Summary | ZeroBOX

wis2war.vbs

Hide_EXE Anti_VM PE File
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 11, 2023, 9:41 a.m.
Completed: Aug. 11, 2023, 9:43 a.m.
Size: 1.9MB
Type: Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5: 72fab82acb233fa5b2d7aeb5cecf14bb
SHA256: 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
CRC32: C2C96FFC
ssdeep: 6144:MhFLSUbTzDvAaRZMF2nkKA3T7oB32XsPhY0/QSE2lGNpUoB+mZIS7/942c:ctxrPgwivYeSV4pR7/M
Yara: None matched
Yara None matched

IP Address | Status | Action
103.47.144.15 | Active | Moloch
164.124.101.2 | Active | Moloch
208.95.112.1 | Active | Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

GetComputerNameW
computer_name: TEST22-PC
status: 1  return: 1  repeated: 0
(this identical call, with the same argument, is logged 25 times in the report)
Time & API | Arguments | Status | Return | Repeated

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
wscript+0x2fbd @ 0xbf2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 3013432
registers.edi: 0
registers.eax: 40734960
registers.ebp: 3013460
registers.edx: 1
registers.ebx: 0
registers.esi: 52700504
registers.ecx: 1920480732
status: 1  return: 0  repeated: 0
domain chongmei33.publicvm.com
request GET http://ip-api.com/json/
Time & API | Arguments | Status | Return | Repeated

NtProtectVirtualMemory
process_identifier: 2800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
status: 1  return: 0  repeated: 0
Time & API | Arguments | Status | Return | Repeated

GetDiskFreeSpaceW
(logged 5 times; only number_of_free_clusters differs between calls: 3251689, 3251664, 3251644, 3251510, 3251509)
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
status: 1  return: 1  repeated: 0 (for each of the 5 calls)
domain ip-api.com
file C:\Users\test22\AppData\Local\Tempwinlogon.exe
file C:\Users\test22\AppData\Local\Temp\aug.vbs
wmi select * from win32_logicaldisk
Time & API | Arguments | Status | Return | Repeated

The following six-call sequence is logged five times, identically each time:

InternetCrackUrlW
url: http://chongmei33.publicvm.com:7045/is-ready
flags: 0
status: 1  return: 1  repeated: 0

InternetCrackUrlW
url: http://ip-api.com/json/
flags: 0
status: 1  return: 1  repeated: 0

HttpOpenRequestW
connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
status: 1  return: 13369356  repeated: 0

InternetCrackUrlA
url: http://ip-api.com/json/
flags: 0
status: 1  return: 1  repeated: 0

InternetReadFile
buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-gu","zip":"057","lat":37.5024,"lon":127.123,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"}
request_handle: 0x00cc000c
status: 1  return: 1  repeated: 0

HttpOpenRequestW
connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
status: 1  return: 13369356  repeated: 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wis2war
reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wis2war.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wis2war
reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\wis2war.vbs"
(each of the two registry entries above is logged six times in the report)
file C:\Users\test22\AppData\Local\Temp\aug.vbs
wmi select * from antivirusproduct
wmi select * from win32_operatingsystem
wmi select * from win32_logicaldisk
Time & API | Arguments | Status | Return | Repeated

The following sequence is logged five times; the only difference between passes is the socket number of the 259-byte send (1196, 1300, 416, 476 and 472 respectively):

InternetCrackUrlW
url: http://chongmei33.publicvm.com:7045/is-ready
flags: 0
status: 1  return: 1  repeated: 0

InternetCrackUrlW
url: http://ip-api.com/json/
flags: 0
status: 1  return: 1  repeated: 0

HttpOpenRequestW
connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
status: 1  return: 13369356  repeated: 0

send
buffer: !
socket: 1136
sent: 1
status: 1  return: 1  repeated: 0

send
buffer:
  GET /json/ HTTP/1.1
  Accept: */*
  Accept-Language: ko
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
  Accept-Encoding: gzip, deflate
  Host: ip-api.com
  Connection: Keep-Alive
socket: 1196 (1300, 416, 476, 472 in the later passes)
sent: 259
status: 1  return: 259  repeated: 0

send
buffer: !
socket: 1136
sent: 1
status: 1  return: 1  repeated: 0

InternetCrackUrlA
url: http://ip-api.com/json/
flags: 0
status: 1  return: 1  repeated: 0

HttpOpenRequestW
connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
status: 1  return: 13369356  repeated: 0

send
buffer: !
socket: 1136
sent: 1
status: 1  return: 1  repeated: 0
parent_process wscript.exe martian_process "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\aug.vbs"
parent_process wscript.exe martian_process C:\Users\test22\AppData\Local\Temp\aug.vbs
file C:\Windows\SysWOW64\wscript.exe
file C:\Users\test22\AppData\Local\Tempwinlogon.exe
dead_host 103.47.144.15:7045
Lionic Trojan.Script.Agent.4!c
MicroWorld-eScan VB:Trojan.Valyria.4537
FireEye VB:Trojan.Valyria.4537
ALYac VB:Trojan.Valyria.4537
Sangfor Malware.Generic-VBS.Save.4b44637b
Arcabit VB:Trojan.Valyria.D11B9
Cyren VBS/Dunihi.A
Symantec Trojan.Mdropper
ESET-NOD32 VBS/Agent.OXW
Avast JS:Skiddo-A [Trj]
Cynet Malicious (score: 99)
Kaspersky Trojan.VBS.Agent.bdq
BitDefender VB:Trojan.Valyria.4537
NANO-Antivirus Trojan.Script.Agent.iwquii
Tencent Vbs.Trojan.Agent.Ddhl
Sophos VBS/DwnLdr-ACDC
F-Secure Malware.VBS/Dldr.Agent.VPTL
VIPRE VB:Trojan.Valyria.4537
Emsisoft VB:Trojan.Valyria.4537 (B)
Avira VBS/Dldr.Agent.VPTL
MAX malware (ai score=81)
Gridinsoft Trojan.U.WarzoneRAT.bot
Microsoft Trojan:Script/Wacatac.B!ml
ZoneAlarm Trojan.VBS.Agent.bdq
GData VB:Trojan.Valyria.4537
Google Detected
Rising Trojan.Agent/VBS!8.11E09 (TOPIS:E0:8Pczf7R4UFS)
Ikarus Trojan-Downloader.VBS.Agent
Fortinet VBS/Agent.OXW!tr
AVG JS:Skiddo-A [Trj]