NetWork | ZeroBOX

Network Analysis

IP Address Status Action
117.18.232.200 Active Moloch
142.250.199.67 Active Moloch
164.124.101.2 Active Moloch
172.217.25.4 Active Moloch
172.67.75.166 Active Moloch
185.215.113.46 Active Moloch
193.233.132.62 Active Moloch
34.117.186.192 Active Moloch
64.233.188.84 Active Moloch
GET 200 https://db-ip.com/demo/home.php?s=175.208.134.152
REQUEST: GET /demo/home.php?s=175.208.134.152 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
RESPONSE: HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 01
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
x-iplb-request-id: AC46C792
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints"
NEL: {"success_fraction"
Server: cloudflare
CF-RAY: 857294b7688a29d9-FUK
alt-svc: h3="
GET 302 https://accounts.google.com/
REQUEST: GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Connection: Keep-Alive
RESPONSE: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: __Host-GAPS=1
X-Frame-Options: DENY
Content-Security-Policy: script-src 'nonce-64XjcPnTIT4DpEeMugM84Q' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
Location: https
Content-Encoding: gzip
Date: Sun, 18 Feb 2024 01
Expires: Sun, 18 Feb 2024 01
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3="
Transfer-Encoding: chunked
GET 302 https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
REQUEST: GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1
RESPONSE: HTTP/1.1 302 Found
Content-Type: application/binary
Set-Cookie: __Host-GAPS=1
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00
Date: Sun, 18 Feb 2024 01
Location: https
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cross-Origin-Resource-Policy: cross-origin
Content-Security-Policy: script-src 'nonce-Dd2T-bZtqYpHz1z0DhPkgQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport
Cross-Origin-Opener-Policy: unsafe-none
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3="
GET 302 https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ATuJsjwZDFIam6L22WTWI-kQASX9bbFhlY8Qfpn45PMVfMK-s8Kyidgcfo81UwYYYE3hoi8cxOYr
REQUEST: GET /InteractiveLogin?continue=https://accounts.google.com/&followup=https
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1
RESPONSE: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00
Date: Sun, 18 Feb 2024 01
Location: https
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_qebhlk"
Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
Content-Security-Policy: script-src 'nonce-VSkD0fxW-ZdrCbNiTCiSXg' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
Report-To: {"group"
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3="
Transfer-Encoding: chunked
GET 200 https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjwFn3TVCNRzJMcCHLiAbyOatgCfg9GZ0yxkBGaodHQIa13Oi7C4nekCckwkC7E_8TSu1Gl5&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-2029714484%3A1708220637104788
REQUEST: GET /v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ATuJsjwFn3TVCNRzJMcCHLiAbyOatgCfg9GZ0yxkBGaodHQIa13Oi7C4nekCckwkC7E_8TSu1Gl5&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-2029714484%3A1708220637104788 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1
RESPONSE: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
x-auto-login: realm=com.google&args=continue%3Dhttps
x-ua-compatible: IE=edge
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00
Date: Sun, 18 Feb 2024 01
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: script-src 'nonce-Tr_VTIjz7K2tb92cV8tAEw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /v3/signin/_/AccountsSignInUi/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /v3/signin/_/AccountsSignInUi/cspreport
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="AccountsSignInUi"
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Report-To: {"group"
Cross-Origin-Resource-Policy: same-site
reporting-endpoints: default="/v3/signin/_/AccountsSignInUi/web-reports?context=eJzjWsGoxSXFEKghxbBXaReTY-wTJlcgntv9lGkhEC9__5RpNRDHrHrGlADEB-OeMx0F4rcJL5g-AnFr6wumTiDe3POCaTsQT-N5yTQLiI9sf8l0Aog_33vJ9B2I3315ycTz9SWTBBBrAPEOHw8WvnXTWVWAWHf9dNZQIJ50cjrrNCCW_zWdVRmIndJnsAYBsU_9DNYYIBbi4bh78Og6NoEJn9e0MQIAutxUNA"
Content-Encoding: gzip
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3="
Transfer-Encoding: chunked
GET 200 https://accounts.google.com/_/bscframe
REQUEST: GET /_/bscframe HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1
RESPONSE: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00
Date: Sun, 18 Feb 2024 01
Content-Security-Policy: script-src 'unsafe-eval';require-trusted-types-for 'script';object-src 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
Cross-Origin-Resource-Policy: same-site
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="AccountsSignInSignUpUi"
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factor=*, ch-ua-platform=*, ch-ua-platform-version=*
Report-To: {"group"
Content-Encoding: gzip
Server: ESF
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Alt-Svc: h3="
Transfer-Encoding: chunked
GET 200 https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
REQUEST: GET /images/branding/googlelogo/2x/googlelogo_color_74x24dp.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ssl.gstatic.com
Connection: Keep-Alive
RESPONSE: HTTP/1.1 200 OK
Accept-Ranges: bytes
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable"
Report-To: {"group"
Content-Length: 3240
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Tue, 13 Feb 2024 04
Expires: Wed, 12 Feb 2025 04
Cache-Control: public, max-age=31536000
Age: 420582
Last-Modified: Thu, 02 Nov 2023 22
Content-Type: image/png
Vary: Origin
Alt-Svc: h3="
GET 302 https://accounts.google.com/favicon.ico
REQUEST: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1
RESPONSE: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
X-Frame-Options: DENY
Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00
Date: Sun, 18 Feb 2024 01
Location: https
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
Content-Security-Policy: script-src 'nonce-mKbV_FCwvrvvsAnKrF6gKw' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /cspreport
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_qebhlk"
Report-To: {"group"
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Server: GSE
Alt-Svc: h3="
Transfer-Encoding: chunked
GET 204 https://accounts.google.com/generate_204?9CAOBw
REQUEST: GET /generate_204?9CAOBw HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: https
Accept-Language: ko-KR
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: accounts.google.com
Connection: Keep-Alive
Cookie: __Host-GAPS=1
RESPONSE: HTTP/1.1 204 No Content
Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Sun, 18 Feb 2024 01
Alt-Svc: h3="
GET 304 https://www.google.com/favicon.ico
REQUEST: GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.google.com
Connection: Keep-Alive
If-Modified-Since: Tue, 22 Oct 2019 18
RESPONSE: HTTP/1.1 304 Not Modified
Date: Sat, 17 Feb 2024 22
Expires: Sun, 25 Feb 2024 22
Last-Modified: Tue, 22 Oct 2019 18
Cache-Control: public, max-age=691200
Vary: Accept-Encoding
Age: 11153
Alt-Svc: h3="
GET 200 https://db-ip.com/demo/home.php?s=175.208.134.152
REQUEST: GET /demo/home.php?s=175.208.134.152 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
RESPONSE: HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 01
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
x-iplb-request-id: AC46C792
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints"
NEL: {"success_fraction"
Server: cloudflare
CF-RAY: 857295981f7529d2-FUK
alt-svc: h3="
GET 200 https://db-ip.com/demo/home.php?s=175.208.134.152
REQUEST: GET /demo/home.php?s=175.208.134.152 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
RESPONSE: HTTP/1.1 200 OK
Date: Sun, 18 Feb 2024 01
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
x-iplb-request-id: AC46C797
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints"
NEL: {"success_fraction"
Server: cloudflare
CF-RAY: 857295c61e9f29e5-FUK
alt-svc: h3="
HEAD 200 http://185.215.113.46/cost/fu.exe
REQUEST: HEAD /cost/fu.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Content-Length: 0
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 918528
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d155b8-e0400"
Accept-Ranges: bytes
GET 200 http://185.215.113.46/cost/fu.exe
REQUEST: GET /cost/fu.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 918528
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d155b8-e0400"
Accept-Ranges: bytes
HEAD 200 http://185.215.113.46/mine/amert.exe
REQUEST: HEAD /mine/amert.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Content-Length: 0
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 1901056
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d155b1-1d0200"
Accept-Ranges: bytes
GET 200 http://185.215.113.46/mine/amert.exe
REQUEST: GET /mine/amert.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 1901056
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d155b1-1d0200"
Accept-Ranges: bytes
HEAD 200 http://185.215.113.46/cost/niks.exe
REQUEST: HEAD /cost/niks.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Content-Length: 0
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 1754624
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d1556f-1ac600"
Accept-Ranges: bytes
GET 200 http://185.215.113.46/cost/niks.exe
REQUEST: GET /cost/niks.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 1754624
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d1556f-1ac600"
Accept-Ranges: bytes
HEAD 200 http://185.215.113.46/mine/plaza.exe
REQUEST: HEAD /mine/plaza.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Content-Length: 0
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 3098112
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d1559e-2f4600"
Accept-Ranges: bytes
GET 200 http://185.215.113.46/mine/plaza.exe
REQUEST: GET /mine/plaza.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 3098112
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d1559e-2f4600"
Accept-Ranges: bytes
HEAD 200 http://185.215.113.46/cost/ladas.exe
REQUEST: HEAD /cost/ladas.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Content-Length: 0
