popup
NetWork | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Network Analysis

Download pcap
Hosts 3 DNS 1 TCP 3 UDP 5 HTTP(S) 1 ICMP 0 IRC 0 Suricata Snort
IP Address Status Action
164.124.101.2 Active Moloch
185.246.220.60 Active Moloch
91.235.128.141 Active Moloch
Name Response Post-Analysis Lookup
cp5ua.hyperhost.ua
A 91.235.128.141
91.235.128.141
GET 200 http://185.246.220.60/chamberzx.exe
REQUEST
RESPONSE
BODY 

            

        


    



        
	




                            
ICMP traffic



No ICMP traffic performed.



                            
IRC traffic



No IRC requests performed.



                            
Suricata Alerts


    

        

            Flow
            SID
            Signature
            Category
        

        
        

            
                TCP
                91.235.128.141:587 ->
                192.168.56.101:49166
            
            2260002
            SURICATA Applayer Detect protocol only one direction
            Generic Protocol Command Decode
        

        
        

            
                TCP
                192.168.56.101:49166 ->
                91.235.128.141:587
            
            906200022
            SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
            undefined
        

        
        

            
                TCP
                192.168.56.101:49162 ->
                185.246.220.60:80
            
            2016141
            ET INFO Executable Download from dotted-quad Host
            Potentially Bad Traffic
        

        
        

            
                TCP
                185.246.220.60:80 ->
                192.168.56.101:49162
            
            2022050
            ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
            A Network Trojan was detected
        

        
        

            
                TCP
                185.246.220.60:80 ->
                192.168.56.101:49162
            
            2018959
            ET POLICY PE EXE or DLL Windows file download HTTP
            Potential Corporate Privacy Violation
        

        
        

            
                TCP
                185.246.220.60:80 ->
                192.168.56.101:49162
            
            2022051
            ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
            A Network Trojan was detected
        

        
        

            
                TCP
                185.246.220.60:80 ->
                192.168.56.101:49162
            
            2021076
            ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
            Potentially Bad Traffic
        

        
    




Suricata TLS


    

        

            Flow
            Issuer
            Subject
            Fingerprint
        

        
        

            
                TLS 1.2 

                192.168.56.101:49166 

                91.235.128.141:587
            		
            C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
            CN=*.hyperhost.ua
            31:5a:b5:30:54:87:eb:3f:d4:42:69:f9:97:6e:d8:03:c6:5d:32:c0
        

        
    





                            
Snort Alerts


    
No Snort Alerts