NetWork | ZeroBOX

IP Address	Status	Action
154.36.192.148	Active	Moloch
154.37.38.226	Active	Moloch
164.124.101.2	Active	Moloch
192.64.116.162	Active	Moloch
198.54.117.242	Active	Moloch
199.15.163.128	Active	Moloch
204.93.169.182	Active	Moloch
45.33.6.223	Active	Moloch
5.101.152.161	Active	Moloch
95.216.161.178	Active	Moloch

Name	Response	Post-Analysis Lookup
www.insightcherry.online
www.bleclear.xyz	A 192.64.116.162	192.64.116.162
www.fieldzerohealth.com	CNAME balancer-ccm.wixdns.net CNAME gcdn0.wixdns.net CNAME td-balancer-199-15-163-128.wixdns.net A 199.15.163.128	199.15.163.138
www.chiyiqian.net	A 154.36.192.148	154.36.192.148
www.kioro.net	CNAME kioro.net A 204.93.169.182	204.93.169.182
www.nnhuigou.com	A 154.37.38.226	154.37.38.226
www.iidethakur.xyz	CNAME iidethakur.xyz A 95.216.161.178	95.216.161.178
www.najdlegend1.com
www.botanica-online.ru	A 5.101.152.161	5.101.152.161
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.ectdamageoutlaytospe.xyz	A 198.54.117.242	198.54.117.242

TCP Requests

UDP Requests

GET 404 http://www.iidethakur.xyz/erh1/?em=RTH9mQA/n/TNXPfYm1IQ7kHa2Q5nsTC6kRfi+yFPN0Z6FU6dgArPOJWDHQBf5RE1GBDoONRo0qQWV1gcrPNWuxRml6P17NRo//cHjbw=&vxk=R4T_9gGjkVANzOLb

GET 200 http://www.sqlite.org/2021/sqlite-dll-win32-x86-3360000.zip

POST 403 http://www.ectdamageoutlaytospe.xyz/erh1/

GET 0 http://www.ectdamageoutlaytospe.xyz/erh1/?em=AHcw5OXb/Gm0OTCfDKZ3JK2DxYhw9RKBtUxAFBdta5MKTtGQWXSj63XVCvwVGfb92Yl3Ufjg0V67zzvooSJHcwgpn+BJcL90O6dhoL8=&vxk=R4T_9gGjkVANzOLb

POST 0 http://www.chiyiqian.net/erh1/

POST 200 http://www.chiyiqian.net/erh1/

GET 200 http://www.chiyiqian.net/erh1/?em=8yvHrbMZKMPX4G7f9erTK5Qf9jc5QJU63StCeoHWCyVfdjdYM9jxH3fQGE5Iu7GP0O1mEzOAIrrJFf6p4gJURBs6dEGFAV/evzhFOwU=&vxk=R4T_9gGjkVANzOLb

POST 404 http://www.botanica-online.ru/erh1/

GET 404 http://www.botanica-online.ru/erh1/?em=do8xsgN913Pnny2aQ+UK0nDZkGlYRkt5zPJAoWdaBDk5pObX0g+xLOXXB+ddgWePhlrLLqA2L4+lJsdSAyHVXgmknCRuXBaZ2Yv2Mew=&vxk=R4T_9gGjkVANzOLb

POST 404 http://www.bleclear.xyz/erh1/

GET 404 http://www.bleclear.xyz/erh1/?em=Z0WuN7dkRWVSR17LZJVNMUwcuzExK0sMDp8JW5x4tCvk4vgayadIan3yifpjez9lQ/1VNOuDl27ov1rCEZ0+qWmIWB6a3zv1qxdGx5k=&vxk=R4T_9gGjkVANzOLb

POST 403 http://www.fieldzerohealth.com/erh1/

GET 0 http://www.fieldzerohealth.com/erh1/?em=2fftqGAYz6+U6LebbRvkYVCnpFDwwjkXc5V+lmDsVDhPAKcfcJvMu1TqUMUx5Sl5ugQ4b/H1oW7OweiN6k/YFLbPvlSp+kJlDYXlmiM=&vxk=R4T_9gGjkVANzOLb

POST 403 http://www.nnhuigou.com/erh1/

GET 403 http://www.nnhuigou.com/erh1/?em=zgUlILOmccKllncYZi7rpx3Dy3rd1czJYU7gexZDdnilDjeuG+4Wva/CQyP1Xrup3QMjHCP+/VcwhY9vPmUWjWt3CJ1rvTCIIXYKhA4=&vxk=R4T_9gGjkVANzOLb

POST 0 http://www.kioro.net/erh1/

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49171 -> 154.36.192.148:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 192.64.116.162:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 198.54.117.242:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 5.101.152.161:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 204.93.169.182:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 199.15.163.128:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 154.37.38.226:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 5.101.152.161:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 5.101.152.161:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 5.101.152.161:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 154.37.38.226:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 154.37.38.226:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 154.37.38.226:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 95.216.161.178:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 95.216.161.178:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 95.216.161.178:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 95.216.161.178:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 154.36.192.148:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 154.36.192.148:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 154.36.192.148:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 198.54.117.242:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 198.54.117.242:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 198.54.117.242:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 198.54.117.242:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 192.64.116.162:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 192.64.116.162:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 192.64.116.162:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 192.64.116.162:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 199.15.163.128:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 199.15.163.128:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 199.15.163.128:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts