Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.19 07:11
4f3200e5324a333579e06e...
11.19 07:11
6e1ed6447607ab4c30b3f3...
11.19 07:11
6e1ed6447607ab4c30b3f3...
11.19 02:11
Potwierdzenie.exe
11.19 02:11
cheet.exe
11.19 02:11
chelentano.exe
11.19 02:11
12.exe
11.19 02:11
caspol.exe
11.19 02:11
gambinho.exe
11.19 02:11
Getdp.exe

Latest News
11.20 07:11
T-Mobile Caught Hacker...
11.20 07:11
Securing the RAG inges...
11.20 07:11
Atlassian security adv...
11.20 07:11
Westpac NZ CEO Urges F...
11.20 07:11
Nach Cyberattacke: Süd...
11.20 07:11
Nach Cyberattacke: Neu...
11.20 06:11
Apple security advisor...
11.20 06:11
The DOJ Goes After Goo...
11.20 06:11
Qualcomm Expects to Ma...
11.20 06:11
Raspberry Pi Compute M...

Summary | ZeroBOX

Ndi8RJtM5xSosyq.zip

ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 10, 2023, 11:35 a.m.	March 10, 2023, 11:39 a.m.

Size	817.3KB
Type	Zip archive data, at least v2.0 to extract
MD5	`542f53c1fd9de5d3423b7a8a22f6d9bf`
SHA256	`44c7289a2719901900af988f7cb44562cfa62da377723831a47a92c1fda68c19`
CRC32	`C2F5EE83`
ssdeep	`6144:Jk1WVsDd6uJEO6MwHp61v06+RdQ3hU9lX5JN+Y7Q5axi:Jk1csDd6eEO6nHUssQX5CwQ5ag`
Yara	zip_file_format - ZIP file format

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.132.242.26	Active	Moloch
104.168.155.143	Active	Moloch
159.65.88.10	Active	Moloch
164.124.101.2	Active	Moloch
164.90.222.65	Active	Moloch
167.172.199.165	Active	Moloch
182.162.143.56	Active	Moloch
183.111.227.137	Active	Moloch
187.63.160.88	Active	Moloch
66.228.32.31	Active	Moloch
72.15.201.15	Active	Moloch
91.121.146.47	Active	Moloch
91.207.28.33	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 66.228.32.31:7080 -> 192.168.56.102:49181	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 182.162.143.56:443	2404306	ET CNC Feodo Tracker Reported CnC Server group 7	A Network Trojan was detected
TCP 192.168.56.102:49185 -> 187.63.160.88:80	2404307	ET CNC Feodo Tracker Reported CnC Server group 8	A Network Trojan was detected
TCP 187.63.160.88:80 -> 192.168.56.102:49185	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49187 -> 167.172.199.165:8080	2404304	ET CNC Feodo Tracker Reported CnC Server group 5	A Network Trojan was detected
TCP 91.121.146.47:8080 -> 192.168.56.102:49179	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 167.172.199.165:8080 -> 192.168.56.102:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 182.162.143.56:443 -> 192.168.56.102:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49189 -> 104.168.155.143:8080	2404300	ET CNC Feodo Tracker Reported CnC Server group 1	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Communicates with host for which no DNS query was performed (12 events)

host	103.132.242.26
host	104.168.155.143
host	159.65.88.10
host	164.90.222.65
host	167.172.199.165
host	182.162.143.56
host	183.111.227.137
host	187.63.160.88
host	66.228.32.31
host	72.15.201.15
host	91.121.146.47
host	91.207.28.33

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	72.15.201.15:8080
dead_host	91.207.28.33:8080
dead_host	164.90.222.65:443
dead_host	192.168.56.102:49190
dead_host	103.132.242.26:8080
dead_host	192.168.56.102:49192
dead_host	104.168.155.143:8080
dead_host	183.111.227.137:8080