NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.11 10:11
bxn.exe
11.11 10:11
glued.hta
11.11 10:11
MONDAYconstraints.vbs
11.11 10:11
tartarises.vbs
11.11 10:11
xwo.exe
11.11 10:11
comehomeconstraints.vbs
11.11 10:11
hello.exe
11.11 10:11
chrome_130.exe
11.11 10:11
s.exe
11.11 10:11
Citatfusk.vbe

Latest News
11.13 01:11
망고플레이·위드브레인, 봉사 활동 MOU 체결
11.13 01:11
Vietnam Tech Champion ...
11.13 01:11
Prosus Gains $2 Billio...
11.13 01:11
Bei diesem neuen Mathe...
11.13 12:11
안랩, 디지털포렌식 챌린지 2024에서 ...
11.13 12:11
The End of Ondsel and ...
11.13 12:11
쥬노, 디저트 브랜드 '카삭산도' 팝업스...
11.13 11:11
Security Alert: Micros...
11.13 11:11
Security Alert: Micros...
11.13 11:11
매크론-더픽트, 조선·해양·방산 분야 디...

NetWork | ZeroBOX

IP Address	Status	Action
147.45.60.44	Active	Moloch
163.172.171.111	Active	Moloch
164.124.101.2	Active	Moloch
172.67.19.24	Active	Moloch
185.196.11.123	Active	Moloch
212.47.253.124	Active	Moloch

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org	A 51.15.58.224 A 141.94.23.83 A 146.59.154.106 A 212.47.253.124 A 51.89.23.91 A 163.172.154.142 A 54.37.232.103 A 54.37.137.114 A 51.15.65.182 A 162.19.224.121 A 51.15.193.130	212.47.253.124
stagingbyvdveen.com	A 147.45.60.44	147.45.60.44
zeph-eu2.nanopool.org	A 51.195.43.17 A 51.15.61.114 A 51.210.150.92 A 51.195.138.197 A 163.172.171.111 A 51.15.89.13 A 51.68.137.186	51.195.43.17
pastebin.com	A 172.67.19.24 A 104.20.4.235 A 104.20.3.235	172.67.19.24

TCP Requests

UDP Requests

POST 200 http://185.196.11.123/h9k4kfklCdszZ3/index.php

POST 200 http://185.196.11.123/h9k4kfklCdszZ3/index.php

GET 200 http://stagingbyvdveen.com/get/setup2.exe

POST 200 http://185.196.11.123/h9k4kfklCdszZ3/index.php

GET 200 http://185.196.11.123/FirstZ.exe

POST 200 http://185.196.11.123/h9k4kfklCdszZ3/index.php

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.60.44:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.60.44:80 -> 192.168.56.101:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.196.11.123:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49174 -> 172.67.19.24:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
TCP 192.168.56.101:49168 -> 185.196.11.123:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49168 -> 185.196.11.123:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.196.11.123:80 -> 192.168.56.101:49168	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.196.11.123:80 -> 192.168.56.101:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.196.11.123:80 -> 192.168.56.101:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.196.11.123:80 -> 192.168.56.101:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 185.196.11.123:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49174 172.67.19.24:443	None	None	None
TLS 1.3 192.168.56.101:49173 163.172.171.111:10943	None	None	None
TLS 1.3 192.168.56.101:49175 212.47.253.124:14433	None	None	None

Snort Alerts

No Snort Alerts