NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

NetWork | ZeroBOX

IP Address	Status	Action
13.107.21.200	Active	Moloch
142.250.199.68	Active	Moloch
164.124.101.2	Active	Moloch
184.168.131.241	Active	Moloch
23.227.38.74	Active	Moloch
23.82.175.70	Active	Moloch

Name	Response	Post-Analysis Lookup
www.rbhealthy.com	A 23.82.175.70	23.82.175.70
www.google.com	A 142.250.199.68	172.217.31.164
www.kemal.cloud	CNAME kemal.cloud A 184.168.131.241	184.168.131.241
www.uniquelypotted.com	CNAME shops.myshopify.com CNAME uniquely-potted.myshopify.com A 23.227.38.74	23.227.38.74

TCP Requests

UDP Requests

GET 200 https://www.google.com/

GET 200 https://www.bing.com/

GET 301 http://www.kemal.cloud/glgd/?bl=jk4VpCF5xdpBDNcbSqsqgBgwF6YcP4kaSOYLmBmtlVdMnJSVXFYCGxGvNq3dPEwe6EUIg0zq&Rx=8pdTb4gHinL0bf

GET 302 http://www.rbhealthy.com/glgd/?bl=kR8gmaZqMogH8CiUuJYgQcfwl5N31iCbhe58//cToFgt6foWGXoMvouW9NVpWQhogq8/M5Y/&Rx=8pdTb4gHinL0bf

GET 403 http://www.uniquelypotted.com/glgd/?bl=V9IxTD1L2pbNugnzWnDipJso32tnejGJlJNh1IVIAa1aPYJ6KBCtXWw1B+PcSxzlCdhuOnbd&Rx=8pdTb4gHinL0bf

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49210 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
UDP 192.168.56.101:54056 -> 164.124.101.2:53	2027865	ET INFO Observed DNS Query to .cloud TLD	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 184.168.131.241:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 184.168.131.241:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic
TCP 192.168.56.101:49200 -> 13.107.21.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 142.250.199.68:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 23.82.175.70:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 23.82.175.70:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 23.82.175.70:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 184.168.131.241:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 184.168.131.241:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 184.168.131.241:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 184.168.131.241:80	2027874	ET INFO HTTP Request to Suspicious *.cloud Domain	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49200 13.107.21.200:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02	CN=www.bing.com	e6:d6:8f:e4:5e:31:2c:7f:a5:1a:6c:d5:bb:5c:15:c6:54:47:bf:47
TLSv1 192.168.56.101:49198 142.250.199.68:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	f8:ac:5b:8f:1a:ee:5d:6b:5e:bc:fc:68:93:41:16:36:29:f6:62:36

Snort Alerts

No Snort Alerts