NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.03 05:10
cliloc_fix.exe
10.02 02:10
66fbfccd837ac_vadggdsa...
10.02 02:10
66fc5c187ba75_lyla343.exe
10.02 02:10
66fbfcc301a31_swws.exe
10.02 02:10
66fbd9a4db4c9_Governme...
10.02 02:10
66fb2538369cb_EdgeUpda...
10.02 02:10
cc.js
10.02 02:10
kixx.js
10.02 02:10
66f55533ca7d6_RDPWInst...
10.02 02:10
SPOOF.exe

Latest News
10.03 11:10
LevelBlue: Driving Cyb...
10.03 11:10
Polaris Dawn, and the ...
10.03 11:10
Not Black Mirror: Meta...
10.03 11:10
Browser Guard now flag...
10.03 11:10
NYC Schools Reverse Co...
10.03 11:10
North Korean Hackers U...
10.03 11:10
Why Fuzzing Isn?t Enou...
10.03 10:10
Browser Guard now flag...
10.03 10:10
Zimbra SMTP vulnerabil...
10.03 10:10
Not Black Mirror: Meta...

NetWork | ZeroBOX

IP Address	Status	Action
125.253.92.50	Active	Moloch
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
62.204.41.23	Active	Moloch

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	142.202.242.45
maper.info	A 148.251.234.93	148.251.234.93

TCP Requests

UDP Requests

GET 200 http://62.204.41.23/o.png

GET 200 http://62.204.41.23/file.png

GET 200 http://62.204.41.23/r.png

GET 200 http://62.204.41.23/OneDrive.png

GET 200 http://62.204.41.23/dllhost.png

GET 200 http://62.204.41.23/lsass.png

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 62.204.41.23:80 -> 192.168.56.101:49168	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2014819	ET INFO Packed Executable Download	Misc activity
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 62.204.41.23:80 -> 192.168.56.101:49169	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 62.204.41.23:80 -> 192.168.56.101:49168	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity
TCP 62.204.41.23:80 -> 192.168.56.101:49168	2020482	ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps	A Network Trojan was detected
TCP 62.204.41.23:80 -> 192.168.56.101:49170	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49173 -> 125.253.92.50:80	2024792	ET POLICY Cryptocurrency Miner Checkin	Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49179 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49180 -> 148.251.234.93:443	2026897	ET POLICY IP Logger Redirect Domain in SNI	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts