NetWork | ZeroBOX

Network Analysis

Hosts contacted

IP address        Status
104.20.3.235      Active
121.254.136.9     Active
164.124.101.2     Active
172.67.198.131    Active
185.172.128.116   Active
185.172.128.19    Active
185.215.113.67    Active
23.41.113.9       Active
31.31.198.35      Active
51.15.193.130     Active
51.68.137.186     Active
77.91.77.81       Active
HTTP requests

The POSTs to /Kiru9gu/index.php on 77.91.77.81 and to /Mb3GvQs8/index.php on 185.172.128.116 are the check-ins that the Suricata section below tags as Amadey host-fingerprint exfil and bot activity; they alternate with GETs of further executables from /lend/ and from bare dotted-quad hosts, which is the loader's download-and-execute loop. File names such as redline123123.exe and lummac2.exe are only what the server hands out; the Suricata alerts, not the file names, are what identify the RedLine traffic. The first request, for https://kmsandallapp.ru/Gibson.exe, was refused with 403, so that payload was not retrieved. The repeated GETs for apps.identrust.com/roots/dstrootcax3.p7c and x1.i.lencr.org/ are Windows CryptoAPI fetching the Let's Encrypt issuer chain (AIA) while it validates the certificates listed under Suricata TLS; they are not attacker infrastructure and should not be carried into an indicator list. Each row is one request, in the order reported.

Method  Status  URL
GET     403     https://kmsandallapp.ru/Gibson.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/judit.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/redline123123.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/upd.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/setup222.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/gold.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/lummac2.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/drivermanager.exe
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://185.172.128.116/NewLatest.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://77.91.77.81/lend/monster.exe
POST    200     http://185.172.128.116/Mb3GvQs8/index.php
POST    200     http://185.172.128.116/Mb3GvQs8/index.php?scr=1
POST    200     http://185.172.128.116/Mb3GvQs8/index.php
GET     200     http://185.172.128.116/b2c2c1.exe
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://185.172.128.19/FirstZ.exe
POST    200     http://77.91.77.81/Kiru9gu/index.php
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://x1.i.lencr.org/
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c
GET     200     http://apps.identrust.com/roots/dstrootcax3.p7c

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Three remote endpoints carry ET MALWARE signatures: 77.91.77.81:80 and 185.172.128.116:80 (Amadey host-fingerprint exfil and bot check-in, matching the POSTs above) and 185.215.113.67:40960 (RedLine Stealer/MetaStealer C2 over .NET Message Framing, alerting in both directions); 185.215.113.67 is also on the Spamhaus DROP list. The SSLBL rows are JA3 matches: a JA3 hit identifies a client TLS configuration that abuse.ch has catalogued against a family (Tofsee, CoinMiner), not the family itself, so treat it as corroboration rather than attribution. The two DNS queries for nanopool.org (a mining pool) together with the CoinMiner JA3 match to 104.20.3.235:443 point at a miner component. Each row is one alert, in the order reported; "undefined" is Suricata's category for the SSLBL rules, which carry no classtype.

Flow | SID | Signature | Category
TCP 192.168.56.103:49164 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49164 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 77.91.77.81:80 -> 192.168.56.103:49164 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 77.91.77.81:80 -> 192.168.56.103:49164 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49164 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 77.91.77.81:80 -> 192.168.56.103:49167 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49169 | 2400032 | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 | Misc Attack
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043233 | ET INFO Microsoft net.tcp Connection Initialization Activity | Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49169 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | A Network Trojan was detected
TCP 192.168.56.103:49173 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49169 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49212 -> 185.172.128.116:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 185.172.128.116:80 -> 192.168.56.103:49212 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 185.172.128.116:80 -> 192.168.56.103:49212 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 185.172.128.116:80 -> 192.168.56.103:49212 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 185.172.128.116:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 185.172.128.116:80 -> 192.168.56.103:49217 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 185.172.128.116:80 -> 192.168.56.103:49217 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 185.172.128.116:80 -> 192.168.56.103:49217 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 185.172.128.116:80 -> 192.168.56.103:49217 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 185.172.128.116:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49221 -> 185.172.128.19:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49221 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 185.172.128.19:80 -> 192.168.56.103:49221 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.103:49221 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49221 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49228 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49167 -> 77.91.77.81:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.172.128.116:80 | 2044696 | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 | A Network Trojan was detected
TCP 192.168.56.103:49229 -> 31.31.198.35:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | A Network Trojan was detected
TCP 192.168.56.103:49236 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49239 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
UDP 192.168.56.103:62576 -> 164.124.101.2:53 | 2033268 | ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) | Potential Corporate Privacy Violation
TCP 192.168.56.103:49232 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49234 -> 104.20.3.235:443 | 906200068 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) | undefined
TCP 192.168.56.103:49237 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49218 -> 185.172.128.116:80 | 2044597 | ET MALWARE Amadey Bot Activity (POST) M1 | A Network Trojan was detected
TCP 192.168.56.103:49219 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
TCP 192.168.56.103:49225 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
UDP 192.168.56.103:64178 -> 164.124.101.2:53 | 2033268 | ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) | Potential Corporate Privacy Violation
TCP 192.168.56.103:49238 -> 172.67.198.131:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined
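The HTTP request list and the alert table above are what an analyst turns into indicators, and doing that by hand means re-reading the same Amadey POST and certificate-chain GET dozens of times. The script below is an added example, not ZeroBOX code: it parses both sections in exactly the line layout this report prints, drops the Let's Encrypt AIA fetches, deduplicates the URLs, and folds every ET MALWARE alert onto the remote endpoint it concerns so each C2 appears once with the signatures that fired against it. It assumes the analysis VM is 192.168.56.103 (as in the report) and that the two certificate-chain hosts in CERT_INFRA are noise rather than attacker infrastructure; the sample lines are excerpted from the tables above.

```python
"""Triage helper for a ZeroBOX-style network report (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SANDBOX_IP = "192.168.56.103"  # analysis VM address as shown in the report

# Hosts Windows CryptoAPI contacts to build a Let's Encrypt chain (AIA).
# Assumption of this example: they are benign noise, never indicators.
CERT_INFRA = {"apps.identrust.com", "x1.i.lencr.org"}

HTTP_RE = re.compile(r"^(GET|POST)\s+(\d{3})\s+(\S+)$")
ALERT_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\d+)\s+(.*)$")

# Classtype descriptions Suricata appends to each alert line in the report;
# matching them as suffixes separates the signature name from its category.
CATEGORIES = (
    "A Network Trojan was detected",
    "Potential Corporate Privacy Violation",
    "Potentially Bad Traffic",
    "Misc activity",
    "Misc Attack",
    "undefined",
)

# Sample input excerpted from the report; REQUEST/RESPONSE are page widget
# residue that a parser fed the raw page text has to skip.
SAMPLE_HTTP = """\
GET 403 https://kmsandallapp.ru/Gibson.exe
REQUEST
RESPONSE
POST 200 http://77.91.77.81/Kiru9gu/index.php
REQUEST
RESPONSE
GET 200 http://77.91.77.81/lend/judit.exe
POST 200 http://77.91.77.81/Kiru9gu/index.php
GET 200 http://apps.identrust.com/roots/dstrootcax3.p7c
GET 200 http://apps.identrust.com/roots/dstrootcax3.p7c
GET 200 http://x1.i.lencr.org/
GET 200 http://185.172.128.116/NewLatest.exe
""".splitlines()

SAMPLE_ALERTS = """\
TCP 192.168.56.103:49167 -> 77.91.77.81:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 77.91.77.81:80 -> 192.168.56.103:49167 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49169 2400032 ET DROP Spamhaus DROP Listed Traffic Inbound group 33 Misc Attack
TCP 192.168.56.103:49169 -> 185.215.113.67:40960 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49169 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.103:49173 -> 172.67.198.131:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:62576 -> 164.124.101.2:53 2033268 ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org) Potential Corporate Privacy Violation
""".splitlines()


def parse_http(lines):
    """(method, status, url) for every request line; anything else is skipped."""
    out = []
    for line in lines:
        m = HTTP_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out


def split_signature(rest):
    """Split 'signature name + category' into (signature, category)."""
    for cat in CATEGORIES:
        if rest.endswith(" " + cat):
            return rest[: -len(cat) - 1], cat
    return rest, ""


def parse_alerts(lines):
    """One dict per alert line: proto, src/sport, dst/dport, sid, sig, cat."""
    out = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport, sid, rest = m.groups()
        sig, cat = split_signature(rest)
        out.append({"proto": proto, "src": src, "sport": int(sport),
                    "dst": dst, "dport": int(dport), "sid": int(sid),
                    "sig": sig, "cat": cat})
    return out


def http_iocs(requests):
    """URLs worth pivoting on: report order, deduplicated, chain fetches dropped.
    A 403 is kept: a refused download still names attacker infrastructure."""
    seen, out = set(), []
    for method, status, url in requests:
        if urlsplit(url).hostname in CERT_INFRA or url in seen:
            continue
        seen.add(url)
        out.append((method, status, url))
    return out


def c2_summary(alerts, sandbox=SANDBOX_IP):
    """(remote ip, remote port) -> set of ET MALWARE signatures that fired,
    folding both directions of a flow onto the remote endpoint."""
    summary = defaultdict(set)
    for a in alerts:
        outbound = a["src"] == sandbox
        remote = (a["dst"], a["dport"]) if outbound else (a["src"], a["sport"])
        if a["sig"].startswith("ET MALWARE"):
            summary[remote].add(a["sig"])
    return dict(summary)


if __name__ == "__main__":
    for row in http_iocs(parse_http(SAMPLE_HTTP)):
        print("IOC  %s %d %s" % row)
    for (ip, port), sigs in sorted(c2_summary(parse_alerts(SAMPLE_ALERTS)).items()):
        print("C2   %s:%d  " % (ip, port) + "; ".join(sorted(sigs)))
```

Feeding it the full tables instead of the excerpt collapses the alert list to three C2 endpoints and the HTTP list to the fourteen payload and check-in URLs. The SSLBL and ET POLICY rows are deliberately left out of c2_summary: they are corroborating context, and mixing them into the C2 list is how a Cloudflare-fronted domain or a DNS resolver ends up on a blocklist.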

Suricata TLS

Suricata takes issuer, subject and fingerprint from the server's Certificate message. In TLS 1.3 that message is encrypted, so the three TLS 1.3 flows show None for all three fields; that is a protocol artefact, not evidence of a missing or self-signed certificate. Two of those flows go to non-standard ports (51.15.193.130:14433 and 51.68.137.186:10943) and, with the certificate hidden, the Suricata alert table is the only visibility into them. The flows to 172.67.198.131:443 carry a Let's Encrypt certificate for boredombusters.online, which ties that IP to the JA3 hits above, and 31.31.198.35:443 serves kmsandallapp.ru, the host of the refused Gibson.exe download. The last flow to 172.67.198.131 logged no certificate. Fingerprints are SHA-1 of the leaf certificate.

Version | Source | Destination | Issuer | Subject | Fingerprint
TLSv1 | 192.168.56.103:49173 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49228 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLS 1.2 | 192.168.56.103:49229 | 31.31.198.35:443 | C=US, O=Let's Encrypt, CN=R11 | CN=kmsandallapp.ru | 26:c0:93:6a:03:1b:96:aa:25:61:71:21:f5:de:ad:77:51:bf:39:19
TLS 1.3 | 192.168.56.103:49235 | 51.15.193.130:14433 | None | None | None
TLSv1 | 192.168.56.103:49236 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49239 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49232 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLS 1.3 | 192.168.56.103:49233 | 51.68.137.186:10943 | None | None | None
TLS 1.3 | 192.168.56.103:49234 | 104.20.3.235:443 | None | None | None
TLSv1 | 192.168.56.103:49237 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49219 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49225 | 172.67.198.131:443 | C=US, O=Let's Encrypt, CN=E5 | CN=boredombusters.online | ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 | 192.168.56.103:49238 | 172.67.198.131:443 | None | None | None

Snort Alerts

No Snort Alerts