Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe
11.15 01:11
msf.exe
11.15 01:11
lum250.exe
11.15 01:11
msf443.exe
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe

Latest News
11.15 09:11
DoorDash Wants to Give...
11.15 09:11
Homebrew pH Meter Uses...
11.15 09:11
France’s Proparco Anch...
11.15 09:11
Vietnamese Hacker Grou...
11.15 08:11
Alibaba Sales Disappoi...
11.15 08:11
BofA Strategists Say B...
11.15 08:11
Chinese SilkSpecter Ha...
11.15 08:11
Dark Web Profile: Cade...
11.15 08:11
Trump’s Anti-Regulatio...
11.15 08:11
체크멀, ‘2024 대한민국 디지털 이노...

Summary | ZeroBOX

Invoice_RVSJKAM02GH_pdf.lnk

GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 2, 2023, 4:57 p.m.	Aug. 2, 2023, 4:59 p.m.

Size	2.9KB
Type	MS Windows shortcut, Points to a file or directory, Has Working directory, Icon number=0, Archive, ctime=Sun Dec 31 15:32:08 1600, mtime=Fri Jun 30 05:52:53 2023, atime=Fri Jun 30 05:52:53 2023, length=352216, window=hidenormalshowminimized
MD5	`ca4756de93f1356c73c37d5ce1e64405`
SHA256	`84d32881ef43a7662841c032d263478fb93c5bac82a126a0d06daf685ad7fa3c`
CRC32	`ED9A4BFD`
ssdeep	`24:8DqaYbE+uLiOd8nzE58ypDCj+7ShcE+WzhjCRaEduuYjSGJntVBQeTjFxMcriWq5:8D5YY5iBze7yYShjCKjSGj3TjIbWqjO`
Yara	Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "XlKIYwIkHLD" C:\Users\test22\AppData\Local\Temp\Invoice_RVSJKAM02GH_pdf.lnk
3044

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.155.91.72	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49163 -> 192.155.91.72:5000	2027260	ET INFO Dotted Quad Host VBS Request	Potentially Bad Traffic
TCP 192.168.56.102:49163 -> 192.155.91.72:5000	2027260	ET INFO Dotted Quad Host VBS Request	Potentially Bad Traffic
TCP 192.168.56.102:49163 -> 192.155.91.72:5000	2019158	ET MALWARE Possible Malicious Invoice EXE	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 2, 2023, 4:58 p.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1	0

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f22000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Aug. 2, 2023, 4:57 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da3000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 2, 2023, 4:58 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Invoice_RVSJKAM02GH_pdf.lnk

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

FireEye	Trojan.GenericKD.68469944
BitDefender	Trojan.GenericKD.68469944
MicroWorld-eScan	Trojan.GenericKD.68469944
MAX	malware (ai score=80)

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 2, 2023, 4:57 p.m.	flags: 15 family: 0		111	0

Communicates with host for which no DNS query was performed (1 event)

host

192.155.91.72

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden