NetWork | ZeroBOX

IP Address	Status	Action
103.48.133.134	Active	Moloch
104.21.84.71	Active	Moloch
164.124.101.2	Active	Moloch
164.160.129.201	Active	Moloch
199.59.242.153	Active	Moloch
3.1.135.107	Active	Moloch
34.102.136.180	Active	Moloch
34.98.99.30	Active	Moloch
74.220.219.18	Active	Moloch

Name	Response	Post-Analysis Lookup
www.hsicclassactionsettlement.com
www.goteclift.com	A 164.160.129.201 CNAME goteclift.com	164.160.129.201
www.gaigoilaocai.com	A 104.21.84.71 A 172.67.187.204	104.21.84.71
www.ashestore.site	A 52.74.68.242 A 54.169.219.94 CNAME dns.ladipage.com CNAME ladi-dns-ssl-nlb-prod-2-d9215092a8318d52.elb.ap-southeast-1.amazonaws.com A 3.1.135.107	52.74.68.242
www.thetew.com	CNAME thetew.com A 74.220.219.18	74.220.219.18
www.rsautoluxe.com	A 103.48.133.134	103.48.133.134
www.pon.xyz	CNAME 71822.bodis.com A 199.59.242.153	199.59.242.153
www.brasilupshop.com	A 34.98.99.30 CNAME brasilupshop.com	34.98.99.30
www.kingdomvets.com	A 34.102.136.180 CNAME kingdomvets.com	34.102.136.180

TCP Requests

UDP Requests

POST 301 http://www.ashestore.site/wufn/

GET 301 http://www.ashestore.site/wufn/?9rj01D0=ISgUE+y+HqjXLrBNcsoJQrgsUIy+PQnmT8IaV+VtAkMVvOhkkzR0T7N+DJe4wV9WEmWhQkdE&v4=Ch6LF

POST 301 http://www.thetew.com/wufn/

GET 301 http://www.thetew.com/wufn/?9rj01D0=krP6P15MZQO22/e1Z0jungPG+tUyhBT5786LeGCZDahp25nY4EPnlmCvSbt3zmNAYEf0+pED&v4=Ch6LF

POST 0 http://www.gaigoilaocai.com/wufn/

GET 301 http://www.gaigoilaocai.com/wufn/?9rj01D0=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&v4=Ch6LF

POST 302 http://www.rsautoluxe.com/wufn/

GET 302 http://www.rsautoluxe.com/wufn/?9rj01D0=w5EnrSKap8oRy2zPlnddF8gTSk3mhpsg6+K+ZUM/zOnILWZ553OzJd1vgJ8iXK568zhVN9hj&v4=Ch6LF

POST 0 http://www.goteclift.com/wufn/

GET 302 http://www.goteclift.com/wufn/?9rj01D0=em0DFdLl6esmbY8UPc/uZDIcKySfcb/lSoae1pTrnNJVgQ0OOt09p+wnf9M0i6X3i3/It/+2&v4=Ch6LF

POST 405 http://www.brasilupshop.com/wufn/

GET 403 http://www.brasilupshop.com/wufn/?9rj01D0=59brRu9dLS77nFy0s50o1uJFUTMvI+fKw5ePYjcZBjdZ1DjOWYIxIDuCUckQyVdYQE+vfh4M&v4=Ch6LF

POST 0 http://www.pon.xyz/wufn/

GET 200 http://www.pon.xyz/wufn/?9rj01D0=TjHmMFEWoC7f3AvZD4fy73K0u4EyZw5fKqkeqDjs9aj0G9oQA4BDCe56sbMIcecYmi82gg8d&v4=Ch6LF

POST 405 http://www.kingdomvets.com/wufn/

GET 403 http://www.kingdomvets.com/wufn/?9rj01D0=o6NP/38pvTDlv+JV19NTB11bpLiuGI0dHMB5Vx/enan56b3Zy4geNSKYW/CwegZqLuXFQkxp&v4=Ch6LF

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49207 -> 74.220.219.18:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 74.220.219.18:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 74.220.219.18:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 103.48.133.134:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 103.48.133.134:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 103.48.133.134:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 104.21.84.71:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 104.21.84.71:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 104.21.84.71:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 199.59.242.153:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 199.59.242.153:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 199.59.242.153:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 199.59.242.153:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 34.98.99.30:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 34.98.99.30:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49215 -> 34.98.99.30:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 3.1.135.107:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 3.1.135.107:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 3.1.135.107:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 164.160.129.201:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 164.160.129.201:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 164.160.129.201:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts