NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

NetWork | ZeroBOX

IP Address	Status	Action
103.155.80.150	Active	Moloch
164.124.101.2	Active	Moloch
164.132.216.38	Active	Moloch
52.138.218.121	Active	Moloch

Name	Response	Post-Analysis Lookup
checkvim.com	A 164.132.216.38	164.132.216.38
cml.lol	CNAME waws-prod-db3-107.vip.azurewebsites.windows.net A 52.138.218.121 CNAME camilyoshorturlwebapp.azurewebsites.net CNAME waws-prod-db3-107.cloudapp.net	52.138.218.121

TCP Requests

UDP Requests

OPTIONS 200 http://cml.lol/

HEAD 302 http://cml.lol/0a6wdc

HEAD 200 http://103.155.80.150/receipt/recp_21000989.wbk

OPTIONS 200 http://cml.lol/

GET 302 http://cml.lol/0a6wdc

GET 200 http://103.155.80.150/receipt/recp_21000989.wbk

HEAD 302 http://cml.lol/0a6wdc

HEAD 200 http://103.155.80.150/receipt/recp_21000989.wbk

GET 200 http://103.155.80.150/ssl/vbc.exe

POST 404 http://checkvim.com/fd4/fre.php

POST 404 http://checkvim.com/fd4/fre.php

POST 404 http://checkvim.com/fd4/fre.php

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 103.155.80.150:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 103.155.80.150:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 103.155.80.150:80 -> 192.168.56.103:49172	2026863	ET INFO Possible RTF File With Obfuscated Version Header	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts