Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.13 04:11
hello.exe
11.13 03:11
espsemhvcioff.exe
11.13 02:11
Geek_se.exe
11.13 02:11
cred64.dll
11.13 02:11
svhost.exe
11.13 02:11
nb.exe
11.13 02:11
svcyr.exe
11.13 02:11
Ghost_1.5.11.5.exe
11.13 02:11
PowderGpl.exe
11.13 02:11
goodlabel%E6%89%93%E5%...

Latest News
11.15 02:11
The Intersection of Ma...
11.15 02:11
Revisiting Battery Safety
11.15 02:11
Diamond Sports Wins Ap...
11.15 02:11
From risks to resilien...
11.15 02:11
Newly patched Windows ...
11.15 02:11
Chinese targeting of U...
11.15 02:11
Expanded cyberattacks ...
11.15 02:11
Data aggregator breach...
11.15 02:11
Chinese malware attack...
11.15 02:11
American Associated Ph...

Summary | ZeroBOX

Edge.js

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 29, 2021, 9:44 a.m.	July 29, 2021, 9:46 a.m.

Size	2.5KB
Type	ASCII text, with CRLF line terminators
MD5	`8a005a721fcf3972456cb12e0a4f3fa0`
SHA256	`f1df2c9befe5e84082891195415c8b032fbf3859090e1e3a856fb9611f85bb5c`
CRC32	`A176D23F`
ssdeep	`48:mup04JDUsJBeNWczSxWDE1YWbJVLNSJ3WQFSVV9vuByx33udwi6Df8zv5XYH:g41jeNRzUNK3WQFMV9mBA33udwi6Ovd6`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Edge.js
2068

Name	Response	Post-Analysis Lookup
fe1eaf89.office.drpease.com	A 195.189.96.41	195.189.96.41

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.189.96.41	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 195.189.96.41:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49163 -> 195.189.96.41:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 195.189.96.41:443 -> 192.168.56.102:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Symantec	ISB.Downloader!gen406
Avast	SNH:Script [Dropper]
Kaspersky	HEUR:Trojan-Downloader.Script.SLoad.gen
AVG	SNH:Script [Dropper]

Wscript.exe initiated network communications indicative of a script based payload download (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW July 29, 2021, 9:44 a.m.	url: https://fe1eaf89.office.drpease.com/pixel.png flags: 0	1	1	0
HttpOpenRequestW July 29, 2021, 9:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /pixel.png	1	13369356	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (12 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW July 29, 2021, 9:44 a.m.	url: https://fe1eaf89.office.drpease.com/pixel.png flags: 0	1	1	0
HttpOpenRequestW July 29, 2021, 9:44 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /pixel.png	1	13369356	0
send July 29, 2021, 9:44 a.m.	buffer: ! socket: 840 sent: 1	1	1	0
send July 29, 2021, 9:44 a.m.	buffer: ~zaùé¢åE ÔCÉn+ê'NDªSs6»/5 ÀÀÀ À 289ÿ fe1eaf89.office.drpease.com socket: 976 sent: 131	1	131	0
send July 29, 2021, 9:44 a.m.	buffer: ! socket: 840 sent: 1	1	1	0
send July 29, 2021, 9:44 a.m.	buffer: ! socket: 840 sent: 1	1	1	0
send July 29, 2021, 9:44 a.m.	buffer: ~zaùêÙJ ÔãØÍ×u$Æ ·2ÐÀHRÕIá >/5 ÀÀÀ À 289ÿ fe1eaf89.office.drpease.com socket: 976 sent: 131	1	131	0
send July 29, 2021, 9:44 a.m.	buffer: ! socket: 840 sent: 1	1	1	0
send July 29, 2021, 9:44 a.m.	buffer: ! socket: 840 sent: 1	1	1	0
send July 29, 2021, 9:44 a.m.	buffer: 51aùê\|Ç'aû[xÂ]d::Ràqhû&¸ðM ÿ socket: 976 sent: 58	1	58	0
send July 29, 2021, 9:44 a.m.	buffer: ! socket: 840 sent: 1	1	1	0
send July 29, 2021, 9:44 a.m.	buffer: ! socket: 840 sent: 1	1	1	0