Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 5, 2023, 12:30 p.m.	Nov. 5, 2023, 12:33 p.m.

Size	312.5KB
Type	PE32 executable (console) Intel 80386, for MS Windows
MD5	`7e559dc4e162f6aaee6a034fa2d9c838`
SHA256	`4c2e05acad9e625ba60ca90fa7cce6a1b11a147e00f43e0f29225faeff6b54aa`
CRC32	`68CD2745`
ssdeep	`6144:jU+kZmuBc5tF/LdiZ/xCJkQbvy5XVkmZyTJS1xvnLgmbEB968oET0WoABqzMoRXq:jUBZmewtxLE/kJkcvxEtzyB968hTEFZ`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description)

plink.exe "C:\Users\test22\AppData\Local\Temp\plink.exe"
2032

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
5.148.32.222	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (36 events)

Time & API	Arguments	Status	Return
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: PuTTY Link: command-line connection utility console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: Release 0.63 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: Usage: plink [options] [user@]host [command] console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: ("host" can also be a PuTTY saved session name) console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: Options: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -V print version information and exit console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -pgpfp print PGP key fingerprints and exit console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -v show verbose messages console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: force use of a particular protocol console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -P port connect to specified port console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -l user connect with specified username console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -batch disable all interactive prompts console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: The following options only apply to SSH connections: console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -pw passw login with specified password console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -D [listen-IP:]listen-port console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: Dynamic SOCKS-based port forwarding console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -L [listen-IP:]listen-port:host:port console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: Forward local port to remote address console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -R [listen-IP:]listen-port:host:port console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: Forward remote port to local address console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -X -x enable / disable X11 forwarding console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -A -a enable / disable agent forwarding console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -t -T enable / disable pty allocation console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -1 -2 force use of particular protocol version console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -4 -6 force use of IPv4 or IPv6 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -C enable compression console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -i key private key file for authentication console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -noagent disable use of Pageant console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -agent enable use of Pageant console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -m file read remote command(s) from file console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -s remote command is an SSH subsystem (SSH-2 only) console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -N don't start a shell/command (SSH-2 only) console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -nc host:port console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: open tunnel in place of session (SSH-2 only) console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: -sercfg configuration-string (e.g. 19200,8,n,1,X) console_handle: 0x00000007	1	1
WriteConsoleA Nov. 5, 2023, 12:30 p.m.	buffer: Specify the serial configuration (serial only) console_handle: 0x00000007	1	1

Communicates with host for which no DNS query was performed (1 event)

host

5.148.32.222

Harvests credentials from local FTP client softwares (1 event)

registry

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

plink.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All