NetWork | ZeroBOX

Network Analysis

IP Address Status Action
164.124.101.2 Active Moloch
193.233.254.61 Active Moloch
77.91.124.156 Active Moloch
77.91.68.1 Active Moloch
77.91.68.3 Active Moloch
77.91.68.61 Active Moloch
Name Response Post-Analysis Lookup
No hosts contacted.
POST 200 http://77.91.68.61/rock/index.php
REQUEST
RESPONSE
GET 200 http://77.91.68.1/new/foto4060.exe
REQUEST
RESPONSE
POST 200 http://77.91.68.61/rock/index.php
REQUEST
RESPONSE
GET 200 http://77.91.68.1/new/fotod360.exe
REQUEST
RESPONSE
POST 200 http://77.91.68.61/rock/index.php
REQUEST
RESPONSE
GET 200 http://77.91.68.1/smo/du.exe
REQUEST
RESPONSE
POST 200 http://77.91.68.61/rock/index.php
REQUEST
RESPONSE
GET 200 http://77.91.68.3/fuzz/faman.exe
REQUEST
RESPONSE
POST 200 http://77.91.68.61/rock/index.php
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
GET 404 http://77.91.68.61/rock/Plugins/cred64.dll
REQUEST
RESPONSE
GET 200 http://77.91.68.61/rock/Plugins/clip64.dll
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE
POST 200 http://193.233.254.61/loghub/master
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49178 -> 77.91.68.1:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 77.91.68.1:80 -> 192.168.56.101:49178 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.68.1:80 -> 192.168.56.101:49178 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 77.91.68.1:80 -> 192.168.56.101:49178 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 77.91.68.61:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.101:49177 -> 77.91.68.61:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49190 -> 77.91.68.61:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49190 -> 77.91.68.61:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49193 -> 77.91.68.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 77.91.68.3:80 -> 192.168.56.101:49193 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.68.3:80 -> 192.168.56.101:49193 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 77.91.68.3:80 -> 192.168.56.101:49193 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49195 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.101:49182 -> 77.91.68.61:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49178 -> 77.91.68.1:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 77.91.68.1:80 -> 192.168.56.101:49178 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 77.91.68.1:80 -> 192.168.56.101:49178 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49195 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49195 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49178 -> 77.91.68.1:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 77.91.68.1:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.101:49198 -> 77.91.68.61:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization) A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49202 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 77.91.124.156:19071 -> 192.168.56.101:49202 2046056 ET MALWARE Redline Stealer Activity (Response) A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49202 -> 77.91.124.156:19071 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 77.91.68.61:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 77.91.68.61:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 77.91.68.61:80 -> 192.168.56.101:49210 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 77.91.68.61:80 -> 192.168.56.101:49210 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 77.91.68.61:80 -> 192.168.56.101:49210 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic
TCP 192.168.56.101:49208 -> 193.233.254.61:80 2018358 ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts