Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.18 02:11
DOCTOR FIRM ORDER FORM...
11.18 09:11
babababa.exe
11.18 09:11
Jagtfalkenes.vbs
11.18 09:11
windows_update.dll
11.18 09:11
nicko.exe
11.18 09:11
GHO%E9%95%9C%E5%83%8F%...
11.18 09:11
stories.exe
11.17 10:11
wwbizsrvs.exe
11.15 01:11
wwbizsrvs.exe
11.15 01:11
op.exe

Latest News
11.18 05:11
Strela: A newcomer in ...
11.18 05:11
A week in security (No...
11.18 05:11
A week in security (No...
11.18 04:11
카페 어니언과 함께하는 2025 코리아브...
11.18 04:11
Singapore Oil Tycoon O...
11.18 04:11
Exploit attempts for u...
11.18 04:11
NSO Group Exploited Wh...
11.18 03:11
대한민국 전통가마 연구소 ‘태고사’ 20...
11.18 03:11
더 청담, '2024 전통문화혁신사업 수...
11.18 03:11
동방이기제작소, '2024 전통문화혁신사...

Summary | ZeroBOX

ProjectFunding_B496.wsf

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 28, 2023, 9:41 a.m.	April 28, 2023, 9:43 a.m.

Size	42.8KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`de0e6380f06d01c12e312b58221c1fcd`
SHA256	`1fbca45b85697a0e46cc73caefd77291b1f0c8f5ca25dd0d18330c0bf6b5ec7e`
CRC32	`25CE84F7`
ssdeep	`768:r04vjQj2kWoQ1b/9SeIVwJF/uiSxp7gZxI6xI3hKxviF:1sj/tQl/9SeIGH0p0Bxve`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ProjectFunding_B496.wsf
3008

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.243.147.185	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Kaspersky	HEUR:Trojan.Script.Generic
ZoneAlarm	HEUR:Trojan.Script.Generic

Communicates with host for which no DNS query was performed (1 event)

host

193.243.147.185

Wscript.exe initiated network communications indicative of a script based payload download (2 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 28, 2023, 9:41 a.m.	url: http://193.243.147.185/a8SBzlM9yOU.dat flags: 0	1	1	0
HttpOpenRequestW April 28, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /a8SBzlM9yOU.dat	1	13369356	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW April 28, 2023, 9:41 a.m.	url: http://193.243.147.185/a8SBzlM9yOU.dat flags: 0	1	1	0
HttpOpenRequestW April 28, 2023, 9:41 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /a8SBzlM9yOU.dat	1	13369356	0
send April 28, 2023, 9:41 a.m.	buffer: ! socket: 864 sent: 1	1	1	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.243.147.185:80