Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.21 02:09
l6E.exe
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...

Latest News
09.21 06:09
Shroombots, pagers, To...
09.21 06:09
AI, loss of borders do...
09.21 05:09
Qualcomm Approached In...
09.21 05:09
Zoom to Cut Back on St...
09.21 05:09
Raspberry Pi RP2350-E9...
09.21 05:09
Apple's iPhone Hits St...
09.21 05:09
Intel Gains on Report ...
09.21 05:09
ION Reprices Leveraged...
09.21 05:09
Microsoft bringt Windo...
09.21 05:09
Falsche Buchungen in M...

Summary | ZeroBOX

ee.txt

NPKI Antivirus

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 25, 2021, 3:23 p.m.	May 25, 2021, 3:26 p.m.

Size	4.7KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`4124e889a26b37658b95119b69bb8c39`
SHA256	`62903fb8f176f352a3171fc845306f7a9a591a8096090a2fb66064840b8414ee`
CRC32	`F44C5209`
ssdeep	`96:85oskvmU+u1ViXyzQX1f0gUe3X87J3aLQ4UtX4QLoBf/ETQjOfjjepUc/:Mosmmxuj0yzCWIn8oZUx7DMAjCpUc/`
Yara	Antivirus - Contains references to security software

Name	Response	Post-Analysis Lookup
warms.atwebpages.com	A 185.176.43.98	185.176.43.98

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
185.176.43.98	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49814 -> 185.176.43.98:80	2030890	ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages	Misc activity
TCP 192.168.56.102:49815 -> 185.176.43.98:80	2030890	ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages	Misc activity

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://warms.atwebpages.com/rh/post.php
suspicious_features	GET method with no useragent header				suspicious_request	GET http://warms.atwebpages.com/rh/ee.down
suspicious_features	GET method with no useragent header				suspicious_request	GET http://warms.atwebpages.com/rh/del.php?filename=ee

Performs some HTTP requests (3 events)

request	POST http://warms.atwebpages.com/rh/post.php
request	GET http://warms.atwebpages.com/rh/ee.down
request	GET http://warms.atwebpages.com/rh/del.php?filename=ee

Sends data using the HTTP POST Method (1 event)

request

POST http://warms.atwebpages.com/rh/post.php

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14