popup

Report - Funds_166311.wsf

  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.04.20 11:18 Machine s1_win7_x6402
Filename Funds_166311.wsf
Type Non-ISO extended-ASCII text, with very long lines, with CRLF, LF line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file)
md5 c8cdbe9de89761dd6364ac64c6fdf0cf
sha256 8e6e01a514d1374a01348f3701292cef839b749ab702f521cb26ff502de65628
ssdeep 1536:lQi3QiUM6QuQwWjijsq3bQm4U3KvIseYYvvpy:OstDIb0m3s3Ynpy
imphash
impfuzzy
  Network IP location

Signature (6cnts)

Level Description
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests
info One or more processes crashed

Rules (0cnts)

Level Name Description Collection

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://pastebin.com/raw/zD5ag0UX
whois
US CLOUDFLARENET 104.20.67.143 29932 mailcious
https://pastebin.com/raw/mJfkXNYx
whois
US CLOUDFLARENET 104.20.67.143 29928 mailcious
pastebin.com
whois
US CLOUDFLARENET 104.20.67.143 mailcious
104.20.67.143
whois
US CLOUDFLARENET 104.20.67.143 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure