IP Address: 190.19.53.131 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SMB, MSSQL

Tags

Download and Execute, Service Deletion, SMB Share Connect, CMD, SMB Null Session Login, Service Configuration, Successful SMB Login, NetBIOS, Listening, Access Suspicious Domain, Service Creation, Service Start, Malicious File, SMB, Port 445 Scan, Outgoing Connection

Connect Back Servers

arvixecloud.com, www.cyg2016.xyz, scaleway.com, dns.msftncsi.com, 4711.se, nycbug.org, down.mys2016.info, js.mys2016.info, r3t.at, ph3x.at

0.0.0.0, 171.25.193.9, 78.142.142.246, 23.91.124.124, 27.255.79.151, 51.15.135.103, 86.59.119.83, 66.111.2.20

Basic Information

IP Address

190.19.53.131

Domain

-

ISP

Cablevision Argentina

Country

Argentina

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-06-28

Last seen in Guardicore Centra

2017-07-12

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in over SMB from FXNB as administrator. Authentication policy: Reached Max Attempts (the source exhausted the permitted failed attempts before this login succeeded, a brute-force indicator).

Successful SMB Login

A user logged in over SMB from SERVERJHD as administrator. Authentication policy: Previously Approved User.

Successful SMB Login

c:\windows\system32\services.exe installed and started cmd.exe as a service named shcservice under service group None. A service whose binary is cmd.exe is the classic pattern for remote command execution over the SMB admin share.

Service Start Service Creation

The file C:\WINDOWS\svchost.exe was downloaded and executed. The legitimate svchost.exe lives in C:\WINDOWS\System32; a copy dropped directly under C:\WINDOWS is name masquerading.

Download and Execute

c:\windows\system32\services.exe installed and started c:\windows\svchost.exe as a service named WUpdator under service group None

Service Start Service Creation

The file C:\WINDOWS\lsasvs.exe was downloaded and executed (lsasvs.exe is a lookalike of the legitimate lsass.exe).

Download and Execute

Process c:\windows\svchost.exe generated outgoing network traffic to: 159.119.163.175:445, 238.63.213.173:445, 252.180.231.96:445, 98.121.131.7:445, 238.124.49.103:445, 36.47.175.46:445, 181.186.28.37:445, 48.149.173.196:445, 133.52.250.191:445, 152.88.22.243:445, 2.2.226.49:445, 26.107.111.33:445, 100.167.151.14:445, 23.220.130.55:445, 230.23.25.164:445, 185.253.100.43:445, 216.173.83.232:445, 48.185.208.212:445, 233.160.239.85:445, 233.37.187.201:445, 26.177.190.223:445, 47.57.46.111:445, 43.123.43.23:445, 8.112.89.147:445, 80.129.249.201:445, 78.44.187.159:445, 129.37.234.149:445, 70.170.82.93:445, 69.225.143.220:445, 252.201.136.248:445, 86.40.143.130:445, 123.227.205.40:445, 222.131.172.231:445, 206.72.182.119:445, 86.222.127.247:445, 153.119.144.112:445, 209.143.106.64:445, 219.128.39.12:445, 8.134.69.58:445, 205.60.180.228:445, 25.161.250.61:445, 220.79.132.90:445, 202.81.217.161:445, 104.236.0.4:445, 31.35.109.92:445, 177.28.148.202:445, 173.17.47.111:445, 14.58.33.87:445, 8.142.27.152:445, 148.8.177.101:445, 169.144.44.217:445, 180.72.242.45:445, 138.150.190.123:445, 97.1.201.194:445, 153.79.113.195:445, 238.89.13.136:445, 182.108.115.38:445, 147.221.233.94:445, 63.6.69.69:445, 131.220.86.175:445, 38.204.54.228:445, 36.167.4.25:445, 215.7.117.145:445, 180.196.70.119:445, 241.193.125.167:445, 133.230.253.51:445, 62.120.74.59:445, 73.253.131.165:445, 201.145.2.43:445, 183.171.109.3:445, 128.1.214.99:445, 103.148.71.2:445, 17.37.237.20:445, 220.90.113.164:445, 180.147.41.91:445, 226.77.187.205:445, 15.238.72.117:445, 50.57.106.238:445, 238.63.185.225:445, 191.232.104.246:445, 43.71.147.103:445, 103.117.137.161:445, 133.176.68.30:445, 118.14.216.132:445, 225.156.106.98:445, 54.161.153.211:445, 75.204.237.247:445, 142.120.223.239:445, 214.163.126.27:445, 104.117.166.187:445, 244.251.158.101:445 and 167.196.131.246:445

Process c:\windows\svchost.exe scanned port 445 on 92 IP addresses. The target list above includes addresses in the multicast range 224.0.0.0/4 and the reserved range 240.0.0.0/4, which no real host occupies, so the targets were generated at random rather than taken from a list of reachable hosts.

Port 445 Scan
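Before treating a scan target list like the one above as a victim list, it is worth classifying the destinations by address range. The following Python script is an added example and not Guardicore code: it parses a fourteen-address subset of the destinations reported for c:\windows\svchost.exe and the Tor client's traffic event from further down the flow (both copied from this page into constructed sample strings), classifies each destination with the standard library's ipaddress module, and applies three assumed thresholds (a 10% unroutable fraction, a 10-host fan-out minimum and a port-9001 check) to produce verdicts.

```python
"""Classify the destinations in a Centra "generated outgoing network traffic to" event.

Added example, not Guardicore code; it assumes the event wording shown on this
page. UNROUTABLE_FRACTION and the 10-host fan-out minimum are assumed tunings.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample inputs: a 14-address subset of the port-445 destinations reported
# for c:\windows\svchost.exe, and the Tor client's traffic event from the same flow.
SCAN_EVENT = (
    r"Process c:\windows\svchost.exe generated outgoing network traffic to: "
    "159.119.163.175:445, 238.63.213.173:445, 252.180.231.96:445, 98.121.131.7:445, "
    "238.124.49.103:445, 36.47.175.46:445, 2.2.226.49:445, 26.107.111.33:445, "
    "230.23.25.164:445, 104.236.0.4:445, 241.193.125.167:445, 244.251.158.101:445, "
    "225.156.106.98:445 and 167.196.131.246:445"
)
TOR_EVENT = (
    r"Process c:\windows\taskhost\tor\taskhosts.exe generated outgoing network traffic to: "
    "51.15.135.103:443, 86.59.119.83:443, 78.142.142.246:443, 171.25.193.9:80, "
    "66.111.2.20:9001 and 23.91.124.124:9001"
)

EVENT_RE = re.compile(r"Process (\S+) generated outgoing network traffic to: (.+)$")
DST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
UNROUTABLE_FRACTION = 0.10  # assumed: real hosts never live in multicast/reserved space


def classify(ip: str) -> str:
    """Bucket an IPv4 address: multicast (224/4), reserved (240/4), private/unroutable, routable."""
    a = ipaddress.ip_address(ip)
    if a.is_multicast:
        return "multicast"
    if a.is_reserved:
        return "reserved"
    if a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified:
        return "private"
    return "routable"


def parse_event(event: str):
    """Return (process path, [(ip, port), ...]) from a traffic event line."""
    m = EVENT_RE.search(event)
    if not m:
        raise ValueError("not a traffic event")
    dsts = [(ip, int(port)) for ip, port in DST_RE.findall(m.group(2))]
    return m.group(1), dsts


def profile(event: str) -> dict:
    """Summarise one traffic event and attach verdicts derived from its destinations."""
    process, dsts = parse_event(event)
    classes = Counter(classify(ip) for ip, _ in dsts)
    ports = Counter(port for _, port in dsts)
    unroutable = classes["multicast"] + classes["reserved"] + classes["private"]
    verdicts = []
    if dsts and unroutable / len(dsts) >= UNROUTABLE_FRACTION:
        verdicts.append("random target generation: destinations in multicast/reserved space")
    if set(ports) == {445} and len(dsts) >= 10:
        verdicts.append("SMB fan-out: lateral movement or worm propagation")
    if 9001 in ports:
        verdicts.append("port 9001 is Tor's default ORPort: Tor relay traffic")
    return {"process": process, "destinations": len(dsts), "classes": classes,
            "ports": ports, "verdicts": verdicts}


if __name__ == "__main__":
    for ev in (SCAN_EVENT, TOR_EVENT):
        p = profile(ev)
        print(p["process"], dict(p["classes"]), dict(p["ports"]))
        for v in p["verdicts"]:
            print("  ->", v)
```

On the sample above, half of the scanner's destinations fall in multicast or reserved space; a real enumeration of live hosts would never produce that, which is why the unroutable fraction is a cheap and robust tell for self-propagating code.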

C:\WINDOWS\lsasvs.exe was identified as malicious by YARA according to rules: Antidebug Antivm, Peid, Packer Compiler Signatures and Crypto Signatures. These rule sets match packer, compiler, anti-analysis and cryptographic-constant signatures rather than a specific malware family, so a hit is a triage signal to be confirmed against the behaviour recorded here and the file hashes listed under Associated Files.

Malicious File

C:\WINDOWS\taskhcst.exe (a lookalike of the legitimate taskhost.exe) was identified as malicious by YARA according to rules: Antidebug Antivm, Peid, Packer Compiler Signatures and Crypto Signatures

Malicious File

The file C:\WINDOWS\TaskHost\Tor\taskhosts.exe (another taskhost.exe lookalike) was downloaded and executed

Download and Execute

The file C:\WINDOWS\TaskHost\Tor\libevent-2-0-5.dll was downloaded and loaded by c:\windows\taskhost\tor\taskhosts.exe

Download and Execute

The file C:\WINDOWS\TaskHost\Tor\libssp-0.dll was downloaded and loaded by c:\windows\taskhost\tor\taskhosts.exe

Download and Execute

The file C:\WINDOWS\TaskHost\Tor\libgcc_s_sjlj-1.dll was downloaded and loaded by c:\windows\taskhost\tor\taskhosts.exe

Download and Execute

The file C:\WINDOWS\TaskHost\Tor\libeay32.dll was downloaded and loaded by c:\windows\taskhost\tor\taskhosts.exe

Download and Execute

The file C:\WINDOWS\TaskHost\Tor\ssleay32.dll was downloaded and loaded by c:\windows\taskhost\tor\taskhosts.exe

Download and Execute

The file C:\WINDOWS\TaskHost\Tor\zlib1.dll was downloaded and loaded by c:\windows\taskhost\tor\taskhosts.exe

Download and Execute

Process c:\windows\taskhost\tor\taskhosts.exe started listening on port 9050 (Tor's default SOCKS port)

Listening

C:\WINDOWS\TaskHost\Tor\libeay32.dll was identified as malicious by YARA according to rules: Malw Miscelanea, Crypto Signatures, Antidebug Antivm, Maldoc Somerules, Packer Compiler Signatures and Malw Rooter

Malicious File

C:\WINDOWS\TaskHost\Tor\libevent-2-0-5.dll was identified as malicious by YARA according to rules: Malw Miscelanea, Malw Rooter, Packer Compiler Signatures and Antidebug Antivm

Malicious File

C:\WINDOWS\TaskHost\Tor\libevent_core-2-0-5.dll was identified as malicious by YARA according to rules: Malw Miscelanea, Malw Rooter, Packer Compiler Signatures and Antidebug Antivm

Malicious File

C:\WINDOWS\TaskHost\Tor\libevent_extra-2-0-5.dll was identified as malicious by YARA according to rules: Malw Miscelanea, Antidebug Antivm and Packer Compiler Signatures

Malicious File

C:\WINDOWS\TaskHost\Tor\libgcc_s_sjlj-1.dll was identified as malicious by YARA according to rules: Malw Miscelanea and Packer Compiler Signatures

Malicious File

C:\WINDOWS\TaskHost\Tor\libssp-0.dll was identified as malicious by YARA according to rules: Malw Miscelanea and Packer Compiler Signatures

Malicious File

C:\WINDOWS\TaskHost\Tor\ssleay32.dll was identified as malicious by YARA according to rules: Malw Miscelanea, Antidebug Antivm and Packer Compiler Signatures

Malicious File

C:\WINDOWS\TaskHost\Tor\tor-gencert.exe was identified as malicious by YARA according to rules: Antidebug Antivm, Packer Compiler Signatures and Crypto Signatures

Malicious File

C:\WINDOWS\TaskHost\Tor\tor.exe was identified as malicious by YARA according to rules: Malw Miscelanea, Antidebug Antivm, Packer Compiler Signatures, Crypto Signatures and Malw Pe Sections. Note that tor.exe, tor-gencert.exe, libeay32.dll, ssleay32.dll, the libevent DLLs, zlib1.dll, libgcc_s_sjlj-1.dll and libssp-0.dll are the contents of a standard Windows Tor expert bundle; the YARA matches on these components most likely reflect generic packer and crypto signatures firing on legitimate libraries. What makes them malicious in this context is that a dropper installed them under a masqueraded name and uses them as the attacker's network channel.

Malicious File

C:\WINDOWS\TaskHost\Tor\zlib1.dll was identified as malicious by YARA according to rules: Packer Compiler Signatures and Crypto Signatures

Malicious File

C:\WINDOWS\TaskHost\Tor\taskhosts.exe was identified as malicious by YARA according to rules: Malw Miscelanea, Antidebug Antivm, Packer Compiler Signatures, Crypto Signatures and Malw Pe Sections

Malicious File

Process c:\windows\taskhost\tor\taskhosts.exe generated outgoing network traffic to: 51.15.135.103:443, 86.59.119.83:443, 78.142.142.246:443, 171.25.193.9:80, 66.111.2.20:9001 and 23.91.124.124:9001 (9001 is Tor's default ORPort; the traffic is consistent with a Tor client connecting to relays)

Outgoing Connection

Process c:\windows\taskhost\tor\taskhosts.exe attempted to access suspicious domains: ph3x.at, nycbug.org, arvixecloud.com, r3t.at and 4711.se

Access Suspicious Domain Outgoing Connection
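Taken together, the flow above describes a brute-forced SMB login, a cmd.exe service, two masqueraded binaries installed as services, an SMB fan-out and a Tor listener. The following Python script is an added example and not Guardicore's detection logic: it runs a handful of triage rules over nine event lines copied from the flow, using regular expressions that assume the event wording stays as shown, an assumed list of binaries that only legitimately run from System32, and an assumed fan-out threshold of 20 hosts.

```python
"""Triage rules for the Centra-style attack-flow events quoted on this page.

Added example, not Guardicore code. The regular expressions assume the event
wording above; SYSTEM_BINARIES and SCAN_FANOUT_THRESHOLD are assumptions.
"""
import re

# Constructed sample input: nine event lines copied from the attack flow above.
EVENTS = [
    r"A user logged in using SMB from FXNB with the following username: administrator - Authentication policy: Reached Max Attempts",
    r"A user logged in using SMB from SERVERJHD with the following username: administrator - Authentication policy: Previously Approved User",
    r"c:\windows\system32\services.exe installed and started cmd.exe as a service named shcservice under service group None",
    r"The file C:\WINDOWS\svchost.exe was downloaded and executed",
    r"c:\windows\system32\services.exe installed and started c:\windows\svchost.exe as a service named WUpdator under service group None",
    r"The file C:\WINDOWS\lsasvs.exe was downloaded and executed",
    r"Process c:\windows\svchost.exe scanned port 445 on 92 IP Addresses",
    r"The file C:\WINDOWS\TaskHost\Tor\taskhosts.exe was downloaded and executed",
    r"Process c:\windows\taskhost\tor\taskhosts.exe started listening on ports: 9050",
]

# Core Windows binaries that legitimately run only from these directories (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "taskhost.exe", "services.exe",
                   "csrss.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCAN_FANOUT_THRESHOLD = 20      # assumed tuning value
TOR_SOCKS_PORTS = {9050, 9150}  # Tor's default SOCKS ports

LOGIN_RE = re.compile(r"from (\S+) with the following username: (\S+)")
SERVICE_RE = re.compile(r"services\.exe installed and started (\S+) as a service named (\S+)", re.I)
DROP_RE = re.compile(r"The file (\S+) was downloaded and executed", re.I)
SCAN_RE = re.compile(r"scanned port (\d+) on (\d+) IP", re.I)
LISTEN_RE = re.compile(r"started listening on ports: ([\d, ]+)", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_binary(path: str):
    """Flag a system binary name outside System32, or a near-miss of one (e.g. lsasvs.exe)."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES:
        return None if p.startswith(SYSTEM_DIRS) else f"system binary name outside System32: {path}"
    for known in sorted(SYSTEM_BINARIES):
        if edit_distance(name, known) <= 2:
            return f"lookalike of {known}: {path}"
    return None


def analyze(events):
    """Return human-readable findings for a list of event lines."""
    findings = []
    for ev in events:
        if "Reached Max Attempts" in ev:
            m = LOGIN_RE.search(ev)
            src, user = m.groups() if m else ("?", "?")
            findings.append(f"SMB login as {user} from {src} after max attempts: brute force")
        m = SERVICE_RE.search(ev)
        if m:
            binary, svc = m.groups()
            if not binary.lower().startswith(SYSTEM_DIRS):
                findings.append(f"service {svc} runs {binary}, which is not under System32")
            hit = check_binary(binary)
            if hit:
                findings.append(f"service {svc}: {hit}")
        m = DROP_RE.search(ev)
        if m:
            findings.append(f"dropped and executed: {check_binary(m.group(1)) or m.group(1)}")
        m = SCAN_RE.search(ev)
        if m and int(m.group(2)) >= SCAN_FANOUT_THRESHOLD:
            findings.append(f"port {m.group(1)} fan-out to {m.group(2)} hosts: worm-like spread")
        m = LISTEN_RE.search(ev)
        if m:
            ports = {int(p) for p in m.group(1).split(",") if p.strip()}
            if ports & TOR_SOCKS_PORTS:
                findings.append(f"listening on Tor SOCKS port {sorted(ports & TOR_SOCKS_PORTS)}")
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print("-", finding)
```

The path check is deliberately two-sided: a genuine system binary name in the wrong directory (C:\WINDOWS\svchost.exe) and a near-miss of a genuine name anywhere (lsasvs.exe, taskhosts.exe) are both flagged, while C:\Windows\System32\lsass.exe passes without being compared against csrss.exe.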

Associated Files

C:\WINDOWS\lsasvs.exe (61440 bytes)
SHA256: 646a30f6c9a5e5e3801cfa926c87fc18da395aac86ec0bfd3d0305b45333d384

C:\WINDOWS\svchost.exe (4952064 bytes)
SHA256: 80161d8b4eede382ac7463cc69a9de73a6edec4ec4a82a5b107047061cd653ec
