Summary | ZeroBOX

cincocicnnc.vbs

Category: FILE
Machine: s1_win7_x6401
Started: Oct. 28, 2023, 7:02 p.m.
Completed: Oct. 28, 2023, 7:04 p.m.
Size: 110.5KB
Type: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5: 13f5fea2cf9c8eab90170dfda8194c09
SHA256: adfaeb4613d63d648ee38acc5c85c2bf21fddc7d45e3781f13db8ba56e2c4048
CRC32: E87A397B
ssdeep: 1536:F+iTxT2e4Mi3mI2hb7KZ18C2NGkikGkFjGkikGkKEt0eEKU+kCKGWGPrbrbTDDp5:Dl2eBQZxNj53e
Yara: None matched

Name      Response       Post-Analysis Lookup
paste.ee  104.21.84.67

IP Address      Status   Action
164.124.101.2   Active   Moloch
172.67.187.200  Active   Moloch

Suricata Alerts

Flow: TCP 192.168.56.101:49161 -> 172.67.187.200:443
SID: 2034978
Signature: ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
Category: Potential Corporate Privacy Violation

Flow: TCP 192.168.56.101:49161 -> 172.67.187.200:443
SID: 906200054
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined

Suricata TLS

Flow: TLSv1 192.168.56.101:49161 -> 172.67.187.200:443
Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1P5
Subject: CN=paste.ee
Fingerprint: cd:77:4c:26:1f:f8:63:15:43:5a:ba:aa:11:f1:e7:1a:23:3e:4b:15

request GET https://paste.ee/d/fHQVm
Symantec ISB.Downloader!gen40
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan.VBS.SAgent.gen
Rising Downloader.AgentTesla/VBS!8.16EB2 (TOPIS:E0:9qkf2iiUsAC)
Varist VBS/Agent.BFC!Eldorado
ZoneAlarm HEUR:Trojan.VBS.SAgent.gen
Google Detected
AVG Script:SNH-gen [Trj]
Time & API Arguments Status Return Repeated

WSASend

socket: 972
0 0

WSASend

socket: 972
0 0

WSASend

socket: 972
0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob