Managed XDR

zoo-tank6-data-2026-06...ac9185bf913ded4ca25d8b — malware analysis report

File info

Filename
zoo-tank6-data-2026-0626-069fc9fe63ac9185bf913ded4ca25d8b
File type
MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon, Archive, ctime=Tue May 26 08:43:41 2020, mtime=Tue May 26 08:43:41 2020, atime=Tue May 26 08:43:41 2020, length=302592, window=hidenormalshowminimized
File size
2 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
05d4a1dae0160327f5e8f27ef64a463f0d3bc224
SHA256
518764fa218c03ded6dd533e2c3800d453fdb59207306c92f2e72e12424ac441
MD5
069fc9fe63ac9185bf913ded4ca25d8b

Signatures

Execution

T1204 suspicious_lnk: LNK file with suspicious content
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests

Persistence

T1176 browser_addon: Installs browser extension

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1082 has_wmi: Executes one or several WMI requests
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Other

suspicious_explorer_cmdline: Starts explorer.exe process with suspicious command line
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
yara_rules: Static rules