IP Address: 152.175.37.91 - Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

Successful SSH Login, Download and Allow Execution, Download and Execute, Malicious File, Outgoing Connection, 10 Shell Commands, Access Suspicious Domain, Listening, Service Configuration, SSH Brute Force, Scheduled Task Creation, SSH Download Operation

Connect Back Servers

ip-54-39-23.net (54.39.23.28)

ip-51-254-221.eu (51.254.221.129)

Basic Information

IP Address

152.175.37.91

Domain

-

ISP

Movistar Movil Chile

Country

Chile

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-05-04

Last seen in Guardicore Centra

2018-05-04

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List (Part of a Brute Force Attempt)

Successful SSH Login, SSH Brute Force

Process /usr/bin/wget generated outgoing network traffic to: 54.39.23.28:80 3 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-54-39-23.net 3 times

Outgoing Connection, Access Suspicious Domain

Process /usr/bin/wget generated outgoing network traffic to: 51.254.221.129:80 11 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-254-221.eu 11 times

Outgoing Connection, Access Suspicious Domain

The file /tmp/cron was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/tfti was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/pftp was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/ntpd was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/sshd was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/bash was downloaded and executed 40 times

Download and Execute

Process /tmp/bash started listening on ports: 61000

Listening

The file /usr/local/bin/dash was downloaded and executed

Download and Execute

The file /tmp/pty was downloaded and executed

Download and Execute

The file /tmp/shy was downloaded and executed

Download and Execute

The file /tmp/nsshtfti was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/2sh was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/nsshcron was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/nsshpftp was downloaded and granted execution privileges

Download and Allow Execution

/tmp/loop2 was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections

Malicious File

/var/tmp/bash was identified as malicious by YARA according to rules: Malw Pe Sections

Malicious File

/tmp/pftp was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections

Malicious File

/tmp/bash was identified as malicious by YARA according to rules: Malw Pe Sections

Malicious File

/tmp/tfti was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections

Malicious File

/tmp/shy was identified as malicious by YARA according to rules: Malw Pe Sections

Malicious File

/tmp/pty was identified as malicious by YARA according to rules: Malw Pe Sections

Malicious File

/tmp/loop3 was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections

Malicious File

/tmp/loop1 was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections

Malicious File

/tmp/cron was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections

Malicious File

Connection was closed due to user inactivity

Associated Files

/tmp/cron

SHA256: f12aa6748543fde5d3b6f882418035634d559fc4ab222d6cfb399fd659b5e34f

946684 bytes

/tmp/tfti

SHA256: c937caa3b2e6cbf2cc67d02639751c320c8832047ff3b7ad5783e0fd9c2d7bae

789436 bytes

/tmp/pftp

SHA256: cfc82255b7e75da9cd01cffdfd671ccf6fafaa3f705041d383149c1191d8bdff

941492 bytes

/tmp/ntpd

SHA256: e2267edd2b70b5f42a2da942fa47cca98e745f2f2ff8f3bbf7baf8b1331c1a89

39168 bytes

/tmp/sshd

SHA256: 5477129edd21ce219e2a8ecf4c0930532c73417702215f5813c437f66c8b0299

39064 bytes

/tmp/bash

SHA256: 5f2b198701ce619c6af308bcf3cdb2ef36ad2a5a01b9d9b757de1b066070dad7

38948 bytes

/tmp/pty

SHA256: 5e8398c89631ea8d9e776ec9bdd6348cb32a77b300ab8b4ead1860a6a1e50be7

36140 bytes

/tmp/shy

SHA256: 948ef8732346e136320813aade0737540ef498945c1ea14f26a2677e4d64fdee

35772 bytes

/tmp/nsshtfti

SHA256: d4fba221b1a706dd3c617e33077d1072b37b2702c3235d342d94abfd032ba5f8

47988 bytes

/tmp/nsshcron

SHA256: 2cfa79ce4059bbc5798f6856cf82af7fce1d161d6ef398c07f01a010ba5299ea

45904 bytes

/tmp/nsshpftp

SHA256: 3ca8c549357d6121b96256715709bccf16a249dcc45bad482f6c8123fc75642f

45736 bytes
