NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.233.20.22	Active	Moloch
193.233.20.25	Active	Moloch
193.56.146.11	Active	Moloch

Name	Response	Post-Analysis Lookup
hueref.eu	A 193.56.146.11	193.56.146.11

TCP Requests

UDP Requests

POST 200 http://193.233.20.25/buH5N004d/index.php

GET 404 http://193.233.20.22/male/serko4.exe

POST 200 http://193.233.20.25/buH5N004d/index.php

GET 404 http://193.233.20.22/ti/mohta5.exe

POST 200 http://193.233.20.25/buH5N004d/index.php

GET 404 http://193.233.20.25/buH5N004d/Plugins/cred64.dll

GET 200 http://193.233.20.25/buH5N004d/Plugins/clip64.dll

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49182 -> 193.233.20.22:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49182 -> 193.233.20.22:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49180 -> 193.233.20.25:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 193.233.20.25:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 193.233.20.25:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 193.233.20.25:80 -> 192.168.56.103:49183	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 193.233.20.25:80 -> 192.168.56.103:49183	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 193.233.20.25:80 -> 192.168.56.103:49183	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts