NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

NetWork | ZeroBOX

IP Address	Status	Action
13.107.42.12	Active	Moloch
13.107.42.13	Active	Moloch
156.233.233.109	Active	Moloch
164.124.101.2	Active	Moloch
172.104.184.240	Active	Moloch
204.11.56.48	Active	Moloch
34.102.136.180	Active	Moloch

Name	Response	Post-Analysis Lookup
www.royallecleaning.com	A 34.102.136.180 CNAME royallecleaning.com	34.102.136.180
www.syktxny.com	A 156.233.233.109	156.233.233.109
3jaqfq.am.files.1drv.com	A 13.107.42.12 CNAME odc-am-files-geo.onedrive.akadns.net CNAME am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net CNAME odc-am-files-brs.onedrive.akadns.net CNAME am-files.fe.1drv.com CNAME l-0003.l-msedge.net	13.107.42.12
onedrive.live.com	CNAME odc-web-geo.onedrive.akadns.net CNAME l-0004.l-msedge.net A 13.107.42.13 CNAME odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net CNAME odc-web-brs.onedrive.akadns.net	13.107.42.13
www.tamzeedhossain.xyz	CNAME tamzeedhossain.xyz A 172.104.184.240	172.104.184.240
www.riverdenim.com	A 204.11.56.48	204.11.56.48

TCP Requests

UDP Requests

GET 302 https://onedrive.live.com/download?cid=E9FFBDDD0AB75605&resid=E9FFBDDD0AB75605%21109&authkey=ABYj71iorCY38jA

GET 200 https://3jaqfq.am.files.1drv.com/y4m9NcDd_ZUc-GHIuKUJyY5hL6x3aLUxl-YC6RJP1LELDrHXkb4STEbYPsABvitxp7nPbLk9le36HVSTTDIiO0Trb7b1V7RTuFcf2-bU-I2nFaemAFuadfU0NoWSqbpkPK8rRQZjfl6YHBLX5qU-9GOQ9k4bjaSe72pWfC52uClmJHPOlKOOP_TcruMbLJ-CEdQ_EEBWOneCB3_bqGPDui2pw/Ajihoeuvpfseywgzvkdmaxhisrgsstr?download&psid=1

GET 302 https://onedrive.live.com/download?cid=E9FFBDDD0AB75605&resid=E9FFBDDD0AB75605%21109&authkey=ABYj71iorCY38jA

GET 200 https://3jaqfq.am.files.1drv.com/y4mDJ-FDsSGp1PeATbALhO1LMI7cTJ9FePRrkNEtWG3rHFjt_i4rSUCWbQOGLNAmBI8N37baAfkTDo1nGhbOSuT7MK0ywZgPNGT33Noc102eAtOnfb-1XQGdUtGu9u38cLgAYzEvGmRo6bJ_gbtHFbm5E4_W8w2XTJKegmp-GqeyNrZsM69-AooFcQoTiVbnroYqmVVen8sASYkwAwmXz-dFA/Ajihoeuvpfseywgzvkdmaxhisrgsstr?download&psid=1

GET 301 http://www.tamzeedhossain.xyz/og2w/?HzrLR=2n8A1PfAVAzhZ3Hc4aY9dwANXyB5d3RIGzd/lG0EaSO3J5o8WGm6pS7XNEVcLC/w0j6f90Gx&Qh-Ha=tBwxNhWXOzSD&sql=1

POST 404 http://www.tamzeedhossain.xyz/og2w/

POST 404 http://www.tamzeedhossain.xyz/og2w/

GET 200 http://www.riverdenim.com/og2w/?HzrLR=8Qx1tP3sSR3Pi0BPI5Y3Wscd1rolyxc4xXpahl252jPQw5aPvU+EM4W1Ph9GZj366CKy6bjY&Qh-Ha=tBwxNhWXOzSD&sql=1

GET 403 http://www.royallecleaning.com/og2w/?HzrLR=RMYdZkGlKd9/cr2q5T7ZE6ssqe4CFpRGJ/mMAD2/ND62kBwptZEMascQDDeN8P25ASvuBy5k&Qh-Ha=tBwxNhWXOzSD&sql=1

POST 405 http://www.royallecleaning.com/og2w/

POST 405 http://www.royallecleaning.com/og2w/

GET 404 http://www.syktxny.com/og2w/?HzrLR=8nCUkDMhhpUJRG43K21tXcgfonDfOShSkumyTfFE8rS8vc8c9x3KWZtckQdcrOjDdiF8eozj&Qh-Ha=tBwxNhWXOzSD&sql=1

POST 0 http://www.syktxny.com/og2w/

POST 0 http://www.syktxny.com/og2w/

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 13.107.42.13:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 172.104.184.240:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 172.104.184.240:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 172.104.184.240:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 172.104.184.240:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 172.104.184.240:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 156.233.233.109:80 -> 192.168.56.103:49199	2400015	ET DROP Spamhaus DROP Listed Traffic Inbound group 16	Misc Attack
TCP 192.168.56.103:49195 -> 34.102.136.180:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 204.11.56.48:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 204.11.56.48:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 204.11.56.48:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49197 -> 156.233.233.109:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49197 -> 156.233.233.109:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49197 -> 156.233.233.109:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 13.107.42.13:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	CN=onedrive.com	50:2f:33:10:92:ac:27:7b:17:be:82:68:3b:e2:29:ad:97:41:b7:bb
TLSv1 192.168.56.103:49170 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e
TLSv1 192.168.56.103:49169 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e

Snort Alerts

No Snort Alerts