Sinkhole Events Report

This report contains events (connections) to non-HTTP sinkholes. Sinkholing is a technique whereby a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can, to a varying degree, understand the connections coming from infected devices.

Only infected systems or security researchers should be seen in this list.

File names: event4_sinkhole


  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • src_ip
    The IP of the device in question
  • src_port
    Source port of the IP connection
  • src_asn
    ASN of the source IP
  • src_geo
    Country of the source IP
  • src_region
    Region of the source IP
  • src_city
    City of the source IP
  • src_hostname
    Reverse DNS of the source IP
  • src_naics
    North American Industry Classification System Code
  • src_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • device_vendor
    Source device vendor
  • device_type
    Source device type
  • device_model
    Source device model
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event


"2021-03-04 00:00:00","tcp","190.113.x.x",17409,12252,"PE","METROPOLITANA DE LIMA","LIMA",,,,,,,"178.162.x.x",4455,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service","eset","victorygate.b",,,,,
"2021-03-04 00:00:00","tcp","217.173.x.x",28940,8220,"IE","DUBLIN","DUBLIN",,541611,"Communications, Service Provider, and Hosting Service",,,,"137.116.x.x",16464,8075,"SG","CENTRAL","SINGAPORE",,334111,"Information","MSDCU",,,"b68-zeroaccess-2-32bit",,,
"2021-03-04 00:00:00","tcp","37.212.x.x",36735,6697,"BY","VITEBSKAJA OBLAST'","VITEBSK",,,,,,,"168.63.x.x",16464,8075,"HK","HONG KONG","HONG KONG",,334111,"Information","MSDCU",,,"b68-zeroaccess-2-32bit",,,
"2021-03-04 00:00:00","tcp","86.130.x.x",50395,2856,"UK","MID ULSTER","DUNGANNON",,517311,"Communications, Service Provider, and Hosting Service",,,,"",16471,8075,"US","VIRGINIA","ASHBURN",,334111,"Information","MSDCU",,,"b68-zeroaccess-1-32bit",,,
"2021-03-04 00:00:00","tcp","35.205.x.x",44696,15169,"BE","BRUXELLES-CAPITALE","BRUSSELS","",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.x.x",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut",,,,,
"2021-03-04 00:00:00","tcp","35.197.x.x",36968,15169,"US","OREGON","THE DALLES","",519130,"Communications, Service Provider, and Hosting Service",,,,"148.81.111.x.x",80,1887,"PL","MAZOWIECKIE","WARSAW",,,,,"virut",,,,,
