Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 8, 2023, 9:37 a.m.	Nov. 8, 2023, 9:39 a.m.

Size	7.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`cf34cf3dc725d0145cb4b3ecfba459e7`
SHA256	`6766c478915817f5a95bc278a0205a89d0fbc03432d544399b70ab3fdc137001`
CRC32	`511E323F`
ssdeep	`48:hSJE7GJLO4JJoNK5JzOTwgNS2utIGndHsRbJJz0GhD7GJ5o4fuwufQAJ6Gmfo/iT:yO1wtOMgR1uMF5SNEiGF4sdc`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ORDER-23116FC.pdf.js
2560

Name	Response	Post-Analysis Lookup
grapemundo.com	A 103.50.163.157	103.50.163.157

IP Address	Status	Action
103.50.163.157	Active	Moloch
164.124.101.2	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.101:49163 -> 103.50.163.157:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49161 -> 103.50.163.157:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.50.163.157:443 -> 192.168.56.101:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW Nov. 8, 2023, 9:37 a.m.	url: https://grapemundo.com/Apk/work.vbs flags: 0	1	1	0
HttpOpenRequestW Nov. 8, 2023, 9:37 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /Apk/work.vbs	1	13369356	0

Time & API	Arguments	Status	Return
InternetCrackUrlW Nov. 8, 2023, 9:37 a.m.	url: https://grapemundo.com/Apk/work.vbs flags: 0	1	1
HttpOpenRequestW Nov. 8, 2023, 9:37 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /Apk/work.vbs	1	13369356
send Nov. 8, 2023, 9:37 a.m.	buffer: ! socket: 844 sent: 1	1	1
send Nov. 8, 2023, 9:37 a.m.	buffer: qmeJØ7]´*ûpOKØ ¼Å½it÷?Âë8nÜìy×`/5 ÀÀÀ À 28,ÿgrapemundo.com socket: 956 sent: 118	1	118
send Nov. 8, 2023, 9:37 a.m.	buffer: ! socket: 844 sent: 1	1	1
send Nov. 8, 2023, 9:37 a.m.	buffer: ! socket: 844 sent: 1	1	1
send Nov. 8, 2023, 9:37 a.m.	buffer: qmeJØ7ÿ7i¿PÒ ë¶aúg©H[âÉ%²ð,B/5 ÀÀÀ À 28,ÿgrapemundo.com socket: 956 sent: 118	1	118
send Nov. 8, 2023, 9:37 a.m.	buffer: ! socket: 844 sent: 1	1	1
send Nov. 8, 2023, 9:37 a.m.	buffer: ! socket: 844 sent: 1	1	1
send Nov. 8, 2023, 9:37 a.m.	buffer: 51eJØ8cøKÛ ®* \|¶Å¾óK82õ ÿ socket: 956 sent: 58	1	58
send Nov. 8, 2023, 9:37 a.m.	buffer: ! socket: 844 sent: 1	1	1
send Nov. 8, 2023, 9:37 a.m.	buffer: ! socket: 844 sent: 1	1	1

FireEye	JS:Trojan.Cryxos.10732
Skyhigh	BehavesLike.JS.Downloader.zx
VIPRE	JS:Trojan.Cryxos.10732
Symantec	ISB.Downloader!gen60
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	JS:Trojan.Cryxos.10732
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
MicroWorld-eScan	JS:Trojan.Cryxos.10732
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:9kuM9iQ3OWD)
Sophos	JS/Drop-DHB
Emsisoft	JS:Trojan.Cryxos.10732 (B)
GData	JS:Trojan.Cryxos.10732
Varist	URL/Downldr.EA.gen!Eldorado
MAX	malware (ai score=88)
Arcabit	JS:Trojan.Cryxos.D29EC
ZoneAlarm	HEUR:Trojan.Script.Generic
Microsoft	Trojan:Script/Wacatac.B!ml
Google	Detected
ALYac	JS:Trojan.Cryxos.10732
Ikarus	Trojan-Downloader.JS.Agent

ORDER-23116FC.pdf.js