NetWork | ZeroBOX

Network Analysis

IP Address     | Status | Action
107.161.23.204 | Active | Moloch
164.124.101.2  | Active | Moloch
183.181.96.104 | Active | Moloch
198.54.117.216 | Active | Moloch
23.227.38.74   | Active | Moloch
45.9.150.53    | Active | Moloch
66.96.147.110  | Active | Moloch
HTTP requests (status 0 = no response received)

Method | Status | URL
POST   | 0      | http://www.youindependents.com/uytf/
GET    | 403    | http://www.youindependents.com/uytf/?LL3H=4gZWzCQSNvCFSIX3TCCSfGm4hewDNvk12RipHGWXMSt+k5Ek0hYYSU60Wgc01G0sa8dDiUBL&3fvpY=onotn4QHU8
POST   | 301    | http://www.moominmamalog.com/uytf/
GET    | 301    | http://www.moominmamalog.com/uytf/?LL3H=+SXs8d8PCWpYPTnDVnZ/rgUKiTpVQkZB43ovMboZe3wDdVfqHIRD2/RAaM1Yya+hF5S1tbmm&3fvpY=onotn4QHU8
POST   | 301    | http://www.preabsorb.xyz/uytf/
GET    | 301    | http://www.preabsorb.xyz/uytf/?LL3H=CyDmf8a9zRXI4uBUvqxKQxvXhva8IgKdUlf+6WmjHzh+sBX15F96MmphRgtIZq/wHj7icpHu&3fvpY=onotn4QHU8
POST   | 405    | http://www.yummyblockparty.com/uytf/
GET    | 0      | http://www.yummyblockparty.com/uytf/?LL3H=Z6tv0ZGp/7zpv8d2AUDeWgq8Hn78EURDlDcUQLbVJsQHU3RLSW2bB+eNIX+jIo6dzoZNYD4H&3fvpY=onotn4QHU8
POST   | 404    | http://www.livelife2dance.com/uytf/
GET    | 404    | http://www.livelife2dance.com/uytf/?LL3H=nWL7RNRHo/j80Lyt8UCHvbmKutdOKMlY9DMwTI9xJDmXbwKLPxqDlOH3RKGU0NxiguVaTKHR&3fvpY=onotn4QHU8
POST   | 403    | http://www.covidforensicaudit.com/uytf/
GET    | 302    | http://www.covidforensicaudit.com/uytf/?LL3H=/rf0mdjpoCRSpbcjOwHohbQL8pUiPYUuOprwQmUoatrP8p5Qu+dlnIThVC+pCpea36CLWQbo&3fvpY=onotn4QHU8


ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow                                        | SID     | Signature                                                               | Category
TCP 192.168.56.101:49208 -> 23.227.38.74:80   | 2031412 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 23.227.38.74:80   | 2031449 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
UDP 192.168.56.101:56887 -> 164.124.101.2:53  | 2029709 | ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1    | Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 23.227.38.74:80   | 2031453 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 45.9.150.53:80 -> 192.168.56.101:49211    | 2400001 | ET DROP Spamhaus DROP Listed Traffic Inbound group 2                    | Misc Attack
TCP 192.168.56.101:49218 -> 107.161.23.204:80 | 2029711 | ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1      | Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 107.161.23.204:80 | 2029711 | ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1      | Potentially Bad Traffic
TCP 192.168.56.101:49217 -> 107.161.23.204:80 | 2029713 | ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M1     | Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 183.181.96.104:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 183.181.96.104:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 183.181.96.104:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.216:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.216:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.216:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 45.9.150.53:80    | 2031412 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 45.9.150.53:80    | 2031449 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 45.9.150.53:80    | 2031453 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 45.9.150.53:80    | 2031088 | ET HUNTING Request to .XYZ Domain with Minimal Headers                  | Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 107.161.23.204:80 | 2031412 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 107.161.23.204:80 | 2031449 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 107.161.23.204:80 | 2031453 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 66.96.147.110:80  | 2031412 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 107.161.23.204:80 | 2029711 | ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1      | Potentially Bad Traffic
TCP 192.168.56.101:49216 -> 66.96.147.110:80  | 2031449 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 66.96.147.110:80  | 2031453 | ET MALWARE FormBook CnC Checkin (GET)                                   | Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS events.

Snort Alerts

No Snort alerts.