Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

ProjectFunding_D305.wsf

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 28, 2023, 9:05 a.m.	April 28, 2023, 9:07 a.m.

Size	47.2KB
Type	Non-ISO extended-ASCII text, with very long lines, with CRLF, LF line terminators
MD5	`254f413905e4ba561b0a85fa7c3a4790`
SHA256	`0ed98f68fb91a0cae4b8ed8386055318d21934c6e3ed201f997d31cf84108ed5`
CRC32	`3404138B`
ssdeep	`768:c0TapE5tZ2yA8PPAhTX//NTBb1VSZ+qNZeHZ1Sh5Qbp6ZoNJInTte:c0Wpu2Z8PPAZ//NTBb1mNZewAGU`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ProjectFunding_D305.wsf
2052

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
149.102.255.183	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Communicates with host for which no DNS query was performed (1 event)

host

149.102.255.183

Wscript.exe initiated network communications indicative of a script based payload download (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 28, 2023, 9:05 a.m.	url: http://149.102.255.183/acv7jAPeF4lNZaiR.dat flags: 0	1	1	0
HttpOpenRequestW April 28, 2023, 9:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /acv7jAPeF4lNZaiR.dat	1	13369356	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 28, 2023, 9:05 a.m.	url: http://149.102.255.183/acv7jAPeF4lNZaiR.dat flags: 0	1	1	0
HttpOpenRequestW April 28, 2023, 9:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /acv7jAPeF4lNZaiR.dat	1	13369356	0
send April 28, 2023, 9:05 a.m.	buffer: ! socket: 860 sent: 1	1	1	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

149.102.255.183:80