NetWork | ZeroBOX

Network Analysis

IP Address | Status
164.124.101.2 | Active
179.52.22.168 | Active
211.119.84.112 | Active
77.123.139.190 | Active
88.99.75.82 | Active
HTTP requests

Method | Status | URL
GET | 200 | http://securebiz.org/fhsgtsspen6/get.php?pid=CD20CF071BA7C05D5F5E6CAF42496E78&first=true
GET | 200 | http://znpst.top/dl/build2.exe
GET | 200 | http://securebiz.org/files/1/build3.exe

ICMP traffic

Source | Destination | ICMP Type | Data
192.168.56.101 | 164.124.101.2 | 3 (Destination Unreachable) | (empty)

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow | SID | Signature | Category
TCP 77.123.139.190:443 -> 192.168.56.101:49205 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
UDP 192.168.56.101:61479 -> 164.124.101.2:53 | 2027026 | ET POLICY External IP Address Lookup DNS Query (2ip .ua) | Device Retrieving External IP Address Detected
TCP 192.168.56.101:49213 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 77.123.139.190:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49203 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 77.123.139.190:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49213 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 77.123.139.190:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49204 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic
TCP 77.123.139.190:443 -> 192.168.56.101:49215 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 88.99.75.82:443 -> 192.168.56.101:49229 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 77.123.139.190:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49218 -> 211.119.84.112:80 | 2002400 | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) | A Network Trojan was detected
TCP 192.168.56.101:49218 -> 211.119.84.112:80 | 2020826 | ET MALWARE Potential Dridex.Maldoc Minimal Executable Request | A Network Trojan was detected
TCP 192.168.56.101:49214 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 211.119.84.112:80 | 2022896 | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 | A Network Trojan was detected
TCP 192.168.56.101:49218 -> 211.119.84.112:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic
TCP 192.168.56.101:49219 -> 179.52.22.168:80 | 2002400 | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) | A Network Trojan was detected
TCP 192.168.56.101:49219 -> 179.52.22.168:80 | 2020826 | ET MALWARE Potential Dridex.Maldoc Minimal Executable Request | A Network Trojan was detected
TCP 211.119.84.112:80 -> 192.168.56.101:49218 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 211.119.84.112:80 -> 192.168.56.101:49218 | 2023464 | ET HUNTING Possible EXE Download From Suspicious TLD | Misc activity
TCP 179.52.22.168:80 -> 192.168.56.101:49219 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 192.168.56.101:49228 -> 88.99.75.82:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
UDP 192.168.56.101:55450 -> 8.8.8.8:53 | 2027757 | ET DNS Query for .to TLD | Potentially Bad Traffic
TCP 192.168.56.101:49225 -> 88.99.75.82:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49214 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49203 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
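The alert table above is long because the same rule fires repeatedly on the same flow; what an analyst actually wants from it is a per-host view (which external peers drew an external-IP-lookup alert, a malicious JA3 hit, or served a PE file). The script below is an added example and is not part of the ZeroBOX report or its tooling. ALERTS is a representative subset of the rows above, rewritten one per line in a "flow | SID | signature | category" form so they parse unambiguously; the SID-to-stage mapping in STAGES and the sandbox subnet prefix are this example's own assumptions, not anything the report states.

```python
"""Triage a Suricata alert table from a sandbox network report (added example)."""
import re
from collections import Counter, defaultdict

# Assumed analysis-VM subnet, taken from the report's source address.
SANDBOX_PREFIX = "192.168.56."

# Subset of the report's alert rows, one per line, constructed for this example.
ALERTS = """\
TCP 77.123.139.190:443 -> 192.168.56.101:49205 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
UDP 192.168.56.101:61479 -> 164.124.101.2:53 | 2027026 | ET POLICY External IP Address Lookup DNS Query (2ip .ua) | Device Retrieving External IP Address Detected
TCP 192.168.56.101:49213 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 77.123.139.190:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.101:49203 -> 77.123.139.190:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic
UDP 192.168.56.101:59369 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 211.119.84.112:80 | 2002400 | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) | A Network Trojan was detected
TCP 192.168.56.101:49218 -> 211.119.84.112:80 | 2020826 | ET MALWARE Potential Dridex.Maldoc Minimal Executable Request | A Network Trojan was detected
TCP 192.168.56.101:49219 -> 179.52.22.168:80 | 2020826 | ET MALWARE Potential Dridex.Maldoc Minimal Executable Request | A Network Trojan was detected
TCP 211.119.84.112:80 -> 192.168.56.101:49218 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 179.52.22.168:80 -> 192.168.56.101:49219 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 192.168.56.101:49228 -> 88.99.75.82:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 88.99.75.82:443 -> 192.168.56.101:49229 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic
"""

ROW = re.compile(r"^(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) \| (\d+) \| (.*?) \| (.*)$")

# Assumed grouping of the report's SIDs into triage stages (this example's choice).
STAGES = {
    "external_ip_lookup": {2027026, 2033214},
    "malicious_ja3": {906200056},
    "suspicious_tld_dns": {2023883, 2027757},
    "exe_request": {2020826, 2022896},
    "pe_download": {2018959, 2023464},
}


def parse_alerts(text):
    """Parse one alert per line into dicts; malformed lines are skipped rather than guessed at."""
    alerts = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport, sid, sig, cat = m.groups()
        alerts.append({"proto": proto, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport), "sid": int(sid),
                       "signature": sig, "category": cat})
    return alerts


def external_peer(alert):
    """Return the non-sandbox side of the flow, whichever direction the rule fired on."""
    return alert["dst"] if alert["src"].startswith(SANDBOX_PREFIX) else alert["src"]


def sids_by_peer(alerts):
    """Map each external host to the set of SIDs seen on flows with it."""
    peers = defaultdict(set)
    for a in alerts:
        peers[external_peer(a)].add(a["sid"])
    return dict(peers)


def stages_by_peer(alerts):
    """Map each external host to the triage stages (see STAGES) its SIDs fall into."""
    out = {}
    for peer, sids in sids_by_peer(alerts).items():
        hit = {name for name, rule_sids in STAGES.items() if sids & rule_sids}
        if hit:
            out[peer] = hit
    return out


def sid_counts(alerts):
    """Count rows per SID so repeated firings collapse to one line with a multiplier."""
    return Counter(a["sid"] for a in alerts)


def download_hosts(alerts):
    """External hosts that served a PE file (server-to-sandbox direction of a pe_download rule)."""
    return sorted({a["src"] for a in alerts
                   if a["sid"] in STAGES["pe_download"]
                   and not a["src"].startswith(SANDBOX_PREFIX)})


if __name__ == "__main__":
    parsed = parse_alerts(ALERTS)
    for peer, stages in sorted(stages_by_peer(parsed).items()):
        print(f"{peer:16} {', '.join(sorted(stages))}")
    print("PE served by:", download_hosts(parsed))
    for sid, n in sid_counts(parsed).most_common():
        print(f"SID {sid} x{n}")
```

Run against the full table, the per-peer view separates the three roles the raw list blurs together: 77.123.139.190 and 88.99.75.82 are the TLS peers that combine the external-IP-lookup SNI with the SSLBL JA3 hit, 164.124.101.2 and 8.8.8.8 are only the resolvers the queries went through, and 211.119.84.112 and 179.52.22.168 are the HTTP hosts that answered the minimal executable requests with PE downloads. Handshake-failure rows (SID 2029340) carry no stage on purpose; on their own they say nothing about intent.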

Suricata TLS

No Suricata TLS events recorded.

Snort Alerts

No Snort Alerts