NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.166.140.8	Active	Moloch
185.215.113.67	Active	Moloch

Name	Response	Post-Analysis Lookup
bitbucket.org	A 185.166.140.8 A 185.166.140.9 A 185.166.140.7	104.192.141.1

UDP Requests

GET 404 https://bitbucket.org/tons1/evotopro/downloads/Zaddikim.exe

HTTP/1.1 404 Not Found Date: Wed, 17 Jul 2024 00:08:00 GMT Content-Type: text/html; charset=utf-8 Content-Length: 23652 Server: AtlassianEdge X-Used-Mesh: False Vary: Accept-Language, Origin, Accept-Encoding Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file Etag: "cd2dc499abbed49adee0063562605bfd" X-Dc-Location: Micros-3 X-Served-By: 61a9a12c804c X-Version: 3213c3a25a7c X-Static-Version: 3213c3a25a7c X-Request-Count: 2997 X-Render-Time: 0.2793102264404297 X-B3-Traceid: 3c2aed0f563b498ca78c1047f19ab0a9 X-B3-Spanid: b188ff7816b372d3 X-Frame-Options: SAMEORIGIN Content-Security-Policy: connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://d301sr5gafysq2.cloudfront.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ 'nonce-VWLjNpkh2Yn/iLJYDsQkpg=='; object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; base-uri 'self'; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website X-Usage-Quota-Remaining: 996461.642 X-Usage-Request-Cost: 3616.53 X-Usage-User-Time: 0.100566 X-Usage-System-Time: 0.007930 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Cache-Control: max-age=900 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 3c2aed0f563b498ca78c1047f19ab0a9 Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.67:40960 -> 192.168.56.103:49162	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49162	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49162	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49164 -> 185.166.140.8:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49162 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49164 185.166.140.8:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian US, Inc., CN=bitbucket.org	bf:7c:47:a3:25:75:32:6e:c5:f8:ea:29:e6:bd:ba:2d:a7:99:28:78

Snort Alerts

No Snort Alerts