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 2371072
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d15584-242e00"
Accept-Ranges: bytes
GET 200 http://185.215.113.46/cost/ladas.exe
REQUEST: GET /cost/ladas.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
Host: 185.215.113.46
Cache-Control: no-cache
RESPONSE: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 18 Feb 2024 01
Content-Type: application/octet-stream
Content-Length: 2371072
Last-Modified: Sun, 18 Feb 2024 00
Connection: keep-alive
ETag: "65d15584-242e00"
Accept-Ranges: bytes
GET 200 http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
REQUEST: GET /IE9CompatViewList.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: ie9cvlist.ie.microsoft.com
If-Modified-Since: Thu, 21 Nov 2019 19
If-None-Match: 0x8D76EBA32AF0BC3
Connection: Keep-Alive
RESPONSE: HTTP/1.1 200 OK
Content-Encoding: gzip
Age: 9041
Cache-Control: max-age=21600
Content-MD5: p9g4jsuZO6TaLMVAI9ujVg==
Content-Type: text/xml
Date: Sun, 18 Feb 2024 01
Etag: 0x8D9521D2D2DF1EC
Last-Modified: Wed, 28 Jul 2021 23
Server: ECAcc (tka/897A)
Vary: Accept-Encoding
X-Cache: HIT
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 5144dcfe-f01e-00b7-38f7-61e207000000
x-ms-version: 2009-09-19
Content-Length: 13702

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49167 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49169 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.46:80 -> 192.168.56.101:49177 2400021 ET DROP Spamhaus DROP Listed Traffic Inbound group 22 Misc Attack
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.46:80 -> 192.168.56.101:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 64.233.188.84:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49183 -> 64.233.188.84:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 193.233.132.62:50500 2049060 ET MALWARE RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 192.168.56.101:49186 -> 142.250.199.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 193.233.132.62:50500 -> 192.168.56.101:49166 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500 2046270 ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500 2049661 ET MALWARE RisePro CnC Activity (Inbound) A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500 2046269 ET MALWARE [ANY.RUN] RisePro TCP (Activity) A Network Trojan was detected
TCP 192.168.56.101:49187 -> 142.250.199.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49189 -> 172.217.25.4:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49190 -> 172.217.25.4:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 193.233.132.62:50500 2049060 ET MALWARE RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49203 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) A Network Trojan was detected
TCP 192.168.56.101:49207 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 193.233.132.62:50500 2046269 ET MALWARE [ANY.RUN] RisePro TCP (Activity) A Network Trojan was detected
TCP 192.168.56.101:49166 -> 193.233.132.62:50500 2049661 ET MALWARE RisePro CnC Activity (Inbound) A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49210 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) A Network Trojan was detected
TCP 192.168.56.101:49229 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49229 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49229 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49231 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.46:80 -> 192.168.56.101:49177 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 185.215.113.46:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49205 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49205 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49167 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49229 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49169 -> 172.67.75.166:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49182 -> 64.233.188.84:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | 22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49183 -> 64.233.188.84:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=accounts.google.com | 22:f1:10:1f:49:c5:97:f4:85:76:5a:20:dd:85:7c:ff:e2:c9:2a:1f
TLSv1 192.168.56.101:49186 -> 142.250.199.67:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49187 -> 142.250.199.67:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=*.gstatic.com | f1:41:dd:4f:a6:9f:7b:ae:ae:af:78:bd:08:f8:c8:40:3c:c4:8c:93
TLSv1 192.168.56.101:49189 -> 172.217.25.4:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49190 -> 172.217.25.4:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 | CN=www.google.com | 2a:14:a8:9a:ea:5b:44:20:c3:ae:90:ff:4d:2f:4c:22:15:54:f9:7c
TLSv1 192.168.56.101:49207 -> 172.67.75.166:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49231 -> 172.67.75.166:443 | C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2 | C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com | 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Snort Alerts

No Snort Alerts