NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.166.140.9	Active	Moloch
185.215.113.67	Active	Moloch
3.5.29.22	Active	Moloch

Name	Response	Post-Analysis Lookup
bitbucket.org	A 185.166.140.8 A 185.166.140.9 A 185.166.140.7	185.166.140.7
bbuseruploads.s3.amazonaws.com	A 16.182.106.105 A 3.5.25.42 A 3.5.3.139 A 3.5.7.110 A 16.182.71.193 A 54.231.199.25 CNAME s3-1-w.amazonaws.com A 3.5.29.22 CNAME s3-w.us-east-1.amazonaws.com A 52.217.160.49	54.231.231.113

TCP Requests

UDP Requests

GET 302 https://bitbucket.org/cloudappsoftware/vsc/downloads/GlitchClipper.exe

HTTP/1.1 302 Found Date: Sun, 11 Aug 2024 05:57:45 GMT Content-Type: text/html; charset=utf-8 Content-Length: 0 Server: AtlassianEdge Location: https://bbuseruploads.s3.amazonaws.com/0046344b-dbc7-4633-ba53-858e97e1e5e3/downloads/e035ed78-1bf0-4b5e-b1b5-5452a9c00962/GlitchClipper.exe?response-content-disposition=attachment%3B%20filename%3D%22GlitchClipper.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNACKCQR3&Signature=0WJdjhH0SzZbZrg4qmi8SZhFZ1c%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJGMEQCIEk%2BARBMnCUmBc%2B4pE%2FLa%2FXufm9B9egBuQycdCg0PqkwAiB%2FJLKBV7ZCeo6kUBQVydv1ivbUl3CHG7AFwB5Ve1dCDCqnAghvEAAaDDk4NDUyNTEwMTE0NiIMOVl5UzuIlAe9MITSKoQCVVtkn%2FpUoHlSF02oe4h2lTomBpfefAEuKnNpHAuBWN7prPQgMTqVZWNuxiUYi1unMhcX2MkjGlQ4VbMWl7v0XjUEneW8uXb3jjfbwjBpUu9%2FehfDZcef8pKMqekxlnv7uYSkEUIqP7%2FxJKYRxxNYkQgfMBtOIMlNk2D0XzSI0jaeRzup4oYiGftG6Y62slfk4MfdNZ4Fr0fmaicEs%2FVc6X2UkwpF%2FYlfORUKcjK1Oc%2BzjmQDyjw4IVi7N6%2FfR0UKtOnQ58AOpnyt1jeZe3V3I1ajPYwFppy2QHHWYbuI49pGZGqy1%2BNIIgPHME5oVe4FJPKixo3xpnPL3OXsaW31abikMj0wkqDhtQY6ngEuq0NPpIJ4eoRobfM450Na17ef9eAvuAhiGVozXMuLABm9hdgvUUFB2x6r2%2BVsNi7xP9DvAXE5f1tArFGJjVEs8wwsJVM%2BtqfacjbOLG8Dh1EyJfGJjgom65rQfHPRPyDA6UamyxSfg9WC9zkEq4nZwz2Wm3mc3k6cLzQfk8Mr6HumakVxDKW4UAqaYDtFt%2BzVIEkRzKYcxiogT%2FvSMA%3D%3D&Expires=1723356954 Expires: Sun, 11 Aug 2024 05:57:45 GMT Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private X-Used-Mesh: False Vary: Accept-Language, Origin Content-Language: en X-View-Name: bitbucket.apps.downloads.views.download_file X-Dc-Location: Micros-3 X-Served-By: 07e2497f71cc X-Version: e919bc9cc4d0 X-Static-Version: e919bc9cc4d0 X-Request-Count: 1005 X-Render-Time: 0.036920785903930664 X-B3-Traceid: 68b01fd92a434ff5ac7ef417a97a8bb3 X-B3-Spanid: 2c529598b7dfb5f8 X-Frame-Options: SAMEORIGIN Content-Security-Policy: base-uri 'self'; script-src 'unsafe-eval' 'strict-dynamic' 'unsafe-inline' 'self' http: https: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net https://remote-app-switcher.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; object-src 'none'; frame-ancestors 'self' start.atlassian.com start.stg.atlassian.com atlaskit.atlassian.com bitbucket.org; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: *; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.prod.public.atl-paas.net as.atlassian.com api-private.stg.atlassian.com api-private.atlassian.com xp.atlassian.com atl-global.atlassian.com cofs.staging.public.atl-paas.net cofs.prod.public.atl-paas.net fd-assets.prod.atl-paas.net flight-deck-assets-bifrost.prod-east.frontend.public.atl-paas.net intake.opbeat.com api.media.atlassian.com api.segment.io xid.statuspage.io xid.atlassian.com xid.sourcetreeapp.com bam.nr-data.net bam-cell.nr-data.net www.google-analytics.com sentry.io *.ingest.sentry.io events.launchdarkly.com app.launchdarkly.com statsigapi.net fd-config.us-east-1.prod.public.atl-paas.net fd-config-bifrost.prod-east.frontend.public.atl-paas.net micros--prod-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--prod-east--bitbucketci-file-service--files.s3.amazonaws.com micros--stg-west--bitbucketci-file-service--files.s3.us-west-1.amazonaws.com micros--stg-east--bitbucketci-file-service--files.s3.amazonaws.com micros--ddev-west--bitbucketci-file-service--files.s3.ap-southeast-2.amazonaws.com bqlf8qjztdtr.statuspage.io https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/; report-uri https://web-security-reports.services.atlassian.com/csp-report/bb-website X-Usage-Quota-Remaining: 999339.052 X-Usage-Request-Cost: 672.07 X-Usage-User-Time: 0.020162 X-Usage-System-Time: 0.000000 X-Usage-Input-Ops: 0 X-Usage-Output-Ops: 0 Age: 0 X-Cache: MISS X-Content-Type-Options: nosniff X-Xss-Protection: 1; mode=block Atl-Traceid: 68b01fd92a434ff5ac7ef417a97a8bb3 Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600} Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

