Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

2907.zip

ZIP Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 31, 2023, 5:08 p.m.	July 31, 2023, 5:11 p.m.

Size	2.2MB
Type	Zip archive data, at least v2.0 to extract
MD5	`d8491c2201483a1c75ff76fe08e17e2c`
SHA256	`8d8387b1a4374853020ad43af4ed738bfd6538738c448b7b4fbc61b61da79ba4`
CRC32	`5CCB514F`
ssdeep	`49152:slLUXP5qRroZT5YNdzlIbnNsOF1FLbCN8UlVe5PWZ5FvcBU:slLUf5qRroGKsOnFLC8UbAP+UU`
Yara	zip_file_format - ZIP file format

Name	Response	Post-Analysis Lookup
sambireact2.com
geo.netsupportsoftware.com	A 51.142.119.24 A 62.172.138.8 CNAME geography.netsupportsoftware.com A 62.172.138.67	62.172.138.67
sambireact1.com	A 95.179.150.54	95.179.150.54

IP Address	Status	Action
164.124.101.2	Active	Moloch
51.142.119.24	Active	Moloch
95.179.150.54	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 51.142.119.24:80	2034559	ET POLICY NetSupport GeoLocation Lookup Request	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geo.netsupportsoftware.com/location/loca.asp

Performs some HTTP requests (1 event)

request

GET http://geo.netsupportsoftware.com/location/loca.asp

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

DrWeb	Program.RemoteAdmin.837
McAfee	Artemis!EAB603D12705
Cyren	W32/Tool.EQYN-2153
Kaspersky	not-a-virus:RemoteAdmin.Win32.NetSup.i
Zillya	Trojan.GenCBL.Win32.9416
Jiangmin	RemoteAdmin.NetSup.h
Antiy-AVL	RiskWare[RemoteAdmin]/Win32.NetSup
ZoneAlarm	not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen
Google	Detected
VBA32	Trojan.Tiggre
Rising	HackTool.NetSupport!1.E317 (CLASSIC)
MaxSecure	Trojan.Malware.73446946.susgen
Fortinet	Riskware/Application

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

95.179.150.54:1414