Summary | ZeroBOX

file.rtf

Category: FILE
Machine: s1_win7_x6401
Started: April 22, 2021, 7:25 a.m.
Completed: April 22, 2021, 7:28 a.m.

Size: 36.2KB
Type: Rich Text Format data, version 1, unknown character set
MD5: 9ca89139d0918e5078122113fc883a7e
SHA256: 964158c6194c749d2cfc79d3e40ce26c4a3827566b59590c3b25ef14c82e449f
CRC32: 464F6E65
ssdeep: 768:5C3VZ/vmwTde7KZciHYOX7tKim4iB11tRClT:5C3VZ/vmwTde7KZciHYOX7tKim4iBkT
Yara:
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero

IP Address Status Action
164.124.101.2 Active Moloch
185.163.45.56 Active Moloch
203.55.176.12 Active Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49201 -> 185.163.45.56:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49207 -> 203.55.176.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)
TCP 192.168.56.101:49206 -> 203.55.176.12:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | (not set)

Suricata TLS

Flow: TLSv1 192.168.56.101:49201 -> 185.163.45.56:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=*.iugur.live
Fingerprint: e3:d0:2e:6f:dd:cc:f9:aa:87:9f:48:cc:c6:70:fc:71:9b:74:f8:ec

Flow: TLSv1 192.168.56.101:49207 -> 203.55.176.12:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=asw-sns.link
Fingerprint: ce:10:29:73:2b:ca:8e:65:59:93:ea:2f:41:2d:91:23:4f:a2:b5:61

Flow: TLSv1 192.168.56.101:49206 -> 203.55.176.12:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=asw-sns.link
Fingerprint: ce:10:29:73:2b:ca:8e:65:59:93:ea:2f:41:2d:91:23:4f:a2:b5:61

Suspicious Requests

Features | Request
GET method with no useragent header | GET https://mofa.iugur.live/2623/1/45326/3/3/0/1840589382/files-72843a7a/0/data?d=
GET method with no useragent header | GET https://mofa.iugur.live/2623/1/45326/3/1/1/1840589382/files-52f76d0b/0/
GET method with no useragent header | GET https://mofa.iugur.live/2623/1/45326/3/3/1/1840589560/files-16aef47a/1/cuui?data=AQZ0ZXN0MjInSW50ZWwoUikgQ29yZShUTSkgaTUtODQwMCBDUFUgQCAyLjgwR0h6ATISXFwuXFBIWVNJQ0FMRFJJVkUwCzM0MzU2OTk0NTYwBzUyNDI0MjQIMTA0ODMwMDQJVEVTVDIyLVBDDDk0REUyNzhDMzI3NA==
GET method with no useragent header | GET https://mofa.iugur.live/2623/1/45326/3/1/1/1840589558/files-910af97c/1/plaoi
GET method with no useragent header | GET https://mofa.iugur.live/2623/1/45326/3/1/1/1840589558/files-4057b130/1/lkjhg
GET method with no useragent header | GET https://mofa.iugur.live/2623/1/45326/3/3/1/1840589560/files-a2da9285/1/lapd?data=1
GET method with no useragent header | GET https://mofa.iugur.live/2623/1/45326/3/3/1/1840589560/files-a2da9285/1/lapd?data=2
POST method with no referer header, POST method with no useragent header | POST https://asw-sns.link/202/0BDXUKUO8U8p243usxNT46Yj5zTXyrUwpuXOqx92/45326/2623/14188cd3
GET method with no useragent header | GET https://asw-sns.link/202/0BDXUKUO8U8p243usxNT46Yj5zTXyrUwpuXOqx92/45326/2623/14188cd3
API: NtProtectVirtualMemory
Arguments:
  process_identifier: 1016
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x6ca01000
  process_handle: 0xffffffff
Status: 1  Return: 0  Repeated: 0

API: NtCreateFile
Arguments:
  create_disposition: 5 (FILE_OVERWRITE_IF)
  file_handle: 0x000003ec
  filepath: C:\Users\test22\AppData\Local\Temp\~$file.rtf
  desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
  file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
  filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$file.rtf
  create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
  status_info: 2 (FILE_CREATED)
  share_access: 0 ()
Status: 1  Return: 0  Repeated: 0

filetype_details: Rich Text Format data, version 1, unknown character set
filename: file.rtf