NetWork | ZeroBOX

Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.29 05:04
tomcaterror.bmpqoq
04.29 04:04
qoq.ps1
04.29 04:04
Important_Document.pdf...
04.29 04:04
dllbase64reverse.txt.exe
04.29 10:04
RuntimeBroker.exe
04.29 10:04
2555d50c-0b7e-4aa3-8d8...
04.29 10:04
csr.bin
04.29 10:04
test.exe
04.29 10:04
FreePhotoShop%20Meme%2...
04.29 10:04
discord.exe

Latest News
04.29 10:04
Uncovering MintsLoader...
04.29 10:04
Blinded from Above: Ho...
04.29 10:04
Midea Reports Strong R...
04.29 10:04
Global Manufacturing L...
04.29 10:04
Threat Actors Accelera...
04.29 10:04
Millions of Apple Airp...
04.29 10:04
From Stocks to Dollar,...
04.29 10:04
[NEU] [hoch] Redmine.o...
04.29 10:04
Making Security Invisi...
04.29 09:04
Pro-Russian hackers st...

NetWork | ZeroBOX

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.75.172	Active	Moloch
208.67.222.222	Active	Moloch
35.186.245.55	Active	Moloch
94.131.105.161	Active	Moloch
194.59.218.160	Active	Moloch

Name	Response	Post-Analysis Lookup
api.ip.sb	CNAME api.ip.sb.cdn.cloudflare.net A 104.26.13.31 A 104.26.12.31 A 172.67.75.172	172.67.75.172
myip.opendns.com	A 175.208.134.152
yello9erylanguage.gromovananii199.repl.co	A 35.186.245.55	35.186.245.55
resolver1.opendns.com	A 208.67.222.222	208.67.222.222
222.222.67.208.in-addr.arpa	PTR dns.umbrella.com PTR dns.opendns.com PTR resolver1.opendns.com
myip.opendns.com

TCP Requests

UDP Requests

GET 200 https://api.ip.sb/geoip

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 94.131.105.161:1337 -> 192.168.56.101:49165	2045000	ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 172.67.75.172:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 94.131.105.161:1337 -> 192.168.56.101:49165	2045001	ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound	A Network Trojan was detected
TCP 192.168.56.101:49214 -> 35.186.245.55:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:53007 -> 208.67.222.222:53	2023472	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)	Device Retrieving External IP Address Detected
UDP 192.168.56.101:53006 -> 208.67.222.222:53	2023472	ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)	Device Retrieving External IP Address Detected
TCP 94.131.105.161:1337 -> 192.168.56.101:49165	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode
TCP 192.168.56.101:49212 -> 94.131.105.161:57661	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 94.131.105.161:57661 -> 192.168.56.101:49212	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.131.105.161:57661 -> 192.168.56.101:49212	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 94.131.105.161:57661 -> 192.168.56.101:49212	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 94.131.105.161:1337 -> 192.168.56.101:49165	2221010	SURICATA HTTP unable to match response to request	Generic Protocol Command Decode

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49166 172.67.75.172:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	53:56:0b:3a:91:49:7f:18:59:87:21:98:d3:7f:98:0b:b4:ae:cb:cc
TLS 1.2 192.168.56.101:49214 35.186.245.55:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=gromovananii199.repl.co	36:65:d3:d8:40:79:65:2a:c8:25:78:9d:48:cd:44:6a:65:4d:cb:c0

Snort Alerts

No Snort Alerts