NetWork | ZeroBOX

Network Analysis

Name | Response | Post-Analysis Lookup
api.wipmania.com | 212.83.168.196 |
GET 200 http://185.215.113.93/pepwn.exe
GET 200 http://api.wipmania.com/
GET 200 http://api.wipmania.com/
GET 200 http://23.129.64.201/tor/status-vote/current/consensus.z
GET 200 http://185.215.113.93/cc11
GET 200 http://185.215.113.93/cc11
GET 200 http://185.215.113.93/cc22
GET 200 http://api.wipmania.com/
GET 200 http://23.129.64.201/tor/status-vote/current/consensus.z

ICMP traffic

No ICMP traffic performed.

IRC traffic

Command | Params | Type
CONNECT | %s:%s HTTP/1.0 | client
CONNECT | %s:%s HTTP/1.1 | client

Suricata Alerts

Flow | SID | Signature | Category
TCP 185.215.113.93:80 -> 192.168.56.101:49200 | 2400023 | ET DROP Spamhaus DROP Listed Traffic Inbound group 24 | Misc Attack
TCP 192.168.56.101:49203 -> 212.83.168.196:80 | 2014304 | ET POLICY External IP Lookup Attempt To Wipmania | Device Retrieving External IP Address Detected
TCP 23.129.64.201:80 -> 192.168.56.101:49208 | 2520073 | ET TOR Known Tor Exit Node Traffic group 74 | Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49208 | 2522074 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 | Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49208 | 2500216 | ET COMPROMISED Known Compromised or Hostile Host Traffic group 109 | Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49220 | 2520073 | ET TOR Known Tor Exit Node Traffic group 74 | Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49220 | 2522074 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 | Misc Attack
TCP 23.129.64.201:80 -> 192.168.56.101:49220 | 2500216 | ET COMPROMISED Known Compromised or Hostile Host Traffic group 109 | Misc Attack
TCP 192.168.56.101:49200 -> 185.215.113.93:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected
TCP 192.168.56.101:49220 -> 23.129.64.201:80 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49220 -> 23.129.64.201:80 | 2028914 | ET POLICY TOR Consensus Data Requested | Potential Corporate Privacy Violation
TCP 23.129.64.201:80 -> 192.168.56.101:49220 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49205 -> 212.83.168.196:80 | 2014304 | ET POLICY External IP Lookup Attempt To Wipmania | Device Retrieving External IP Address Detected
TCP 149.56.45.200:9030 -> 192.168.56.101:49211 | 2522180 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 | Misc Attack
TCP 131.188.40.189:443 -> 192.168.56.101:49214 | 2522139 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140 | Misc Attack
TCP 185.215.113.93:80 -> 192.168.56.101:49200 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 185.215.113.93:80 -> 192.168.56.101:49200 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.101:49211 -> 149.56.45.200:9030 | 2002950 | ET P2P TOR 1.0 Server Key Retrieval | Potential Corporate Privacy Violation
TCP 192.168.56.101:49211 -> 149.56.45.200:9030 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49211 -> 149.56.45.200:9030 | 2008113 | ET P2P Tor Get Server Request | Potential Corporate Privacy Violation
TCP 192.168.56.101:49218 -> 212.83.168.196:80 | 2014304 | ET POLICY External IP Lookup Attempt To Wipmania | Device Retrieving External IP Address Detected
TCP 149.56.45.200:9030 -> 192.168.56.101:49211 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 193.11.164.243:9030 -> 192.168.56.101:49215 | 2522302 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303 | Misc Attack
TCP 46.105.121.228:9100 -> 192.168.56.101:49213 | 2522587 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 588 | Misc Attack
TCP 192.168.56.101:49215 -> 193.11.164.243:9030 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49215 -> 193.11.164.243:9030 | 2008113 | ET P2P Tor Get Server Request | Potential Corporate Privacy Violation
TCP 193.11.164.243:9030 -> 192.168.56.101:49215 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49213 -> 46.105.121.228:9100 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 46.105.121.228:9100 -> 192.168.56.101:49213 | 2018789 | ET POLICY TLS possible TOR SSL traffic | Misc activity
TCP 192.168.56.101:49208 -> 23.129.64.201:80 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 192.168.56.101:49208 -> 23.129.64.201:80 | 2028914 | ET POLICY TOR Consensus Data Requested | Potential Corporate Privacy Violation
TCP 23.129.64.201:80 -> 192.168.56.101:49208 | 2221001 | SURICATA HTTP gzip decompression failed | Generic Protocol Command Decode
TCP 173.75.39.61:9001 -> 192.168.56.101:49212 | 2522224 | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225 | Misc Attack
TCP 192.168.56.101:49212 -> 173.75.39.61:9001 | 2028401 | ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex | Unknown Traffic
TCP 173.75.39.61:9001 -> 192.168.56.101:49212 | 2018789 | ET POLICY TLS possible TOR SSL traffic | Misc activity
TCP 192.168.56.101:49214 -> 131.188.40.189:443 | 2008113 | ET P2P Tor Get Server Request | Potential Corporate Privacy Violation

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49213 -> 46.105.121.228:9100 | CN=www.bwngpox3bvalfmorvip.com | CN=www.rxshttafrocltee.net | d2:47:05:7d:2c:eb:e7:41:65:f3:7b:03:43:39:b6:ae:51:14:d3:42
TLSv1 192.168.56.101:49212 -> 173.75.39.61:9001 | CN=www.4y5zm6ezqlkhbs2ix.com | CN=www.5ul6h6l4.net | dd:c6:e9:d1:7f:2e:55:3b:46:92:22:14:6d:d3:0c:85:e3:5a:8d:b6

Snort Alerts

No Snort Alerts