NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.99.133.246	Active	Moloch
83.97.73.127	Active	Moloch
95.214.27.98	Active	Moloch

Name	Response	Post-Analysis Lookup
No hosts contacted.

TCP Requests

UDP Requests

POST 200 http://95.214.27.98/cronus/index.php

GET 200 http://95.214.27.98/lend/kds7uq5kknv.exe

POST 200 http://95.214.27.98/cronus/index.php

GET 304 http://95.214.27.98/lend/kds7uq5kknv.exe

POST 200 http://95.214.27.98/cronus/index.php

POST 200 http://185.99.133.246/c2sock

GET 404 http://95.214.27.98/cronus/Plugins/cred64.dll

GET 200 http://95.214.27.98/cronus/Plugins/clip64.dll

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043233	ET MALWARE RedLine Stealer TCP CnC net.tcp Init	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 83.97.73.127:19045 -> 192.168.56.102:49166	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49166 -> 83.97.73.127:19045	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2044695	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M1	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 95.214.27.98:80 -> 192.168.56.102:49184	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 95.214.27.98:80 -> 192.168.56.102:49184	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 95.214.27.98:80 -> 192.168.56.102:49184	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49190 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49189 -> 185.99.133.246:80	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 95.214.27.98:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.99.133.246:80 -> 192.168.56.102:49189	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49189	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49189	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49189	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49189	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49190	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49190	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49190	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49190	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49190	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49190	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.99.133.246:80 -> 192.168.56.102:49189	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts