NetWork | ZeroBOX

Network Analysis

IP Address Status Action
146.75.92.193 Active Moloch
164.124.101.2 Active Moloch
172.67.197.250 Active Moloch
45.152.112.146 Active Moloch
Method Status URL
GET 200 https://i.imgur.com/yximuB4.png
GET 200 https://contur2fa.recipeupdates.rest/__hh/files/run
GET 200 https://contur2fa.recipeupdates.rest/__hh/files/run_search
POST 200 http://proresupdate.com/h9fmdW5/index.php
POST 200 http://proresupdate.com/h9fmdW5/index.php
POST 200 http://proresupdate.com/h9fmdW5/index.php

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49161 -> 146.75.92.193:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 172.67.197.250:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 172.67.197.250:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 45.152.112.146:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49161 -> 146.75.92.193:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.imgur.com | 39:5b:e1:0d:4a:fc:a4:c7:f3:71:de:c4:5c:12:69:f9:5f:58:9f:42
TLSv1 192.168.56.101:49170 -> 172.67.197.250:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=recipeupdates.rest | 56:1f:99:81:f8:1f:9b:4e:f8:64:b7:17:28:16:1b:e1:fd:f8:cb:cf
TLSv1 192.168.56.101:49172 -> 172.67.197.250:443 | C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 | CN=recipeupdates.rest | 56:1f:99:81:f8:1f:9b:4e:f8:64:b7:17:28:16:1b:e1:fd:f8:cb:cf

Snort Alerts

No Snort Alerts