popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

719.vbs

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 7, 2024, 9:48 a.m. Aug. 7, 2024, 9:53 a.m.
Size 837.8KB
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 bddc705622e0b2e5022ab7e66e2fd204
SHA256 885b63dd0de712c05ee61438c2e9059684e801d54681c63975748272e653d831
CRC32 76A4936C
ssdeep 3072:bkTBCf9cJbUIQ25xtsfIJJJXlLIQP091T:WNJbUIQ25xtvlLIQP091T
Yara None matched

Name Response Post-Analysis Lookup
chongmei33.publicvm.com
A 46.246.6.6
46.246.6.6
ip-api.com
A 208.95.112.1
208.95.112.1
IP Address Status Action
164.124.101.2 Active Moloch
208.95.112.1 Active Moloch
46.246.6.6 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2054141 ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49171 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49177 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49168 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2034457 ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com) Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected
TCP 192.168.56.101:49173 -> 208.95.112.1:80 2022082 ET POLICY External IP Lookup ip-api.com Device Retrieving External IP Address Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
domain chongmei33.publicvm.com
request GET http://ip-api.com/json/
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 3252703
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3252691
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3252671
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3252537
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3252536
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0
domain ip-api.com
wmi select * from win32_logicaldisk
Time & API Arguments Status Return Repeated

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

InternetReadFile

 buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-gu","zip":"058","lat":37.4818,"lon":127.1392,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"}
request_handle: 0x00cc000c
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

InternetReadFile

 buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-gu","zip":"058","lat":37.4818,"lon":127.1392,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"}
request_handle: 0x00cc000c
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

InternetReadFile

 buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-gu","zip":"058","lat":37.4818,"lon":127.1392,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"}
request_handle: 0x00cc000c
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

InternetReadFile

 buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-gu","zip":"058","lat":37.4818,"lon":127.1392,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"}
request_handle: 0x00cc000c
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

InternetReadFile

 buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-gu","zip":"058","lat":37.4818,"lon":127.1392,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.152"}
request_handle: 0x00cc000c
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\719 reg_value wscript.exe //B "C:\Users\test22\AppData\Local\Temp\719.vbs"
wmi select * from antivirusproduct
wmi select * from win32_operatingsystem
wmi select * from win32_logicaldisk
Time & API Arguments Status Return Repeated

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

send

 buffer: GET /json/ HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive
socket: 1092
sent: 259
1 259 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

send

 buffer: GET /json/ HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive
socket: 1204
sent: 259
1 259 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

send

 buffer: GET /json/ HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive
socket: 412
sent: 259
1 259 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

send

 buffer: GET /json/ HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive
socket: 1220
sent: 259
1 259 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlW

 url: http://chongmei33.publicvm.com:7044/is-ready
flags: 0
1 1 0

InternetCrackUrlW

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /json/
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

send

 buffer: GET /json/ HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive
socket: 412
sent: 259
1 259 0

send

 buffer: !
socket: 996
sent: 1
1 1 0

InternetCrackUrlA

 url: http://ip-api.com/json/
flags: 0
1 1 0

HttpOpenRequestW

 connect_handle: 0x00cc0008
http_version:
flags: 71303168
http_method: POST
referer:
path: /is-ready
1 13369356 0

send

 buffer: !
socket: 996
sent: 1
1 1 0
Cynet Malicious (score: 99)
ALYac VB:Trojan.Valyria.4537
VIPRE VB:Trojan.Valyria.4537
Sangfor Malware.Generic-VBS.Save.d63cbaa2
Arcabit VB:Trojan.Valyria.D11B9
Symantec VBS.Heur.SNIC
ESET-NOD32 VBS/Agent.OXW
Avast JS:Skiddo-A [Trj]
Kaspersky Trojan.VBS.Agent.bdq
BitDefender VB:Trojan.Valyria.4537
NANO-Antivirus Trojan.Script.Agent.iwquii
MicroWorld-eScan VB:Trojan.Valyria.4537
Emsisoft VB:Trojan.Valyria.4537 (B)
F-Secure Malware.VBS/Dldr.Agent.VPTL
FireEye VB:Trojan.Valyria.4537
Sophos VBS/DwnLdr-ACDC
Ikarus Trojan-Downloader.VBS.Agent
Avira VBS/Dldr.Agent.VPTL
Kingsoft Script.Ks.Malware.9344
ZoneAlarm Trojan.VBS.Agent.bdq
GData VB:Trojan.Valyria.4537
Varist VBS/Dunihi.A
MAX malware (ai score=89)
Fortinet VBS/Agent.OXW!tr
AVG JS:Skiddo-A [Trj]
dead_host 46.246.6.6:7044