

SHA256feab3a7d78c04007af684425dd60df3c8707e143b86481cb30e2c105118e3b99

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed

HTTP Headers

GET /1111222222222.zip HTTP/1.1
Host: 45.207.168.120:7744
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 5807959
Accept-Ranges: bytes
Server: HFS 2.3m
Set-Cookie: HFS_SID_=0.141926925862208; path=/; HttpOnly
ETag: 699A4B8128D08E8492C48223C9632051
Last-Modified: Thu, 27 Jun 2024 22:02:06 GMT
Content-Disposition: attachment; filename="1111222222222.zip";