Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12
10.05 09:10
segura.vbs

Latest News
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...
10.05 09:10
타이거다즐러, 올리브영 온라인몰 입점… ...
10.05 09:10
Ben Horowitz Will Dona...
10.05 09:10
5G-Ausbau: Zwei Bundes...

Summary | ZeroBOX

MUFG_JOB_DESCRIPTION.docx

Word 2007 file format(docx)

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 16, 2022, 10:27 a.m.	Sept. 16, 2022, 10:29 a.m.

Size	2.6MB
Type	Microsoft OOXML
MD5	`0a8a4e2d462fb4b56ea98b25d5b1bdb3`
SHA256	`5816eb32cbaadfc3477c823293a8c49cdf690b443c8fa3c19f98399c143df2b3`
CRC32	`80460438`
ssdeep	`49152:yKyWrBcD/KESkcCFcsGPthcmy2i7f8I/iUsBaDaMgIGqyzUvWU9G3eqiR+Rt/Dqn:ZcjSSFcsWcm3fXlmKEL9KxjbDZFu`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\MUFG_JOB_DESCRIPTION.docx
2128

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.43.165.105
verify.azure-protect.online	A 152.89.247.87	152.89.247.87

IP Address	Status	Action
121.254.136.57	Active	Moloch
152.89.247.87	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 152.89.247.87:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49162 -> 152.89.247.87:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 152.89.247.87:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 152.89.247.87:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49170 152.89.247.87:443	None	None	None
TLSv1 192.168.56.102:49167 152.89.247.87:443	None	None	None
TLSv1 192.168.56.102:49162 152.89.247.87:443	C=US, O=Let's Encrypt, CN=R3	CN=verify.azure-protect.online	05:f0:61:22:2c:09:b8:63:2f:b8:30:fd:ab:d9:06:35:82:f3:e3:e6
TLSv1 192.168.56.102:49169 152.89.247.87:443	C=US, O=Let's Encrypt, CN=R3	CN=verify.azure-protect.online	05:f0:61:22:2c:09:b8:63:2f:b8:30:fd:ab:d9:06:35:82:f3:e3:e6

Performs some HTTP requests (2 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	OPTIONS https://verify.azure-protect.online/EcCm9WiaysW/D%2BsYq1Io/yVMuSbkgQZ/Vp6bzP5LXe/Ec08P4lt6g/

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 16, 2022, 10:27 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a52a000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$FG_JOB_DESCRIPTION.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 16, 2022, 10:27 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000454 filepath: C:\Users\test22\AppData\Local\Temp\~$FG_JOB_DESCRIPTION.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$FG_JOB_DESCRIPTION.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

MicroWorld-eScan	Trojan.Groooboor.Gen.33
FireEye	Trojan.Groooboor.Gen.33
Arcabit	Trojan.Groooboor.Gen.33
BitDefender	Trojan.Groooboor.Gen.33
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
Emsisoft	Trojan.Groooboor.Gen.33 (B)
VIPRE	Trojan.Groooboor.Gen.33
McAfee-GW-Edition	Artemis
MAX	malware (ai score=89)
GData	Trojan.Groooboor.Gen.33