popup
NetWork | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Network Analysis

Download pcap
Hosts 3 DNS 1 TCP 4 UDP 10 HTTP(S) 4 ICMP 0 IRC 0 Suricata Snort
IP Address Status Action
103.155.80.150 Active Moloch
164.124.101.2 Active Moloch
164.132.216.38 Active Moloch
Name Response Post-Analysis Lookup
checkvim.com
A 164.132.216.38
164.132.216.38
GET 200 http://103.155.80.150/ssl/vbc.exe
REQUEST
RESPONSE
BODY 

            

        


    



        
            

    
        POST
        
        404
        http://checkvim.com/fd4/fre.php
        
    
    


        

            

                
 REQUEST

                

                    
                    
                

            

            

                
 RESPONSE

                

                    
                    
                

            

        


        

            

                 BODY
                
            

            

                

            

        


    



        
            

    
        POST
        
        404
        http://checkvim.com/fd4/fre.php
        
    
    


        

            

                
 REQUEST

                

                    
                    
                

            

            

                
 RESPONSE

                

                    
                    
                

            

        


        

            

                 BODY
                
            

            

                

            

        


    



        
            

    
        POST
        
        404
        http://checkvim.com/fd4/fre.php
        
    
    


        

            

                
 REQUEST

                

                    
                    
                

            

            

                
 RESPONSE

                

                    
                    
                

            

        


        

            

                 BODY
                
            

            

                

            

        


    



        
	




                            
ICMP traffic



No ICMP traffic performed.



                            
IRC traffic



No IRC requests performed.



                            
Suricata Alerts


    

        

            Flow
            SID
            Signature
            Category
        

        
        

            
                TCP
                192.168.56.101:49213 ->
                164.132.216.38:80
            
            2021641
            ET MALWARE LokiBot User-Agent (Charon/Inferno)
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49213 ->
                164.132.216.38:80
            
            2025381
            ET MALWARE LokiBot Checkin
            Malware Command and Control Activity Detected
        

        
        

            
                TCP
                192.168.56.101:49211 ->
                164.132.216.38:80
            
            2021641
            ET MALWARE LokiBot User-Agent (Charon/Inferno)
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49211 ->
                164.132.216.38:80
            
            2025381
            ET MALWARE LokiBot Checkin
            Malware Command and Control Activity Detected
        

        
        

            
                TCP
                192.168.56.101:49213 ->
                164.132.216.38:80
            
            2024313
            ET MALWARE LokiBot Request for C2 Commands Detected M1
            Malware Command and Control Activity Detected
        

        
        

            
                TCP
                192.168.56.101:49213 ->
                164.132.216.38:80
            
            2024318
            ET MALWARE LokiBot Request for C2 Commands Detected M2
            Malware Command and Control Activity Detected
        

        
        

            
                TCP
                192.168.56.101:49211 ->
                164.132.216.38:80
            
            2024312
            ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49211 ->
                164.132.216.38:80
            
            2024317
            ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49212 ->
                164.132.216.38:80
            
            2021641
            ET MALWARE LokiBot User-Agent (Charon/Inferno)
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49212 ->
                164.132.216.38:80
            
            2025381
            ET MALWARE LokiBot Checkin
            Malware Command and Control Activity Detected
        

        
        

            
                TCP
                192.168.56.101:49212 ->
                164.132.216.38:80
            
            2024312
            ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49212 ->
                164.132.216.38:80
            
            2024317
            ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49204 ->
                103.155.80.150:80
            
            2016141
            ET INFO Executable Download from dotted-quad Host
            A Network Trojan was detected
        

        
        

            
                TCP
                192.168.56.101:49204 ->
                103.155.80.150:80
            
            2019714
            ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
            Potentially Bad Traffic
        

        
        

            
                TCP
                103.155.80.150:80 ->
                192.168.56.101:49204
            
            2022050
            ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
            A Network Trojan was detected
        

        
        

            
                TCP
                103.155.80.150:80 ->
                192.168.56.101:49204
            
            2018959
            ET POLICY PE EXE or DLL Windows file download HTTP
            Potential Corporate Privacy Violation
        

        
        

            
                TCP
                103.155.80.150:80 ->
                192.168.56.101:49204
            
            2022051
            ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
            A Network Trojan was detected
        

        
        

            
                TCP
                103.155.80.150:80 ->
                192.168.56.101:49204
            
            2021076
            ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
            Potentially Bad Traffic
        

        
    




Suricata TLS


    
No Suricata TLS




                            
Snort Alerts


    
No Snort Alerts