NetWork | ZeroBOX

IP Address	Status	Action
107.180.41.49	Active	Moloch
154.208.173.129	Active	Moloch
164.124.101.2	Active	Moloch
184.168.96.211	Active	Moloch
192.0.78.24	Active	Moloch
198.54.117.210	Active	Moloch
198.54.117.244	Active	Moloch
213.186.33.5	Active	Moloch
34.102.136.180	Active	Moloch
34.80.190.141	Active	Moloch
66.45.250.214	Active	Moloch

Name	Response	Post-Analysis Lookup
www.agircredit.com	A 66.45.250.214	66.45.250.214
www.grippyent.com	CNAME grippyent.com A 34.102.136.180	34.102.136.180
www.runawaypklyau.xyz	A 198.54.117.218 A 198.54.117.216 A 198.54.117.217 CNAME parkingpage.namecheap.com A 198.54.117.215 A 198.54.117.212 A 198.54.117.210 A 198.54.117.211	198.54.117.215
www.wuruixin.com	A 154.208.173.129	154.208.173.129
www.thesharingcorporation.com
www.cheryltesting.com
www.art-for-a-cause.com	A 192.0.78.25 CNAME art-for-a-cause.com A 192.0.78.24	192.0.78.24
www.classificationmetallurgie.com	A 213.186.33.5	213.186.33.5
www.fbiicrc.com
www.customsoftwarelogistics.com	A 107.180.41.49 CNAME customsoftwarelogistics.com	107.180.41.49
www.aragon.store
www.byrdemailplans.xyz	A 198.54.117.244	198.54.117.244
www.limitlesschurchbf.com	CNAME www112.wixdns.net A 34.80.190.141 CNAME td-balancer-ae1-190-141.wixdns.net CNAME 47363d5c-balancer.wixdns.net CNAME balancer.wixdns.net	34.80.190.141
www.the22yards.club	A 184.168.96.211 CNAME the22yards.club	184.168.96.211
www.aromaessentialco.com

TCP Requests

UDP Requests

POST 302 http://www.agircredit.com/m5cw/

GET 302 http://www.agircredit.com/m5cw/?DhA83=pyQ/3Qovfc/RPZMCxW1OunUS9o/5gtBsSz/IO5NXG9CNMrfiYkJ8HHxCBG/KRbNCHZObSuIw&EzuxZr=3fX4qpLxsHG

POST 0 http://www.limitlesschurchbf.com/m5cw/

GET 404 http://www.limitlesschurchbf.com/m5cw/?DhA83=FJ7qf+03OJ299TaeGYRCEgZhI0FCy0KPlWjCSoUTV71bkUOf+2adFNNc+T1Jy75KmXZNbCqV&EzuxZr=3fX4qpLxsHG

POST 301 http://www.art-for-a-cause.com/m5cw/

GET 301 http://www.art-for-a-cause.com/m5cw/?DhA83=J8VJ8UCC0khwQJPb8jXSgpuDN+WtvXxDYaYel8rzuxdPQ32TBsL8hQV0C7xWeQV4TeCDFs/g&EzuxZr=3fX4qpLxsHG

POST 302 http://www.classificationmetallurgie.com/m5cw/

GET 302 http://www.classificationmetallurgie.com/m5cw/?DhA83=/JTTvVUTsa8Y0xLO6KtGC+8GgnhRVvgk70AJBJ4TlCs6p2eL5EP4A9DynmjO2wjoVGTCezE4&EzuxZr=3fX4qpLxsHG

POST 405 http://www.grippyent.com/m5cw/

GET 403 http://www.grippyent.com/m5cw/?DhA83=i4icWyR5Y9i2t0xbz2p0H2L6OJRLVM0eNrDAHmVfjhFHrzfGIW3vf7ZP4pCLEbHBwypZOUqc&EzuxZr=3fX4qpLxsHG

POST 0 http://www.byrdemailplans.xyz/m5cw/

GET 0 http://www.byrdemailplans.xyz/m5cw/?DhA83=c7feWHcm0LII4MK/sCK1JbYS7bcjHAYM2455Rh7sTmKPwd3owB2HX887+DCt26EIPFNWBKVP&EzuxZr=3fX4qpLxsHG

POST 404 http://www.customsoftwarelogistics.com/m5cw/

GET 404 http://www.customsoftwarelogistics.com/m5cw/?DhA83=+S8mLshjf5hvUDGw0RmMlmkW9vRy5Hz2J+O5LZqlmuEIOFnlku0LQHz9Sw/RJOPoOd8q5Iza&EzuxZr=3fX4qpLxsHG

POST 405 http://www.runawaypklyau.xyz/m5cw/

GET 0 http://www.runawaypklyau.xyz/m5cw/?DhA83=5Bv/JLUtJrKO/9gZnmFexZq+Xed7eHY5Ibz4cfGRYXJLjLoDi3CrUEok8Uzan4zmfs4GZz2f&EzuxZr=3fX4qpLxsHG

POST 0 http://www.wuruixin.com/m5cw/

GET 0 http://www.wuruixin.com/m5cw/?DhA83=0EeHxnJ+lNU4xFJNfOARrzBQsLlykirUfGVKXlUPhiG1Vhwkxb1PbSgC0MAJvHsVsTmDYrcN&EzuxZr=3fX4qpLxsHG

POST 404 http://www.the22yards.club/m5cw/

GET 404 http://www.the22yards.club/m5cw/?DhA83=emMSuu7GUcaDa4Oo/eoU+baJRAHOsrVhqwxc30o52Oy/Uh4TjPMUhzrdSct0qi37V/+TpRYI&EzuxZr=3fX4qpLxsHG

ICMP traffic

Source	Destination	ICMP Type	Data
192.168.56.101	164.124.101.2	3

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49216 -> 107.180.41.49:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 107.180.41.49:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 107.180.41.49:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.80.190.141:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.80.190.141:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 34.80.190.141:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 184.168.96.211:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 184.168.96.211:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49222 -> 184.168.96.211:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 192.0.78.24:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 192.0.78.24:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 192.0.78.24:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 213.186.33.5:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 213.186.33.5:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 213.186.33.5:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.244:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.244:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.244:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 198.54.117.244:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49218 -> 198.54.117.210:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 198.54.117.210:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 198.54.117.210:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 154.208.173.129:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 154.208.173.129:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 154.208.173.129:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 198.54.117.210:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 66.45.250.214:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 66.45.250.214:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49204 -> 66.45.250.214:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts