Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

646ff88cd208a.zip

ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 26, 2023, 5:41 p.m.	May 26, 2023, 5:43 p.m.

Size	2.2MB
Type	Zip archive data, at least v2.0 to extract
MD5	`9aecd71a5365d68f8b4956239956a45b`
SHA256	`3f7f569a845361ccafe9118054951df745662a323db2b39eac0a71ac5f49cd6d`
CRC32	`2B64D74B`
ssdeep	`49152:6Q6J3WM202p5GutgAJuIxyxWCIZsS85PWZ5FvcBC:p89i7JDmWgzP+UC`
Yara	zip_file_format - ZIP file format

Name	Response	Post-Analysis Lookup
geo.netsupportsoftware.com	A 51.142.119.24 CNAME geography.netsupportsoftware.com A 62.172.138.67	51.142.119.24
blahadfurtik.com	A 91.215.85.180	91.215.85.180

IP Address	Status	Action
164.124.101.2	Active	Moloch
62.172.138.67	Active	Moloch
91.215.85.180	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 62.172.138.67:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.102:49165 -> 91.215.85.180:5222	2035892	ET INFO NetSupport Remote Admin Checkin	A Network Trojan was detected
TCP 192.168.56.102:49165 -> 91.215.85.180:5222	2035892	ET INFO NetSupport Remote Admin Checkin	A Network Trojan was detected
TCP 192.168.56.102:49165 -> 91.215.85.180:5222	2035894	ET MALWARE NetSupport RAT with System Information	A Network Trojan was detected
TCP 192.168.56.102:49165 -> 91.215.85.180:5222	2035892	ET INFO NetSupport Remote Admin Checkin	A Network Trojan was detected

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp