NetWork | ZeroBOX

Network Analysis

IP Address Status Action
77.91.77.81 Active Moloch
85.28.47.30 Active Moloch
Name Response Post-Analysis Lookup
No hosts contacted.
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
GET 200 http://85.28.47.30/69934896f997d5bb/sqlite3.dll
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
GET 200 http://85.28.47.30/69934896f997d5bb/freebl3.dll
REQUEST
RESPONSE
GET 200 http://85.28.47.30/69934896f997d5bb/mozglue.dll
REQUEST
RESPONSE
GET 200 http://85.28.47.30/69934896f997d5bb/msvcp140.dll
REQUEST
RESPONSE
GET 200 http://85.28.47.30/69934896f997d5bb/nss3.dll
REQUEST
RESPONSE
GET 200 http://85.28.47.30/69934896f997d5bb/softokn3.dll
REQUEST
RESPONSE
GET 200 http://85.28.47.30/69934896f997d5bb/vcruntime140.dll
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE
POST 200 http://85.28.47.30/920475a59bac849d.php
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 85.28.47.30:80 -> 192.168.56.103:49162 2400008 ET DROP Spamhaus DROP Listed Traffic Inbound group 9 Misc Attack
TCP 192.168.56.103:49162 -> 85.28.47.30:80 2044243 ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80 2044244 ET MALWARE Win32/Stealc Requesting browsers Config from C2 Malware Command and Control Activity Detected
TCP 85.28.47.30:80 -> 192.168.56.103:49162 2051828 ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80 2044246 ET MALWARE Win32/Stealc Requesting plugins Config from C2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 85.28.47.30:80 -> 192.168.56.103:49162 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80 2044248 ET MALWARE Win32/Stealc Submitting System Information to C2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 85.28.47.30:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 85.28.47.30:80 2044301 ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 85.28.47.30:80 -> 192.168.56.103:49165 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.28.47.30:80 -> 192.168.56.103:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.28.47.30:80 -> 192.168.56.103:49162 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.28.47.30:80 -> 192.168.56.103:49162 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 85.28.47.30:80 -> 192.168.56.103:49165 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 85.28.47.30:80 2044307 ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity A suspicious filename was detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts