NetWork | ZeroBOX

IP Address	Status	Action
109.106.251.102	Active	Moloch
120.48.139.92	Active	Moloch
154.55.172.139	Active	Moloch
164.124.101.2	Active	Moloch
217.26.48.101	Active	Moloch
34.120.55.112	Active	Moloch
38.239.160.233	Active	Moloch
43.154.196.178	Active	Moloch
45.33.6.223	Active	Moloch
89.31.143.1	Active	Moloch
91.106.207.17	Active	Moloch

Name	Response	Post-Analysis Lookup
www.tarolstroy.store	A 91.106.207.17	91.106.207.17
www.lancele.com	A 38.239.160.233	38.239.160.233
www.0096061.com	A 154.55.172.139	154.55.172.139
www.terrenoscampestres.com	CNAME terrenoscampestres.com A 109.106.251.102	109.106.251.102
www.14zhibo.work	A 43.154.196.178	43.154.196.178
www.ticimmo.com	A 217.26.48.101	217.26.48.101
www.qfx88.com	A 120.48.139.92 CNAME p117bf.dns39.top	120.48.139.92
www.solarwachstum.com	A 89.31.143.1	89.31.143.1
www.kp69f.top	A 34.120.55.112 A 34.149.198.43	34.149.198.43
www.sqlite.org	A 45.33.6.223	45.33.6.223

TCP Requests

UDP Requests

POST 405 http://www.solarwachstum.com/6huu/

GET 200 http://www.solarwachstum.com/6huu/?OqPR=w02mQAblJWbyIo6ozgnxrIUPRxqR4gn//aKR4b4C2qQSYqcw3Vi29oLFIvtOIeXnZF+XC4+RsLS3HuGm7zRt9dlAuIsc4gbzWXQ9ldM=&Yln=M4DXTK1SNj

GET 200 http://www.sqlite.org/2017/sqlite-dll-win32-x86-3200000.zip

POST 405 http://www.kp69f.top/6huu/

GET 200 http://www.kp69f.top/6huu/?OqPR=c/0CEmjcp1qhbjrBdr7qFpTEdTMNmdGL+2G3nk26J8C5sXkvdYxGabdoDx2ERzE1q79WMkYCDIvd6DDSGqF5RzVKrD1kqEcaGqxbLU4=&Yln=M4DXTK1SNj

POST 404 http://www.14zhibo.work/6huu/

GET 404 http://www.14zhibo.work/6huu/?OqPR=DY82kxx300f8Ik70WvLdREOGU4sx5WmLPZ3/q1TGOtAA9/Gzsd9nceuxwkKKmb1RPsemirf5O/kWho3f6FGpO5KONInBcJ6F+ssJurA=&Yln=M4DXTK1SNj

POST 404 http://www.tarolstroy.store/6huu/

GET 404 http://www.tarolstroy.store/6huu/?OqPR=En7LCrBqRDvhnDHpczrHWaIedYbeAgZr6OxVyCrdWihd6XEAizhpO0j/kkT3E0Ail4lmu+00ROJTwCbrXgrUq/0FdQ7yD2DHgTmcEH4=&Yln=M4DXTK1SNj

POST 0 http://www.lancele.com/6huu/

GET 404 http://www.lancele.com/6huu/?OqPR=lkPChsOgbmG6IllhHTLtf7ULj1acQ37do+96zoOFU1wEZ7Q3pDLdySJi8tX/LksgKKJ2zleSV8oD4OY5SI7MA2q2BuCSDDIq7z8yKSo=&Yln=M4DXTK1SNj

POST 200 http://www.qfx88.com/6huu/

GET 200 http://www.qfx88.com/6huu/?OqPR=ai4Hj7VNL/eal8v50vngd1esaVL80O28AVhmObBuZqCvkNevFGLtvLG4llGxYwRMqic01nY12J0ERo7jbuO1GzAlXIwPB2kWrkts/2A=&Yln=M4DXTK1SNj

POST 404 http://www.0096061.com/6huu/

GET 404 http://www.0096061.com/6huu/?OqPR=cmX/07TqI3ZVBqSk8R867+hdp8bVOoL06AzKIpvdRFeyAj6hvaaJUHhkQ/toAIcVWWdRQEgjpGpGrDxsMG4sQneWN+dP3qrEhepv/3Q=&Yln=M4DXTK1SNj

POST 404 http://www.terrenoscampestres.com/6huu/

GET 301 http://www.terrenoscampestres.com/6huu/?OqPR=vPEZFS80w83TR1ISai5AEG4cZjK/Z0sPVYJxvP0qkrafDKWjEP7E989Tf/65iA6Wv6B2G+FeAz/F94bTMl2+G2T5U6uSTMLdr8gHGso=&Yln=M4DXTK1SNj

POST 404 http://www.ticimmo.com/6huu/

GET 0 http://www.ticimmo.com/6huu/?OqPR=TigSyFlwP0RNpBbhC/rdMwC8b/Qg/Ivp2etxz330Y/wAN2mEJT4yMf4cHTRgrqo8FsDkyKZ/RDxnb9SkkKZ8CLMuGFsv81COs/EjZGo=&Yln=M4DXTK1SNj

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 43.154.196.178:80	2027877	ET INFO HTTP Request to Suspicious *.work Domain	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 43.154.196.178:80	2027877	ET INFO HTTP Request to Suspicious *.work Domain	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 34.120.55.112:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2027868	ET INFO Observed DNS Query to .work TLD	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 43.154.196.178:80	2027877	ET INFO HTTP Request to Suspicious *.work Domain	Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 120.48.139.92:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 120.48.139.92:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 120.48.139.92:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 91.106.207.17:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 91.106.207.17:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49173 -> 91.106.207.17:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 89.31.143.1:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 89.31.143.1:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49166 -> 89.31.143.1:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 217.26.48.101:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 217.26.48.101:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 217.26.48.101:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 154.55.172.139:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 154.55.172.139:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49179 -> 154.55.172.139:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 109.106.251.102:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 109.106.251.102:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49181 -> 109.106.251.102:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 43.154.196.178:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 38.239.160.233:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 43.154.196.178:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 38.239.160.233:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 43.154.196.178:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49175 -> 38.239.160.233:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 43.154.196.178:80	2027877	ET INFO HTTP Request to Suspicious *.work Domain	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 34.120.55.112:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.120.55.112:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.120.55.112:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 34.120.55.112:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts