IP Address: 89.36.22.198 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

DNS Query, Human, Download and Allow Execution, Download File, 24 Shell Commands, SFTP, Access Suspicious Domain, Listening, Malicious File, SSH, Successful SSH Login, Kill Process, Outgoing Connection

Associated Attack Servers

www.speedtest.net, comcast.net, shentel.net, edinburg.speedtest.shentel.net, stosat-malt-01.sys.comcast.net, stosat-rstn-01.sys.comcast.net, kagoya.net, s1.speedtest.wdc1.us.leaseweb.net, bigdaddy.wave2net.com

207.244.94.68, 151.101.2.219, 69.241.0.94, 204.111.5.18, 124.248.151.49, 204.111.21.7, 69.241.87.90

Basic Information

IP Address

89.36.22.198

Domain

-

ISP

Digital Cable Systems S.A.

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-07-01

Last seen in Guardicore Centra

2018-07-02

What is Guardicore Centra

Guardicore Centra is a data center and cloud security solution that protects an organization's core assets using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password 3 times

Successful SSH Login

Process /usr/sbin/sshd started listening on ports: 22

Listening

The file /root/.x/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/bot was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/frankfurd.pl was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/go was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/port was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/random was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/viteza.py was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/vpsinfo was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/bin/perl generated outgoing network traffic to: 124.248.151.49:6969 2 times

Outgoing Connection

Process /usr/bin/python2.7 attempted to access domains: www.speedtest.net, stosat-rstn-01.sys.comcast.net, s1.speedtest.wdc1.us.leaseweb.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net

DNS Query

Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.2.219:80, 69.241.87.90:80, 204.111.21.7:80, 207.244.94.68:80, 69.241.0.94:80 and 204.111.5.18:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access suspicious domains: bigdaddy.wave2net.com

DNS Query Outgoing Connection Access Suspicious Domain

A user logged in using SSH with the following credentials: root / *************** - Authentication policy: Correct Password

Successful SSH Login

Connection was closed due to timeout

/root/.x/bot was identified as malicious by YARA according to rules: Antidebug Antivm and Suspicious Strings

Malicious File
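The chain above (a root SSH login, eight executables written into the hidden directory /root/.x, a Perl process connecting out to a high port, a Python process hitting speedtest hosts on :80 and then resolving a flagged domain) is worth detecting as one unit rather than as a dozen separate alerts. The Python below is an added example, not Guardicore's code: it parses event lines written in the wording used on this page and correlates them into a single finding. The regexes, the interpreter list, the set of "expected" ports (which is why the :80 speedtest traffic is not counted as C2) and the Finding structure are assumptions of this example; the attack lines are copied from the flow above and the benign sequence is constructed.

```python
"""Correlate Centra-style attack-flow lines into one 'tool drop after SSH login' finding.

Added example; the event wording follows the attack flow on this page, while the regexes,
thresholds and the Finding structure are assumptions of this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The event shapes the rule keys on (other lines, e.g. 'Listening', are ignored).
SSH_LOGIN = re.compile(r"logged in using SSH with the following credentials: (\S+) /")
DROP_EXEC = re.compile(r"The file (\S+) was downloaded and granted execution privileges")
OUTBOUND = re.compile(r"Process (\S+) generated outgoing network traffic to: (.+?)(?: \d+ times)?$")
SUSPICIOUS_DNS = re.compile(r"attempted to access suspicious domains: (.+)$")

# Scripting interpreters whose outbound connections count as suspicious (assumed list).
INTERPRETERS = {"/usr/bin/perl", "/usr/bin/python", "/usr/bin/python2.7",
                "/usr/bin/python3", "/bin/sh", "/bin/bash"}
# Ports not counted as C2 candidates; the speedtest traffic on this page is all :80.
EXPECTED_PORTS = {22, 53, 80, 443}


@dataclass
class Finding:
    user: Optional[str] = None
    dropped: List[str] = field(default_factory=list)        # executables under a hidden dir
    c2_candidates: List[Tuple[str, int]] = field(default_factory=list)
    suspicious_domains: List[str] = field(default_factory=list)

    @property
    def triggered(self) -> bool:
        # a login, at least one hidden-dir drop, and some beaconing evidence
        return bool(self.user and self.dropped and (self.c2_candidates or self.suspicious_domains))


def in_hidden_dir(path: str) -> bool:
    """True when any directory component (not the file name itself) starts with '.'."""
    return any(p.startswith(".") for p in path.split("/")[:-1])


def split_list(text: str) -> List[str]:
    """'a:80, b:80 and c:80' -> ['a:80', 'b:80', 'c:80'] (the list wording used above)."""
    return [t.strip() for t in re.split(r",\s*|\s+and\s+", text) if t.strip()]


def parse_endpoints(text: str) -> List[Tuple[str, int]]:
    out = []
    for tok in split_list(text):
        host, _, port = tok.rpartition(":")
        if host and port.isdigit():
            out.append((host, int(port)))
    return out


def correlate(lines: List[str]) -> Finding:
    f = Finding()
    for line in lines:
        if (m := SSH_LOGIN.search(line)):
            f.user = f.user or m.group(1)                       # keep the first login seen
        elif (m := DROP_EXEC.search(line)) and in_hidden_dir(m.group(1)):
            f.dropped.append(m.group(1))
        elif (m := OUTBOUND.search(line)) and m.group(1) in INTERPRETERS:
            f.c2_candidates += [(h, p) for h, p in parse_endpoints(m.group(2))
                                if p not in EXPECTED_PORTS]
        elif (m := SUSPICIOUS_DNS.search(line)):
            f.suspicious_domains += split_list(m.group(1))
    return f


# Lines copied from the attack flow on this page.
DROPPED = ["1", "bot", "frankfurd.pl", "go", "port", "random", "viteza.py", "vpsinfo"]
ATTACK_FLOW = (
    ["A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password 3 times"]
    + [f"The file /root/.x/{n} was downloaded and granted execution privileges" for n in DROPPED]
    + ["Process /usr/bin/perl generated outgoing network traffic to: 124.248.151.49:6969 2 times",
       "Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.2.219:80, 69.241.87.90:80, 204.111.21.7:80, 207.244.94.68:80, 69.241.0.94:80 and 204.111.5.18:80",
       "Process /usr/bin/python2.7 attempted to access suspicious domains: bigdaddy.wave2net.com"]
)

# Constructed benign sequence: an admin pulls a build tool and curl fetches over HTTPS.
BENIGN_FLOW = [
    "A user logged in using SSH with the following credentials: deploy / **** - Authentication policy: White List",
    "The file /home/deploy/build/tool was downloaded and granted execution privileges",
    "Process /usr/bin/curl generated outgoing network traffic to: 151.101.2.219:443",
]

if __name__ == "__main__":
    print(correlate(ATTACK_FLOW))
    print(correlate(BENIGN_FLOW).triggered)
```

The rule deliberately ignores the sshd "Listening" event and the port-80 traffic: the former is the daemon itself, and the latter goes to speedtest endpoints that the dropped Python script (viteza.py, vpsinfo) uses to size up the host, not to command it. Only the Perl connection to 124.248.151.49:6969 survives as a C2 candidate.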

Associated Files

/var/tmp/zone/screen.filepart

SHA256: 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80

249980 bytes

/root/.x/vpsinfo

SHA256: 5170a3587326cfb4caa4931529ad140db10fd298a4434e5b7cadd83f68a7f300

1602 bytes

/root/.x/viteza.py

SHA256: a2c2824f2ff4fffc9a189c52eedbc43802eaf0416dcec7e9601296b1391dd841

25432 bytes

/root/.x/bot

SHA256: 4ec8554774cd0bdcf00df6febf701693f7ff729b7e850bfbacaae8309630bf56

39460 bytes

/root/.x/random

SHA256: b8e8f1d7f781f6a48b1f4ff22212cdf76df0198e30397b241b475c813835b576

322 bytes

/root/.x/ssh.filepart

SHA256: 949f965cd9d9462e63d74b3093ecaad09133c032535aabf1ff680377beb511e5

1485768 bytes

/root/.x/frankfurd.pl

SHA256: 6707ffa98d523e9895963b05d671c862448684ec73fb13bfba5bb718d67cc2f6

2021 bytes

/root/.x/go

SHA256: b121572b5f3a58c6c5dac129914f0daa4e44fc1ad5841f488724851d175ec1f7

1160 bytes

/root/.x/pscan2.filepart

SHA256: 469a5e09383b03c974c8cf01904a0c885f12ac46b10726faf7873e9f66c9059b

888972 bytes
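After an incident like this one, the hashes and paths above are what get swept across the rest of the estate. The Python below is an added example, not Guardicore's tooling: it walks a directory tree, matches SHA-256 values against the list on this page and, because a repacked sample changes its hash, also flags executables sitting under a hidden directory (as /root/.x does here). The sweep logic and the demo tree, including its file contents and one stand-in hash, are constructed for this example; the real samples are not reproduced.

```python
"""Sweep a directory tree for the file indicators above: known SHA-256 values plus the
generic pattern of executables dropped under a hidden directory.

Added example; the hashes come from the Associated Files list on this page, the sweep
logic, the demo tree and its file contents are constructed for this example.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# SHA-256 -> original path, as listed on this page.
PAGE_IOC_SHA256: Dict[str, str] = {
    "2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80": "/var/tmp/zone/screen.filepart",
    "5170a3587326cfb4caa4931529ad140db10fd298a4434e5b7cadd83f68a7f300": "/root/.x/vpsinfo",
    "a2c2824f2ff4fffc9a189c52eedbc43802eaf0416dcec7e9601296b1391dd841": "/root/.x/viteza.py",
    "4ec8554774cd0bdcf00df6febf701693f7ff729b7e850bfbacaae8309630bf56": "/root/.x/bot",
    "b8e8f1d7f781f6a48b1f4ff22212cdf76df0198e30397b241b475c813835b576": "/root/.x/random",
    "949f965cd9d9462e63d74b3093ecaad09133c032535aabf1ff680377beb511e5": "/root/.x/ssh.filepart",
    "6707ffa98d523e9895963b05d671c862448684ec73fb13bfba5bb718d67cc2f6": "/root/.x/frankfurd.pl",
    "b121572b5f3a58c6c5dac129914f0daa4e44fc1ad5841f488724851d175ec1f7": "/root/.x/go",
    "469a5e09383b03c974c8cf01904a0c885f12ac46b10726faf7873e9f66c9059b": "/root/.x/pscan2.filepart",
}


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, ioc_hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs; reason is 'hash:<known name>' or 'exec-in-hidden-dir'."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):          # does not follow symlinked dirs
        rel = os.path.relpath(dirpath, root)
        in_hidden = rel != "." and any(p.startswith(".") for p in rel.split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):                          # do not follow links out of the tree
                continue
            try:
                digest = sha256_file(path)
                executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
            except OSError:                                   # unreadable or vanished mid-walk
                continue
            if digest in ioc_hashes:
                findings.append((path, "hash:" + ioc_hashes[digest]))
            elif in_hidden and executable:
                findings.append((path, "exec-in-hidden-dir"))
    return findings


def _write(path: str, data: bytes, mode: int) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed tree mimicking the drop above, sweep it, return relative findings."""
    with tempfile.TemporaryDirectory() as base:
        bot = os.path.join(base, ".x", "bot")
        _write(bot, b"constructed stand-in for /root/.x/bot\n", 0o755)             # hash IOC hit
        _write(os.path.join(base, ".x", "viteza.py"), b"# constructed\n", 0o755)    # heuristic hit
        _write(os.path.join(base, ".x", "README"), b"text\n", 0o644)                # hidden, not exec
        _write(os.path.join(base, "bin", "tool"), b"# constructed\n", 0o755)        # exec, not hidden
        _write(os.path.join(base, ".config", "app.toml"), b"k = 1\n", 0o644)        # ordinary dotdir data
        ioc = dict(PAGE_IOC_SHA256)
        # The real sample is not reproduced here, so the stand-in's own hash is added to
        # exercise the hash path; it is not one of the page's indicators.
        ioc[sha256_file(bot)] = "/root/.x/bot (constructed stand-in)"
        return sorted((os.path.relpath(p, base), r) for p, r in sweep(base, ioc))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:42s} {path}")
```

Run `sweep("/", PAGE_IOC_SHA256)` as root on a suspect host for the real check. Note the three `.filepart` entries above: together with the SFTP tag and the "Connection was closed due to timeout" event they suggest transfers that never completed, so on a host where the transfer finished the same tools may sit under different names with different hashes, which is what the hidden-directory heuristic is there to catch.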
