Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
04.27 08:04
main-292e27553c8f5cb8....
04.27 08:04
6814.91bf0d11abffee40....
04.27 08:04
polyfills-c67a75d1b6f9...
04.27 08:04
framework-ca706bf673a1...
04.27 08:04
ee8b1517-cc4d7300db272...
04.27 08:04
_app-8a13ca4ac05f979e....
04.27 08:04
webpack-6751726d88b2d8...
04.27 08:04
gtm.js.pobrane
04.27 08:04
290-f42c07d7b35e4d71.j...
04.27 08:04
75fc9c18-02b28d24f737c...

Latest News
04.28 04:04
Intro to Z3 - Flare 11...
04.28 04:04
IT Sicherheitsnews tae...
04.28 04:04
Bundesweit: Hessen sta...
04.28 02:04
Quick and Easy Digital...
04.28 01:04
Überwachung per KI-Per...
04.28 01:04
Cluely: Wie eine Schum...
04.28 12:04
Huawei Set to Test Pow...
04.28 12:04
윈도우 11 보안 기능 VBS Encla...
04.28 12:04
Big Tech’s Earnings Pr...
04.27 11:04
VESC Mods Made Via Vib...

Summary | ZeroBOX

loader.vbs

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 28, 2025, 9:28 a.m.	March 28, 2025, 9:34 a.m.

Size	940.0B
Type	UTF-8 Unicode text, with CRLF line terminators
MD5	`cae91a547e1f1f9340d8856b5b1ffd07`
SHA256	`aeb04690e950c382b02ccfc85370d5fd7f814bc8160350ee5daa6152dcd18c1e`
CRC32	`7DF518A2`
ssdeep	`24:9AKpLr2KjwGzll9LONnhQrq9t7mBIHyyY0HVW:eoLrlgydwhbs`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\loader.vbs
1984

Name	Response	Post-Analysis Lookup
github.com	A 20.200.245.247	20.200.245.247
ntfy.sh	A 159.203.148.75	159.203.148.75

IP Address	Status	Action
159.203.148.75	Active	Moloch
164.124.101.2	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 20.200.245.247:443 -> 192.168.56.103:49163	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 159.203.148.75:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 159.203.148.75:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 159.203.148.75:443 -> 192.168.56.103:49166	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 28, 2025, 9:28 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\win_init.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\win_init.exe		0	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Skyhigh	BehavesLike.VBS.Dropper.xp
Symantec	ISB.Downloader!gen60
ESET-NOD32	VBS/TrojanDownloader.Agent.PHZ
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Ikarus	Trojan-Downloader.VBS.Agent
Google	Detected
Yandex	HTML.Psyme.Gen
Fortinet	VBS/Agent.RNN!tr.dldr

Wscript.exe initiated network communications indicative of a script based payload download (4 events)

Time & API	Arguments	Status	Return	Repeated
WSASend March 28, 2025, 9:28 a.m.	buffer: migåí-+HRæ²ÒÞÈ n¦ÕÏßÀ/sjÿ/5 ÀÀÀ À 28(ÿ github.com socket: 532		0	0
WSASend March 28, 2025, 9:28 a.m.	buffer: 51gåí-ý¶Þÿ`ÈÚ9î¿À]í°C×"ÛÁc ÿ socket: 532		0	0
InternetCrackUrlW March 28, 2025, 9:28 a.m.	url: https://ntfy.sh/dillertus77 flags: 0	1	1	0
HttpOpenRequestW March 28, 2025, 9:28 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /dillertus77	1	13369356	0

wscript.exe-based dropper (JScript, VBS) (1 event)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (14 events)

Time & API	Arguments	Status	Return	Repeated
WSASend March 28, 2025, 9:28 a.m.	buffer: migåí-+HRæ²ÒÞÈ n¦ÕÏßÀ/sjÿ/5 ÀÀÀ À 28(ÿ github.com socket: 532		0	0
WSASend March 28, 2025, 9:28 a.m.	buffer: 51gåí-ý¶Þÿ`ÈÚ9î¿À]í°C×"ÛÁc ÿ socket: 532		0	0
InternetCrackUrlW March 28, 2025, 9:28 a.m.	url: https://ntfy.sh/dillertus77 flags: 0	1	1	0
HttpOpenRequestW March 28, 2025, 9:28 a.m.	connect_handle: 0x00cc0008 http_version: flags: 81788928 http_method: POST referer: path: /dillertus77	1	13369356	0
send March 28, 2025, 9:28 a.m.	buffer: ! socket: 1216 sent: 1	1	1	0
send March 28, 2025, 9:28 a.m.	buffer: jfgåí.DÒNÒ±,~fÖøãù<¢ ¦È@¤;ÿø/5 ÀÀÀ À 28%ÿ ntfy.sh socket: 1304 sent: 111	1	111	0
send March 28, 2025, 9:28 a.m.	buffer: ! socket: 1216 sent: 1	1	1	0
send March 28, 2025, 9:28 a.m.	buffer: ! socket: 1216 sent: 1	1	1	0
send March 28, 2025, 9:28 a.m.	buffer: jfgåí/¼k¬¤á0SL«_Pg¶(ñÑf¬³°²ÊâÝ/5 ÀÀÀ À 28%ÿ ntfy.sh socket: 1304 sent: 111	1	111	0
send March 28, 2025, 9:28 a.m.	buffer: ! socket: 1216 sent: 1	1	1	0
send March 28, 2025, 9:28 a.m.	buffer: ! socket: 1216 sent: 1	1	1	0
send March 28, 2025, 9:28 a.m.	buffer: 51gåí/ÐÊ)õp+_!ÏgpÂl.¶¡ZôÒùz ÿ socket: 1304 sent: 58	1	58	0
send March 28, 2025, 9:28 a.m.	buffer: ! socket: 1216 sent: 1	1	1	0
send March 28, 2025, 9:28 a.m.	buffer: ! socket: 1216 sent: 1	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

wscript.exe

martian_process

C:\Users\test22\AppData\Local\Temp\win_init.exe

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Local\Temp\win_init.exe