IP Address: 62.210.113.76 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

Outgoing Connection, HTTP, Scheduled Task Creation, Human, Log Tampering, Access Suspicious Domain, Download File, New SSH Key, Kill Process, Download and Allow Execution, Malicious File, DNS Query, SSH, 62 Shell Commands, Successful SSH Login, Download Operation, Package Install, Download and Execute, Protect File

Connect Back Servers

Domains: fcn-mro.pool.minergate.com, canonical.com, wwww.helloclaire.co.uk, mine.moneropool.com, mro.pool.minergate.com, xmr.pool.minergate.com, www.helloclaire.co.uk, archive.ubuntu.com, mro.extremepool.org, your-server.de

IP addresses: 199.115.116.216, 176.9.2.145, 212.53.87.134, 176.9.147.178, 91.189.88.152, 138.201.31.14, 213.239.196.214

Basic Information

IP Address

62.210.113.76

Domain

-

ISP

Free SAS

Country

France

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-06-29

Last seen in Guardicore Centra

2018-09-16

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget attempted to access suspicious domains: wwww.helloclaire.co.uk

DNS Query Access Suspicious Domain

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.152:80

Outgoing Connection

Process /usr/lib/apt/methods/http attempted to access domains: archive.ubuntu.com

DNS Query

The file /usr/share/doc/nano was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/doc/nano/examples was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/nano was downloaded and granted execution privileges

Download and Allow Execution

The file /var/lib/dpkg/tmp.ci/preinst was downloaded and granted execution privileges

Download and Allow Execution

The file /var/lib/dpkg/tmp.ci/postinst was downloaded and granted execution privileges

Download and Allow Execution

The file /var/lib/dpkg/tmp.ci/prerm was downloaded and granted execution privileges

Download and Allow Execution

The file /var/lib/dpkg/tmp.ci/postrm was downloaded and granted execution privileges

Download and Allow Execution

The file /bin/nano.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password

Successful SSH Login

Process /usr/bin/wget attempted to access suspicious domains: www.helloclaire.co.uk 2 times

DNS Query Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 212.53.87.134:80 2 times

Outgoing Connection

The file /var/tmp/bash was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/. /.bash/h64 was downloaded and loaded by /var/tmp/. /.bash/bash

Download and Execute

The file /var/tmp/. /.bash/bash was downloaded and executed

Download and Execute

Process /var/tmp/. /.bash/bash generated outgoing network traffic to: 176.9.2.145:5556, 176.9.147.178:5559, 213.239.196.214:45560, 199.115.116.216:5555 and 138.201.31.14:3336

Outgoing Connection

Process /var/tmp/. /.bash/bash attempted to access domains: mine.moneropool.com, mro.pool.minergate.com, xmr.pool.minergate.com and fcn-mro.pool.minergate.com

DNS Query

Process /var/tmp/. /.bash/bash attempted to access suspicious domains: mro.extremepool.org

DNS Query Access Suspicious Domain Outgoing Connection

/var/tmp/. /bash.tgz was downloaded

Download File

The file /var/tmp/. /.bash was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/. /.bash/h32 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/. /.bash/run was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/. /.bash/autorun was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/. /.bash/upd was downloaded and granted execution privileges

Download and Allow Execution

Log File Tampering detected from /bin/bash on the following logs: /var/log/lastlog and /var/log/wtmp

Log Tampering

/var/tmp/. /.bash/h64 was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Apt Eqgrp Apr17

Malicious File

An attempt to download /root/.ssh/authorized_keys was made

New SSH Key

/var/tmp/. /.bash/h32 was identified as malicious by YARA according to rules: Maldoc Somerules

Malicious File

/var/tmp/. /.bash/bash was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

Associated Files

/var/tmp/ /systemd-private-484004451d0046639858c0420ad0891c-systemd-timesyncd.service/security

SHA256: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf

838583 bytes

/var/tmp/.ssh/h32

SHA256: 45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161

15125 bytes

/var/tmp/.bash/bash

SHA256: d9791f4dfd903bf3c7c5258ac4ae92df11fc37c3b1749e15f173c1aeb6fafb67

3876568 bytes

/var/tmp/. /.bash/run

SHA256: 59f7af842d75f0053f3a786e89eb99c41e7b39aa790bcd707233657b495eae4a

415 bytes

/var/tmp/. /.bash/autorun

SHA256: 50a50aa5901ab79b3b6569b6b3ddab7aabf47c7e5270dfc0d50f768a86244ba0

289 bytes

/var/tmp/. /.bash/upd

SHA256: 64343ae778d30da781254ddcc928856ab09e4e0e758db5685e903c19d3dc1f18

166 bytes

/var/tmp/. /bash.tgz

SHA256: 33efd2bbf636203779d94349169feaa23ebdfb18c69c148c9264274b776cd3a6

1755055 bytes
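The attack flow above (a root SSH login, wget fetching from the helloclaire.co.uk host, a miner unpacked into a directory literally named ". " under /var/tmp, and outgoing connections to the listed pools and endpoints) lends itself to a few host-side hunting checks, and the Associated Files section supplies the digests to match against. The script below is an added example, not Guardicore's or Centra's code: it takes the pool domains, connect-back IP:port pairs and SHA256 values from this page as indicator sets, walks a filesystem root for directories whose names consist only of dots and whitespace, hashes files against the listed digests, and matches tab-separated "process<TAB>host:port" event lines. The directory tree and event lines it runs on are constructed for the demo (the line format, the sample "run" script contents and the port on the pool line are assumptions, not data from the page); on a real host, point it at / and feed it your own connection or DNS log extract.

```python
"""Hunt for the indicators in this report on a host or a log extract.

Added example, not Guardicore/Centra code. Indicator values (pool domains,
connect-back endpoints, SHA256 digests) are copied from this page; the
sample directory tree and event lines are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# "Connect Back Servers": mining pools the dropped binary resolved.
POOL_DOMAINS = {
    "mine.moneropool.com", "mro.pool.minergate.com", "xmr.pool.minergate.com",
    "fcn-mro.pool.minergate.com", "mro.extremepool.org",
}
# Outgoing connections made by /var/tmp/. /.bash/bash in the attack flow.
C2_ENDPOINTS = {
    ("176.9.2.145", 5556), ("176.9.147.178", 5559), ("213.239.196.214", 45560),
    ("199.115.116.216", 5555), ("138.201.31.14", 3336),
}
# SHA256 digests from "Associated Files".
FILE_HASHES = {
    "7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf",
    "45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161",
    "d9791f4dfd903bf3c7c5258ac4ae92df11fc37c3b1749e15f173c1aeb6fafb67",
    "59f7af842d75f0053f3a786e89eb99c41e7b39aa790bcd707233657b495eae4a",
    "50a50aa5901ab79b3b6569b6b3ddab7aabf47c7e5270dfc0d50f768a86244ba0",
    "64343ae778d30da781254ddcc928856ab09e4e0e758db5685e903c19d3dc1f18",
    "33efd2bbf636203779d94349169feaa23ebdfb18c69c148c9264274b776cd3a6",
}
# Directory names made only of dots and whitespace, like the ". " in
# /var/tmp/. /.bash (os.walk never yields "." or ".." themselves).
HIDDEN_DIR = re.compile(r"^[.\s]+$")
# Constructed event line format: "<process>\t<host or ip>:<port>"
# (tab-separated because the process path itself contains a space).
EVENT = re.compile(r"^(?P<proc>[^\t]+)\t(?P<host>[^:\t]+):(?P<port>\d+)$")


def find_hidden_dirs(root):
    """Return directories under root whose basename is only dots/whitespace."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if HIDDEN_DIR.match(d):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def sha256_file(path):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_file_hashes(root, known=FILE_HASHES):
    """Return (path, sha256) for files under root whose digest is a listed IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            path = os.path.join(dirpath, f)
            digest = sha256_file(path)
            if digest in known:
                hits.append((path, digest))
    return sorted(hits)


def match_network_events(lines):
    """Flag events whose destination is a listed pool domain or C2 endpoint."""
    findings = []
    for line in lines:
        m = EVENT.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        host, port = m.group("host"), int(m.group("port"))
        if host in POOL_DOMAINS:
            findings.append((m.group("proc"), host, port, "mining-pool-domain"))
        elif (host, port) in C2_ENDPOINTS:
            findings.append((m.group("proc"), host, port, "known-c2-endpoint"))
    return findings


def build_sample_tree():
    """Constructed layout mirroring the paths in the attack flow; returns (root, run)."""
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, "var", "tmp", ". ", ".bash")
    os.makedirs(hidden)
    run = os.path.join(hidden, "run")
    with open(run, "wb") as fh:
        fh.write(b"#!/bin/sh\n./h64\n")  # constructed placeholder, not the real script
    os.makedirs(os.path.join(root, "var", "tmp", "nano"))  # benign sibling, not flagged
    return root, run


# Constructed events shaped like the "Outgoing Connection"/"DNS Query" lines above.
SAMPLE_EVENTS = [
    "/var/tmp/. /.bash/bash\t176.9.2.145:5556",
    "/var/tmp/. /.bash/bash\txmr.pool.minergate.com:3333",  # port is an assumption
    "/usr/lib/apt/methods/http\tarchive.ubuntu.com:80",
]

if __name__ == "__main__":
    root, _ = build_sample_tree()
    print("hidden dirs:", find_hidden_dirs(root))
    print("hash hits:", match_file_hashes(root))
    print("network hits:", match_network_events(SAMPLE_EVENTS))
```

The hidden-directory check is the cheapest signal here: a directory whose name is a dot followed by a space is invisible to a casual `ls` and has no legitimate reason to exist under /var/tmp. The hash match is exact-digest only, so a rebuilt or repacked bash.tgz would not hit; treat it as confirmation, not as the primary detection, and pair it with the network indicators, which the miner has to reach regardless of how it was packed.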
