NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.02 08:07
log2.exe
07.02 08:07
log1.exe
07.02 07:07
svchost.exe
07.02 07:07
asec.exe
07.02 07:07
kdmapper.exe
07.02 07:07
buildcr.exe
07.02 07:07
csrss.exe
07.02 07:07
IHBHXXQF.exe
07.02 07:07
snukingorig2.5.exe
07.02 07:07
igccu.exe

Latest News
07.02 08:07
Infostealers on the Ri...
07.02 07:07
A Playbook for Detecti...
07.02 07:07
The Evolution of Phish...
07.02 07:07
CISA Report Finds Most...
07.02 06:07
Cyber A.I. Group Annou...
07.02 06:07
Despite adoption hurdl...
07.02 06:07
The importance of inte...
07.02 06:07
regreSSHion: Critical ...
07.02 06:07
ポルシェカレラカップブラジル、Microso...
07.02 06:07
Celebrate Repair Indep...

NetWork | ZeroBOX

IP Address	Status	Action
104.192.141.1	Active	Moloch
104.26.13.31	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.153.198.36	Active	Moloch
52.216.30.156	Active	Moloch
74.119.193.164	Active	Moloch

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1
bbuseruploads.s3.amazonaws.com	CNAME s3-1-w.amazonaws.com A 52.216.30.156	52.216.152.244
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	104.26.13.31

TCP Requests

UDP Requests

GET 200 https://api.ip.sb/geoip

GET 302 https://bitbucket.org/mminminminmin05/testtest/downloads/coohom.exe

GET 200 https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/63bdc9c9-25c5-4481-bdd4-24e8b322c041/coohom.exe?Signature=3v5pHGYDnTWICGm2HBSijwU5Vm4%3D&Expires=1616404050&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=vbsVworim5F6JZGDNseQH1r3xUaTZ3Gj&response-content-disposition=attachment%3B%20filename%3D%22coohom.exe%22

GET 302 https://bitbucket.org/mminminminmin05/testtest/downloads/clr.exe

GET 200 https://bbuseruploads.s3.amazonaws.com/17d04c6a-c1d1-40c0-985a-f0740a053130/downloads/f827393c-b39f-450b-8854-d15458efc0cd/clr.exe?Signature=iv2dAOS7O5uDtcuy6pQLlA38CIQ%3D&Expires=1616403908&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=navAx2o.B364539FO2C5fA3kQTj_uTIH&response-content-disposition=attachment%3B%20filename%3D%22clr.exe%22

GET 200 https://api.ip.sb/geoip

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49811 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49818 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49819 -> 52.216.30.156:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49832 -> 104.26.13.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.153.198.36:10202 -> 192.168.56.102:49810	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.153.198.36:10202 -> 192.168.56.102:49810	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 185.153.198.36:10202 -> 192.168.56.102:49810	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 74.119.193.164:3214 -> 192.168.56.102:49831	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49811 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e
TLS 1.2 192.168.56.102:49818 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=Private Organization, unknown=US, unknown=Delaware, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian, Inc., OU=Bitbucket, CN=bitbucket.org	4e:6a:4c:3b:82:15:ef:df:97:38:5e:50:ef:b9:86:42:84:3b:89:f0
TLS 1.2 192.168.56.102:49819 52.216.30.156:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2	C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=*.s3.amazonaws.com	90:e0:af:dc:fa:f7:0b:ac:50:bb:fa:43:e1:ec:e2:3d:ce:91:90:47
TLSv1 192.168.56.102:49832 104.26.13.31:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	5e:7d:19:2d:d7:66:0c:63:45:a5:24:8f:b7:db:35:a7:61:6d:89:0e

Snort Alerts

No Snort Alerts