LetsDefend EventID 86 Walkthrough

Collection Data

Parse Alert

• SOURCE ADDRESS:

  • 172.16.17.49
    • Investigation Channel > Maximize Alert > Source Address

• DESTINATION ADDRESS:

  • 91.189.114.8
    • Investigation Channel > Maximize Alert > Destination Address
  • Talos IP and Reputation > neutral
  • VirusTotal > clean
  • AbusIPDB > Data Center / Web Hosting / Transit
  • Whois > ORG-JR15-RIPE

• USER AGENT:

  • Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
    • Investigation Channel > Maximize Alert > User Agent

Search Log

• Requested URL: hxxp[://]mogagrocol[.]ru/wp-content/plugins/akismet/fv/index[.]php?email=ellie@letsdefend[.]io
  • Log Management > Searched source and destination IP > HTTP log with URL

Analyze

Analyze URL Address

• Copied URL > submitted to VirusTotal > URL flagged as malware / phishing

• Hybrid Analysis > URL flagged as Phishing Site

• URLHaus - Similar URL with same domain was submitted as containing malware