IP Address: 209.141.56.95 (Previously Malicious)


IP Address:
209.141.56.95
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

HadoopYARN

Tags

HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Access Suspicious Domain, Download File, Inbound HTTP Request

Connect Back Servers

artificial-intelligence.tk ip-149-56-46.net qj3w.com comparecarinsurancequotes.co hostwindsdns.com

13.90.251.180 68.183.106.233 40.68.103.162 52.173.243.215 13.69.86.134 52.176.57.101 52.168.89.181 13.93.93.21 52.174.52.111 13.92.131.99 13.69.86.194 52.168.169.156 52.233.179.93 13.82.52.9 104.40.187.35 149.56.46.196 52.166.206.33 52.176.107.216 52.166.59.19 137.135.80.180 52.173.74.14 52.179.23.37 52.173.17.77 40.68.86.94 13.82.51.31 52.173.242.8 40.87.60.178 13.81.11.198 23.101.128.211 40.69.166.92

Basic Information

IP Address

209.141.56.95

Domain

-

ISP

FranTech Solutions

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-09-16

Last seen in Guardicore Centra

2018-11-05

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: artificial-intelligence.tk:80 11 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: artificial-intelligence.tk 30 times

Access Suspicious Domain Outgoing Connection

The file /tmp/bins.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/Legion.mips was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.mips was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

The file /tmp/Legion.mpsl was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.mpsl was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/Legion.sh4 was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.sh4 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/Legion.x86 was downloaded and executed 5 times

Download and Execute

The file /tmp/Legion.arm6 was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.arm6 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/Legion.i686 was downloaded and executed 5 times

Download and Execute

The file /tmp/Legion.ppc was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.ppc was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/Legion.i586 was downloaded and executed 4 times

Download and Execute

The file /tmp/Legion.m68k was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.m68k was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/Legion.sparc was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.sparc was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Process /usr/bin/wget generated outgoing network traffic to: 68.183.106.233:80 19 times

Outgoing Connection

The file /tmp/Legion.arm4 was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.arm4 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/Legion.arm5 was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.arm5 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/Legion.arm7 was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/Legion.arm7 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/tmp/bins.sh.1 was downloaded

Download File

Process /tmp/Legion.x86 generated outgoing network traffic to: 68.183.106.233:54

Outgoing Connection

Process /tmp/Legion.x86 attempted to access suspicious domains: artificial-intelligence.tk

Access Suspicious Domain Outgoing Connection

Process /tmp/Legion.i686 generated outgoing network traffic to: 68.183.106.233:54

Outgoing Connection

Process /tmp/Legion.i686 attempted to access suspicious domains: artificial-intelligence.tk

Access Suspicious Domain Outgoing Connection

/tmp/Legion.x86 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/tmp/Legion.i686 was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules

Malicious File

/tmp/Legion.i586 was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules

Malicious File

Connection was closed due to timeout

Associated Files

/tmp/bins.sh.1

SHA256: 43c129baf965188e09aa0ac40159d5723ee14e3739de892441dd0671709ef2b8

2134 bytes

/tmp/Legion.mips

SHA256: 7ad4ca68ecbdd61c13c328d48e058a9001eba2c709c5b0cccabb3ad1fff65848

148887 bytes

/tmp/Legion.mpsl

SHA256: 3bc04bc1a892d06a8aa01bbda841a0eb6c76d291035a8923e2a9b4309c28a949

148887 bytes

/tmp/Legion.sh4

SHA256: 41e7ffd07053c1247d8194cce409549290711a6aa3fda2d4664c38b17d547803

99599 bytes

/tmp/Legion.x86

SHA256: 98b4b098b8ac40edb46d65228d275fa0d0460e4172d2db755eab816dad1da2ad

100653 bytes

/tmp/Kronos

SHA256: a7c094cb9df2e1f13a88ae8e37a3ad4c27fc49f6cdb9a95cc876c56bd433b7f4

929 bytes

/tmp/hy67j

SHA256: 7b5b7e4e25572e1b5c2df6f26136b731ab684adf99f5250b186085bef0e36f92

25052 bytes

/tmp/hy67j

SHA256: 8b7cc939c4ea26a38e1f4589ebf931f5623ed8addac78db333be3627ff04b973

25076 bytes

/tmp/bins.sh

SHA256: 611fccb028409b762732949d5ca1158b3e42e469708e46f6d012fe541b2c742d

1639 bytes

/tmp/ntpd

SHA256: 1f569128fcaa0e41b12750bd4f230e77f112492589351eb5be17442c9f828f4f

171459 bytes

/tmp/sshd

SHA256: da5f1ad077a21de17178690a31611be5849bf896e583433a82cd717eee807821

171587 bytes

/tmp/openssh

SHA256: 50b003d361c245d9e0226ec91dad498f9b13e7f03764324b79a4c9aeebb75146

129666 bytes

/tmp/bash

SHA256: b6f1c2a92462ada638c861d9d82f6412065624399b8e1feca81a38b14ea2120e

140997 bytes

/tmp/Legion.x86

SHA256: 99b696c0ace8b55662d34954dbdee0cde144b6b0528186834279f68c62d17451

106078 bytes

/tmp/Legion.arm6

SHA256: b09944e7004051793a4d070c4670db9fcd5ff50a5e99bee04631d1b5179c5f38

134363 bytes

/tmp/Legion.i686

SHA256: b7a4ea91e1904607166ec75544e7d10993b60edb0b4628e937bd8a2e3c942a42

94899 bytes

/tmp/Legion.ppc

SHA256: d0446107fbf4b140244ed05c6cf00a06e286fa49315ca2f9e96d4c6b61290006

111032 bytes

/tmp/Legion.i586

SHA256: 389fe41d5a9625bd6b7a9a8720a0c3be1366347bda298007bc38ed5815e44c81

90803 bytes

/tmp/Legion.m68k

SHA256: 625b24cb200bb1452c9971547d471748fc329b9817b9a56b81e3ba561da69729

109022 bytes

/tmp/Legion.sparc

SHA256: 7c546d7cf6a7190aa7bad7fbe958aa57c71c7a5294bb7272521c89b47b26ebfd

125258 bytes

/tmp/Legion.arm4

SHA256: 5b902d099609f0695d770f032a6f3fe3879af58f662f38b794053a2274d3b871

119690 bytes

/tmp/Legion.arm5

SHA256: f59042c965e636069463e99648f8deb41c96e6046578ff650491f65b4deed981

115088 bytes

/tmp/Legion.arm7

SHA256: 3f681061a3a75aa404a357cab97fcd07e9550e1fcd9adb824a66b163609e996c

173140 bytes

