| Time (s) | Packet | Source | Src port | Destination | Dst port | Classification | Category | Signature | Priority |
|---|---|---|---|---|---|---|---|---|---|
| 0.0 | n/a | 185.118.166.155 | 80 | 10.192.1.157 | 49496 | A Network Trojan was detected | ET MALWARE | LokiBot Fake 404 Response | 1 |
| 0.0 | n/a | 185.118.166.155 | 80 | 10.192.1.157 | 49292 | A Network Trojan was detected | ET MALWARE | LokiBot Fake 404 Response | 1 |
| 100.0 | 4098 | 170.231.127.136 | 80 | 10.192.1.157 | 49272 | Potential Corporate Privacy Violation | ET POLICY | PE EXE or DLL Windows file download HTTP | 1 |
| 100.0 | 4098 | 170.231.127.136 | 80 | 10.192.1.157 | 49272 | Potentially Bad Traffic | ET INFO | Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | 2 |
| 933.0 | 7768 | 10.192.1.157 | 49276 | 104.31.92.140 | 80 | Potential Corporate Privacy Violation | ET POLICY | Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | 1 |
| 933.0 | 7768 | 10.192.1.157 | 49276 | 104.31.92.140 | 80 | A Network Trojan was detected | ET HUNTING | SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 | 1 |
| 933.0 | 7768 | 10.192.1.157 | 49276 | 104.31.92.140 | 80 | Misc activity | ET INFO | AutoIt User Agent Executable Request | 3 |
| 933.0 | 7812 | 104.31.92.140 | 80 | 10.192.1.157 | 49276 | Potential Corporate Privacy Violation | ET POLICY | PE EXE or DLL Windows file download HTTP | 1 |
| 942.0 | 14571 | 10.192.1.157 | 58419 | 10.192.1.1 | 53 | Device Retrieving External IP Address Detected | ET INFO | External IP Lookup Domain in DNS Lookup (icanhazip .com) | 2 |
| 942.0 | 14580 | 10.192.1.157 | 49277 | 104.20.17.242 | 80 | Potential Corporate Privacy Violation | ET POLICY | Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | 1 |
| 942.0 | 14580 | 10.192.1.157 | 49277 | 104.20.17.242 | 80 | Attempted Information Leak | ET POLICY | IP Check Domain (icanhazip. com in HTTP Host) | 2 |
| 943.0 | 14587 | 10.192.1.157 | 55958 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 949.0 | 15155 | 10.192.1.157 | 50063 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 956.0 | 15168 | 10.192.1.157 | 49420 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 962.0 | 15183 | 10.192.1.157 | 59447 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 963.0 | 15193 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 963.0 | 15193 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 963.0 | 15198 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 963.0 | 15207 | 10.192.1.157 | 49291 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 963.0 | 15207 | 10.192.1.157 | 49291 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 964.0 | 15213 | 10.192.1.157 | 49291 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 964.0 | 15224 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 964.0 | 15224 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 965.0 | 15229 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M1 | 1 |
| 965.0 | 15229 | 10.192.1.157 | 49292 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M2 | 1 |
| 968.0 | 15237 | 10.192.1.157 | 65222 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET INFO | Observed DNS Query to .biz TLD | 2 |
| 969.0 | 15342 | 37.48.82.212 | 80 | 10.192.1.157 | 49293 | A Network Trojan was detected | ET MALWARE | Zberp/ZeusVM receiving config via image file (steganography) | 1 |
| 969.0 | 15348 | 10.192.1.157 | 54628 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 971.0 | 15383 | 10.192.1.157 | 49298 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) | 1 |
| 971.0 | 15383 | 10.192.1.157 | 49298 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Trojan Generic - POST To gate.php with no referer | 1 |
| 971.0 | 15383 | 10.192.1.157 | 49298 | 37.48.82.212 | 80 | Potentially Bad Traffic | ET MALWARE | Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative) | 2 |
| 973.0 | 15389 | 10.192.1.157 | 58636 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 976.0 | 15391 | 10.192.1.157 | 52452 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 978.0 | 15402 | 10.192.1.157 | 50856 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 983.0 | 15454 | 10.192.1.157 | 64259 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 983.0 | 15457 | 10.192.1.157 | 58595 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 988.0 | 15478 | 10.192.1.157 | 56263 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 989.0 | 15720 | 10.192.1.157 | 58537 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 993.0 | 16005 | 10.192.1.157 | 50145 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 996.0 | 16018 | 10.192.1.157 | 51772 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 998.0 | 16025 | 10.192.1.157 | 59601 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 998.0 | 16028 | 10.192.1.157 | 52333 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1003.0 | 16039 | 10.192.1.157 | 49678 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1003.0 | 16040 | 10.192.1.157 | 60204 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1005.0 | 16050 | 10.192.1.157 | 54488 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1008.0 | 16058 | 10.192.1.157 | 51090 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1010.0 | 16063 | 10.192.1.157 | 57979 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1013.0 | 16080 | 10.192.1.157 | 60267 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1016.0 | 16085 | 10.192.1.157 | 50247 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1018.0 | 16094 | 10.192.1.157 | 63390 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1023.0 | 16101 | 10.192.1.157 | 52997 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1023.0 | 16104 | 10.192.1.157 | 50027 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1025.0 | 16110 | 10.192.1.157 | 63543 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1025.0 | 16122 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1025.0 | 16122 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1026.0 | 16127 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M1 | 1 |
| 1026.0 | 16127 | 10.192.1.157 | 49344 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M2 | 1 |
| 1026.0 | 16129 | 185.118.166.155 | 80 | 10.192.1.157 | 49344 | A Network Trojan was detected | ET MALWARE | LokiBot Fake 404 Response | 1 |
| 1028.0 | 16132 | 10.192.1.157 | 57517 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1030.0 | 16134 | 10.192.1.157 | 51502 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1032.0 | 16159 | 10.192.1.157 | 49349 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) | 1 |
| 1032.0 | 16159 | 10.192.1.157 | 49349 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Trojan Generic - POST To gate.php with no referer | 1 |
| 1034.0 | 16168 | 10.192.1.157 | 51209 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1037.0 | 16170 | 10.192.1.157 | 55505 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1039.0 | 16439 | 10.192.1.157 | 54348 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1041.0 | 16713 | 10.192.1.157 | 49298 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1044.0 | 16734 | 10.192.1.157 | 62546 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1045.0 | 16743 | 10.192.1.157 | 50946 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1049.0 | 16760 | 10.192.1.157 | 62007 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1050.0 | 16766 | 10.192.1.157 | 51963 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1054.0 | 16780 | 10.192.1.157 | 54359 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1054.0 | 16782 | 10.192.1.157 | 59660 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1059.0 | 16812 | 10.192.1.157 | 58719 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1061.0 | 16819 | 10.192.1.157 | 51081 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1064.0 | 16839 | 10.192.1.157 | 65306 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1065.0 | 16845 | 10.192.1.157 | 55899 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1069.0 | 16867 | 10.192.1.157 | 53742 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1070.0 | 16869 | 10.192.1.157 | 58658 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1074.0 | 17132 | 10.192.1.157 | 51177 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1075.0 | 17155 | 10.192.1.157 | 57775 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1077.0 | 17220 | 10.192.1.157 | 61930 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1080.0 | 17250 | 10.192.1.157 | 64747 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1081.0 | 17254 | 10.192.1.157 | 50868 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1085.0 | 17273 | 10.192.1.157 | 50020 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1085.0 | 17276 | 10.192.1.157 | 60559 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1090.0 | 17303 | 10.192.1.157 | 56630 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1090.0 | 17320 | 10.192.1.157 | 58849 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1093.0 | 17683 | 10.192.1.157 | 49446 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) | 1 |
| 1093.0 | 17683 | 10.192.1.157 | 49446 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Trojan Generic - POST To gate.php with no referer | 1 |
| 1095.0 | 17859 | 10.192.1.157 | 53534 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1095.0 | 17866 | 10.192.1.157 | 56341 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1100.0 | 17897 | 10.192.1.157 | 57715 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1100.0 | 17901 | 10.192.1.157 | 49616 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1105.0 | 17931 | 10.192.1.157 | 52341 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1105.0 | 17934 | 10.192.1.157 | 60281 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1110.0 | 17966 | 10.192.1.157 | 63054 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1110.0 | 17969 | 10.192.1.157 | 64369 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1113.0 | 17989 | 10.192.1.157 | 49487 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1113.0 | 17989 | 10.192.1.157 | 49487 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1114.0 | 17996 | 10.192.1.157 | 49487 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 1114.0 | 18005 | 10.192.1.157 | 49491 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1114.0 | 18005 | 10.192.1.157 | 49491 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1115.0 | 18014 | 10.192.1.157 | 49491 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1 |
| 1115.0 | 18026 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot User-Agent (Charon/Inferno) | 1 |
| 1115.0 | 18026 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1 |
| 1115.0 | 18030 | 10.192.1.157 | 55159 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1115.0 | 18033 | 10.192.1.157 | 51372 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2 |
| 1115.0 | 18038 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M1 | 1 |
| 1115.0 | 18038 | 10.192.1.157 | 49496 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Request for C2 Commands Detected M2 | 1 |
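The table above is dominated by repeats (dozens of identical `*.ddns .net` DNS-query alerts, the same LokiBot check-in signatures on successive connections), which hides the actual infection chain: second-stage EXE download, AutoIt-stager download, external IP check, then LokiBot check-in and credential exfiltration, with a parallel Zeus-derivative `gate.php` POST channel. The following script is an added triage example and is not part of the sandbox report or of any tool that produced it. It assumes the column order used in the table (time, packet, source, source port, destination, destination port, classification, category, signature, priority) and takes the victim address `10.192.1.157` from the table; the sample rows embedded in it are a constructed subset of the rows above.

```python
"""Triage a sandbox IDS alert table: collapse repeated signatures per peer
and order external peers by first contact to recover the infection chain."""
from collections import OrderedDict
from dataclasses import dataclass
from ipaddress import ip_address

VICTIM = "10.192.1.157"   # analysed host, taken from the alert table

# Constructed sample: a subset of rows from the alert table, one alert per
# line, pipe-separated, in the table's column order.
SAMPLE = """\
100.0 | 4098 | 170.231.127.136 | 80 | 10.192.1.157 | 49272 | Potential Corporate Privacy Violation | ET POLICY | PE EXE or DLL Windows file download HTTP | 1
933.0 | 7768 | 10.192.1.157 | 49276 | 104.31.92.140 | 80 | Potential Corporate Privacy Violation | ET POLICY | Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile | 1
933.0 | 7812 | 104.31.92.140 | 80 | 10.192.1.157 | 49276 | Potential Corporate Privacy Violation | ET POLICY | PE EXE or DLL Windows file download HTTP | 1
942.0 | 14580 | 10.192.1.157 | 49277 | 104.20.17.242 | 80 | Attempted Information Leak | ET POLICY | IP Check Domain (icanhazip. com in HTTP Host) | 2
943.0 | 14587 | 10.192.1.157 | 55958 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2
949.0 | 15155 | 10.192.1.157 | 50063 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2
963.0 | 15193 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | Malware Command and Control Activity Detected | ET MALWARE | LokiBot Checkin | 1
963.0 | 15198 | 10.192.1.157 | 49288 | 185.118.166.155 | 80 | A Network Trojan was detected | ET MALWARE | LokiBot Application/Credential Data Exfiltration Detected M1 | 1
971.0 | 15383 | 10.192.1.157 | 49298 | 37.48.82.212 | 80 | A Network Trojan was detected | ET MALWARE | Trojan Generic - POST To gate.php with no referer | 1
1026.0 | 16129 | 185.118.166.155 | 80 | 10.192.1.157 | 49344 | A Network Trojan was detected | ET MALWARE | LokiBot Fake 404 Response | 1
1115.0 | 18030 | 10.192.1.157 | 55159 | 10.192.1.1 | 53 | Potentially Bad Traffic | ET POLICY | DNS Query to DynDNS Domain *.ddns .net | 2
"""


@dataclass(frozen=True)
class Alert:
    t: float            # seconds since start of capture
    packet: str         # frame number, or "n/a" when the report has none
    src: str
    sport: int
    dst: str
    dport: int
    classification: str
    category: str       # ET rule set, e.g. "ET MALWARE"
    signature: str
    priority: int       # Snort/Suricata classtype priority, 1 = highest


def parse_alerts(text):
    """Parse pipe-separated rows; rows without exactly 10 cells are skipped."""
    alerts = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 10:
            continue
        t, pkt, src, sport, dst, dport, cls, cat, sig, prio = cells
        alerts.append(Alert(float(t), pkt, src, int(sport), dst, int(dport),
                            cls, cat, sig, int(prio)))
    return alerts


def peer(alert, victim=VICTIM):
    """The non-victim endpoint of the flow, regardless of alert direction."""
    return alert.dst if alert.src == victim else alert.src


def collapse(alerts, victim=VICTIM):
    """Group alerts by (peer, signature) with count, first/last seen and
    the best (lowest) priority, preserving first-seen order."""
    groups = OrderedDict()
    for a in sorted(alerts, key=lambda x: x.t):   # stable: keeps packet order on ties
        key = (peer(a, victim), a.signature)
        g = groups.setdefault(key, {"peer": key[0], "category": a.category,
                                    "signature": a.signature, "count": 0,
                                    "first": a.t, "last": a.t, "priority": a.priority})
        g["count"] += 1
        g["last"] = max(g["last"], a.t)
        g["priority"] = min(g["priority"], a.priority)
    return list(groups.values())


def infection_chain(alerts, victim=VICTIM):
    """External peers in order of first contact, each with the time and
    signature that first flagged it. Private peers (the local resolver) are
    dropped, since they only relay the lookups rather than serve the payload."""
    seen = OrderedDict()
    for a in sorted(alerts, key=lambda x: x.t):
        p = peer(a, victim)
        if ip_address(p).is_private:
            continue
        seen.setdefault(p, (a.t, a.category, a.signature))
    return [(p, t, cat, sig) for p, (t, cat, sig) in seen.items()]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE)
    print("== infection chain (external peers by first contact) ==")
    for p, t, cat, sig in infection_chain(alerts):
        print(f"{t:8.1f}s  {p:<16} {cat:<11} {sig}")
    print("\n== collapsed alerts ==")
    for g in collapse(alerts):
        print(f"{g['first']:8.1f}-{g['last']:<8.1f} x{g['count']:<3} prio {g['priority']}  "
              f"{g['peer']:<16} {g['signature']}")
```

Run against the full table instead of the sample, the `collapse` view reduces the sixty-odd `*.ddns .net` rows to a single line with a count and a time span, which is the number an analyst actually wants (a beaconing resolver loop that never stops), while `infection_chain` yields the delivery host, the AutoIt stager host, the IP-check service, the LokiBot C2 and the Zeus-derivative gate in the order the host touched them.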