NetWork | ZeroBOX

Network Analysis

IP Address Status Action
104.26.12.31 Active Moloch
164.124.101.2 Active Moloch
217.196.96.158 Active Moloch
94.142.138.4 Active Moloch
GET 200 https://api.ip.sb/ip
REQUEST
RESPONSE
GET 200 http://217.196.96.158/svchost.exe
REQUEST
RESPONSE
GET 200 http://217.196.96.158/conhost.exe
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49164 -> 94.142.138.4:80 2043233 ET MALWARE RedLine Stealer TCP CnC net.tcp Init A Network Trojan was detected
TCP 192.168.56.101:49164 -> 94.142.138.4:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 94.142.138.4:80 -> 192.168.56.101:49164 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.101:49164 -> 94.142.138.4:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49169 -> 104.26.12.31:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 217.196.96.158:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 217.196.96.158:80 2016696 ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download Potentially Bad Traffic
TCP 217.196.96.158:80 -> 192.168.56.101:49170 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 217.196.96.158:80 -> 192.168.56.101:49170 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 217.196.96.158:80 -> 192.168.56.101:49170 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 94.142.138.4:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49164 -> 94.142.138.4:80 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49170 -> 217.196.96.158:80 2017598 ET MALWARE Possible Kelihos.F EXE Download Common Structure A Network Trojan was detected
TCP 192.168.56.101:49170 -> 217.196.96.158:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49169
104.26.12.31:443
C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com 53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc

Snort Alerts

No Snort Alerts