Summary | ZeroBOX

File_pass1234.zip

ZIP Format
Category FILE
Machine s1_win7_x6402
Started March 16, 2023, 1:16 p.m.
Completed March 16, 2023, 1:19 p.m.
Size 6.3MB
Type Zip archive data, at least v2.0 to extract
MD5 4db4161883df15ab90bd7ffba1df4910
SHA256 dea0765804b2eb89908831ea3bcf39de1324a9d9f6851a92d4a71db09a5a492d
CRC32 7739EEC6
ssdeep 196608:FXlqwgbb9AEtLlUFORS/ht3PBk7P6leHFNHua:Nly/VtZUFQs3PD0NOa
Yara
  • zip_file_format - ZIP file format
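The Type row above ("at least v2.0 to extract") is what file(1) derives from the "version needed to extract" field of the first local file header, and the zip_file_format Yara hit is the same PK\x03\x04 signature. The following is an added example, not code from the ZeroBOX report or the sandbox itself: it walks the local file headers of an archive, reproduces that type string, and additionally reports whether any entry has the encryption flag set, which is the check to run first on an archive with a password in its name. The real sample is not reproduced here; build_sample_zip() constructs a stand-in archive in memory, and mark_encrypted() flips the flag bit on it to show the encrypted case.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30           # fixed part of the local file header
FLAG_ENCRYPTED = 0x0001         # general-purpose bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008   # bit 3: sizes/CRC follow the data, header fields are zero


def build_sample_zip():
    """Constructed stand-in for the archive on the page (the real sample is not reproduced)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("File.exe", b"MZ" + b"\x00" * 64)   # dummy payload, not the real content
    return buf.getvalue()


def mark_encrypted(data):
    """Set the encryption flag on the first local header (simulates a password-protected entry)."""
    patched = bytearray(data)
    if patched[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    patched[6] |= FLAG_ENCRYPTED  # flags are little-endian at offset 6; low byte holds bit 0
    return bytes(patched)


def version_string(version_needed):
    """Render 'version needed to extract' the way file(1) prints it, e.g. 20 -> 'v2.0'."""
    return "v%d.%d" % (version_needed // 10, version_needed % 10)


def parse_local_headers(data):
    """Walk every local file header and return its security-relevant fields."""
    entries = []
    off = 0
    while True:
        off = data.find(LOCAL_HEADER_SIG, off)
        if off < 0:
            break
        (ver_needed, flags, method, _mtime, _mdate, crc32, csize, usize,
         name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        name_start = off + LOCAL_HEADER_LEN
        name = data[name_start:name_start + name_len].decode("cp437", "replace")
        entries.append({
            "name": name,
            "version_needed": ver_needed,
            "version_string": version_string(ver_needed),
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": method,           # 0 = stored, 8 = deflate
            "crc32": "%08X" % crc32,
            "compressed_size": csize,
            "uncompressed_size": usize,
        })
        off = name_start + name_len + extra_len
        if not flags & FLAG_DATA_DESCRIPTOR:
            off += csize   # skip the payload so a PK\x03\x04 inside it is not taken as a header
    return entries


def summarize(data):
    """Type string as file(1) reports it (first header), plus an encryption check over all entries."""
    entries = parse_local_headers(data)
    if not entries:
        raise ValueError("no local file headers found")
    return {
        "type": "Zip archive data, at least %s to extract" % entries[0]["version_string"],
        "entries": len(entries),
        "any_encrypted": any(e["encrypted"] for e in entries),
    }


if __name__ == "__main__":
    sample = build_sample_zip()
    print(summarize(sample))
    print(summarize(mark_encrypted(sample)))
```

Python's zipfile cannot write encrypted archives, so the encrypted case is produced by patching the flag byte; on a real sample the same parser reads the flag as written by whatever tool produced it. An encrypted entry means the sandbox cannot inspect the payload without the password, so the behaviour sections below only reflect what the analysis machine managed to execute.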

IP Address Status
104.17.215.67 Active
104.26.5.15 Active
149.154.158.34 Active
164.124.101.2 Active
172.67.75.166 Active
34.117.59.81 Active

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49180 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.102:49182 -> 172.67.75.166:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 104.26.5.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49185 -> 104.17.215.67:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49180 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow 192.168.56.102:49182 -> 172.67.75.166:443
  Version TLSv1
  Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
  Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc

Flow 192.168.56.102:49183 -> 104.26.5.15:443
  Version TLSv1
  Issuer C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
  Subject C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint 8d:c8:6e:29:ea:e9:15:f8:85:80:ae:fd:51:f0:44:ca:8c:7d:0c:dc

suspicious_features Connection to IP address
suspicious_request GET http://149.154.158.34/api/tracemap.php
request GET http://149.154.158.34/api/tracemap.php
request GET http://www.maxmind.com/geoip/v2.1/city/me
request GET https://db-ip.com/
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
request POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self
domain ipinfo.io
host 149.154.158.34
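Two of the report's verdicts come from plain host matching: the sandbox's "Connection to IP address" feature fires because the tracemap.php request goes to a literal IP rather than a hostname, and the ET POLICY alerts fire because ipinfo.io appeared in TLS SNI. The following is an added example, not code from ZeroBOX, Cuckoo or the Emerging Threats ruleset: it re-derives both findings from the request and domain rows above. The input lists are copied from this report; EXTERNAL_IP_LOOKUP_DOMAINS is an assumed short list of "what is my IP / geolocate me" services, and base_domain() is a deliberately crude last-two-labels guess (no public-suffix list), both to be replaced in real use.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed list of services that return the caller's public IP or location;
# the ET POLICY "External IP Lookup" signatures key on such domains in SNI.
EXTERNAL_IP_LOOKUP_DOMAINS = frozenset({"ipinfo.io", "db-ip.com", "maxmind.com"})

# Constructed input: the request and domain rows of this report, copied verbatim.
REPORT_REQUESTS = [
    "GET http://149.154.158.34/api/tracemap.php",
    "GET http://www.maxmind.com/geoip/v2.1/city/me",
    "GET https://db-ip.com/",
    "POST https://api.db-ip.com/v2/p31e4d59ee6ad1a0b5cc80695a873e43a8fbca06/self",
]
REPORT_SNI = ["ipinfo.io"]


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def base_domain(host):
    """Crude registrable-domain guess: last two labels. Assumption; use a PSL in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host):
    """Return the reasons a host is flagged, mirroring the report's two verdicts."""
    findings = []
    if is_ip_literal(host):
        findings.append("connection to IP address")
    elif base_domain(host) in EXTERNAL_IP_LOOKUP_DOMAINS:
        findings.append("external IP / geolocation lookup")
    return findings


def classify_request(line):
    """Parse one 'METHOD URL' row and classify its host."""
    method, _, url = line.partition(" ")
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {"method": method, "host": host, "path": parts.path, "findings": classify_host(host)}


def triage(requests, sni_names):
    """Group flagged hosts by reason, the way the report groups suspicious_features."""
    hits = {}
    for line in requests:
        req = classify_request(line)
        for reason in req["findings"]:
            hits.setdefault(reason, set()).add(req["host"])
    for name in sni_names:              # TLS flows only expose the SNI, not a URL
        for reason in classify_host(name):
            hits.setdefault(reason, set()).add(name)
    return {reason: sorted(hosts) for reason, hosts in hits.items()}


if __name__ == "__main__":
    for reason, hosts in triage(REPORT_REQUESTS, REPORT_SNI).items():
        print("%s: %s" % (reason, ", ".join(hosts)))
```

Run against the rows above this yields one direct-to-IP host (149.154.158.34) and four lookup hosts (api.db-ip.com, db-ip.com, ipinfo.io, www.maxmind.com). Hitting several independent geolocation services in a row is the pattern worth keying on; a single ipinfo.io request is common in legitimate software.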