Managed XDR

zoo-tank6-data-2026-06...5027f94cf0aaf3e7f451f0 — malware analysis report

File info

Filename: zoo-tank6-data-2026-0626-2fad4e0d0f5027f94cf0aaf3e7f451f0
File type: MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon, Archive, ctime=Thu Feb 24 08:21:46 2022, mtime=Thu Feb 24 13:37:38 2022, atime=Thu Feb 24 13:37:38 2022, length=302592, window=hidenormalshowminimized
File size: 2 KB
First seen:
Last seen:

Environment

w10/x64 en

Hashes

SHA1: 85a9b5a87faa247fb594e837d2a69227ad29d856
SHA256: 0d231c05710f1934e83807d13e010b34a330f0193dd187fd0f4356b14a68f7e9
MD5: 2fad4e0d0f5027f94cf0aaf3e7f451f0

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1176 browser_addon: Installs browser extension

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1057 has_wmi: Executes one or several WMI requests
T1518 locates_browser: Attempts to identify where browsers are installed
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

network_bind: Starts servers listening at None
suspicious_explorer_cmdline: Starts explorer.exe process with suspicious command line
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
yara_rules: Static rules