Report - kaliaren.com/Boy1.php.zip

Report Overview

Visited public
2025-02-02 06:25:25
Tags
URL
kaliaren.com/Boy1.php.zip
Finishing URL
about:privatebrowsing
IP / ASN
103.24.12.203
#132644 PT. Cyberindo Mega Persada
Title
about:privatebrowsing

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
kaliaren.com	unknown	2007-07-19	2014-11-03	2025-01-15	491 B	59 kB	103.24.12.203

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Files detected

URL
kaliaren.com/Boy1.php.zip
IP
103.24.12.203
ASN
#132644 PT. Cyberindo Mega Persada

File type
Zip archive data, at least v2.0 to extract, compression method=deflate
Size
59 kB (58913 bytes)
Hash
01ef10bed967e332ffeb7e8691883ece
72154303a2fc2e97c327a7a4773623ab457d4416
0c46ba200295ddc388f75c6237c3c7ce8ca490d40ca502696853ed0e2fd0709d

Archive (6)

Filename

Md5

File type

Boy1.php

d114324acdc501d7c01a71dfddbcdff9

ASCII text, with very long lines (22579), with no line terminators

index.php

19fd42062ea1ce66806eb8d2783249f0

PHP script, ASCII text, with CRLF line terminators

Boy3.php

52f736b3aa26dc221fb49d144e781bf7

data

privacy-modules.php

4c14cbc1df91baaee41f3e8a9d2b31a3

data

index2.php

4027633355d65b70df64ff66844b4980

PHP script, ASCII text, with CRLF line terminators

gacoan.php

a1eb4e8b221fba2c5123a28c3871aeea

PHP script, ASCII text, with CRLF line terminators

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
Public Nextron YARA rules	malware	PHP webshell using some kind of eval with encoded blob to decode
Public Nextron YARA rules	malware	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k
Public Nextron YARA rules	malware	php webshell containing base64 encoded payload
Public Nextron YARA rules	malware	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.
VirusTotal	suspicious	VirusTotal - Scan result 4/65

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

kaliaren.com/Boy1.php.zip

103.24.12.203

200 OK

59 kB

URL User Request GET HTTP/1.1
kaliaren.com/Boy1.php.zip
IP
103.24.12.203:443
ASN
#132644 PT. Cyberindo Mega Persada

Certificate
IssuerLet's Encrypt
Subjectkaliaren.com
Fingerprint72:A4:00:12:64:8E:D7:70:C4:D0:E3:DE:2F:5D:C0:55:19:68:02:2D
ValidityThu, 30 Jan 2025 06:04:50 GMT - Wed, 30 Apr 2025 06:04:49 GMT

File type
Zip archive data, at least v2.0 to extract, compression method=deflate
Size
59 kB (58913 bytes)
Hash
01ef10bed967e332ffeb7e8691883ece
72154303a2fc2e97c327a7a4773623ab457d4416
0c46ba200295ddc388f75c6237c3c7ce8ca490d40ca502696853ed0e2fd0709d

Detections

Analyzer	Verdict	Alert
VirusTotal	suspicious	VirusTotal - Scan result 4/65

HTTP Headers

GET /Boy1.php.zip HTTP/1.1
Host: kaliaren.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 02 Feb 2025 06:24:55 GMT
Server: Apache
Last-Modified: Tue, 07 Jan 2025 05:49:51 GMT
Accept-Ranges: bytes
Content-Length: 58913
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/zip

Report Overview

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Archive (6)

Detections

JavaScript (0)

HTTP Transactions (1)

URL User Request GET HTTP/1.1

IP

ASN

Certificate

File type

Size

Hash

Detections

HTTP Headers