Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.22 06:09
audiodg.exe
09.22 06:09
psfod.exe
09.22 06:09
73EtsZxIoDetWTu.exe
09.22 06:09
otqp9.exe
09.22 06:09
xx.exe
09.22 06:09
fck.exe
09.22 06:09
LummaC222222.exe
09.22 06:09
seethebestwayforunders...
09.22 06:09
Name.exe
09.22 06:09
needmoney.exe

Latest News
09.23 05:09
Hackaday Links: Septem...
09.23 05:09
Fed’s Rate Cut Comes W...
09.23 05:09
Schluss mit Bildmanipu...
09.23 05:09
KI-Hardware: Jony Ive ...
09.23 05:09
KI-Experte Neil Lawren...
09.23 04:09
퓨쳐시스템, 국가형 암호장비 시장 다지고...
09.23 03:09
TSMC, Samsung Weigh Ma...
09.23 03:09
펜타린크, AI 기술 접목한 시스템 접근...
09.23 02:09
파수, 데이터 보호 넘어 AI 활용한 인...
09.23 02:09
Brass Propeller Gets I...

Summary | ZeroBOX

last.sct

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 2, 2021, 10:34 a.m.	April 2, 2021, 10:50 a.m.

Size	298.5KB
Type	XML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`a1269f636a62fc84b85d508244db0db5`
SHA256	`5f882673acf6904107474737500719231506c8b36ed70090011cb89aeb386de0`
CRC32	`E7BF0F0B`
ssdeep	`6144:L/ZFcC7dZtk5QEYLI0qtpvv0pasJcxsxA5FXbPu7XI0iJr:bZFcCh9xRqXHsssxA5FLv0i1`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "DmyyiNE" C:\Users\test22\AppData\Local\Temp\last.sct
3804
- notepad.exe "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\test22\AppData\Local\Temp\last.sct"
  3872

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 2, 2021, 10:34 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 2, 2021, 10:34 a.m.	process_identifier: 3872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (12 events)

description	Take screenshot				rule	screenshot
description	Affect system registries				rule	win_registry
description	Affect system token				rule	win_token
description	Affect private profile				rule	win_files_operation
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

DrWeb	Trojan.MulDrop16.37703
ESET-NOD32	JS/TrojanDropper.Agent.OFU
ClamAV	Xml.Malware.Squiblydoo-6728833-0
Kaspersky	HEUR:Trojan.Script.Generic
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
F-Secure	Malware.HTML/Crypted.Gen
Baidu	VBS.Trojan-Dropper.Agent.ap
McAfee-GW-Edition	BehavesLike.HTML.Dropper.dr
Avira	HTML/Crypted.Gen
Microsoft	Exploit:Win32/ShellCode!ml
ZoneAlarm	HEUR:Trojan.Script.Generic
Cynet	Malicious (score: 85)
Rising	Dropper.Agent/JS!1.D49D (CLASSIC)

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3804 resumed a thread in remote process 3872
NtResumeThread April 2, 2021, 10:34 a.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 3872	1	0	0