Report - nicolascoolman.eu/wp-updates/ZHPSuite.exe

Report Overview

Visitedpublic

2024-03-23 05:18:44

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
nicolascoolman.eu	unknown	unknown	2017-03-13 08:33:36	2024-03-21 06:20:21	495 B	3.5 MB	109.234.162.18

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

Scan Date	Severity	Indicator	Alert
2024-03-23	medium	nicolascoolman.eu/wp-updates/ZHPSuite.exe	Identifies compiled AutoIT script (as EXE).

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

File detected

URL

nicolascoolman.eu/wp-updates/ZHPSuite.exe

IP / ASN

109.234.162.18

#50474 O2switch SAS

File Overview

File TypePE32 executable (GUI) Intel 80386, for MS Windows, 5 sections

Size3.5 MB (3508424 bytes)

MD55635fd91e5f7799488630692548f7605

SHA15aab8d7013e29bbef00a0a3a210fe544e341d9af

SHA256ce564312a17c42ccf9635b4002285b879d1625df8179b2b64146c62bdb79b152

Detections

Analyzer	Verdict	Alert
Public InfoSec YARA rules	malware	Identifies compiled AutoIT script (as EXE).
VirusTotal	suspicious	VirusTotal - Scan result 1/64

JavaScript (0)

HTTP Transactions (1)

URL IP Response Size

GET nicolascoolman.eu/wp-updates/ZHPSuite.exe

109.234.162.18

200 OK

3.5 MB

URL

nicolascoolman.eu/wp-updates/ZHPSuite.exe

IP / ASN

109.234.162.18

#50474 O2switch SAS

Requested byN/A

Resource Info

File typePE32 executable (GUI) Intel 80386, for MS Windows, 5 sections

First Seen2023-08-20

Last Seen2025-05-14

Times Seen17

Size3.5 MB (3508424 bytes)

MD55635fd91e5f7799488630692548f7605

SHA15aab8d7013e29bbef00a0a3a210fe544e341d9af

SHA256ce564312a17c42ccf9635b4002285b879d1625df8179b2b64146c62bdb79b152

Certificate Info

IssuerLet's Encrypt

Subjectnicolascoolman.eu

FingerprintFF:94:39:97:48:68:5A:32:87:29:3E:C1:A9:1A:16:05:95:6F:17:9B

ValidityThu, 14 Mar 2024 09:14:17 GMT - Wed, 12 Jun 2024 09:14:16 GMT

Detections

Analyzer	Verdict	Alert
Public InfoSec YARA rules	malware	Identifies compiled AutoIT script (as EXE).
VirusTotal	suspicious	VirusTotal - Scan result 1/64

HTTP Headers

GET /wp-updates/ZHPSuite.exe HTTP/1.1
Host: nicolascoolman.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

HTTP/2 200 OK
date: Sat, 23 Mar 2024 05:18:18 GMT
content-type: application/x-msdownload
content-length: 3508424
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-security-policy: upgrade-insecure-requests;
x-frame-options: SAMEORIGIN
permissions-policy: accelerometer=(), autoplay=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
last-modified: Wed, 12 Jul 2023 08:45:31 GMT
strict-transport-security: max-age=63072000; includeSubDomains; preload
access-control-allow-origin: null
access-control-allow-methods: GET,PUT,POST,DELETE
access-control-allow-headers: Content-Type, Authorization
x-content-security-policy: img-src *; media-src * data:;
x-permitted-cross-domain-policies: none
cache-control: public
server: o2switch-PowerBoost-v3
accept-ranges: bytes
X-Firefox-Spdy: h2