msg_19_12_01384462651-7272716591.vbs

Performs some HTTP requests (1 event)

request

GET http://2-wave.com/MjdyeUHS32?

Communicates with host for which no DNS query was performed (1 event)

host	172.217.25.14

Wscript.exe initiated network communications indicative of a script based payload download (7 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW June 25, 2021, 2:04 p.m.	url: http://intra.cfecgcaquitaine.com/MjdyeUHS32? flags: 0	1	1	0
HttpOpenRequestW June 25, 2021, 2:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /MjdyeUHS32?	1	13369356	0
InternetCrackUrlW June 25, 2021, 2:04 p.m.	url: http://depomedikal.com/MjdyeUHS32? flags: 0	1	1	0
HttpOpenRequestW June 25, 2021, 2:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /MjdyeUHS32?	1	13369356	0
InternetCrackUrlW June 25, 2021, 2:04 p.m.	url: http://2-wave.com/MjdyeUHS32? flags: 0	1	1	0
HttpOpenRequestW June 25, 2021, 2:04 p.m.	connect_handle: 0x00cc0010 http_version: flags: 4194304 http_method: GET referer: path: /MjdyeUHS32?	1	13369364	0
InternetReadFile June 25, 2021, 2:04 p.m.	buffer: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /MjdyeUHS32 was not found on this server.</p> <hr> <address>Apache/2.2.3 (CentOS) Server at 2-wave.com Port 80</address> </body></html> request_handle: 0x00cc0014	1	1	0

wscript.exe-based dropper (JScript, VBS) (3 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (9 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW June 25, 2021, 2:04 p.m.	url: http://intra.cfecgcaquitaine.com/MjdyeUHS32? flags: 0	1	1	0
HttpOpenRequestW June 25, 2021, 2:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /MjdyeUHS32?	1	13369356	0
InternetCrackUrlW June 25, 2021, 2:04 p.m.	url: http://depomedikal.com/MjdyeUHS32? flags: 0	1	1	0
HttpOpenRequestW June 25, 2021, 2:04 p.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /MjdyeUHS32?	1	13369356	0
InternetCrackUrlW June 25, 2021, 2:04 p.m.	url: http://2-wave.com/MjdyeUHS32? flags: 0	1	1	0
HttpOpenRequestW June 25, 2021, 2:04 p.m.	connect_handle: 0x00cc0010 http_version: flags: 4194304 http_method: GET referer: path: /MjdyeUHS32?	1	13369364	0
send June 25, 2021, 2:04 p.m.	buffer: ! socket: 800 sent: 1	1	1	0
send June 25, 2021, 2:04 p.m.	buffer: GET /MjdyeUHS32? HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) Host: 2-wave.com Connection: Keep-Alive socket: 908 sent: 299	1	299	0
send June 25, 2021, 2:04 p.m.	buffer: ! socket: 800 sent: 1	1	1	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

MicroWorld-eScan	VB:Trojan.VBS.Agent.AQN
CAT-QuickHeal	Trojan.VBS.GIRansom.4537
McAfee	VBS/Downloader.ea
Arcabit	VB:Trojan.VBS.Agent.AQN
Cyren	VBS/Downldr.HM
Symantec	VBS.Downloader.B
ESET-NOD32	VBS/TrojanDownloader.Agent.PLS
TrendMicro-HouseCall	VBS_SCARAB.SMJS02
Kaspersky	HEUR:Trojan.Script.Agent.gen
BitDefender	VB:Trojan.VBS.Agent.AQN
NANO-Antivirus	Trojan.Script.ExpKit.ewjogg
AegisLab	Troj.Script.Agent!c
Ad-Aware	VB:Trojan.VBS.Agent.AQN
Emsisoft	VB:Trojan.VBS.Agent.AQN (B)
Comodo	UnclassifiedMalware
F-Secure	VB:Trojan.VBS.Agent.AQN
DrWeb	VBS.DownLoader.1051
TrendMicro	VBS_SCARAB.SMJS02
McAfee-GW-Edition	VBS/Downloader.ea
Sophos	Troj/VBSDldr-T
F-Prot	VBS/Downldr.HM
Avira	VBS/Drldr.Agent.4368
Antiy-AVL	Trojan[Downloader]/VBS.Agent.pkq
Microsoft	TrojanDownloader:VBS/Schopets.O
ViRobot	VBS.Downloader.4971
ZoneAlarm	HEUR:Trojan.Script.Agent.gen
GData	Script.Trojan-Downloader.Agent.AEZ
AhnLab-V3	VBS/Downloader
ALYac	VB:Trojan.VBS.Agent.AQN
MAX	malware (ai score=100)
Rising	Downloader.Schopets!8.EAAB (TOPIS:9cv31yapexE)
Ikarus	Trojan-Ransom.Script.GlobeImposter
Fortinet	VBS/Agent.PLT!tr.dldr