NetWork | ZeroBOX

IP Address	Status	Action
103.237.87.56	Active	Moloch
104.237.252.28	Active	Moloch
164.124.101.2	Active	Moloch

Name	Response	Post-Analysis Lookup
sempersim.su	A 104.237.252.28	104.237.252.28

TCP Requests

UDP Requests

GET 200 http://103.237.87.56/setup/bin.exe

POST 404 http://sempersim.su/c13/fre.php

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 104.237.252.28:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49169 -> 104.237.252.28:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49170 -> 104.237.252.28:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 104.237.252.28:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49169 -> 104.237.252.28:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49170 -> 104.237.252.28:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 104.237.252.28:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 104.237.252.28:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 104.237.252.28:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 104.237.252.28:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 104.237.252.28:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49169 -> 104.237.252.28:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.101:49162 -> 103.237.87.56:80	2019696	ET MALWARE Possible MalDoc Payload Download Nov 11 2014	A Network Trojan was detected
TCP 192.168.56.101:49162 -> 103.237.87.56:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 103.237.87.56:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 103.237.87.56:80 -> 192.168.56.101:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 104.237.252.28:80 -> 192.168.56.101:49170	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 104.237.252.28:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.101:49171 -> 104.237.252.28:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49171 -> 104.237.252.28:80	2014170	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 104.237.252.28:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 104.237.252.28:80 -> 192.168.56.101:49171	2025483	ET MALWARE LokiBot Fake 404 Response	A Network Trojan was detected
TCP 103.237.87.56:80 -> 192.168.56.101:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.237.87.56:80 -> 192.168.56.101:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 103.237.87.56:80 -> 192.168.56.101:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts