Summary | ZeroBOX

__x64___setup___x32__.zip

ZIP Format
Category  FILE
Machine   s1_win7_x6402
Started   June 17, 2024, 1:40 p.m.
Completed June 17, 2024, 1:42 p.m.
Size 26.0MB
Type Zip archive data, at least v2.0 to extract
MD5 7e05adc41fe0d6484c3cc75893991a2f
SHA256 d8fd991cb180b77de552c9f5b7adbb5748f5d5eeda44cf59be010dbbea9849ed
CRC32 D88B0D03
ssdeep 393216:seo8E/4BL/07TM877zWIh9mfztg21vKZFf06OmC57MCoFy84CcVFonmkr:thIs87W29sztg2EtOmC57U884CQomK
Yara
  • zip_file_format - ZIP file format

IP Address Status Action
164.124.101.2 Active Moloch
172.67.154.227 Active Moloch
182.162.106.144 Active Moloch

Suricata Alerts

Flow      TCP 192.168.56.102:49170 -> 172.67.154.227:443
SID       906200054
Signature SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Suricata TLS

Flow        TLSv1 192.168.56.102:49170 -> 172.67.154.227:443
Issuer      C=US, O=Let's Encrypt, CN=E6
Subject     CN=gay-domain.com
Fingerprint 25:b3:bd:01:76:b5:3d:7a:e8:55:fd:61:e1:63:e4:30:5c:66:ec:c9

suspicious_features POST method with no referer header
suspicious_request POST https://gay-domain.com/licenseUser.php
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request POST https://gay-domain.com/licenseUser.php
request POST https://gay-domain.com/licenseUser.php