Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

Claim_E712.wsf

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 26, 2023, 9:13 a.m.	April 26, 2023, 9:15 a.m.

Size	98.0KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`605f0e8f6e2835c4e40b142f2aee3d27`
SHA256	`12bdd4b5ee0ed1156b2c20d07311edb51460f3f89988c3f34dc68ca7748e4301`
CRC32	`AEAA7775`
ssdeep	`3072:v/1ZOI+sttV/y7hKekSMNi1DgEBTBJw3SwP:F1LttV/y7hKJM10EnJwCwP`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Claim_E712.wsf
1648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.39.18.107	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Communicates with host for which no DNS query was performed (1 event)

host

185.39.18.107

Wscript.exe initiated network communications indicative of a script based payload download (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 26, 2023, 9:13 a.m.	url: http://185.39.18.107/ah5tW8LiTPvoXJ.dat flags: 0	1	1	0
HttpOpenRequestW April 26, 2023, 9:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ah5tW8LiTPvoXJ.dat	1	13369356	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 26, 2023, 9:13 a.m.	url: http://185.39.18.107/ah5tW8LiTPvoXJ.dat flags: 0	1	1	0
HttpOpenRequestW April 26, 2023, 9:13 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /ah5tW8LiTPvoXJ.dat	1	13369356	0
send April 26, 2023, 9:13 a.m.	buffer: ! socket: 860 sent: 1	1	1	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.39.18.107:80