NetWork | ZeroBOX

Network Analysis

IP Address Status Action
164.124.101.2 Active Moloch
188.34.200.103 Active Moloch
74.114.154.22 Active Moloch
Name Response Post-Analysis Lookup
eduarroma.tumblr.com 74.114.154.18
GET 200 https://eduarroma.tumblr.com/
REQUEST
RESPONSE
POST 200 http://188.34.200.103/948
REQUEST
RESPONSE
GET 200 http://188.34.200.103/freebl3.dll
REQUEST
RESPONSE
GET 200 http://188.34.200.103/mozglue.dll
REQUEST
RESPONSE
GET 200 http://188.34.200.103/msvcp140.dll
REQUEST
RESPONSE
GET 200 http://188.34.200.103/nss3.dll
REQUEST
RESPONSE
GET 200 http://188.34.200.103/softokn3.dll
REQUEST
RESPONSE
GET 200 http://188.34.200.103/vcruntime140.dll
REQUEST
RESPONSE
POST 200 http://188.34.200.103/
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49166 -> 74.114.154.22:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 188.34.200.103:80 -> 192.168.56.102:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2025431 ET MALWARE Vidar/Arkei Stealer Client Data Upload A Network Trojan was detected
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2029236 ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 188.34.200.103:80 2029846 ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) A Network Trojan was detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49166
74.114.154.22:443
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=*.tumblr.com 14:78:ba:5b:b5:54:5d:a1:2c:d2:79:4c:42:99:bb:3a:a9:db:86:c2

Snort Alerts

No Snort Alerts