IP Address: 89.234.157.254Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
89.234.157.254​
Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH SCP

Tags

Networking Operation Download File 24 Shell Commands SCP Scheduled Task Creation Download and Execute Malicious File SSH Successful SSH Login Protect File Outgoing Connection

Associated Attack Servers

zhtwwpqt6ci62n5o.onion.cab zhtwwpqt6ci62n5o.onion.link igxhhnue75hvk5yc.onion.cab gmpsfqrlquaokfl5.onion.link qcuifb2klqqkwc5q.onion.nu zlha65umg7qmprg6.onion.to qcuifb2klqqkwc5q.onion.link ip-37-59-44.eu zlha65umg7qmprg6.onion.cab gmpsfqrlquaokfl5.onion.cab ip-147-135-37.us ip-37-59-54.eu xphkxaiz233pjoto.onion.link your-server.de 6ppk2oii4hsweqb7.onion.link lmco62zvt7fnezd5.onion.cab zlha65umg7qmprg6.onion.link xphkxaiz233pjoto.onion.to ip-139-99-120.net tqz3y4w3eq4wi2ay.onion.cab ip-37-187-154.eu 37kcwpfxuftyiyie.onion.to qcuifb2klqqkwc5q.onion.cab xphkxaiz233pjoto.onion.cab ip-158-69-25.net ip-139-99-68.net zhtwwpqt6ci62n5o.onion.to 6ppk2oii4hsweqb7.onion.to xmr.pool.minergate.com startdedicated.de

139.99.68.128 62.138.11.6 176.9.53.68 147.135.37.31 103.198.0.2 94.130.165.85 176.9.47.243 139.99.120.73 37.59.44.193 37.59.45.174 37.59.54.205 88.99.242.92 185.100.85.150 188.213.49.65 139.99.120.75 46.36.37.82 158.69.25.77 88.99.193.240 185.206.146.35 37.187.154.79 192.36.27.5 37.59.44.93 81.4.122.134 176.9.2.145

Basic Information

IP Address

89.234.157.254

Domain

-

ISP

OPDOP SCIC

Country

France

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-06-20

Last seen in Guardicore Centra

2021-02-20

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

The file /tmp/pinger was downloaded and executed 5 times

Download and Execute

/root/.system/ls was downloaded

Download File

/root/.system/lsof was downloaded

Download File

/root/.system/netstat was downloaded

Download File

/root/.system/ps was downloaded

Download File

/root/.system/pstree was downloaded

Download File

/root/.system/ss was downloaded

Download File

/root/.system/top was downloaded

Download File

/usr/bin/.yam was downloaded

Download File

The file /usr/bin/.main was downloaded and executed 6 times

Download and Execute

The file /usr/bin/.xmrig was downloaded and executed 8 times

Download and Execute

Process /usr/bin/.xmrig generated outgoing network traffic to: 185.206.146.35:4444

Outgoing Connection

Connection was closed due to timeout

/root/.system/lsof was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation

Malicious File

/root/.system/top was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation

Malicious File

/usr/bin/.xmrig was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

/root/.system/ss was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation

Malicious File

/root/.system/netstat was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation

Malicious File

/root/.system/pstree was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation

Malicious File

/root/.system/ls was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation

Malicious File

/root/.system/ps was identified as malicious by YARA according to rules: Javascript Exploit And Obfuscation

