NetWork | ZeroBOX

IP Address	Status	Action
160.121.176.84	Active	Moloch
160.124.11.194	Active	Moloch
163.44.239.73	Active	Moloch
164.124.101.2	Active	Moloch
35.186.238.101	Active	Moloch
54.85.86.211	Active	Moloch
99.83.154.118	Active	Moloch

Name	Response	Post-Analysis Lookup
www.malcorinmobiliaria.com	A 160.121.176.84	160.121.176.84
www.defenestration.world	A 99.83.154.118	99.83.154.118
www.lucytime.com	A 160.124.11.194	160.124.11.194
www.mercuryaid.net
www.brunoecatarina.com	A 54.85.86.211	54.85.86.211
www.adultpeace.com	A 163.44.239.73 CNAME adultpeace.com	163.44.239.73
www.m678.xyz
www.aideliveryrobot.com	A 35.186.238.101	35.186.238.101

TCP Requests

UDP Requests

POST 405 http://www.aideliveryrobot.com/p2io/

GET 403 http://www.aideliveryrobot.com/p2io/?RvE=xikLqsON4SLys5Ctbg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYLyVZkm9Sn2R1rpOJsEg&Mfg=lHNl

POST 200 http://www.brunoecatarina.com/p2io/

GET 200 http://www.brunoecatarina.com/p2io/?RvE=OHUffbgvv2IRIzjH29fk0Sz2RAv4pH8VLsbDGAU3/+1JsitNqq1vDtXSpGXNdq06DpgCyNqt&Mfg=lHNl

POST 0 http://www.malcorinmobiliaria.com/p2io/

GET 0 http://www.malcorinmobiliaria.com/p2io/?RvE=X0EtArFEUual2LrizL+JDvaaIJih4TPXrew0ftkRNgE5xhBEnMYnqlEM9Znbjzoaa6WF3j6b&Mfg=lHNl

POST 0 http://www.defenestration.world/p2io/

GET 403 http://www.defenestration.world/p2io/?RvE=lrOqxb+TUC8Po5HmYZ1tkMjkgx31NOkXgmck/5zOeb61pSaxp+mpU5HJ8/bv+r3dcUpLXcCA&Mfg=lHNl

POST 0 http://www.adultpeace.com/p2io/

GET 301 http://www.adultpeace.com/p2io/?RvE=4oufm6g7w9cVhgu+mDBWoA8I6Q2bNaX51teMhl/6i5f1woTl8Y4Ohfe29cQ9y7IaJQfIj0iK&Mfg=lHNl

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 160.121.176.84:80 -> 192.168.56.101:49209	2400017	ET DROP Spamhaus DROP Listed Traffic Inbound group 18	Misc Attack
TCP 192.168.56.101:49212 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
TCP 192.168.56.101:49212 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
TCP 192.168.56.101:49211 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
UDP 192.168.56.101:55450 -> 164.124.101.2:53	2027870	ET INFO Observed DNS Query to .world TLD	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 163.44.239.73:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 163.44.239.73:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 163.44.239.73:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 99.83.154.118:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 99.83.154.118:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 99.83.154.118:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 99.83.154.118:80	2027879	ET INFO HTTP Request to Suspicious *.world Domain	Potentially Bad Traffic
TCP 192.168.56.101:49206 -> 35.186.238.101:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 35.186.238.101:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 35.186.238.101:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 54.85.86.211:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 54.85.86.211:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 54.85.86.211:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 160.121.176.84:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 160.121.176.84:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 160.121.176.84:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts