Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 14, 2023, 10:26 a.m.	Dec. 14, 2023, 10:28 a.m.

Size	7.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`516442412f0c621f39abd64b645f587c`
SHA256	`3dbe569606e7cb9d93ad9f5bb8135fb9e6faf2d525c365dbc0eb672a45419ff9`
CRC32	`843059F8`
ssdeep	`48:MOIWNECVZvY3thH1S4T0O2NiIVEggU3mOOFANEeoTmKaU9Osxi4OcKGE+G:zYCVZ+FTbmVEgg+u9Ny8MXV+G`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ORDER-231211.Xls.js
1984

Name	Response	Post-Analysis Lookup
nac-ecs.co.mz	A 144.208.78.130	144.208.78.130

IP Address	Status	Action
144.208.78.130	Active	Moloch
164.124.101.2	Active	Moloch

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 144.208.78.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 144.208.78.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 144.208.78.130:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

No Suricata TLS

Time & API	Arguments	Status	Return	Repeated
InternetCrackUrlW Dec. 14, 2023, 10:26 a.m.	url: https://nac-ecs.co.mz/onedrive/wp.vbs flags: 0	1	1	0
HttpOpenRequestW Dec. 14, 2023, 10:26 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /onedrive/wp.vbs	1	13369356	0

Time & API	Arguments	Status	Return
InternetCrackUrlW Dec. 14, 2023, 10:26 a.m.	url: https://nac-ecs.co.mz/onedrive/wp.vbs flags: 0	1	1
HttpOpenRequestW Dec. 14, 2023, 10:26 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /onedrive/wp.vbs	1	13369356
send Dec. 14, 2023, 10:26 a.m.	buffer: ! socket: 836 sent: 1	1	1
send Dec. 14, 2023, 10:26 a.m.	buffer: plezY×±æFùLan@<X$r®#¸¯t3ÕãCØ"c/5 ÀÀÀ À 28+ÿ nac-ecs.co.mz socket: 964 sent: 117	1	117
send Dec. 14, 2023, 10:26 a.m.	buffer: ! socket: 836 sent: 1	1	1
send Dec. 14, 2023, 10:26 a.m.	buffer: ! socket: 836 sent: 1	1	1
send Dec. 14, 2023, 10:26 a.m.	buffer: plezYØüE³"gýÆÀ´)¤@uëã³ïIN¤/5 ÀÀÀ À 28+ÿ nac-ecs.co.mz socket: 964 sent: 117	1	117
send Dec. 14, 2023, 10:26 a.m.	buffer: ! socket: 836 sent: 1	1	1
send Dec. 14, 2023, 10:26 a.m.	buffer: ! socket: 836 sent: 1	1	1
send Dec. 14, 2023, 10:26 a.m.	buffer: 51ezYØÅ½j2õÑÞt BZÓî½9óÜ¤¶/a§ ÿ socket: 964 sent: 58	1	58
send Dec. 14, 2023, 10:26 a.m.	buffer: ! socket: 836 sent: 1	1	1
send Dec. 14, 2023, 10:26 a.m.	buffer: ! socket: 836 sent: 1	1	1

Lionic	Trojan.Script.Cryxos.4!c
FireEye	JS:Trojan.Cryxos.10732
ALYac	JS:Trojan.Cryxos.10732
Symantec	ISB.Downloader!gen60
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	JS:Trojan.Cryxos.10732
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
MicroWorld-eScan	JS:Trojan.Cryxos.10732
Emsisoft	JS:Trojan.Cryxos.10732 (B)
VIPRE	JS:Trojan.Cryxos.10732
Sophos	JS/Drop-DHB
Google	Detected
Kingsoft	Script.Trojan.Generic.a
Gridinsoft	Trojan.U.Gen.tr
Arcabit	JS:Trojan.Cryxos.D29EC
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	JS:Trojan.Cryxos.10732
Varist	ABRisk.YTIT-11
MAX	malware (ai score=84)
Ikarus	Trojan-Downloader.JS.Agent
AVG	Other:Malware-gen [Trj]

ORDER-231211.Xls.js