Report - ZeroBOX

ScreenShot


Created	2025.04.30 13:07	Machine	s1_win7_x6401
Filename	pusy.pdf.lnk
Type	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
AI Score	Not founds	Behavior Score	9.6
ZERO API	file : clean
VT API (file)	20 detected (pantera, Save, gen111, LNKEXEC, WinLNK, Static AI, Suspicious LNK, HNDC, Link, Crafted, Probably Heur, LNKScript)
md5	dbb230c7a229e3ef9ce3f05e0282ac42
sha256	859611e07d536cbf9d61dd0d076e486f8510e964af12eba1bb689d8507428e5d
ssdeep	24:8Ayw/BHYVKVWO+/CWR62fVTlP4HXLg/kf1dd79dsoEZ/7QAMN5:8y5al62fVR+N9dJ9ha7Q
imphash
impfuzzy

Network IP location

Level	Description
danger	The process powershell.exe wrote an executable file to disk which it then attempted to execute
warning	File has been identified by 20 AntiVirus engines on VirusTotal as malicious
watch	Attempts to create or modify system certificates
watch	Creates a suspicious Powershell process
watch	Disables proxy possibly for traffic interception
watch	One or more non-whitelisted processes were created
watch	Resumed a suspended thread in a remote process potentially indicative of process injection
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a shortcut to an executable file
notice	Creates a suspicious process
notice	Drops an executable to the user AppData folder
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Yara rule detected in process memory
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Command line console output was observed
info	Queries for the computername
info	Uses Windows APIs to generate a cryptographic key

Level	Name	Description	Collection
danger	Win32_Trojan_Gen_1_0904B0_Zero	Win32 Trojan Emotet	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (download)
warning	Generic_Malware_Zero	Generic Malware	binaries (upload)
watch	Antivirus	Contains references to security software	binaries (download)
watch	Antivirus	Contains references to security software	binaries (upload)
watch	Malicious_Library_Zero	Malicious_Library	binaries (download)
watch	Malicious_Packer_Zero	Malicious Packer	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (download)
info	anti_dbg	Checks if being debugged	memory
info	DebuggerCheck__GlobalFlags	(no description)	memory
info	DebuggerCheck__QueryInfo	(no description)	memory
info	DebuggerHiding__Active	(no description)	memory
info	DebuggerHiding__Thread	(no description)	memory
info	disable_dep	Bypass DEP	memory
info	IsPE32	(no description)	binaries (download)
info	lnk_file_format	Microsoft Windows Shortcut File Format	binaries (upload)
info	Lnk_Format_Zero	LNK Format	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PowerShell	PowerShell script	scripts
info	SEH__vectored	(no description)	memory
info	ThreadControl__Context	(no description)	memory

Request	ASN Co	IP4	Rule ?	ZERO ?
https://www.4sync.com/web/directDownload/0Vgz84wr/LO8xSpi2.a49f8554be0a61b1097b333578d73c3d whois	WZCOM	199.101.134.238	45463	clean
https://dc444.4sync.com/download/0Vgz84wr/pussy.html?dsid=LO8xSpi2.a49f8554be0a61b1097b333578d73c3d&sbsr=c35311bd3db730227f93ed904127053cb46&bip=MTIxLjEzMy4xMjguMQ&lgfp=40 whois	WZCOM	199.101.133.72	45464	clean
dc444.4sync.com whois	WZCOM	199.101.133.72		malware
www.4sync.com whois	WZCOM	204.155.149.140		mailcious
199.101.133.72 whois	WZCOM	199.101.133.72		malware
199.101.134.238 whois	WZCOM	199.101.134.238		mailcious

Report - pusy.pdf.lnk