Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.21 02:09
l6E.exe
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...

Latest News
09.21 02:09
This New Video Game Is...
09.21 02:09
FTC finds social media...
09.21 02:09
FTC finds social media...
09.21 01:09
Automate detection and...
09.21 01:09
Hackaday Podcast Episo...
09.21 01:09
The Russian Bot Army T...
09.21 01:09
Australia’s Labor Part...
09.21 12:09
Inviting the Public to...
09.21 12:09
How Ransomhub Ransomwa...
09.21 12:09
Middle East backdoored...

Summary | ZeroBOX

PO_20880536,pdf.7z

KeyLogger Escalate priviledges AntiDebug AntiVM

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 2, 2021, 9:18 a.m.	June 2, 2021, 9:25 a.m.

Size	267.1KB
Type	7-zip archive data, version 0.4
MD5	`a98deab6a48941d96e070a75fcbc56d5`
SHA256	`63eab9cbbc4a3bee4de98e498b7c2b4f15951660fcfcf5d8e3c4bcc6b5cd1315`
CRC32	`753118FB`
ssdeep	`6144:hEPHSsnIlcQDeokjWGuaVcJ0bmA5O31uAIcln7RUyh1:hEvSIQVkjVuaaJ0bmzgTmZ1`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "gBBpKRUhdNiAAFas" C:\Users\test22\AppData\Local\Temp\PO_20880536,pdf.7z
7140
- 7zFM.exe "C:\Program Files (x86)\7-Zip\7zFM.exe" "C:\Users\test22\AppData\Local\Temp\PO_20880536,pdf.7z"
  6204

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch
34.104.35.123	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 2, 2021, 9:18 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 2, 2021, 9:18 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 2, 2021, 9:18 a.m.	process_identifier: 6204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 2, 2021, 9:18 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Escalate priviledges				rule	Escalate_priviledges
description	Run a KeyLogger				rule	KeyLogger
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	172.217.25.14
host	34.104.35.123

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

MicroWorld-eScan	Trojan.Zmutzy.839
FireEye	Trojan.Zmutzy.839
Malwarebytes	Malware.AI.881595441
K7AntiVirus	Trojan-Downloader ( 00577dce1 )
K7GW	Trojan-Downloader ( 00577dce1 )
Arcabit	Trojan.Zmutzy.839
BitDefenderTheta	Gen:NN.ZelphiF.34692.RKY@aGKhWwbi
ESET-NOD32	a variant of Win32/Injector.EPLM
Kaspersky	UDS:Trojan-Downloader.Win32.Agent.gen
BitDefender	Trojan.Zmutzy.839
Sophos	Mal/Drod7zip-A
McAfee-GW-Edition	Fareit-FZO!01BD85D866B1
Emsisoft	Trojan.Zmutzy.839 (B)
Microsoft	Trojan:Script/Woreflint.A!cl
GData	Trojan.Zmutzy.839
MAX	malware (ai score=89)
Rising	Trojan.Kryptik!1.D2D5 (CLASSIC)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/GenKryptik.EKLE!tr