NetWork | ZeroBOX

IP Address	Status	Action
103.28.36.182	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.67	Active	Moloch
185.215.113.9	Active	Moloch
58.65.168.132	Active	Moloch
45.33.6.223	Active	Moloch

Name	Response	Post-Analysis Lookup
atlpvt.com	A 58.65.168.132	58.65.168.132
coe.com.vn	A 103.28.36.182	103.28.36.182
mktrex155.xyz

TCP Requests

UDP Requests

POST 200 http://185.215.113.16/Jo89Ku7d/index.php

GET 200 http://185.215.113.16/inc/build.exe

POST 200 http://185.215.113.16/Jo89Ku7d/index.php

GET 200 http://185.215.113.16/inc/crypted.exe

POST 200 http://185.215.113.16/Jo89Ku7d/index.php

GET 200 http://185.215.113.16/inc/5447jsX.exe

POST 200 http://185.215.113.16/Jo89Ku7d/index.php

GET 200 http://185.215.113.16/inc/crypteda.exe

POST 200 http://185.215.113.16/Jo89Ku7d/index.php

GET 200 http://185.215.113.16/inc/25072023.exe

POST 200 http://185.215.113.16/Jo89Ku7d/index.php

GET 200 http://185.215.113.16/inc/pered.exe

POST 200 http://185.215.113.16/Jo89Ku7d/index.php

GET 200 http://185.215.113.16/inc/2020.exe

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 103.28.36.182:443 -> 192.168.56.101:49216	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.28.36.182:443 -> 192.168.56.101:49212	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2022491	ET HUNTING Download Request Containing Suspicious Filename - Crypted	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 103.28.36.182:443 -> 192.168.56.101:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.101:49220	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.101:49220	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.101:49220	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.9:9137 -> 192.168.56.101:49283	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.9:9137 -> 192.168.56.101:49283	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49284 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49285 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.9:9137 -> 192.168.56.101:49283	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49293 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49295 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 58.65.168.132:443 -> 192.168.56.101:49297	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49302 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 58.65.168.132:443 -> 192.168.56.101:49303	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 58.65.168.132:443 -> 192.168.56.101:49286	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49301 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts