Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...
09.20 10:09
Inquiry-Dubai.js
09.20 10:09
66ebf725efe38_lyla.exe

Latest News
09.20 12:09
[PASCON 2024-영상] 펜타린크 ...
09.20 11:09
ISC Stormcast For Frid...
09.20 11:09
2024-09-18 SAMBASPY Ja...
09.20 11:09
구립신내노인종합복지관, 지역사회와 함께 ...
09.20 11:09
자동차 부품 제조업체 쉽딱, '트리플X2...
09.20 11:09
[PASCON 2024-영상] 라온시큐어...
09.20 11:09
2024 SAO Contest: The ...
09.20 11:09
Building new hospitals...
09.20 11:09
D-Link Product Securit...
09.20 10:09
2024-09-18 Earth Baxia...

Summary | ZeroBOX

eh.txt

NPKI Antivirus

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 3, 2021, 9:10 a.m.	July 3, 2021, 9:13 a.m.

Size	4.7KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`8bc1da669ee262bf1e25dee032525abd`
SHA256	`4ae2f55348b9e7935c0296ce0ec7d96ebc23c70a9bac334362cc724d571b14c6`
CRC32	`0BBF98DC`
ssdeep	`96:8OJoskmMmU+u1ViXyzQX1f0gUe3X87J3aLQ4UtX4QLoBf/ETQjOfjjepUc/:/Jos3Mmxuj0yzCWIn8oZUx7DMAjCpUc/`
Yara	Antivirus - Contains references to security software

Name	Response	Post-Analysis Lookup
d2js2viceajwla.cloudfront.net	AAAA 2600:9000:2139:d200:11:6feb:6f80:93a1 AAAA 2600:9000:2139:3200:11:6feb:6f80:93a1 AAAA 2600:9000:2139:5e00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:be00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:2200:11:6feb:6f80:93a1 AAAA 2600:9000:2139:ea00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:4e00:11:6feb:6f80:93a1 AAAA 2600:9000:2139:6600:11:6feb:6f80:93a1	99.86.202.125
aus5.mozilla.org	A 35.244.181.201 CNAME balrog-aus5.r53-2.services.mozilla.com CNAME prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201
ripzi.getenjoyment.net	A 185.176.43.98	185.176.43.98
prod.balrog.prod.cloudops.mozgcp.net	A 35.244.181.201	35.244.181.201
d2js2viceajwla.cloudfront.net	A 99.86.202.67 A 99.86.202.125 A 99.86.202.23 A 99.86.202.75	99.86.202.125
aus.thunderbird.net	A 99.86.202.67 A 99.86.202.75 A 99.86.202.125 A 99.86.202.23 CNAME d2js2viceajwla.cloudfront.net	99.86.202.75
prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.176.43.98	Active	Moloch
35.244.181.201	Active	Moloch
99.86.144.100	Active	Moloch
99.86.144.46	Active	Moloch
99.86.144.61	Active	Moloch
99.86.144.82	Active	Moloch
99.86.202.23	Active	Moloch
99.86.202.125	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49332 35.244.181.201:443	C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA	C=US, ST=California, L=Mountain View, O=Mozilla Corporation, CN=aus5.mozilla.org	37:1a:8a:6e:ae:e7:b7:ae:1f:a9:c0:87:53:e5:a0:94:ef:0b:de:0c
TLS 1.2 192.168.56.102:49331 99.86.202.23:443	C=US, O=Let's Encrypt, CN=R3	CN=thunderbird.net	dd:92:a0:f3:c5:f2:3a:c7:42:66:30:75:8a:b3:b3:03:6b:8c:df:9d

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header, POST method with no useragent header				suspicious_request	POST http://ripzi.getenjoyment.net/le/post.php
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ripzi.getenjoyment.net/le/eh.down
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ripzi.getenjoyment.net/le/del.php?filename=eh

Performs some HTTP requests (3 events)

request	POST http://ripzi.getenjoyment.net/le/post.php
request	GET http://ripzi.getenjoyment.net/le/eh.down
request	GET http://ripzi.getenjoyment.net/le/del.php?filename=eh

Sends data using the HTTP POST Method (1 event)

request

POST http://ripzi.getenjoyment.net/le/post.php

Communicates with host for which no DNS query was performed (4 events)

host	99.86.144.100
host	99.86.144.46
host	99.86.144.61
host	99.86.144.82

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

99.86.202.125:443