GET 200 https://bbuseruploads.s3.amazonaws.com/0046344b-dbc7-4633-ba53-858e97e1e5e3/downloads/e035ed78-1bf0-4b5e-b1b5-5452a9c00962/GlitchClipper.exe?response-content-disposition=attachment%3B%20filename%3D%22GlitchClipper.exe%22&AWSAccessKeyId=ASIA6KOSE3BNNACKCQR3&Signature=0WJdjhH0SzZbZrg4qmi8SZhFZ1c%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJGMEQCIEk%2BARBMnCUmBc%2B4pE%2FLa%2FXufm9B9egBuQycdCg0PqkwAiB%2FJLKBV7ZCeo6kUBQVydv1ivbUl3CHG7AFwB5Ve1dCDCqnAghvEAAaDDk4NDUyNTEwMTE0NiIMOVl5UzuIlAe9MITSKoQCVVtkn%2FpUoHlSF02oe4h2lTomBpfefAEuKnNpHAuBWN7prPQgMTqVZWNuxiUYi1unMhcX2MkjGlQ4VbMWl7v0XjUEneW8uXb3jjfbwjBpUu9%2FehfDZcef8pKMqekxlnv7uYSkEUIqP7%2FxJKYRxxNYkQgfMBtOIMlNk2D0XzSI0jaeRzup4oYiGftG6Y62slfk4MfdNZ4Fr0fmaicEs%2FVc6X2UkwpF%2FYlfORUKcjK1Oc%2BzjmQDyjw4IVi7N6%2FfR0UKtOnQ58AOpnyt1jeZe3V3I1ajPYwFppy2QHHWYbuI49pGZGqy1%2BNIIgPHME5oVe4FJPKixo3xpnPL3OXsaW31abikMj0wkqDhtQY6ngEuq0NPpIJ4eoRobfM450Na17ef9eAvuAhiGVozXMuLABm9hdgvUUFB2x6r2%2BVsNi7xP9DvAXE5f1tArFGJjVEs8wwsJVM%2BtqfacjbOLG8Dh1EyJfGJjgom65rQfHPRPyDA6UamyxSfg9WC9zkEq4nZwz2Wm3mc3k6cLzQfk8Mr6HumakVxDKW4UAqaYDtFt%2BzVIEkRzKYcxiogT%2FvSMA%3D%3D&Expires=1723356954

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.67:21405 -> 192.168.56.101:49163	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.67:21405 -> 192.168.56.101:49163	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.67:21405 -> 192.168.56.101:49163	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49165 -> 185.166.140.9:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 3.5.29.22:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49163 -> 185.215.113.67:21405	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.101:49165 185.166.140.9:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian US, Inc., CN=bitbucket.org	2a:b7:65:d0:f2:15:5d:a9:32:63:6f:1b:9d:6a:14:0b:b8:63:a1:17
TLS 1.2 192.168.56.101:49166 3.5.29.22:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.s3.amazonaws.com	57:fe:c9:73:13:31:ca:2c:91:7f:05:c3:3b:16:ff:3f:1b:d8:7d:e2

Snort Alerts

No Snort Alerts