NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
85.209.3.9	Active	Moloch
95.214.27.254	Active	Moloch

Name	Response	Post-Analysis Lookup
rc30.tuktuk.ug	A 85.209.3.9	85.209.3.9

TCP Requests
- 192.168.56.103:49164 85.209.3.9:11290
  rc30.tuktuk.ug
- 192.168.56.103:49166 95.214.27.254:80

UDP Requests

GET 200 http://95.214.27.254/getfile/winlog.exe

GET 200 http://95.214.27.254/getfile/msedge.exe

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 85.209.3.9:11290 -> 192.168.56.103:49164	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 95.214.27.254:80	2017679	ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download	A Network Trojan was detected
TCP 192.168.56.103:49166 -> 95.214.27.254:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 95.214.27.254:80 -> 192.168.56.103:49166	2014819	ET INFO Packed Executable Download	Misc activity
TCP 95.214.27.254:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 95.214.27.254:80 -> 192.168.56.103:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 95.214.27.254:80 -> 192.168.56.103:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 95.214.27.254:80 -> 192.168.56.103:49166	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49166 -> 95.214.27.254:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 85.209.3.9:11290	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts