IP Address: 188.212.13.176 - Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: SSH

Tags: Outgoing Connection, HTTP, Access Suspicious Domain, Human, Download File, Download and Allow Execution, DNS Query, SSH, Successful SSH Login, Download Operation, Package Install, SFTP, 26 Shell Commands, Malicious File

Connect Back Servers

Domains: bad-team.info, canonical.com, snkhacker.3x.ro, shentel.net, sp1.winchesterwireless.net, ybernetik.3x.ro, cybernetik.3x.ro, your-server.de, www.speedtest.net, s1.speedtest.wdc1.us.leaseweb.net, edinburg.speedtest.shentel.net, blazingfast.io, mrreacher.net, nasapaul.com, rootclaiu.3x.ro, undo.com, stosat-malt-01.sys.comcast.net, www.3x.ro, comcast.net, 3x.ro, stosat-rstn-01.sys.comcast.net, ntc-com.com, customcomputersva.com, bigdaddy.wave2net.com, archive.ubuntu.com, dreamhost.com

IP addresses: 69.241.0.94, 69.241.87.90, 91.189.88.152, 184.170.114.134, 176.9.0.7, 185.11.145.5, 151.101.2.219, 204.111.21.7, 176.9.0.4, 185.61.137.36, 176.9.0.6, 176.9.0.8, 176.9.0.3, 91.189.88.162, 207.244.94.68, 91.189.88.149, 64.90.49.201, 176.9.0.1, 204.111.5.18, 176.9.0.2, 72.21.92.82, 176.9.0.9, 176.9.0.5, 89.42.39.160

Basic Information

IP Address: 188.212.13.176

Domain: -

ISP: Moldtelecom SA

Country: Moldova, Republic of

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2017-05-27

Last seen in Guardicore Centra: 2018-10-05

What is Guardicore Centra

Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget attempted to access suspicious domains: rootclaiu.3x.ro and 3x.ro

DNS Query Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 89.42.39.160:80

Outgoing Connection

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.162:80

Outgoing Connection

Process /usr/lib/apt/methods/http attempted to access domains: archive.ubuntu.com

DNS Query

The file /usr/share/doc/unzip was downloaded and granted execution privileges

Download and Allow Execution

/usr/bin/unzipsfx.dpkg-new was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

/usr/bin/funzip.dpkg-new was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

/usr/bin/zipinfo.dpkg-new was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

/usr/share/doc/unzip/BUGS.dpkg-new was identified as malicious by YARA according to rules: Packer

Malicious File

/root/drg.zip was downloaded

Download File

The file /var/lib/dpkg/tmp.ci/postinst was downloaded and granted execution privileges

Download and Allow Execution

The file /var/lib/dpkg/tmp.ci/postrm was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/zipinfo.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/funzip.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/zipgrep.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/unzipsfx.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password 3 times

Successful SSH Login

/root/drg.pl was downloaded

Download File

/root/NWMPROJECT/.drg.pl was downloaded

Download File

/root/NWMPROJECT/.cshrc was downloaded

Download File

/root/NWMPROJECT/.tcshrc was downloaded

Download File

The file /root/NWMPROJECT/a was downloaded and granted execution privileges

Download and Allow Execution

The file /root/NWMPROJECT/about was downloaded and granted execution privileges

Download and Allow Execution

The file /root/NWMPROJECT/install was downloaded and granted execution privileges

Download and Allow Execution

The file /root/NWMPROJECT/launch was downloaded and granted execution privileges

Download and Allow Execution

The file /root/NWMPROJECT/menu was downloaded and granted execution privileges

Download and Allow Execution

The file /root/NWMPROJECT/start was downloaded and granted execution privileges

Download and Allow Execution

The file /root/NWMPROJECT/start2 was downloaded and granted execution privileges

Download and Allow Execution
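
The flow above is one chain: a root login the deception host accepted, wget reaching the 3x.ro hosts, a package install of unzip (apt's traffic to archive.ubuntu.com, the *.dpkg-new files and dpkg's postinst/postrm scripts), /root/drg.zip arriving, a second root login, and finally the NWMPROJECT files being made executable. Two points a practitioner should keep in mind when reading it: the YARA "Crypto Signatures" and "Packer" hits land on files dpkg was staging for a distribution package, so they should be checked against the distro package's published hashes before being counted as attacker payload; and the Connect Back Servers list mixes the attacker's hosts with destinations the attacker's own commands reached, such as the Ubuntu mirror, so it is not a C2 list as it stands. The detection below is added here as an example and is not Guardicore's own logic: it correlates Centra-style host events into that chain. The event format, the 15-minute window, the allowlist, the staging-directory list and every timestamp are assumptions; the sample events are constructed from this page's attack flow.

```python
"""Correlate host telemetry into the chain recorded above: a root SSH login, a fetch from an
unexpected destination, then files staged under /root or /var/tmp being made executable.
Added example, not Guardicore code: the event format, window, allowlist and staging list are
assumptions; the sample lines are constructed from this page's attack flow with invented times."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Destination the attack flow above itself ties to wget's download.
SUSPICIOUS_IPS = {"89.42.39.160"}
# Assumption: the distro mirror apt contacted is expected traffic on an Ubuntu host, so the
# attacker's 'apt install' of unzip (the *.dpkg-new files above) is noise for this rule.
ALLOWLISTED_DOMAINS = {"archive.ubuntu.com", "security.ubuntu.com"}
DOWNLOADERS = {"/usr/bin/wget", "/usr/bin/curl"}
# Assumption: directories this attacker staged tooling in; dpkg's own staging paths
# (/var/lib/dpkg/tmp.ci, /usr/bin/*.dpkg-new) are deliberately not listed.
STAGING_PREFIXES = ("/root/", "/var/tmp/", "/tmp/", "/dev/shm/")
DEFAULT_WINDOW = timedelta(minutes=15)
EVENT_RE = re.compile(r"^(\S+) (\w+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, one event per line: "<ISO timestamp> <tag> key=value ...".
SAMPLE_EVENTS = """\
2018-10-05T10:00:00 ssh_login user=root policy="White List" src=188.212.13.176
2018-10-05T10:00:41 dns_query proc=/usr/bin/wget domain=rootclaiu.3x.ro
2018-10-05T10:00:41 dns_query proc=/usr/bin/wget domain=3x.ro
2018-10-05T10:00:42 net_conn proc=/usr/bin/wget dst=89.42.39.160:80
2018-10-05T10:01:10 dns_query proc=/usr/lib/apt/methods/http domain=archive.ubuntu.com
2018-10-05T10:01:11 net_conn proc=/usr/lib/apt/methods/http dst=91.189.88.162:80
2018-10-05T10:01:31 exec_grant path=/usr/bin/zipinfo.dpkg-new
2018-10-05T10:02:05 download path=/root/drg.zip
2018-10-05T10:09:30 ssh_login user=root policy="Correct Password 3 times" src=188.212.13.176
2018-10-05T10:10:02 download path=/root/NWMPROJECT/.drg.pl
2018-10-05T10:10:15 exec_grant path=/root/NWMPROJECT/install
2018-10-05T10:10:16 exec_grant path=/root/NWMPROJECT/start
"""

@dataclass
class Event:
    ts: datetime
    tag: str
    attrs: dict[str, str]

@dataclass
class Finding:
    login: Event
    fetches: list[Event] = field(default_factory=list)       # stage 2 evidence
    staged_execs: list[Event] = field(default_factory=list)  # stage 3 evidence

    @property
    def complete(self) -> bool:
        return bool(self.fetches) and bool(self.staged_execs)

def parse_events(text: str) -> list[Event]:
    """Parse '<ISO ts> <tag> k=v k="v with spaces"' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, tag, rest = m.groups()
        attrs = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        events.append(Event(datetime.fromisoformat(ts), tag, attrs))
    return sorted(events, key=lambda e: e.ts)

def is_fetch(e: Event) -> bool:
    """Stage 2: a downloader reaching a non-allowlisted or known-bad destination, or any
    file landing in a staging directory (covers SFTP/SCP transfers, which involve no wget)."""
    if e.tag == "download":
        return e.attrs.get("path", "").startswith(STAGING_PREFIXES)
    if e.attrs.get("proc") not in DOWNLOADERS:
        return False
    if e.tag == "dns_query":
        return e.attrs.get("domain", "") not in ALLOWLISTED_DOMAINS
    if e.tag == "net_conn":
        return e.attrs.get("dst", "").rsplit(":", 1)[0] in SUSPICIOUS_IPS
    return False

def is_staged_exec(e: Event) -> bool:
    """Stage 3: execute permission granted on a file inside a staging directory."""
    return e.tag == "exec_grant" and e.attrs.get("path", "").startswith(STAGING_PREFIXES)

def detect_chain(events: list[Event], window: timedelta = DEFAULT_WINDOW) -> list[Finding]:
    """One Finding per root SSH login whose following window holds both later stages.
    Windows of successive logins can overlap, so one session may appear in two findings."""
    findings = []
    for login in (e for e in events if e.tag == "ssh_login" and e.attrs.get("user") == "root"):
        f = Finding(login)
        for e in events:
            if login.ts < e.ts <= login.ts + window:
                if is_fetch(e):
                    f.fetches.append(e)
                elif is_staged_exec(e):
                    f.staged_execs.append(e)
        if f.complete:
            findings.append(f)
    return findings
```

Running detect_chain(parse_events(SAMPLE_EVENTS)) yields two findings, one per root login, because both windows contain the NWMPROJECT execute grants; shrinking the window to five minutes keeps only the second login, since the first login's window then holds downloads but no staged execution. The apt process and the dpkg staging files never appear as evidence, which is the point of the allowlist and of excluding dpkg's paths from STAGING_PREFIXES.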

Associated Files

/v.py

SHA256: 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc

25470 bytes

/var/lib/dpkg/tmp.ci/postinst

SHA256: 6ecdb1415319c81c14a94114a279186a8054c221fe6c63b8a8a2ce38b8b39966

111 bytes

/var/lib/dpkg/tmp.ci/postrm

SHA256: 27793cfe5796bf9b694e2e2ce532d62917dcad70b64b8a160947f84fd279008a

78 bytes

/usr/bin/zipinfo.dpkg-new

SHA256: 32917004db9408bb8a3e67c06116f69555db53f0f78c1bb49948bf1bdab73bfb

162488 bytes

/usr/bin/funzip.dpkg-new

SHA256: 80ed6b0f255e4646c64c89ad0a3211c79a87c1adcf4d52b24287146ed2520f84

22672 bytes

/usr/bin/zipgrep.dpkg-new

SHA256: d077ccd18e5719776df7f06b667bda8f7547aa5c3b9cf174c0005608e9309bb8

2953 bytes

/usr/bin/unzipsfx.dpkg-new

SHA256: c78abf845fcc0c5494a18ae63a03444a6a134b8a33d95fabc80f4145a4d2e550

76392 bytes

/var/tmp/scan/pscan2

SHA256: 2ede344e0415193d41b90d3cdfbf8558c307d8b8182464dfe15655ea1f88eab0

888972 bytes

/var/tmp/zone/screen.filepart

SHA256: 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80

249980 bytes

/var/tmp/sshd.filepart

SHA256: 3c00611b670b128c1ca6d3c6f0e9522eea385e0670e74a9b2b26325b4e13c864

1485768 bytes

/var/tmp/.x/Nasa/n

SHA256: 046a09f66630f581d6eaeb734f775f41f1e46238ffe369f6905464fed1531afd

1959 bytes

/var/tmp/.x/Nasa/nhdd

SHA256: 43333adf6ba7d876d5574543278616dad40376b1024a01d0f48c04b0ca5f7534

1485768 bytes

/var/tmp/.x/Nasa/pscan2

SHA256: 291cf164abfff4269e84209fe0763bb3295f7fad9d265c6354b8d4494ac5410f

14012 bytes

/var/tmp/scan/pscan2.cfi

SHA256: 1a286986ebbe66abbedcc76ae4e2fd23c2668b076cd9dc79bf53c24961041ab8

6027 bytes

/var/tmp/zone/speedtestvps.py

SHA256: 02cd63a2e9d2cd538ca5230380ad3668b967955f193ec1090b275baa55315680

25312 bytes

/var/tmp/.x/Nasa.zip

SHA256: dbf70633cde2587ec3cc8c3379c9f4e9af3664ca61cb0fcd58b40288643b304f

821131 bytes

/var/tmp/zone/h4e

SHA256: e51130d43fa755eb78fed311783b9f82df7f11020af33078e79911f2ef4b78bb

1524 bytes

/var/tmp/zone/pscan2

SHA256: f01ff39b0bf2261a12f1ecb7b90ae8cfd6dd565c4e1b1448358754691a70784c

14012 bytes

/var/tmp/zone/go

SHA256: eb2e188412b35c12cc9d809d026ce000faef827d49d751950976c1ffeb20a898

1672 bytes

/var/tmp/zone/cyberinfo

SHA256: 99f04e8e5757a1c11deef3587bb283238e79c5fac5045e94ca98f797b65c486e

1975 bytes

/var/tmp/zone/sshd.filepart

SHA256: 2ce58df270e5b0c75d6e4719cc2c2606de76f24f8b833f382da01954abb0eb74

1485768 bytes

/root/drg.zip

SHA256: 92ad6278521c0987ecb9149aa5cf5f9ba46f4fe2c9a7608e7cf0c5ac3aa215ac

7819 bytes

/var/tmp/site.pl

SHA256: db46a011de487cf69d0c48b87884344dd41a6e872d9ca5b6d698e6200f633cae

3133 bytes

/root/irc.zip

SHA256: fcffc78c1429afa16d4c22d65f044316d8d72a3236d696094c661fa33eda6e7d

3742654 bytes

/root/NWMPROJECT/a

SHA256: a1cbb849b99f00167587b4861e8c684fb0e514bff882332d77c98ebfa3cb5548

1840 bytes

/root/NWMPROJECT/about

SHA256: 1bc080f121689c28a39d5ce22c3c4247a12161090bf6e678f18ddeb689cfd1d5

1265 bytes

/root/NWMPROJECT/install

SHA256: a9c17e0aba22639e952aee929ec9dcc04ef0b77e333581015d44e22fa0260f6c

2213 bytes

/root/NWMPROJECT/launch

SHA256: c48054c3d26382cb39e062f5a29f0fcfcb38d4a80f6d0908c65eb22308804ee7

39 bytes

/root/NWMPROJECT/menu

SHA256: 3b8dd5c4ed61f7e1d9ac4b7222519e761695414028b5afed70f0527e495e2116

16917 bytes

/root/NWMPROJECT/start

SHA256: f6bdb01e316e4332fc561e87d10a28b354bde76c633ab656d58ebd524eda02ce

42 bytes

/root/NWMPROJECT/start2

SHA256: 7b3088213174d4faa84693d13dfe03a7f5b58d69da7555f1749c9287d5cdef76

43 bytes

/root/NWMPROJECT/.drg.pl

SHA256: b9fa331b8685b6b73eaee01471418606b12c4f2263d35ad3dfc7e4831959eff9

1480 bytes

/var/tmp/test.py

SHA256: 522066d0b384832a0680ab13fe442a61498c11545e336367815e46e454b8c069

25857 bytes

/root/skairipa

SHA256: 3a80e9dbdafb4d302388ea3b18b478f0a63d52b26cae0b9a52bea932a1987109

72980 bytes
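
To sweep other hosts for the artefacts listed above, here is an added example that is not part of the original record or of Guardicore's tooling. It copies a subset of the indicators and matches on both path and SHA-256, reporting a known name with new content separately from known content under a new name; the list above shows why hash-only matching is not enough, since pscan2 appears three times with three different hashes and the 1485768-byte sshd.filepart and nhdd binaries differ from each other too. The size pre-filter, the match kinds, the fixture tree and the constructed indicator at /var/tmp/constructed are this example's own.

```python
"""Sweep a mounted disk image (or a live root) for the artefacts listed above, matching on
path as well as SHA-256.  Added example, not Guardicore code: the indicator table is copied
from 'Associated Files'; the size pre-filter, match kinds and fixture are this example's own."""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass(frozen=True)
class Indicator:
    path: str     # where the file sat on the compromised host
    sha256: str
    size: int     # bytes; a cheap pre-filter before hashing

# A subset of the 'Associated Files' entries above (path, SHA-256, size).
INDICATORS = [
    Indicator("/root/drg.zip", "92ad6278521c0987ecb9149aa5cf5f9ba46f4fe2c9a7608e7cf0c5ac3aa215ac", 7819),
    Indicator("/root/NWMPROJECT/install", "a9c17e0aba22639e952aee929ec9dcc04ef0b77e333581015d44e22fa0260f6c", 2213),
    Indicator("/root/NWMPROJECT/menu", "3b8dd5c4ed61f7e1d9ac4b7222519e761695414028b5afed70f0527e495e2116", 16917),
    Indicator("/root/skairipa", "3a80e9dbdafb4d302388ea3b18b478f0a63d52b26cae0b9a52bea932a1987109", 72980),
    Indicator("/var/tmp/scan/pscan2", "2ede344e0415193d41b90d3cdfbf8558c307d8b8182464dfe15655ea1f88eab0", 888972),
    Indicator("/var/tmp/zone/pscan2", "f01ff39b0bf2261a12f1ecb7b90ae8cfd6dd565c4e1b1448358754691a70784c", 14012),
    Indicator("/var/tmp/.x/Nasa/pscan2", "291cf164abfff4269e84209fe0763bb3295f7fad9d265c6354b8d4494ac5410f", 14012),
    Indicator("/var/tmp/sshd.filepart", "3c00611b670b128c1ca6d3c6f0e9522eea385e0670e74a9b2b26325b4e13c864", 1485768),
    Indicator("/var/tmp/.x/Nasa/nhdd", "43333adf6ba7d876d5574543278616dad40376b1024a01d0f48c04b0ca5f7534", 1485768),
    Indicator("/var/tmp/site.pl", "db46a011de487cf69d0c48b87884344dd41a6e872d9ca5b6d698e6200f633cae", 3133),
]

@dataclass
class Hit:
    found_at: str      # path on the suspect host
    kind: str          # "hash+path", "hash" (known content, new name) or "path" (known name, new content)
    indicator: Indicator
    sha256: str        # digest of the file actually found

def sha256_of(p: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with p.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root: Path, indicators: list[Indicator] = INDICATORS) -> list[Hit]:
    """Walk `root`, treating paths relative to it as absolute paths on the suspect host.
    A file is hashed only if its host path is an indicator or its size matches one."""
    by_hash = {i.sha256: i for i in indicators}
    by_path = {i.path: i for i in indicators}
    sizes = {i.size for i in indicators}
    hits: list[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            host_path = "/" + p.relative_to(root).as_posix()
            path_ind = by_path.get(host_path)
            if path_ind is None and p.stat().st_size not in sizes:
                continue
            digest = sha256_of(p)
            hash_ind = by_hash.get(digest)
            if hash_ind and path_ind:
                hits.append(Hit(host_path, "hash+path", hash_ind, digest))
            elif hash_ind:
                hits.append(Hit(host_path, "hash", hash_ind, digest))
            elif path_ind:
                hits.append(Hit(host_path, "path", path_ind, digest))
    return sorted(hits, key=lambda h: h.found_at)

def write_fixture(root: Path) -> list[Indicator]:
    """Constructed tree for an offline run: a known attacker path holding unknown content,
    constructed content at an unrelated path, and a benign file.  Returns INDICATORS plus one
    constructed entry so a hash match can be shown without the real artefacts."""
    unknown = b"#!/usr/bin/perl\n# constructed stand-in, not the real installer\n"
    known = b"#!/bin/sh\n# constructed payload whose hash is added as an indicator\n"
    (root / "root/NWMPROJECT").mkdir(parents=True)
    (root / "root/NWMPROJECT/install").write_bytes(unknown)
    (root / "opt").mkdir()
    (root / "opt/renamed").write_bytes(known)
    (root / "etc").mkdir()
    (root / "etc/hostname").write_bytes(b"honeypot\n")
    constructed = Indicator("/var/tmp/constructed", hashlib.sha256(known).hexdigest(), len(known))
    return INDICATORS + [constructed]

def run_demo() -> list[Hit]:
    """Build the fixture in a scratch directory, sweep it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return sweep(root, write_fixture(root))
```

Point sweep() at the root of a mounted evidence image, for example sweep(Path("/mnt/evidence")); on a live host pass Path("/") and expect it to hash every regular file whose size matches an indicator. run_demo() shows the two interesting outcomes on the constructed tree: /opt/renamed is a hash match under an unexpected name, and /root/NWMPROJECT/install is a known attacker path whose content no longer matches the recorded hash, which is exactly the case a re-uploaded toolkit produces.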
