NetWork | ZeroBOX

Network Analysis

| IP Address | Status | Action |
| --- | --- | --- |
| 104.20.3.235 | Active | Moloch |
| 104.21.19.3 | Active | Moloch |
| 104.26.2.16 | Active | Moloch |
| 141.94.96.71 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 83.168.108.45 | Active | Moloch |

No traffic

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

| Flow | SID | Signature | Category |
| --- | --- | --- | --- |
| TCP 192.168.56.103:49164 -> 104.26.2.16:443 | 2044865 | ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI) | Misc activity |
| TCP 192.168.56.103:49164 -> 104.26.2.16:443 | 906200068 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) | undefined |
| UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2047928 | ET MALWARE CoinMiner Domain in DNS Lookup (pool .supportxmr .com) | Crypto Currency Mining Activity Detected |
| UDP 192.168.56.103:62576 -> 164.124.101.2:53 | 2014169 | ET DNS Query for .su TLD (Soviet Union) Often Malware Related | Potentially Bad Traffic |
| UDP 192.168.56.103:50800 -> 164.124.101.2:53 | 2044864 | ET INFO Pastebin Service Domain in DNS Lookup (rentry .co) | Misc activity |
| TCP 192.168.56.103:49165 -> 83.168.108.45:443 | 2038806 | ET INFO Observed Pastebin-style Service Domain (justpaste .it) in TLS SNI | Misc activity |
| TCP 192.168.56.103:49165 -> 83.168.108.45:443 | 906200068 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) | undefined |
| TCP 192.168.56.103:49165 -> 83.168.108.45:443 | 2038806 | ET INFO Observed Pastebin-style Service Domain (justpaste .it) in TLS SNI | Misc activity |
| UDP 192.168.56.103:64894 -> 164.124.101.2:53 | 2038805 | ET INFO Observed DNS Query to Pastebin-style Service (justpaste .it) | Misc activity |
| TCP 192.168.56.103:49166 -> 104.20.3.235:443 | 906200068 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) | undefined |
| TCP 192.168.56.103:49167 -> 104.21.19.3:443 | 906200068 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner) | undefined |

Suricata TLS

| Flow | Issuer | Subject | Fingerprint |
| --- | --- | --- | --- |
| TLS 1.2 192.168.56.103:49163 -> 141.94.96.71:443 | C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool | C=IT, ST=Pool, L=Daemon, O=Mining Pool, CN=mining.pool | 03:77:e8:c9:9c:cd:15:56:b7:2d:35:fc:01:90:83:6c:b5:42:f6:d0 |
| TLS 1.3 192.168.56.103:49164 -> 104.26.2.16:443 | None | None | None |
| TLS 1.3 192.168.56.103:49165 -> 83.168.108.45:443 | None | None | None |
| TLS 1.3 192.168.56.103:49166 -> 104.20.3.235:443 | None | None | None |
| TLS 1.3 192.168.56.103:49167 -> 104.21.19.3:443 | None | None | None |

Snort Alerts

No Snort Alerts