NetWork | ZeroBOX

Network Analysis

IP Address Status Action
147.45.68.138 Active Moloch
Name Response Post-Analysis Lookup
No hosts contacted.
GET 200 http://147.45.68.138/
REQUEST
RESPONSE
POST 200 http://147.45.68.138/
REQUEST
RESPONSE
POST 200 http://147.45.68.138/
REQUEST
RESPONSE
POST 200 http://147.45.68.138/
REQUEST
RESPONSE
POST 200 http://147.45.68.138/
REQUEST
RESPONSE
POST 200 http://147.45.68.138/
REQUEST
RESPONSE
GET 200 http://147.45.68.138/sql.dll
REQUEST
RESPONSE
GET 200 http://147.45.68.138/freebl3.dll
REQUEST
RESPONSE
GET 200 http://147.45.68.138/mozglue.dll
REQUEST
RESPONSE
GET 200 http://147.45.68.138/msvcp140.dll
REQUEST
RESPONSE
GET 200 http://147.45.68.138/softokn3.dll
REQUEST
RESPONSE
GET 200 http://147.45.68.138/vcruntime140.dll
REQUEST
RESPONSE
GET 200 http://147.45.68.138/nss3.dll
REQUEST
RESPONSE

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49166 -> 147.45.68.138:80 2049087 ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST A Network Trojan was detected
TCP 147.45.68.138:80 -> 192.168.56.101:49166 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 147.45.68.138:80 -> 192.168.56.101:49168 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.68.138:80 -> 192.168.56.101:49168 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 147.45.68.138:80 2044303 ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 147.45.68.138:80 -> 192.168.56.101:49167 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.68.138:80 -> 192.168.56.101:49167 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 147.45.68.138:80 -> 192.168.56.101:49167 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 147.45.68.138:80 2044307 ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49168 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 147.45.68.138:80 2044302 ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49168 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 147.45.68.138:80 2044306 ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 192.168.56.101:49168 -> 147.45.68.138:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 147.45.68.138:80 2044305 ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity A suspicious filename was detected
TCP 147.45.68.138:80 -> 192.168.56.101:49166 2051831 ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts