ATP detection www.hostingcloud.racing C2/Generic-A AFCd

I'm having multiple UTMs reporting a C2/Generic-A: some machines try to resolve this domain name "www.hostingcloud.racing". I have scanned every server/PC that it is reporting on and there is never anything there.

Anyone have any idea about this domain name "www.hostingcloud.racing"?

From a Sophos Central Managed Endpoint, if I visit that URL via a browser it gets stopped as:

High Risk Website Blocked
  • Location: www.hostingcloud.racing
  • Access has been blocked as the threat C2/Generic-A has been found on this website.

Looking in the SRC of the endpoint block page:

<div id="categoryId" style="display: none;">19</div>

<option value="19">Hacking</option>

So it's also classified as a hacking site.

Making a request from the command line, as I have a UTM, I get back:

Invoke-WebRequest -Uri "www.hostingcloud.racing" -OutFile C:\1.txt
Invoke-WebRequest :
UTM 9 http://www.sophos.com

Content blocked!!
While trying to retrieve the URL:
www.hostingcloud.racing/
The content is blocked due to the following condition:
The URL you have requested is blocked by Surf Protection. If you think this is wrong, please contact your administrator.
Report:
Blocked Category (Hacking/Computer Crime)
Your cache administrator is:
a@b.com
Powered by UTM Web Protection

This confirms the cat 19 classification for hacking.

A lookup for me:

nslookup www.hostingcloud.racing
Address: 192.168.0.1

Non-authoritative answer:
Name: www.hostingcloud.racing
Address: 81.171.8.143

VirusTotal for the URL:

https://www.virustotal.com/gui/url/c21ba8338188adeb26aa9207efac69c0352924b22694e23334e06ba7e0af304a/detection

...shows a few vendors detect it including Sophos.

I think for more info from Sophos, you will have to fill in https://secure2.sophos.com/en-us/support/submit-a-sample.aspx for the Web Address (URL) option.

Thanks,
Jak
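The open question in the thread is which machines are actually issuing the lookup: the UTM flags the DNS request, but an on-box scan of the reported host turns up nothing. The usual next step is to go to the resolver or UTM DNS logs and aggregate queries for the indicator by client. The following is an added example, not code from the thread or from Sophos: it parses DNS query log lines for the one domain named above and returns, per client address, how many times it was queried, the first and last timestamp, and the record types requested. The log line format (a generic `timestamp client=… query=… type=…` shape), the sample lines and the client addresses are all constructed for the example; the real UTM log format differs, so `LINE_RE` has to be adapted to the actual source. Matching also counts subdomains of the indicator as hits, which goes beyond the single hostname the thread mentions.

```python
import re
from dataclasses import dataclass, field

# The only domain the thread names; extend this set with other confirmed indicators.
INDICATORS = {"www.hostingcloud.racing"}

# Constructed sample log lines (NOT the real UTM log format). One line is
# deliberately malformed to show that unparseable lines are counted, not dropped silently.
SAMPLE_LOG = """\
2019-03-01T08:01:12Z client=10.0.0.15 query=www.hostingcloud.racing type=A
2019-03-01T08:01:13Z client=10.0.0.15 query=update.example.net type=A
2019-03-01T08:05:40Z client=10.0.0.22 query=WWW.hostingcloud.racing. type=A
2019-03-01T09:15:02Z client=10.0.0.15 query=www.hostingcloud.racing type=AAAA
2019-03-01T09:20:00Z garbage line that does not parse
2019-03-01T10:00:00Z client=10.0.0.31 query=mail.example.org type=MX
"""

# Assumed key/value line shape; adjust for the resolver or UTM export you actually have.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'WWW.x.' matches 'www.x'."""
    return qname.rstrip(".").lower()


def matches_indicator(qname: str, indicators=INDICATORS) -> bool:
    """True if qname is an indicator or a subdomain of one (a deliberate generalization)."""
    name = normalize(qname)
    for ind in indicators:
        ind = normalize(ind)
        if name == ind or name.endswith("." + ind):
            return True
    return False


@dataclass
class ClientHits:
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""
    qtypes: set = field(default_factory=set)


def find_resolving_clients(log_text: str, indicators=INDICATORS):
    """Return ({client: ClientHits}, skipped_line_count) for clients that queried an indicator."""
    hits = {}
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # keep a count so a format mismatch is visible
            continue
        if not matches_indicator(m["qname"], indicators):
            continue
        h = hits.setdefault(m["client"], ClientHits(first_seen=m["ts"]))
        h.count += 1
        h.last_seen = m["ts"]     # lines are assumed to be in time order
        h.qtypes.add(m["qtype"].upper())
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = find_resolving_clients(SAMPLE_LOG)
    for client, h in sorted(hits.items(), key=lambda kv: kv[1].count, reverse=True):
        print(f"{client}: {h.count} queries, {h.first_seen} .. {h.last_seen}, types={sorted(h.qtypes)}")
    print(f"unparseable lines: {skipped}")
```

A client that appears here repeatedly, with a first-seen time that lines up with the UTM alerts, is the host to examine next (scheduled tasks, browser extensions, cached pages), rather than the host the UTM happened to attribute the alert to if NAT or a forwarding resolver sits in between.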