NetWork | ZeroBOX

IP Address	Status	Action
154.220.42.157	Active	Moloch
164.124.101.2	Active	Moloch
172.67.152.150	Active	Moloch
3.223.115.185	Active	Moloch
3.33.152.147	Active	Moloch
34.102.136.180	Active	Moloch
85.159.209.113	Active	Moloch

Name	Response	Post-Analysis Lookup
www.panchotrucking.com	CNAME panchotrucking.com A 34.102.136.180	34.102.136.180
www.868h.asia	CNAME 868h.asia A 34.102.136.180	34.102.136.180
www.howtofindbantingbalance.com	A 15.197.142.173 CNAME howtofindbantingbalance.com A 3.33.152.147	3.33.152.147
www.ardisadr.online
www.biggergrip.com	CNAME HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com A 3.223.115.185	3.223.115.185
www.trendingintown.com	A 172.67.152.150 A 104.21.1.238	172.67.152.150
www.ly3389.com
www.perdiemsuites.com	A 85.159.209.113	85.159.209.113
www.guidedwaveradar.com	A 154.220.42.157	154.220.42.157

TCP Requests

UDP Requests

GET 403 http://www.howtofindbantingbalance.com/k8u7/?Dxlpd=p6GTacn3/Q6AxTFZ/ZB3p/bKO+ZqPSIrBFIZ8yN7vuPf5MrEzId2b0EoxX15HGsoR8icZzBf&6l=lnPh

GET 301 http://www.trendingintown.com/k8u7/?Dxlpd=Vr0Rh7zQTLeNfw8adC2JQqvpc/3aYgxURDfGcR/suFLAtqxvODOkh6Reg2pL8lwE08YXA0fB&6l=lnPh

GET 403 http://www.868h.asia/k8u7/?Dxlpd=lb8rjfl52cmYdhThEvD9kZf/bwgiwD22iu0LVQMCIXW9ezzDd6Os1fkQVY7frnNdQjl/k1tK&6l=lnPh

GET 200 http://www.guidedwaveradar.com/k8u7/?Dxlpd=m7XsaC3LFTc3DL3UpfSM5HghLUgmteSwbdp7Mmqxe4n/PuqOauCFs0cjKfmd0+Mbiyfr5uj6&6l=lnPh

GET 302 http://www.biggergrip.com/k8u7/?Dxlpd=CLaWwSkYDzetNKQrRBb6EjbZGfXFJS47cJSoZ//uEPbcWJjLWFp5Gt+MBCj2yyU3ErK29nww&6l=lnPh

GET 403 http://www.panchotrucking.com/k8u7/?Dxlpd=3SRMCF84GJJBOvwcj5jDcB+vDYXsgp++ASGYiz6SnWPEoK0qreZ+nWrgbp8MRTTSPve+gvk+&6l=lnPh

GET 0 http://www.perdiemsuites.com/k8u7/?Dxlpd=2/fw7tjBwMqqEn8BZnZEoD2KmJEHmDK3XsQ17M4M4A3pTMb2Fza7gEsBV4rgW3i9DOkODtyc&6l=lnPh

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 3.33.152.147:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 3.33.152.147:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 3.33.152.147:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 34.102.136.180:80	2032986	ET INFO HTTP Request to a *.asia domain	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 34.102.136.180:80	2032986	ET INFO HTTP Request to a *.asia domain	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 85.159.209.113:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 85.159.209.113:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 85.159.209.113:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 172.67.152.150:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 172.67.152.150:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 172.67.152.150:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 154.220.42.157:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 154.220.42.157:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 154.220.42.157:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 3.223.115.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 3.223.115.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 3.223.115.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts