Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...
09.20 10:09
Inquiry-Dubai.js

Latest News
09.20 02:09
Inside a Portable Sate...
09.20 02:09
리튬포어스, 카카오프렌즈 ‘휴대용 미니 ...
09.20 02:09
제이피에스코스메틱 선형훈 대표이사, 산업...
09.20 02:09
Fence Agents Remediati...
09.20 01:09
재능넷, AI 기반 시각화 전문 지식 서...
09.20 01:09
[PASCON 2024-영상] 카스퍼스키...
09.20 01:09
2024-09-19 UNC1860 Ira...
09.20 01:09
Nvidia Teams Up With A...
09.20 12:09
[PASCON 2024-영상] 펜타린크 ...
09.20 11:09
ISC Stormcast For Frid...

Summary | ZeroBOX

3RdYB0yFDbNXezPE.jpg

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 9, 2021, 8:04 p.m.	July 9, 2021, 8:06 p.m.

Size	497.6KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`b08c1bc14e305a050747155ef13e14fe`
SHA256	`57218d0c8c6a70d873ebd6f1b656b4bf51ce0741693ff733e18eff8ca4df38bf`
CRC32	`6C8D2D32`
ssdeep	`12288:58vcOju3mvgZSriIm4N/SKf2zsJ3KKbBJpL7Lb+QQQQQVQSSSSSSSknhbN1F1kJv:avcOju3mvgZSriIm4N/SKf2zsJ3KKbBH`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\3RdYB0yFDbNXezPE.jpg.hta
2412

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 9, 2021, 8:04 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 9, 2021, 8:04 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73452000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory July 9, 2021, 8:04 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f63000 process_handle: 0xffffffff	1	0	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Symantec	Backdoor.ASync!gm
DrWeb	PowerShell.Dropper.31
Rising	Trojan.Injector/PS!1.D2AD (CLASSIC)

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 9, 2021, 8:04 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef90000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200