NetWork | ZeroBOX

Network Analysis

IP Address | Status | Action
162.55.188.246 | Active | Moloch
162.55.212.236 | Active | Moloch
45.159.189.105 | Active | Moloch
78.47.9.120 | Active | Moloch

Name | Response | Post-Analysis Lookup
No hosts contacted.
Method | Status | URL
POST | 200 | http://78.47.9.120/so57Nst/index.php?scr=1
POST | 200 | http://78.47.9.120/so57Nst/index.php
GET | 200 | http://162.55.212.236/unsecapp.exe
POST | 200 | http://78.47.9.120/so57Nst/index.php
GET | 200 | http://162.55.212.236/tcpupdate.exe
GET | 200 | http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
GET | 200 | http://45.159.189.105/bot/online?guid=TEST22-PC&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
POST | 200 | http://78.47.9.120/so57Nst/index.php
GET | 200 | http://45.159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34
GET | 200 | http://45.159.189.105/bot/online?guid=TEST22-PC&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.103:49175 -> 162.55.212.236:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 78.47.9.120:80 | 2027700 | ET MALWARE Amadey CnC Check-In | Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 78.47.9.120:80 | 2045751 | ET MALWARE Win32/Amadey Bot Activity (POST) M2 | A Network Trojan was detected
TCP 162.55.212.236:80 -> 192.168.56.103:49175 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 162.55.212.236:80 -> 192.168.56.103:49175 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 162.55.212.236:80 -> 192.168.56.103:49175 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 78.47.9.120:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49178 -> 162.55.212.236:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 162.55.212.236:80 -> 192.168.56.103:49178 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 162.55.212.236:80 -> 192.168.56.103:49178 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 162.55.212.236:80 -> 192.168.56.103:49178 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 78.47.9.120:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80 | 2039775 | ET MALWARE Laplas Clipper - Regex CnC Request | A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80 | 2039776 | ET MALWARE Laplas Clipper - SetOnline CnC Checkin | A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80 | 2039775 | ET MALWARE Laplas Clipper - Regex CnC Request | A Network Trojan was detected
TCP 192.168.56.103:49180 -> 45.159.189.105:80 | 2039776 | ET MALWARE Laplas Clipper - SetOnline CnC Checkin | A Network Trojan was detected
TCP 162.55.188.246:15647 -> 192.168.56.103:49184 | 2029217 | ET MALWARE Arechclient2 Backdoor CnC Init | Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 78.47.9.120:80 | 2044597 | ET MALWARE Amadey Bot Activity (POST) M1 | A Network Trojan was detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts