NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.19 02:09
66ea645129e6a_jacobs.exe
09.19 11:09
clip64.dll
09.19 11:09
cred64.dll
09.19 10:09
vsfdajg16.exe
09.19 10:09
QuickBooks_Setup.msi
09.19 10:09
QuickBooks_Desktop_Set...
09.19 10:09
game.exe
09.19 10:09
vlsadg.exe
09.19 10:09
lnfsda.exe
09.19 10:09
66eaadab755d2_installs...

Latest News
09.20 07:09
Unravelling the World ...
09.20 07:09
European, Latin Americ...
09.20 07:09
OpenAI to Decide Which...
09.20 07:09
September 20, 2024
09.20 06:09
Stocks Hit Highs and A...
09.20 06:09
Fake GitHub Site Targe...
09.20 06:09
Vanilla Tempest levera...
09.20 06:09
Exploding Pagers Sound...
09.20 06:09
The time I almost got ...
09.20 05:09
High-risk vulnerabilit...

NetWork | ZeroBOX

IP Address	Status	Action
104.26.12.31	Active	Moloch
147.45.47.81	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.22	Active	Moloch

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.12.31

TCP Requests

UDP Requests

GET 200 https://api.ip.sb/ip

GET 200 http://147.45.47.81/conhost.exe

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.22:80 -> 192.168.56.103:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 104.26.12.31:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.22:80 -> 192.168.56.103:49165	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49170 -> 147.45.47.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 147.45.47.81:80 -> 192.168.56.103:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 185.215.113.22:80	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49167 104.26.12.31:443	C=US, O=Google Trust Services, CN=WR1	CN=api.ip.sb	67:55:9d:38:46:36:29:e0:23:80:8c:58:24:25:99:c3:60:63:b7:0f

Snort Alerts

No Snort Alerts