NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

NetWork | ZeroBOX

IP Address	Status	Action
103.6.248.9	Active	Moloch
164.124.101.2	Active	Moloch
207.244.97.155	Active	Moloch
23.95.60.83	Active	Moloch

Name	Response	Post-Analysis Lookup
www.sadwqe.quest
www.memyar.com	A 207.244.97.155	207.244.97.155

TCP Requests

UDP Requests

GET 200 http://103.6.248.9/S307M/wininit.exe

GET 200 http://23.95.60.83/FBI/4/XemnhqpeY66.bin

GET 403 http://www.memyar.com/gs22/?s0=9ZBC0f+9RgjxeuZvHOxJK0OniZLAdU+4qjFxfxF4zayhVhrzWW9GrjI8li8yjT6m11JrM5L0&CZ=7nH8XRk

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 103.6.248.9:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 103.6.248.9:80 -> 192.168.56.103:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 207.244.97.155:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 103.6.248.9:80 -> 192.168.56.103:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.6.248.9:80 -> 192.168.56.103:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 103.6.248.9:80 -> 192.168.56.103:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 23.95.60.83:80	2018752	ET MALWARE Generic .bin download from Dotted Quad	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts