IP Address: 92.114.93.76 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: SSH

Tags: Outgoing Connection 18 Shell Commands HTTP Access Suspicious Domain Human Download File Download and Allow Execution DNS Query SSH Successful SSH Login Download Operation Malicious File

Connect Back Servers

Domains: www.speedtest.net, 3x.ro, hydrateam.3x.ro, scyell.3x.ro, stosat-rstn-01.sys.comcast.net, shentel.net, sp1.winchesterwireless.net, ntc-com.com, stosat-malt-01.sys.comcast.net, customcomputersva.com, edinburg.speedtest.shentel.net, bigdaddy.wave2net.com, comcast.net

IP addresses: 69.241.0.94, 204.111.5.18, 72.21.92.82, 69.241.87.90, 184.170.114.134, 204.111.21.7, 89.42.39.160

Basic Information

IP Address: 92.114.93.76
Domain: -
ISP: Net-tv Systems Srl
Country: Romania

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2017-06-26
Last seen in Guardicore Centra: 2017-06-27


Attack Flow

Each step lists the recorded event followed by the tags Centra assigned to it.

1. A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List (Successful SSH Login)
2. Process /usr/bin/wget attempted to access suspicious domains: 3x.ro and scyell.3x.ro 2 times (DNS Query, Access Suspicious Domain, Outgoing Connection)
3. Process /usr/bin/wget generated outgoing network traffic to: 89.42.39.160:80 3 times (Outgoing Connection)
4. Process /usr/bin/python2.7 generated outgoing network traffic to: 69.241.0.94:80, 69.241.87.90:80, 204.111.21.7:80, 184.170.114.134:80, 204.111.5.18:80 and 72.21.92.82:80 2 times (Outgoing Connection)
5. Process /usr/bin/python2.7 attempted to access domains: stosat-rstn-01.sys.comcast.net, www.speedtest.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net 2 times (DNS Query)
6. Process /usr/bin/python2.7 attempted to access suspicious domains: sp1.winchesterwireless.net, customcomputersva.com, bigdaddy.wave2net.com and ntc-com.com 2 times (DNS Query, Access Suspicious Domain, Outgoing Connection)
7. /root/scyell.py was downloaded (Download File)
8. A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password (Successful SSH Login)
9. A user logged in using SSH with the following credentials: root / ************* - Authentication policy: Correct Password (Successful SSH Login)
10. Process /usr/bin/wget attempted to access suspicious domains: hydrateam.3x.ro and 3x.ro (DNS Query, Access Suspicious Domain, Outgoing Connection)
11. /root/last.tar was downloaded (Download File)
12. Process /usr/bin/wget attempted to access suspicious domains: scyell.3x.ro (DNS Query, Access Suspicious Domain)
13. /root/ddos was downloaded (Download File)
14. Process /usr/bin/python2.7 generated outgoing network traffic to: 72.21.92.82:80 (Outgoing Connection)
15. Process /usr/bin/python2.7 attempted to access domains: www.speedtest.net (DNS Query)
16. The file /root/ssh was downloaded and granted execution privileges (Download and Allow Execution)
17. The file /root/ssh/a was downloaded and granted execution privileges (Download and Allow Execution)
18. The file /root/ssh/pass was downloaded and granted execution privileges (Download and Allow Execution)
19. The file /root/ssh/pscan2 was downloaded and granted execution privileges (Download and Allow Execution)
20. The file /root/ssh/rootlog was downloaded and granted execution privileges (Download and Allow Execution)
21. The file /root/ssh/scan was downloaded and granted execution privileges (Download and Allow Execution)
22. The file /root/ssh/scan.log was downloaded and granted execution privileges (Download and Allow Execution)
23. The file /root/ssh/screen was downloaded and granted execution privileges (Download and Allow Execution)
24. The file /root/ssh/sshd was downloaded and granted execution privileges (Download and Allow Execution)
25. The file /root/ssh/v was downloaded and granted execution privileges (Download and Allow Execution)
26. /root/ssh/pass was identified as malicious by YARA according to rules: Apt Apt1 (Malicious File)
27. /root/ssh/screen was identified as malicious by YARA according to rules: Maldoc Somerules and Toolkit Thor Hacktools (Malicious File)
28. /root/last.tar was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules, Toolkit Thor Hacktools, Crypto Signatures and Apt Apt1 (Malicious File)
29. /root/ssh/sshd was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules and Crypto Signatures (Malicious File)

Associated Files

Path / SHA256 / Size

/var/tmp/zone/screen.filepart
  SHA256: 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80
  249980 bytes

/var/tmp/scyell.py
  SHA256: bbd20572592a6cf69fd31e3707f9be4d79818c1d6fca25c53417262f73f30c13
  25319 bytes

/root/last.tar
  SHA256: 98e64e0fe5a58c69da16ab15f8454c70efad8649cd48b485071124da049cfd67
  1775616 bytes

/var/tmp/amazon/da
  SHA256: 6191df75a1bd763b82ca2126b79cefc7ff406baf5b765e1043aaf9538de51982
  12416 bytes

/root/ssh/a
  SHA256: c0c9dfa52a9068ba4a788326183947c79caf01fd8abf09d1defe979245e47a61
  56 bytes

/root/ssh/pass
  SHA256: 3fcd02c58ae7fd87457cf7e4523b9d523cd299eb75c3c8edce5756bf5692cf78
  17997 bytes

/root/ssh/scan
  SHA256: 47148fc611806e80614fab3ec0e19317eb255f9d27800ade935f606231098ee1
  854 bytes

/root/ssh/sshd
  SHA256: 603f4b80fd7c10358785f4d7895aa07e81151193e1fc60066079752711e97cfa
  1485768 bytes

/root/ssh/v
  SHA256: d1875b949929110782add388eae6accb4dd21abc0cdebea166ed8ef386ae8401
  387 bytes

/root/ddos
  SHA256: 317aff19f01b6821906410784f5719669f451539ccf343b4883667569dc4d084
  3858 bytes
