NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

NetWork | ZeroBOX

IP Address	Status	Action
156.242.168.24	Active	Moloch
164.124.101.2	Active	Moloch
192.3.179.147	Active	Moloch
194.11.155.157	Active	Moloch
52.58.78.16	Active	Moloch

Name	Response	Post-Analysis Lookup
www.freshfruits.online	A 52.58.78.16	52.58.78.16
www.cycw168.com	A 156.242.168.24 A 172.241.79.24	156.242.168.24
www.mantlepies.co.uk	A 194.11.155.157 CNAME mantlepies.co.uk	194.11.155.157

TCP Requests

UDP Requests

GET 200 http://192.3.179.147/44/vbc.exe

GET 301 http://www.mantlepies.co.uk/ne28/?t8o8szU=qqm+J93IvUzIpsvlcDCofCpDZ1e3GW2Uvp+4wrKJhnvgzBwSBunnLsrelTMknHiM20FMLgvx&kPj0q=K4kP

GET 410 http://www.freshfruits.online/ne28/?t8o8szU=gE2koM16bc0rOnK/MBZG/f0y7whpdIhM0SAPAPR9GoMdZqV7E8zDPgnGgOZ4njeguJBhKBSc&kPj0q=K4kP

GET 200 http://www.cycw168.com/ne28/?t8o8szU=mbwBRbi33CvFXvMYDzrBdhYiJ+Au0rT1qBAIEGFmWlPdn+ZGXHbMqIWZLoU5E/0nyretKFgo&kPj0q=K4kP

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 192.3.179.147:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 192.3.179.147:80	2035207	ET MALWARE MSIL/GenKryptik.FQRH Download Request	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 192.3.179.147:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.3.179.147:80 -> 192.168.56.103:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.3.179.147:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.3.179.147:80 -> 192.168.56.103:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 192.3.179.147:80 -> 192.168.56.103:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 194.11.155.157:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 194.11.155.157:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 194.11.155.157:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 156.242.168.24:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 156.242.168.24:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 156.242.168.24:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 52.58.78.16:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 52.58.78.16:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 52.58.78.16:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts