popup

Report - Funds_431353.wsf

  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.19 17:53 Machine s1_win7_x6403
Filename Funds_431353.wsf
Type UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file)
md5 05b869c9cc7e17a6216b23cc5da83ade
sha256 8c399ed57197ce38c5aedbc5720690d34172f558701b50303ccf6c37700bc278
ssdeep 1536:RR3LU0FGHNkg5j+9GkGaeA1ZI4sDQ0G29cWoRWvmXYmSelDCPF:zU0Fs+9VpIRItovaYmSelDCPF
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
watch Attempts to create or modify system certificates
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript
notice Performs some HTTP requests
info One or more processes crashed

Rules (0cnts)

Level Name Description Collection

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://pastebin.com/raw/zD5ag0UX
whois
US CLOUDFLARENET 104.20.67.143 29932 mailcious
https://pastebin.com/raw/mJfkXNYx
whois
US CLOUDFLARENET 104.20.67.143 29928 mailcious
pastebin.com
whois
US CLOUDFLARENET 172.67.34.170 mailcious
104.20.67.143
whois
US CLOUDFLARENET 104.20.67.143 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure