LetsDefend level 1 alert SOC119 - Proxy - Malicious Executable File Detected event-id 83
Details
EventID: 83
Event Time: March 21, 2021, 1:02 p.m.
Rule: SOC119 - Proxy - Malicious Executable File Detected
Level: Security Analyst
Source Address: 172.16.17.5
Source Hostname: SusieHost
Destination Address: 51.195.68.163
Destination Hostname: win-rar.com
Username: Susie
Request URL: https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit
User Agent: Chrome - Windows
Device Action: Allowed
Create Case
Collect Data
- Source Address: 172.16.17.5
- Destination Address: 51.195.68.163
- User-Agent: Chrome - Windows
Search Log
Raw Log
- Request URL: https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit
- Request Method: GET
- Device Action: Allowed
- Process: chrome.exe
- Parent Process: explorer.exe
- Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e
Analyze URL Address
Access https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit
AnyRun: https://app.any.run/tasks/b2a085d0-0d28-4978-9b60-b37b4fd15175
VirusTotal:
https://www.virustotal.com/gui/url/bc62b755250c21cf885d35ec4eac37a7fb5faf373f9786074dc33ad997286841?nocache=1
No threats detected.
www.win-rar[.]com
VirusTotal: https://www.virustotal.com/gui/domain/www.win-rar.com/detection
urlscan.io: https://urlscan.io/result/8f81dda0-9f4b-4b09-98a5-ba3eefe4b9f1/#summary
urlscan.io domain search: https://urlscan.io/domain/www.win-rar.com
51.195.68.163
VirusTotal: https://www.virustotal.com/gui/ip-address/51.195.68.163
urlscan ip search: https://urlscan.io/ip/51.195.68.163
ip-sc[.]net: https://ip-sc.net/ja/r/51.195.68.163
Answer: Non-malicious
Add Artifacts
- URL Address: https[:]//www.win-rar[.]com/postdownload.html?&L=0&Version=32bit
- IP Address: 51.195.68.163 -> Non-malicious