Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.16 09:11
Spotted at Supercon: G...
11.16 09:11
IT Sicherheitsnews tae...
11.16 09:11
Bitfinex Hacker Gets 5...
11.16 07:11
(g+) Datenschutz: Spor...
11.16 06:11
티오더, 메뉴 사진 무료 촬영 서비스 진행
11.16 06:11
WiFi Status Indicator ...
11.16 06:11
PAN-OS Firewall Vulner...
11.16 06:11
Dahua und Delo vereine...
11.16 05:11
NSO 그룹, 소송 중에도 ‘페가수스’로...
11.16 04:11
Warning: DEEPDATA Malw...

Summary | ZeroBOX

24_06.zip

ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 28, 2023, 9:21 a.m.	June 28, 2023, 9:24 a.m.

Size	2.1MB
Type	Zip archive data, at least v2.0 to extract
MD5	`ad691fbd485d94a8fae1a008b081ec80`
SHA256	`ed254a0123ff6810a50bb1e1dff3d60c42d3bc4c7b067073251291c3cb94e82d`
CRC32	`76A957BB`
ssdeep	`49152:plVe5PWZ5FvcB1ZjQXorDcQhg7dMnEBJCgkh3V/4msgca3DQDy:pbAP+U1qWg7OEB1kh3Vu6DUy`
Yara	zip_file_format - ZIP file format

Name	Response	Post-Analysis Lookup
geo.netsupportsoftware.com	A 62.172.138.8 CNAME geography.netsupportsoftware.com A 62.172.138.67	62.172.138.8
savastijir1.com	A 95.179.140.179	95.179.140.179

IP Address	Status	Action
164.124.101.2	Active	Moloch
62.172.138.8	Active	Moloch
95.179.140.179	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 62.172.138.8:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.102:49169 -> 62.172.138.8:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.102:49167 -> 95.179.140.179:1212	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 95.179.140.179:1212 -> 192.168.56.102:49167	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.102:49167 -> 95.179.140.179:1212	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 95.179.140.179:1212 -> 192.168.56.102:49167	2035895	ET INFO NetSupport Remote Admin Response	Misc activity
TCP 192.168.56.102:49167 -> 95.179.140.179:1212	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity
TCP 192.168.56.102:49170 -> 62.172.138.8:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation
TCP 192.168.56.102:49167 -> 95.179.140.179:1212	2035892	ET INFO NetSupport Remote Admin Checkin	Misc activity

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Lionic	Riskware.ZIP.NetSup.1!c
Alibaba	RiskWare:Win32/NetSup.792a120c
Cyren	W32/Tool.EQYN-2153
ESET-NOD32	Win32/NetSupportManager.AD
Kaspersky	not-a-virus:RemoteAdmin.Win32.NetSup.i
Rising	HackTool.NetSupport!1.E317 (CLASSIC)
DrWeb	Program.RemoteAdmin.837
Zillya	Trojan.GenCBL.Win32.9416
McAfee-GW-Edition	Artemis!Trojan
Jiangmin	RemoteAdmin.NetSup.h
ZoneAlarm	not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen
Google	Detected
Tencent	Win32.Trojan.Netsup.Ewnw
Yandex	Riskware.RemoteAdmin!myez5VmqQPE
MaxSecure	Trojan.Malware.73446946.susgen
Fortinet	Riskware/Application