Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
11.08 05:11
locker.exe
11.08 05:11
PowerView.ps1
11.08 05:11
cred64.dll
11.08 05:11
ngrok.exe
11.08 05:11
CollosalLoader.exe
11.08 05:11
SharpHound.exe
11.08 05:11
Reaper%20cfx%20Spoofer...
11.08 05:11
dxwebsetup.exe
11.08 05:11
hell9o.exe
11.08 05:11
jerniuiopu.exe

Latest News
11.11 06:11
Building a Motor Feed ...
11.11 05:11
Spam-Anrufe adé: Diese...
11.11 05:11
Bilderkontrolle in Wha...
11.11 05:11
Baguette statt Bitcoin...
11.11 05:11
Beware of the “India P...
11.11 03:11
Component Tester Teardown
11.11 03:11
JPMorgan Braces for ‘I...
11.11 02:11
Zipdump & PKZIP Re...
11.11 12:11
Strom und Heizkosten i...
11.11 12:11
Koffein-Tracking per A...

Summary | ZeroBOX

neverban_dWMkPE.vbs

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 26, 2023, 6:03 p.m.	Sept. 26, 2023, 6:05 p.m.

Size	1.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`1bd0900f5c260ec597662cbcdb396d4a`
SHA256	`a184fa874e95c0338f6d966d41454b8a6e40c416f5ee710e21362f9af94dcd9e`
CRC32	`3BB9918C`
ssdeep	`48:IDKsFeq8Q1O6Z+20CfFENmWLFPR9OaaoYFF6ab:ID7X8WOKiCfuvFPRJqz`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\neverban_dWMkPE.vbs
2060

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
66.42.63.27	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
ZoneAlarm	HEUR:Trojan.Script.Generic
Fortinet	VBS/Agent.SJR!tr.dldr
AVG	Script:SNH-gen [Trj]

Communicates with host for which no DNS query was performed (1 event)

host

66.42.63.27

Wscript.exe initiated network communications indicative of a script based payload download (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Sept. 26, 2023, 6:03 p.m.	buffer: POST /znemsbyy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 0 Host: 66.42.63.27:2351 socket: 500		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Sept. 26, 2023, 6:03 p.m.	buffer: POST /znemsbyy HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 0 Host: 66.42.63.27:2351 socket: 500		0	0