Summary | ZeroBOX

Document_of_file_newshipment_pdf.js

Category: FILE
Machine: s1_win7_x6401
Started: July 19, 2023, 9:09 a.m.
Completed: July 19, 2023, 9:11 a.m.
Size: 2.8KB
Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5: 5d13e163a153f92e5f656a1fd26269df
SHA256: 6f39593b4a9ba49a8ca212b7a5d77298542ad2bb2a369affae481ccf134ab91b
CRC32: DB8872C7
ssdeep: 48:oRpNA6vkeVl1DBcrOuf+vM9jrgnASH1+XI3VtegWQQ5VC9:o/66sOFf3OlC9
Yara: None matched

IP Address Status Action
104.20.68.143 Active Moloch
104.21.6.247 Active Moloch
121.254.136.27 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49161 -> 104.20.68.143:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2034938 ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io) Potential Corporate Privacy Violation
TCP 192.168.56.101:49163 -> 104.21.6.247:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49161 -> 104.20.68.143:443
Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
Fingerprint: c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd

Flow: TLSv1 192.168.56.101:49163 -> 104.21.6.247:443
Issuer: C=US, O=Let's Encrypt, CN=E1
Subject: CN=wtools.io
Fingerprint: 9c:25:6b:44:0d:fa:8c:18:14:80:59:26:63:42:4c:cd:97:e8:59:2b

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
wscript+0x2fbd @ 0x192fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 4192088
registers.edi: 0
registers.eax: 30449600
registers.ebp: 4192116
registers.edx: 1
registers.ebx: 0
registers.esi: 5445272
registers.ecx: 1923233244
1 0 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET https://pastebin.com/raw/NVAgzFRR
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

WSASend

buffer: okd·)®¥Ë¡š®òHОAú ٍ¾YBBáãm”ƒ/5 ÀÀÀ À 28*ÿ pastebin.com  
socket: 600
0 0

WSASend

buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓݬáèü/±RôOök”X® XŽ°¦ô©äPÿ>Z ‡ò’ü.Ӏè >h^0¸ÑÊޖ[àÆßX}*°š•<W]6ú«Ëq–’^[ðºLgÿü.y iÏ%ªç
socket: 600
0 0

WSASend

buffer: ÐZÆ )³?¯.|/býxlç̓ˆWðík¥ûýÄMXP]ˆ ›âA(×ç!–7û$šèòå§Wš7ç@8Ú$ž¦äò)'N¡~OÀ—-†ÿ­pÓ‡‚ìU ŽÔ¯šDõ'r §á‹ŽP1ï¨>F€H”‚ñH`:°Ú‘VP»žåpÔUö®i÷› Í`™Æ¶Ž`ˆ>6O3CaŽšTWSI·>c™¤~ 7™ 7ûf i™mãÄò6ÙL¸§ØN ‚$.ïTáÄw 
socket: 600
0 0

WSASend

buffer: lhd·)¯Uނ„ˆ:"<ž®Ùk6…ä J/o‰TbÈÉ %‚/5 ÀÀÀ À 28'ÿ wtools.io  
socket: 1116
0 0

WSASend

buffer: FBA¸Ùó!åÒÙwÛ†jä#”—z?@KvmûŪCRú—Zýð,#Û.tö0¦-#ì©I¬Ž2’ØÞÀ…l0ÎÀ!*ŠiUº˜kÏVöÌÜ®uG}—çÀä\ÀÞs‘U"‡±2ˆÅùÈ~1£%jI
socket: 1116
0 0

WSASend

buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 1168
0 0
FireEye JS:Trojan.Cryxos.12968
VirIT Trojan.JS.Remcos.DSI
ESET-NOD32 JS/TrojanDownloader.Agent.ZYN
Avast Script:SNH-gen [Drp]
Kaspersky HEUR:Trojan.Script.Generic
BitDefender JS:Trojan.Cryxos.12968
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm
MicroWorld-eScan JS:Trojan.Cryxos.12968
Emsisoft JS:Trojan.Cryxos.12968 (B)
DrWeb JS.DownLoader.6233
VIPRE JS:Trojan.Cryxos.12968
MAX malware (ai score=89)
Arcabit JS:Trojan.Cryxos.D32A8
ZoneAlarm HEUR:Trojan.Script.Generic
GData JS:Trojan.Cryxos.12968
Google Detected
ALYac JS:Trojan.Cryxos.12968
Ikarus Trojan-Downloader.PowerShell.Agent
Fortinet JS/Agent.ZYN!tr
AVG Script:SNH-gen [Drp]