Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

6481937ec937d.zip

ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 8, 2023, 5:54 p.m.	June 8, 2023, 5:56 p.m.

Size	2.2MB
Type	Zip archive data, at least v2.0 to extract
MD5	`9c423f84d55dc3ac786e3d47d0aa2da4`
SHA256	`e936ab7ae4b481775feaa81397205ee01967e66b6e703eab98ada1c94bfd6850`
CRC32	`565D9549`
ssdeep	`49152:1Q6J3WM202p5GutgAJuIxyxWCIZnS85PWZ5FvcBD:e89i7JDmWjzP+UD`
Yara	zip_file_format - ZIP file format

Name	Response	Post-Analysis Lookup
balibumba1.com	A 91.215.85.180	91.215.85.180
geo.netsupportsoftware.com	A 51.142.119.24 CNAME geography.netsupportsoftware.com A 62.172.138.67	62.172.138.67

IP Address	Status	Action
164.124.101.2	Active	Moloch
51.142.119.24	Active	Moloch
91.215.85.180	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49169 -> 51.142.119.24:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.102:49170 -> 91.215.85.180:5222	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 91.215.85.180:5222 -> 192.168.56.102:49170	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.102:49170 -> 91.215.85.180:5222	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 91.215.85.180:5222 -> 192.168.56.102:49170	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.102:49170 -> 91.215.85.180:5222	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 192.168.56.102:49170 -> 91.215.85.180:5222	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp