NetWork | ZeroBOX

IP Address	Status	Action
13.250.255.10	Active	Moloch
154.216.110.149	Active	Moloch
162.159.130.233	Active	Moloch
164.124.101.2	Active	Moloch
172.104.94.112	Active	Moloch
172.67.162.204	Active	Moloch
18.181.31.166	Active	Moloch
198.54.117.217	Active	Moloch
216.58.220.115	Active	Moloch
23.105.244.169	Active	Moloch
34.102.136.180	Active	Moloch
74.208.236.170	Active	Moloch

Name	Response	Post-Analysis Lookup
www.thepropertygoat.com	A 34.102.136.180 CNAME thepropertygoat.com	34.102.136.180
www.sjmdesignstudio.com
www.asistente-ti.com	A 34.102.136.180 CNAME asistente-ti.com	34.102.136.180
www.rd26x.com	A 172.104.94.112 CNAME rd26x.com	172.104.94.112
www.xn--l6qw76agwi5rjeuzk9q.com
www.aliexpress-br.com
www.divinevoid.com	CNAME www.divinevoid.com.s.strikinglydns.com A 18.181.31.166 A 54.248.227.74	18.176.133.53
www.fightfigures.com	A 74.208.236.170	74.208.236.170
www.dogiadunggiare.online	CNAME dns.ladipage.com CNAME ladi-dns-ssl-nlb-prod-4-5fac4e17b8b8295e.elb.ap-southeast-1.amazonaws.com A 13.250.255.10 A 13.250.192.238	13.250.255.10
www.girlspiter.club	A 23.105.244.169	23.105.244.169
www.mabnapakhsh.com	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.217
www.ikkbs-a02.com	A 172.67.162.204 A 104.21.90.239	172.67.162.204
www.abbastanza.info	CNAME www.abbastanza.info.ghs.googlehosted.com CNAME ghs.googlehosted.com A 216.58.220.115	216.58.220.115
www.paomovar.com	CNAME paomovar.com A 34.102.136.180	34.102.136.180
www.cyebang.com	A 154.216.110.149	154.216.110.149
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

TCP Requests

UDP Requests

GET 200 https://cdn.discordapp.com/attachments/893177342426509335/898388092430483526/7A426138.jpg

GET 200 https://cdn.discordapp.com/attachments/893177342426509335/898388093822984232/13289851.jpg

POST 200 http://www.cyebang.com/mexq/

GET 200 http://www.cyebang.com/mexq/?lxldV=g6L0/Z2cdy+PQR0/l6rXBhzWGtzMcF3Ol137FLHMI1/7C2CX6Ije7QQ81WlooZwAwjE41ZtU&Tj8=YBZL

POST 405 http://www.asistente-ti.com/mexq/

GET 403 http://www.asistente-ti.com/mexq/?lxldV=FXytxKb7hlS0NB95F4E2l5t7HPJ3Y/hCXozEuR5SBn2hmfCvUpXKCkvUGJqgiwTgq5SCS4oc&Tj8=YBZL

POST 0 http://www.rd26x.com/mexq/

GET 301 http://www.rd26x.com/mexq/?lxldV=NkB1NXPBFDbDKRQZsa3bgqux4BDsfoNouiBmY062wfTHfxIwCLTnegL+vUKelNVaBIOAn2Cu&Tj8=YBZL

POST 301 http://www.divinevoid.com/mexq/

GET 0 http://www.divinevoid.com/mexq/?lxldV=KqxNkYKwhK8QCGnTjvaSVFverL9tDCQk0D0fcPjoodLCHWHMSCJf+11BJWe1YSP1vIOC7L4x&Tj8=YBZL

POST 405 http://www.mabnapakhsh.com/mexq/

GET 0 http://www.mabnapakhsh.com/mexq/?lxldV=OU1GtVXDbsnAoZAJ+r3UhPtpR181l/ARJ5oFEWbh76Mk/J1Ds5ZKsjMHrQjA03ZUl7BK7iZc&Tj8=YBZL

POST 405 http://www.thepropertygoat.com/mexq/

GET 403 http://www.thepropertygoat.com/mexq/?lxldV=a7LEMNgPF40tNRiX8Nab284n24B1ISiHmaUOi826CaNlLuQPC7P9Z06/J0q5w54UkOOw30O0&Tj8=YBZL

POST 404 http://www.girlspiter.club/mexq/

GET 404 http://www.girlspiter.club/mexq/?lxldV=fzhR5iDoK/FMbNanNPgySKtGhsLhyiuSpsOSscLZe2SSRgDl3GCmdM/c8tfRmghpgq4HDdiJ&Tj8=YBZL

POST 405 http://www.paomovar.com/mexq/

GET 403 http://www.paomovar.com/mexq/?lxldV=keGnqMLdj851sJRi2j39jp79R3melR4wNuD9uq7cFAzjBnJQcKEU6p8BE35gFM0DNsm1xZQ1&Tj8=YBZL

POST 405 http://www.abbastanza.info/mexq/

GET 0 http://www.abbastanza.info/mexq/?lxldV=HxheXHNeZnuh7hWJGhsr6d5umAb+gTBnlbDLBsLWbPaXIzw9yocRim9m9M79jCReeU6Lm+iq&Tj8=YBZL

POST 0 http://www.ikkbs-a02.com/mexq/

GET 301 http://www.ikkbs-a02.com/mexq/?lxldV=VV5AgV3GCIayE1q/uEC3YKUlRjxT/D9Wjoi84UeRM+gohUBTid2T1AFz2q8EbYiQSNLVot46&Tj8=YBZL

POST 0 http://www.fightfigures.com/mexq/

GET 404 http://www.fightfigures.com/mexq/?lxldV=nF8Mi7Lo4h+4yZVT5Ia3Bbev17k0Adz6GOgv+uMYTn1aoIKK7kPNVt7dZ/cJJMW4PgTrtPs8&Tj8=YBZL

POST 301 http://www.dogiadunggiare.online/mexq/

GET 301 http://www.dogiadunggiare.online/mexq/?lxldV=aMphtwNDzsdiE6X2ifxu9cLfxHarG5ZcKcAFFOnAQEmMg5UnruKiUh8bnA8dfmdKNc1n63nj&Tj8=YBZL

ICMP traffic

Source	Destination	ICMP Type
192.168.56.101	164.124.101.2	3
192.168.56.101	164.124.101.2	3
192.168.56.101	164.124.101.2	3
192.168.56.101	164.124.101.2	3
192.168.56.101	164.124.101.2	3
192.168.56.101	164.124.101.2	3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49199 -> 162.159.130.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49208 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 216.58.220.115:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 216.58.220.115:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49224 -> 216.58.220.115:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 172.67.162.204:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 172.67.162.204:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 172.67.162.204:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49230 -> 13.250.255.10:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49230 -> 13.250.255.10:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49230 -> 13.250.255.10:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 154.216.110.149:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 154.216.110.149:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 154.216.110.149:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 23.105.244.169:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 23.105.244.169:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 23.105.244.169:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 74.208.236.170:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 74.208.236.170:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49228 -> 74.208.236.170:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 18.181.31.166:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 18.181.31.166:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 18.181.31.166:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.217:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.217:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.217:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 172.104.94.112:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 172.104.94.112:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 172.104.94.112:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49199 162.159.130.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Snort Alerts

No Snort Alerts