Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.20 09:11
mainbas.bat
11.20 09:11
dll007.dll
11.20 09:11
exe004.exe
11.20 09:11
exe010.exe
11.20 09:11
blecher.exe
11.20 09:11
GetAdapterInfo.exe
11.20 09:11
dll004.dll
11.20 09:11
dll008.dll
11.20 09:11
bestthingsalwaysgetbes...
11.20 09:11
DKM-9067291.pdf.lnk

Latest News
11.20 01:11
Anyone Can Buy Data Tr...
11.20 12:11
ISC Stormcast For Wedn...
11.20 12:11
코막힘 해결사 올바스 브랜드, 바르는 ‘...
11.20 12:11
Batteries Not Included...
11.20 12:11
AI 딥테크 스타트업 폴리머라이즈, ‘폴...
11.20 11:11
62만 유튜버 연츄, 인천 노인주간보호센...
11.20 11:11
Unveiling LIMINAL PAND...
11.20 11:11
이천청솔기숙학원, 2025 입시 준비 조...
11.20 11:11
모즈 탄소매트, 전자파 없는 원적외선 매...
11.20 11:11
유어네스트 ‘이터널 라이트’ 아틀리에 투...

Summary | ZeroBOX

inv.lnk

GIF Format Lnk Format

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 20, 2024, 9:11 a.m.	Nov. 20, 2024, 9:14 a.m.

Size	1.9KB
Type	MS Windows shortcut, Points to a file or directory, Icon number=11, Archive, ctime=Tue Nov 12 01:01:00 2024, mtime=Tue Nov 12 01:00:50 2024, atime=Tue Nov 12 01:00:50 2024, length=156, window=hidenormalshowminimized
MD5	`842132a519bc8f532382c78c1895cb02`
SHA256	`b5bb66a242f901ac5c82eaa653209a45faa6efc968282e1ad1af38738947fadb`
CRC32	`9282D044`
ssdeep	`24:8nps8zZHWWY6/wHcmPnqQE58S5V74DCj+7SToX2JQvMP37tAX2xV74u:8np3HWWf0cuqQE74D75X2JzKX2j74`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "GXVgeHUO" C:\Users\test22\AppData\Local\Temp\inv.lnk
1188

Name	Response	Post-Analysis Lookup
native-shipments-forty-polar.trycloudflare.com		104.16.230.132

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 20, 2024, 9:11 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 20, 2024, 9:12 a.m.	buffer: Access is denied. console_handle: 0x0000000b	1	1	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\inv.lnk

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Symantec	Trojan Horse
ESET-NOD32	LNK/TrojanDownloader.Agent.CDU
Sophos	Troj/DownLnk-CN
Google	Detected
GData	Win32.Trojan.Agent.7ROWFL
Ikarus	Trojan-Downloader.LNK.Agent
Tencent	Win32.Trojan-Downloader.Der.Dplw
huorong	TrojanDownloader/LNK.Agent.en
alibabacloud	Trojan[downloader]:Win/Agent.CFW

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 20, 2024, 9:11 a.m.	flags: 15 family: 0		111	0

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden