NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
198.49.23.145	Active	Moloch
52.221.6.123	Active	Moloch
86.105.245.69	Active	Moloch

Name	Response	Post-Analysis Lookup
www.conciergedoctx.com	A 198.49.23.145 CNAME ext-sq.squarespace.com A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.49.23.144
www.songlautramtuoii.online	A 54.254.26.94 CNAME dns.ladipage.com A 52.221.6.123 A 13.251.251.159 CNAME ladi-dns-ssl-nlb-prod-1499fa9d75307fb9.elb.ap-southeast-1.amazonaws.com	13.251.251.159
www.tutormenu.com	A 86.105.245.69	86.105.245.69

TCP Requests

UDP Requests

GET 400 http://www.conciergedoctx.com/ot8m/?jL04lx=Rmy3N+wlsRdc90DKYlbpEySH7ThpQk5pvEca9UocKjs4Ay+6v+slbSS77FUJSyocKPIUdUnf&J2JDYB=9rq8dVhp1hk

GET 302 http://www.tutormenu.com/ot8m/?jL04lx=g8cv0xR7y4pLfuFFpYeFZV+iqXO0L9iKvg1J1UlmtFW0Ap3F99BbST2Gi4J9oY96SsViaqCU&J2JDYB=9rq8dVhp1hk

GET 200 http://www.songlautramtuoii.online/ot8m/?jL04lx=hlO6KFEr2r7qnFraUvvFUKAyhetrIIx2KuYJyx3bWB4eldvIKfxiKjTklgJdTBMxBekRJB0Q&J2JDYB=9rq8dVhp1hk

HTTP/1.1 200 OK Server: openresty Date: Fri, 07 May 2021 02:38:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Set-Cookie: LADI_CLIENT_ID=858ae141-a441-4abc-6141-90c4c94c5c2d; Expires=Mon, 05 May 2031 02:38:43 GMT Set-Cookie: LADI_PAGE_VIEW=0; Path=/ot8m; Expires=Mon, 05 May 2031 02:38:43 GMT Set-Cookie: LADI_PAGE_VIEW_PATH=0; Path=/ot8m; Expires=Mon, 05 May 2031 02:38:43 GMT Set-Cookie: LADI_FORM_SUBMIT=0; Path=/ot8m; Expires=Mon, 05 May 2031 02:38:43 GMT Set-Cookie: LADI_FORM_SUBMIT_PATH=0; Path=/ot8m; Expires=Mon, 05 May 2031 02:38:43 GMT Set-Cookie: LADI_PAGE_VIEW=1; Path=/ot8m; Expires=Mon, 05 May 2031 02:38:43 GMT Set-Cookie: LADI_PAGE_VIEW_PATH=1; Path=/ot8m; Expires=Mon, 05 May 2031 02:38:43 GMT Set-Cookie: LADI_CAMP_ID=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_NAME=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_TYPE=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_ORIGIN_URL=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_TARGET_URL=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_PAGE_VIEW=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_CONFIG=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_END_DATE=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_FUNNEL_NEXT_URL=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_FUNNEL_PREV_URL=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CLIENT_ID=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_PAGE_VIEW=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_PAGE_VIEW_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_FORM_SUBMIT=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_FORM_SUBMIT_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_ID=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_NAME=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_TYPE=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_ORIGIN_URL=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_TARGET_URL=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_PAGE_VIEW=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_CONFIG=; Path=/ot8m; Max-Age=0 Set-Cookie: LADI_CAMP_END_DATE=; Path=/ot8m; Max-Age=0 Statuscode: 404

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49810 -> 198.49.23.145:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49810 -> 198.49.23.145:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49810 -> 198.49.23.145:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 52.221.6.123:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 52.221.6.123:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49814 -> 52.221.6.123:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49812 -> 86.105.245.69:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49812 -> 86.105.245.69:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.102:49812 -> 86.105.245.69:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts