IP Address: 185.8.50.73Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
185.8.50.73​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

HadoopYARN

Tags

HTTP HadoopYARN Malicious File Scheduled Task Creation IDS - Web Application Attack Outgoing Connection Download and Allow Execution Download and Execute Listening Access Suspicious Domain Download File Inbound HTTP Request

Connect Back Servers

revenusmarketing.net blazingfast.io donate.xmrt.pro

40.117.44.182 13.94.200.48 52.173.243.215 52.174.52.111 52.173.80.33 13.73.167.164 191.237.45.174 52.174.17.41 13.94.152.174 52.173.137.29 13.90.251.147 13.81.222.239 52.173.196.87 13.81.218.117 40.68.86.94 13.82.51.31 52.173.17.77 40.87.61.100 185.86.148.231 13.93.116.182 52.166.63.111 52.173.143.203 52.176.48.108 52.170.96.50 40.71.224.222 52.174.33.11 13.93.108.6 13.68.218.139 40.71.195.175 40.68.99.83

Basic Information

IP Address

185.8.50.73

Domain

-

ISP

Aruba SAS

Country

France

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-10-28

Last seen in Guardicore Centra

2018-11-13

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: revenusmarketing.net:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: revenusmarketing.net

Access Suspicious Domain Outgoing Connection

The file /tmp/x86 was downloaded and executed 3 times

Download and Execute

Process /tmp/x86 generated outgoing network traffic to: revenusmarketing.net:213

Outgoing Connection

Process /tmp/x86 attempted to access suspicious domains: revenusmarketing.net

Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: blazingfast.io:80

Outgoing Connection

/tmp/nexus.tar was downloaded

Download File

IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

/tmp/nexus.tar was identified as malicious by YARA according to rules: Malw Xmrig Miner

Malicious File

The file /tmp/.../Nexus was downloaded and executed 10 times

Download and Execute

Process /tmp/.../Nexus started listening on ports: 35000 3 times

Listening

Process /tmp/.../Nexus generated outgoing network traffic to: 185.61.138.151:3333

Outgoing Connection

Connection was closed due to user inactivity

/tmp/x86 was identified as malicious by YARA according to rules: Malw Pe Sections and 000 Common Rules

Malicious File

/tmp/.../NexusZeta.txt was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/tmp/.../run was identified as malicious by YARA according to rules: Malw Xmrig Miner

Malicious File

/tmp/.../Nexus was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/tmp/.../Zeta was identified as malicious by YARA according to rules: Malw Pe Sections and 000 Common Rules

Malicious File

Associated Files

/usr/local/apache2/cgi-bin/ws/v1/cluster/nexus.tar

SHA256: 8148c110eafc5e86ec0e45dee73d4bd0ed91d0e31fa1d74ef7d2a11cbebd50f1

1484800 bytes

/var/tmp/.z/Duck

SHA256: 5da9c364062f8848d940fe98fc70800e1906f92788204551150e7097a0dffcf4

745544 bytes

/tmp/x86

SHA256: 37a83c979bb3fd1bc804043be7e5029d7575ea4f63adb74cdd4cec326b50060e

37336 bytes

/tmp/x86

SHA256: b4593faa6591d0f7ee164ee0694837469f7a4b2b7a838bc1e91e798fd6f787b6

32927 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 185.8.50.73​Previously Malicious