Malicious File

Associated Files

/bin/zz3b3fqk3ucgnmny2v6t0ry3k4

SHA256: e374a7ad447d2cf791ecae122894a51ba723901ea132e7fa16cd47c44e4a1769

512 bytes

/bin/dhpcd

SHA256: c0f64dede8861cb842434ca972bc0764d7c98d76ceeef8798e5344e149f549da

379416 bytes

/tmp/pinger

SHA256: bc56a689943679c7018b38b0349fb4bd9f9c957328949aed0d5a370dc12620c7

2146144 bytes

/root/.system/top

SHA256: a518beea171accec8553b02414e1ffba0b49b0592d58f406efc24ccf79cab873

1321504 bytes

/bin/dhpcd

SHA256: 66075f2bce413321d558e8febf4a1c22dfec0f6579f18b1be3b46d7853759388

1514000 bytes

/usr/bin/.xmrig

SHA256: bd14bc3cfd9528e4a7583ab39aecc876250333e1e0faab83781584bb7f65e3eb

1844640 bytes

/usr/bin/.main

SHA256: 9f8361f6f0baeca8504d88eac23575ad8aaac3639f692e5df6d5dbf6af31d811

1458912 bytes

/tmp/J19CUTs6ML2uf

SHA256: 1d292c5be00330c48e5f4dc20a28633179058a97d857281569a1b803b74aecec

4633216 bytes

/tmp/r9MAa0jfZD8rR

SHA256: bb8b611d3074b15a9fbe9967c0dd46346cd9f815bae60b3d92678afdd428064e

4390176 bytes

/tmp/om2UDhJc

SHA256: 57a00d800debbc709a3c96ca2c04dad7011805bb983868c5e7dd8e1b4f2a2d64

4390176 bytes

/tmp/bVrSlADyZ4o

SHA256: fb229ec335f33284fc90dbf8407d399d41fe112d0577cf64cc9beac32da7dcda

4390176 bytes

/tmp/cqjzSiU73By

SHA256: e62105ab36579f0e55c397d63f757e6a4320e6c7713ccbdfff883e9f53ffdebf

4390176 bytes

/tmp/F7IqVO5f

SHA256: b8d4721ea987582cf08147fd37e6acced139395c5f393dd577a95f7c0f51754b

4390176 bytes

/tmp/eBWWDqnvbdDLkrf

SHA256: 50d60a26c70b45c368acbc11050bbd1a045a782be90fe849243fa5051182a321

4390176 bytes

/tmp/kCpppADPqDKxu

SHA256: 98c27ea6ce8602916aa24ae3ecf91af2e8140a986eb38d39a0251c8f2d4b0941

4390176 bytes

/tmp/DFxVFwauOgIk

SHA256: 118bcc73f2b740392af9729382f348b5d85f497424f1523c3d14b1cc57d75985

4390176 bytes

/tmp/OipGuY5ZHQ

SHA256: 96100ae4c14b93ef405bc304a74f9f2b0a4128322382742b960fadfc4e5e4dd3

4390176 bytes

/tmp/wTDo8tMptjJDlh

SHA256: 957bf53bc91efd4bc60c775acf5e0377f1f5ff819d818747d084f0832a140f40

4390176 bytes

/tmp/3OjDwN9995

SHA256: e83e31dc4668df3f5579d0378f7dce17f6fae85a261b05912803348f5cbf0dfe

4390176 bytes

/tmp/sCojBBMFtx

SHA256: 1040477d7f0879e8b8d240c1f1ee3a2c8269a6c7c376993cb1e864d0b66eab08

4390176 bytes

/tmp/EM2MQLaiTE6mC

SHA256: 0aef3ab099fe3a4328e82cdbb117f6c52eeebc706b9897d98cd30e31c6b83e21

4390176 bytes

/tmp/jZarcqy5

SHA256: 91a6b03403ae57b4baeaf75bef25d1cbdc6cf515656183af978dec3898eef335

4390176 bytes

/tmp/WxBZ3BBKHmDpQ

SHA256: 48888ed8cbb57b313f4bcc5035dd752bc6563729c9fd92ff5b3533605f6b3cf0

4394272 bytes

/tmp/PPE7btu7fOrN

SHA256: 7d915f35c60fbe29055582c29b442dae9f8b99fdc0c5b8c1d629823e43dba66b

4390176 bytes

/tmp/zgLzKMHEZxE

SHA256: 392be2e84dea7841533a69d5cec884d82d7a9fcec8614112413507ddd81df7bd

4390176 bytes

/tmp/7MoyVH2jd

SHA256: c797aee0e67bf6838776e32adeef89129200a0c72ee1acd6398edc0cdd3f3eb6

4390176 bytes

/tmp/thRwk1fopqdqz

SHA256: 93dfe5972eef0062814a3a54461876e15f6dc5cfc1833b4ca5804ef7baeaf4b9

4390176 bytes

/tmp/5ol6jVOFkC0r40

SHA256: 0aee3b5f39d3b36a9833785c19d0b96e62a9ce74e7efe6cc37888b229e258e43

4390176 bytes

/tmp/tGCMZuUP5P

SHA256: ed6955339fdee5950014e261da90f3c40600891fd7b8bb0d49b53a11431abe8f

4633216 bytes

/tmp/VX8w7lcfV5St

SHA256: 839725b904fbc7176823984b4d03f69a0fdbc556bcac5eed28ff84bb83eb7d0b

4633216 bytes

/tmp/mhrHHPKOD

SHA256: 9ea0f4c0175997f99bf4def49e4a625371051bb542f0e8e949f4535865c36674

4390176 bytes

/tmp/f7BMexE7XQapQc

SHA256: b4a14463f7d823517b1cee04f446e892559ef695b0dbd48ccabd395011813099

4390176 bytes

/tmp/BL8CEnSyY867ne

SHA256: e5b4789119007fd53b4f41daa2355865590306fe364245988c295eac5964034b

4390176 bytes

/tmp/4WQYOZwkbHwR23N

SHA256: 20682c6a79c57eeef7afd6ed836d2dd9bd146c9e4a4e19532d54922baab5c66d

4390176 bytes
Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 89.234.157.254​Malicious