popup

Report - Artikel-4.png.lnk

Generic Malware Downloader Antivirus Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM Lnk Format GIF Format PNG Format MSOffice File
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2025.04.09 10:02 Machine s1_win7_x6401
Filename Artikel-4.png.lnk
Type MS Windows shortcut, Points to a file or directory, Has Working directory, Icon number=323, Archive, ctime=Fri Apr 4 07:02:22 2025, mtime=Sun Apr 6 11:33:43 2025, atime=Sun Apr 6 11:33:43 2025, length=94, window=hide
AI Score Not founds Behavior Score
9.4
ZERO API file : clean
VT API (file) 2 detected (WinLNK)
md5 91a93c5a882ec9d46934f5f00bedd453
sha256 a8dedab298933a85b78a398e458c7e9a9b63d5c3887a3f829b7d81f8cc009b70
ssdeep 24:8Jj5ZW004I0WmfQnqQE58slanjCj+7SqT32JQvMmNT32sqlanuu:8Jj5ZWgIDW8qQiq7vD2JUD2T
imphash
impfuzzy
  Network IP location

Signature (22cnts)

Level Description
danger The processes wscript.exe
watch Creates a suspicious Powershell process
watch Creates an Alternate Data Stream (ADS)
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice File has been identified by 2 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
notice Uses Windows utilities for basic Windows functionality
notice Yara rule detected in process memory
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (39cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Antivirus Contains references to security software binaries (download)
watch Network_Downloader File Downloader memory
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info JPEG_Format_Zero JPEG Format binaries (download)
info lnk_file_format Microsoft Windows Shortcut File Format binaries (upload)
info Lnk_Format_Zero LNK Format binaries (upload)
info Microsoft_Office_File_Zero Microsoft Office File binaries (download)
info PNG_Format_Zero PNG Format binaries (download)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (8cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://toolkit-nokia-network-alert.trycloudflare.com/error_log.txt
whois
US CLOUDFLARENET 104.16.230.132 clean
https://toolkit-nokia-network-alert.trycloudflare.com/
whois
US CLOUDFLARENET 104.16.230.132 clean
https://toolkit-nokia-network-alert.trycloudflare.com/b.txt
whois
US CLOUDFLARENET 104.16.230.132 clean
www.healyconsultants.com
whois
Unknown 162.159.134.42 clean
numbers-queensland-rec-thumbs.trycloudflare.com
whois
US CLOUDFLARENET 104.16.230.132 mailcious
toolkit-nokia-network-alert.trycloudflare.com
whois
US CLOUDFLARENET 104.16.231.132 malware
162.159.134.42
whois
Unknown 162.159.134.42 mailcious
104.16.230.132
whois
US CLOUDFLARENET 104.16.230.132 mailcious

Suricata ids

ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET HUNTING TryCloudFlare Domain in TLS SNI
ET INFO Observed trycloudflare .com Domain in TLS SNI

Similarity measure (PE file only) - Checking for service failure