NetWork | ZeroBOX

IP Address	Status	Action
162.241.217.45	Active	Moloch
164.124.101.2	Active	Moloch
172.67.174.131	Active	Moloch
195.24.68.5	Active	Moloch
3.14.161.55	Active	Moloch
34.117.168.233	Active	Moloch
43.250.124.88	Active	Moloch
45.33.6.223	Active	Moloch

Name	Response	Post-Analysis Lookup
www.makulatura-sbor.site
www.aviator238.cyou	A 104.21.40.19 A 172.67.174.131	172.67.174.131
www.tonica.life	A 3.19.131.128 A 3.14.161.55	3.19.131.128
www.tiflovector.ru	A 195.24.68.5	195.24.68.5
www.ghyvmze5s.com	A 43.250.124.88	43.250.124.88
www.elaynegullis.com	CNAME gcdn0.wixdns.net A 34.117.168.233 CNAME td-ccm-168-233.wixdns.net	34.117.168.233
www.glenwoodstudiocrafts.com	A 162.241.217.45 CNAME glenwoodstudiocrafts.com	162.241.217.45
www.sqlite.org	A 45.33.6.223	45.33.6.223

TCP Requests

UDP Requests

GET 301 http://www.elaynegullis.com/pz6u/?gfuoJ=RLN7TRGvjwHq7PUV878gaeLXTOoLSh2gVAY4HztmGBYlfrA0o1jLcKhByS7l3UvVa8DWXe8maGDlvA7o1isB3qskVRFdaINY+8OOoek=&Ib=JpVVn8kuJmjvnz

GET 200 http://www.sqlite.org/2016/sqlite-dll-win32-x86-3100000.zip

POST 404 http://www.tonica.life/pz6u/

GET 404 http://www.tonica.life/pz6u/?gfuoJ=H3cqQrnleOtYl7hnGPubiIS0labqzqigzX8IXx/talSmztzMUlwIfpk89Fh5WaVP3Lmv67mvQzkZfbTpOci4WeTcTAhchhNQbkNGdls=&Ib=JpVVn8kuJmjvnz

POST 404 http://www.aviator238.cyou/pz6u/

GET 404 http://www.aviator238.cyou/pz6u/?gfuoJ=UyrgSxFtu3lXz+BcpDcql/UhilAww6e/QPXCtiRRfbVUoJ6/YhP9B1EmFWXTHuUT6TvndHSDvnTdkZIXPbpDZFJbIQW9nmMntHv5nFk=&Ib=JpVVn8kuJmjvnz

POST 404 http://www.tiflovector.ru/pz6u/

GET 404 http://www.tiflovector.ru/pz6u/?gfuoJ=0G6+4PQ3ff1VVX3bDlZY7prfmcsmSisC64ofEkjldKjfJt8rvq/jB6ECdFdI4gZQYQqDLzr6mpjEiqs3GX+9BiMAwHwt4KekEuDtmGU=&Ib=JpVVn8kuJmjvnz

POST 200 http://www.ghyvmze5s.com/pz6u/

GET 200 http://www.ghyvmze5s.com/pz6u/?gfuoJ=uytR2Tiz1twpM2dhblQC1B7BthyLXXG5FY7Kn1WRtAiI0duJ2fbunveoTy7fDIn07wry7tOJS3Y6hqcaHiueaqrp/c4n5kqaEVxvo8M=&Ib=JpVVn8kuJmjvnz

POST 404 http://www.glenwoodstudiocrafts.com/pz6u/

GET 301 http://www.glenwoodstudiocrafts.com/pz6u/?gfuoJ=AdMEqTYsvTG/AjKkKRLLui12hmt7noCWJPmXTDPlMsv+HXciE9QtIkdJXTqGLnrKTXLO19vQM3NQPwEWsx9FOo1L3PbWSzYh6xsrb6I=&Ib=JpVVn8kuJmjvnz

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49173 -> 3.14.161.55:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 3.14.161.55:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 3.14.161.55:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2027867	ET INFO Observed DNS Query to .life TLD	Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 162.241.217.45:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 43.250.124.88:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 162.241.217.45:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 43.250.124.88:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 162.241.217.45:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 43.250.124.88:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 3.14.161.55:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 3.14.161.55:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 3.14.161.55:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 3.14.161.55:80	2027876	ET INFO HTTP Request to Suspicious *.life Domain	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 195.24.68.5:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 195.24.68.5:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 195.24.68.5:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.117.168.233:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.117.168.233:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 34.117.168.233:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 172.67.174.131:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 172.67.174.131:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 172.67.174.131:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts