Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.19 07:11
4f3200e5324a333579e06e...
11.19 07:11
6e1ed6447607ab4c30b3f3...
11.19 07:11
6e1ed6447607ab4c30b3f3...
11.19 02:11
Potwierdzenie.exe
11.19 02:11
cheet.exe
11.19 02:11
chelentano.exe
11.19 02:11
12.exe
11.19 02:11
caspol.exe
11.19 02:11
gambinho.exe
11.19 02:11
Getdp.exe

Latest News
11.20 07:11
T-Mobile Caught Hacker...
11.20 07:11
Securing the RAG inges...
11.20 07:11
Atlassian security adv...
11.20 07:11
Westpac NZ CEO Urges F...
11.20 07:11
Nach Cyberattacke: Süd...
11.20 07:11
Nach Cyberattacke: Neu...
11.20 06:11
Apple security advisor...
11.20 06:11
The DOJ Goes After Goo...
11.20 06:11
Qualcomm Expects to Ma...
11.20 06:11
Raspberry Pi Compute M...

Summary | ZeroBOX

P49A1RKQbr6n5L2G.zip

ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 9, 2023, 6:10 p.m.	March 9, 2023, 6:14 p.m.

Size	864.5KB
Type	Zip archive data, at least v2.0 to extract
MD5	`5ed137665b139baccce1abee74282b81`
SHA256	`45efd63ea476b6cb9c7fa9a8f1428475f4dfb5516b77dc4f8d1d6a4af70af553`
CRC32	`95116FCE`
ssdeep	`6144:n0ODy+y5fPfnMe6OKYn02Fyrkw6ppGN8OoZf0cK2/KEPi9WR:nE+y5UeQ6okw6WN8OoOcv/KEPn`
Yara	zip_file_format - ZIP file format

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.132.242.26	Active	Moloch
104.168.155.143	Active	Moloch
164.124.101.2	Active	Moloch
164.90.222.65	Active	Moloch
167.172.199.165	Active	Moloch
182.162.143.56	Active	Moloch
183.111.227.137	Active	Moloch
187.63.160.88	Active	Moloch
66.228.32.31	Active	Moloch
72.15.201.15	Active	Moloch
91.121.146.47	Active	Moloch
91.207.28.33	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49187 -> 187.63.160.88:80	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 66.228.32.31:7080 -> 192.168.56.102:49184	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 187.63.160.88:80 -> 192.168.56.102:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 167.172.199.165:8080	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 192.168.56.102:49185 -> 182.162.143.56:443	2404306	ET CNC Feodo Tracker Reported CnC Server group 7	A Network Trojan was detected
TCP 167.172.199.165:8080 -> 192.168.56.102:49190	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 182.162.143.56:443 -> 192.168.56.102:49186	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49192 -> 104.168.155.143:8080	2404300	ET CNC Feodo Tracker Reported CnC Server group 1	A Network Trojan was detected
TCP 91.121.146.47:8080 -> 192.168.56.102:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

ESET-NOD32	a variant of Win64/GenKryptik.GHDZ
Kaspersky	UDS:Trojan-Banker.Win64.Emotet.cmtd
Baidu	Archive.Bomb
TrendMicro	TrojanSpy.Win64.EMOTET.SMA
MAX	malware (ai score=82)
VBA32	suspected of Archive.MailBomb
Rising	Malware.SwollenFile!1.DDB4 (CLASSIC)

Communicates with host for which no DNS query was performed (11 events)

host	103.132.242.26
host	104.168.155.143
host	164.90.222.65
host	167.172.199.165
host	182.162.143.56
host	183.111.227.137
host	187.63.160.88
host	66.228.32.31
host	72.15.201.15
host	91.121.146.47
host	91.207.28.33

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 events)

dead_host	72.15.201.15:8080
dead_host	91.207.28.33:8080
dead_host	164.90.222.65:443
dead_host	192.168.56.102:49195
dead_host	192.168.56.102:49193
dead_host	104.168.155.143:8080
dead_host	183.111.227.137:8080