Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.19 07:11
4f3200e5324a333579e06e...
11.19 07:11
6e1ed6447607ab4c30b3f3...
11.19 07:11
6e1ed6447607ab4c30b3f3...
11.19 02:11
Potwierdzenie.exe
11.19 02:11
cheet.exe
11.19 02:11
chelentano.exe
11.19 02:11
12.exe
11.19 02:11
caspol.exe
11.19 02:11
gambinho.exe
11.19 02:11
Getdp.exe

Latest News
11.20 07:11
T-Mobile Caught Hacker...
11.20 07:11
Securing the RAG inges...
11.20 07:11
Atlassian security adv...
11.20 07:11
Westpac NZ CEO Urges F...
11.20 07:11
Nach Cyberattacke: Süd...
11.20 07:11
Nach Cyberattacke: Neu...
11.20 06:11
Apple security advisor...
11.20 06:11
The DOJ Goes After Goo...
11.20 06:11
Qualcomm Expects to Ma...
11.20 06:11
Raspberry Pi Compute M...

Summary | ZeroBOX

i3YFqH6uMO3o8pg2Cbx.zip

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 9, 2023, 5:07 p.m.	March 9, 2023, 5:10 p.m.

Size	867.1KB
Type	Zip archive data, at least v2.0 to extract
MD5	`5a72267343811d8fe7d72c1f96bac927`
SHA256	`17a85317e36cca87611e4e956679cfcfc4777735bc9f23652a5c14582bfd5968`
CRC32	`2E7A4BF5`
ssdeep	`12288:k4DKwKHCjAbD7j9kd1j89Gpm19Fkf7/sw:zevtlkdJe4m19FgD`
Yara	None matched

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.132.242.26	Active	Moloch
104.168.155.143	Active	Moloch
164.124.101.2	Active	Moloch
164.90.222.65	Active	Moloch
167.172.199.165	Active	Moloch
182.162.143.56	Active	Moloch
183.111.227.137	Active	Moloch
187.63.160.88	Active	Moloch
66.228.32.31	Active	Moloch
72.15.201.15	Active	Moloch
91.121.146.47	Active	Moloch
91.207.28.33	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49209 -> 182.162.143.56:443	2404306	ET CNC Feodo Tracker Reported CnC Server group 7	A Network Trojan was detected
TCP 66.228.32.31:7080 -> 192.168.56.102:49208	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49213 -> 167.172.199.165:8080	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 91.121.146.47:8080 -> 192.168.56.102:49206	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49216 -> 104.168.155.143:8080	2404300	ET CNC Feodo Tracker Reported CnC Server group 1	A Network Trojan was detected
TCP 192.168.56.102:49212 -> 187.63.160.88:80	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 182.162.143.56:443 -> 192.168.56.102:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 187.63.160.88:80 -> 192.168.56.102:49212	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 167.172.199.165:8080 -> 192.168.56.102:49214	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Baidu	Archive.Bomb
Kaspersky	HEUR:Trojan.Win32.Heavy.gen
McAfee-GW-Edition	Artemis!Trojan
MAX	malware (ai score=83)
VBA32	suspected of Archive.MailBomb
Rising	Malware.SwollenFile!1.DDB4 (CLASSIC)

Communicates with host for which no DNS query was performed (11 events)

host	103.132.242.26
host	104.168.155.143
host	164.90.222.65
host	167.172.199.165
host	182.162.143.56
host	183.111.227.137
host	187.63.160.88
host	66.228.32.31
host	72.15.201.15
host	91.121.146.47
host	91.207.28.33

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	192.168.56.102:49219
dead_host	72.15.201.15:8080
dead_host	91.207.28.33:8080
dead_host	164.90.222.65:443
dead_host	192.168.56.102:49217
dead_host	103.132.242.26:8080
dead_host	104.168.155.143:8080
dead_host	183.111.227.137:8080