IP Address: Malicious


IP Address: Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Attacker, Scanner

Services Targeted

HTTP, HadoopYARN

Tags (as used in the Attack Flow below)

Log Tampering, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request, Service Stop

Associated Attack Servers


Basic Information

IP Address:
Organization: DigitalOcean, LLC
Country: United States
Created Date:
Updated Date:
First seen in Guardicore Centra:
Last seen in Guardicore Centra:

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to:

The file /tmp/mysql.sock.lock was downloaded and granted execution privileges

IDS - Web Application Attack: IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body

Download and Execute: The file /tmp/TrioSec.x86 was downloaded and executed 16 times

Outgoing Connection: Process /tmp/TrioSec.x86 generated outgoing network traffic to:

Service Stop: Service iptables was stopped

Service Stop: Service firewalld was stopped

Log Tampering: Log File Tampering detected from /bin/rm on the following logs: /var/log/apt/apt.log, /var/log/dmesg, /var/log/faillog, /var/log/dpkg.log, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log and /var/log/fsck/checkfs

Connection was closed due to user inactivity

Malicious File: /tmp/TrioSec.x86 was identified as malicious by YARA according to rules: 000 Common Rules

Associated Files

SHA256: 80b5c16861c00a095cb2b092baff76789f72c7fc65b066c92469583e97d7b232 (13007 bytes)
SHA256: dbb4593d02f3e0099507f4f72d4cf373f33ccc5bc0fa49c47ddf8d702b3263fb (11679 bytes)
SHA256: 4afbb25a82cf8909f7d8b24484aaa272c442077b3dc73664a47b6a2c87e501ed (99157 bytes)
SHA256: ed0138392d62df9f460d8dc064817be7990e2d87e401a81e0f0c844b4cbd16c2 (102934 bytes)
SHA256: e08e53630f06e8c0ca4dc40fff575d0634314f6848fbe8133a49f71f3dd10d56 (56832 bytes)
SHA256: ba2f2e9632323e41fce6a4612fab614ff4b0053b2d89b455b273fe9d2a4d7216 (11679 bytes)
SHA256: f48f1049c6e78aef9bc2b52127bf90844db215d8b37ad422ef9e7b32510342d8 (100655 bytes)
SHA256: cd670a518c35b28c0cd96c5449f6a9fba6b8ed0506e610c846b153de67bada93 (34254 bytes)
SHA256: a223f22b98e1f859a1faaa4b765c98a24b1890ce411ccef2fa3ec564ea1eb3a6 (85604 bytes)
SHA256: ce71a21a1c246280ab3a29f2dc44f94dd99a79f6bb26896811629b4ea5a4b797 (108742 bytes)
SHA256: 80d8a13817b84623c3da9ae798ede877b2686aca7ace6abf5ce6be4c0a4f4716 (103311 bytes)
SHA256: 064c530bb0cfb2899dcf0757bdad33f80fab08fa0502d690fc84bbe70daf2d41 (11679 bytes)
SHA256: d176087af08a8f8327c0ebad178ae6c31faa7ac41b54f850f6d719aca3a06a9f (94016 bytes)
SHA256: 363008e80a93570aef53330df853fd3bc381fdb68b6ec2fb37b7e091f9194740 (35584 bytes)
SHA256: aa8f910b3ce170109494f7dc629a7b4c9083b30d5a84c8b47679dffee0815648 (31600 bytes)
SHA256: 89ba93b9b9e27ab6a24b85c237abcce979a15640007cf70dba31cecf464f6db9 (1056 bytes)
SHA256: e4910e746c998a6abc41abe79ff962bd7adc1d4095480fb93b58bead3f817e09 (84719 bytes)
SHA256: 5c13e1dee33c8bb451efc8a755ee914bca5e0d1d79bb730b1f0fff15f346487b (13007 bytes)
