IP Address: 185.244.25.136 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH, HTTP

Tags

Shell Commands, HTTP, Download File, Download and Execute, Download and Allow Execution, Outgoing Connection, SSH, Successful SSH Login, Malicious File, Download Operation

Connect Back Servers

xmr.pool.minergate.com, your-server.de

40.117.44.182, 52.166.70.254, 104.46.40.157, 185.244.25.134, 13.93.93.21, 104.43.223.89, 40.77.30.74, 78.46.23.253, 40.121.222.121, 168.63.109.146, 185.244.25.217, 52.233.143.163, 52.176.45.217, 52.176.107.216, 40.77.24.190, 168.63.110.59, 52.173.137.160, 13.82.25.160, 137.135.80.180, 52.232.107.2, 40.77.30.223, 78.46.49.212, 52.173.74.71, 168.63.109.62, 52.168.38.28, 40.68.123.235, 52.186.120.217, 206.189.0.110, 52.173.88.213, 52.166.58.57

Basic Information

IP Address

185.244.25.136

Domain

-

ISP

KV Solutions B.V.

Country

Netherlands

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-05-13

Last seen in Guardicore Centra

2019-09-24

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget generated outgoing network traffic to 206.189.0.110:80 (5 times)

Outgoing Connection

The file /tmp/bins.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/earyzq was downloaded and granted execution privileges

Download and Allow Execution

/tmp/earyzq was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

The file /tmp/cemtop was downloaded and granted execution privileges

Download and Allow Execution

/tmp/cemtop was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

The file /tmp/vtyhat was downloaded and granted execution privileges

Download and Allow Execution

/tmp/vtyhat was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

The file /tmp/vvglma was downloaded and executed

Download and Execute

Connection was closed due to user inactivity

/tmp/vvglma was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File
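The flow above is a sequence of host events: a root SSH login, repeated wget connections to one server, files dropped into /tmp and either made executable or executed, and a YARA verdict on each. The following added example, written for this page and not Guardicore Centra's code, re-derives those tags from constructed host telemetry. The event schema, the downloader list, the sample file contents and the string list standing in for the page's "Suspicious Strings" YARA rule are all assumptions made for the example.

```python
"""Re-create the tagging of the attack flow above over constructed host
telemetry. Added illustration, not Guardicore Centra code: the event schema,
the downloader list and the string list standing in for the page's YARA
"Suspicious Strings" rule are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List

# Staging directories used by every dropper in the flow above (world-writable).
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Processes whose writes count as "downloads" (assumption).
DOWNLOADERS = ("/usr/bin/wget", "/usr/bin/curl")
# Stand-in for the YARA rule; the real rule's strings are not on the page.
SUSPICIOUS_STRINGS = (b"/bin/busybox", b"chmod 777", b"xmrig", b"stratum+tcp://")


@dataclass
class Event:
    kind: str             # ssh_login | net_connect | file_write | chmod | exec
    path: str = ""        # file path, or process path for net_connect
    proc: str = ""        # process performing a file_write
    user: str = ""        # ssh_login
    dst: str = ""         # "ip:port" for net_connect
    mode: int = 0         # new mode for chmod
    content: bytes = b""  # file bytes for file_write (constructed here)
    success: bool = True  # ssh_login outcome


def is_suspicious(content: bytes) -> bool:
    return any(s in content for s in SUSPICIOUS_STRINGS)


def analyze(events: List[Event]) -> Dict[str, object]:
    """Walk events in order and emit tags in the page's vocabulary."""
    tags: List[str] = []
    downloaded: Dict[str, bytes] = {}   # files written by a downloader into a staging dir
    outgoing: Dict[str, int] = {}       # dst -> connection count
    malicious: List[str] = []

    def flag_malicious(path: str) -> None:
        tag = f"Malicious File {path}"
        if path in malicious and tag not in tags:
            tags.append(tag)

    for ev in events:
        if ev.kind == "ssh_login" and ev.success:
            tags.append(f"Successful SSH Login {ev.user}")
        elif ev.kind == "net_connect" and ev.path in DOWNLOADERS:
            outgoing[ev.dst] = outgoing.get(ev.dst, 0) + 1
            if outgoing[ev.dst] == 1:
                tags.append(f"Outgoing Connection {ev.path} -> {ev.dst}")
        elif ev.kind == "file_write" and ev.proc in DOWNLOADERS and ev.path.startswith(DROP_DIRS):
            downloaded[ev.path] = ev.content
            if is_suspicious(ev.content):
                malicious.append(ev.path)
        elif ev.kind == "chmod" and ev.path in downloaded and ev.mode & 0o111:
            tags.append(f"Download and Allow Execution {ev.path}")
            flag_malicious(ev.path)
        elif ev.kind == "exec" and ev.path in downloaded:
            tags.append(f"Download and Execute {ev.path}")
            flag_malicious(ev.path)
    return {"tags": tags, "outgoing": outgoing, "malicious": malicious}


SAMPLE_EVENTS = [  # constructed to mirror the flow above; file contents are invented
    Event("ssh_login", user="root"),
    *[Event("net_connect", path="/usr/bin/wget", dst="206.189.0.110:80") for _ in range(5)],
    Event("file_write", path="/tmp/bins.sh", proc="/usr/bin/wget",
          content=b"#!/bin/sh\ncd /tmp || cd /var/tmp\n./earyzq\n"),
    Event("chmod", path="/tmp/bins.sh", mode=0o777),
    Event("exec", path="/tmp/bins.sh"),
    Event("file_write", path="/tmp/earyzq", proc="/usr/bin/wget",
          content=b"\x7fELF" + b"\x00" * 16 + b"/bin/busybox"),
    Event("chmod", path="/tmp/earyzq", mode=0o777),
    Event("file_write", path="/tmp/vvglma", proc="/usr/bin/wget",
          content=b"\x7fELF" + b"\x00" * 16 + b"stratum+tcp://"),
    Event("exec", path="/tmp/vvglma"),
    # Benign write by an editor outside the staging dirs: must produce no tag.
    Event("file_write", path="/home/admin/notes.txt", proc="/usr/bin/vim", content=b"todo"),
]

if __name__ == "__main__":
    for tag in analyze(SAMPLE_EVENTS)["tags"]:
        print(tag)
```

Two design points carry over to real telemetry: a file only counts as "downloaded" when the writing process is a downloader and the path is in a staging directory, which keeps routine writes out of the chain, and the "Malicious File" verdict is attached to the chmod or exec step that follows the write, matching where the page places it. Replace the string list with real YARA before relying on the verdict; it is a placeholder here.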

Associated Files

/tmp/loligang.x86.2

SHA256: 4362dd7a0f94d5aec5f4066179c48ef844727fe65c5a5fe42f1ff432badb09d8

66136 bytes

/tmp/bins.sh

SHA256: 4fb8fa7a126aec17488abf3b62feecda0ae87dbc099286702dd246e4b4fcb700

1702 bytes

/tmp/earyzq

SHA256: d94169d8864c747a20f4505e49b08ca7dffd9b0587ea0155cc56d01437ff9dbe

240420 bytes

/tmp/cemtop

SHA256: 314d0163359b3cc1976191492c09b5e506fce1169f91ff433d1fba420f6e2bc9

240420 bytes

/tmp/vtyhat

SHA256: ced55f91e98d250b826d435b2c3653c631f8119623c3e34106c821c0828d6816

171645 bytes

/tmp/vvglma

SHA256: c7705ed52e5d393a9e27e696b2c4581cec7c93662984151ab896e175bfe83cc8

175488 bytes

/var/tmp/xmr.zip

SHA256: 452d7d1f3f0a6c43c620414bf29e1069714a048be6906e12f66a81769a2ef626

745974 bytes

/var/tmp/xmr/xmrig64

SHA256: f6036209fb853abeae000802cbd724fcc4bf6e8586a299a1459f87f46c23d2ad

745544 bytes

/etc/rc.local

SHA256: 3df9e271d125c212135964601e91fe57514dc35dd8fca543f7414d4d687440e3

356 bytes

/tmp/8UsA.sh

SHA256: 4f2f8cbdc52fa67f6ffeae4769d9f9dab0eb9de93761fee2883722f8e4896e38

2090 bytes
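The hashes, paths and connect-back servers on this page are directly usable as indicators. The following added example, not Guardicore code, loads them and runs constructed `sha256sum` output and connection-log lines against them. The log formats, the relocated copy of xmrig64 in the sample, and the six-letter-name heuristic for the droppers are assumptions made for the example, not something the page states.

```python
"""Match host and network telemetry against the indicators listed on this
page. Added example, not Guardicore code. The `sha256sum` output and the
connection-log lines below are constructed; the dropper-name heuristic is an
assumption, not something the page states."""
import re
from typing import Dict, Iterable, List

# SHA256 -> original path, copied from the Associated Files list above.
KNOWN_HASHES = {
    "4362dd7a0f94d5aec5f4066179c48ef844727fe65c5a5fe42f1ff432badb09d8": "/tmp/loligang.x86.2",
    "4fb8fa7a126aec17488abf3b62feecda0ae87dbc099286702dd246e4b4fcb700": "/tmp/bins.sh",
    "d94169d8864c747a20f4505e49b08ca7dffd9b0587ea0155cc56d01437ff9dbe": "/tmp/earyzq",
    "314d0163359b3cc1976191492c09b5e506fce1169f91ff433d1fba420f6e2bc9": "/tmp/cemtop",
    "ced55f91e98d250b826d435b2c3653c631f8119623c3e34106c821c0828d6816": "/tmp/vtyhat",
    "c7705ed52e5d393a9e27e696b2c4581cec7c93662984151ab896e175bfe83cc8": "/tmp/vvglma",
    "452d7d1f3f0a6c43c620414bf29e1069714a048be6906e12f66a81769a2ef626": "/var/tmp/xmr.zip",
    "f6036209fb853abeae000802cbd724fcc4bf6e8586a299a1459f87f46c23d2ad": "/var/tmp/xmr/xmrig64",
    "3df9e271d125c212135964601e91fe57514dc35dd8fca543f7414d4d687440e3": "/etc/rc.local",
    "4f2f8cbdc52fa67f6ffeae4769d9f9dab0eb9de93761fee2883722f8e4896e38": "/tmp/8UsA.sh",
}
# Connect-back servers from the list above.
CONNECT_BACK_DOMAINS = ("xmr.pool.minergate.com", "your-server.de")
CONNECT_BACK_IPS = {
    "40.117.44.182", "52.166.70.254", "104.46.40.157", "185.244.25.134", "13.93.93.21",
    "104.43.223.89", "40.77.30.74", "78.46.23.253", "40.121.222.121", "168.63.109.146",
    "185.244.25.217", "52.233.143.163", "52.176.45.217", "52.176.107.216", "40.77.24.190",
    "168.63.110.59", "52.173.137.160", "13.82.25.160", "137.135.80.180", "52.232.107.2",
    "40.77.30.223", "78.46.49.212", "52.173.74.71", "168.63.109.62", "52.168.38.28",
    "40.68.123.235", "52.186.120.217", "206.189.0.110", "52.173.88.213", "52.166.58.57",
}
# Heuristic (assumption): six lowercase letters in a staging dir, like the four droppers above.
RANDOM_DROPPER = re.compile(r"^/(?:var/)?tmp/[a-z]{6}$")
SHA256SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")
CONN_LINE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")  # "<ts> <src> -> <dst>:<port>"


def parse_sha256sum(lines: Iterable[str]) -> Dict[str, str]:
    """Parse `sha256sum` output ('<hex>  <path>', '*' prefix in binary mode) into path -> hex."""
    observed: Dict[str, str] = {}
    for line in lines:
        m = SHA256SUM_LINE.match(line.strip())
        if m:
            observed[m.group(2)] = m.group(1).lower()  # normalise case before lookup
    return observed


def match_hashes(observed: Dict[str, str]) -> List[str]:
    """Report files whose digest equals one of the page's samples, whatever their current path."""
    return [f"{path}: same hash as {KNOWN_HASHES[digest]}"
            for path, digest in observed.items() if digest in KNOWN_HASHES]


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    return [p for p in paths if RANDOM_DROPPER.match(p)]


def match_connections(lines: Iterable[str]) -> List[str]:
    """Flag destinations that are a listed IP, a listed domain, or a host under a listed domain."""
    hits: List[str] = []
    for line in lines:
        m = CONN_LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        host = dst.lower()
        if host in CONNECT_BACK_IPS:
            hits.append(f"{ts} {src} -> {host}:{port} (listed IP)")
        elif any(host == d or host.endswith("." + d) for d in CONNECT_BACK_DOMAINS):
            hits.append(f"{ts} {src} -> {host}:{port} (listed domain)")
    return hits


SAMPLE_SHA256SUM = [  # constructed `sha256sum` output; the first two digests are from the page
    "4fb8fa7a126aec17488abf3b62feecda0ae87dbc099286702dd246e4b4fcb700  /tmp/bins.sh",
    "F6036209FB853ABEAE000802CBD724FCC4BF6E8586A299A1459F87F46C23D2AD  /opt/.cache/xmrig64",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /tmp/qwerty",
    "not a sha256sum line",
]
SAMPLE_CONNECTIONS = [  # constructed "<ts> <src> -> <dst>:<port>" lines
    "2019-09-24T10:00:01Z 10.0.0.5:51234 -> 206.189.0.110:80",
    "2019-09-24T10:00:02Z 10.0.0.5:51235 -> 1.1.1.1:53",
    "2019-09-24T10:00:09Z 10.0.0.5:51240 -> xmr.pool.minergate.com:443",
    "2019-09-24T10:00:12Z 10.0.0.5:51241 -> static.78.46.23.253.clients.your-server.de:443",
    "2019-09-24T10:00:15Z 10.0.0.5:51242 -> example.org:443",
]


def triage() -> Dict[str, List[str]]:
    observed = parse_sha256sum(SAMPLE_SHA256SUM)
    return {
        "hash_hits": match_hashes(observed),
        "name_hits": suspicious_paths(observed),
        "conn_hits": match_connections(SAMPLE_CONNECTIONS),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        for h in hits:
            print(kind, h)
```

A hash hit is the strongest signal and survives renaming, which is why the sample includes a copy of xmrig64 under a different path. The name heuristic only ranks candidates for a hash or YARA check. Treat network hits with more care: many of the listed addresses sit in shared cloud-hosting ranges, and your-server.de is a hosting provider's reverse-DNS domain, so an IP or suffix match identifies infrastructure, not the actor, and should be confirmed before it drives a block.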
