NetWork | ZeroBOX

IP Address	Status	Action
104.76.78.101	Active	Moloch
116.202.6.47	Active	Moloch
149.154.167.99	Active	Moloch
162.0.217.254	Active	Moloch
164.124.101.2	Active	Moloch
211.119.84.112	Active	Moloch
211.59.14.90	Active	Moloch

Name	Response	Post-Analysis Lookup
zexeq.com	A 175.126.109.15 A 222.236.49.123 A 211.59.14.90 A 123.140.161.243 A 190.140.74.43 A 86.122.83.142 A 58.235.189.192 A 138.36.3.134 A 151.251.19.81 A 211.171.233.129	37.34.248.24
api.2ip.ua	A 162.0.217.254	162.0.217.254
t.me	A 149.154.167.99	149.154.167.99
uaery.top	A 210.182.29.70 A 176.226.127.181 A 187.245.185.123 A 211.171.233.126 A 211.59.14.90 A 190.229.19.7 A 186.182.55.44 A 58.235.189.192 A 211.119.84.112 A 211.171.233.129	210.182.29.70
steamcommunity.com	A 104.76.78.101	104.76.78.101

TCP Requests

UDP Requests

GET 200 https://steamcommunity.com/profiles/76561199471222742

GET 200 http://zexeq.com/test2/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true

GET 200 http://uaery.top/dl/build2.exe

GET 200 http://zexeq.com/files/1/build3.exe

GET 200 http://116.202.6.47/

GET 200 http://116.202.6.47/photos.zip

POST 200 http://116.202.6.47/

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49185 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 162.0.217.254:443 -> 192.168.56.103:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 116.202.6.47:80	2027262	ET INFO Dotted Quad Host ZIP Request	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2022896	ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 211.119.84.112:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 211.119.84.112:80 -> 192.168.56.103:49178	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 211.119.84.112:80 -> 192.168.56.103:49178	2023464	ET HUNTING Possible EXE Download From Suspicious TLD	Misc activity
TCP 211.119.84.112:80 -> 192.168.56.103:49178	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49177 -> 211.59.14.90:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 211.59.14.90:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 211.59.14.90:80 -> 192.168.56.103:49177	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected
TCP 149.154.167.99:443 -> 192.168.56.103:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 211.59.14.90:80	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 211.59.14.90:80	2036333	ET MALWARE Win32/Vodkagats Loader Requesting Payload	A Network Trojan was detected
TCP 211.59.14.90:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49183 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 162.0.217.254:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 104.76.78.101:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49174 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 162.0.217.254:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49189 104.76.78.101:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	b1:30:5e:4c:ee:14:70:87:a7:d7:1c:77:07:b5:3c:2c:99:13:aa:c5

Snort Alerts

No Snort Alerts