ScreenShot
| Created | 2023.05.17 09:50 | Machine | s1_win7_x6402 |
| Filename | w.vbs | ||
| Type | Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 26 detected (Valyria, Save, Dunihi, SNIC, Skiddo, Malicious, score, iwquii, VPTL, ai score=86, Detected) | ||
| md5 | 9e6396c0f6372ad9dabf49ac46c37b19 | ||
| sha256 | cde3243e5d239396688c6a7bac14a6baf46e60a242fe4788c063ccb3bf0a0e49 | ||
| ssdeep | 768:mCkMaJJTyA0j3jaxA2ZtJhydL5aM1aU9FqjkNblex89OgpzXAgAEFVpFtdFa:MZ | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (10cnts)
| Level | Description |
|---|---|
| warning | File has been identified by 26 AntiVirus engines on VirusTotal as malicious |
| watch | Executes one or more WMI queries |
| watch | Installs itself for autorun at Windows startup |
| watch | Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe |
| watch | Wscript.exe initiated network communications indicative of a script based payload download |
| watch | wscript.exe-based dropper (JScript |
| notice | Connects to a Dynamic DNS Domain |
| notice | Executes one or more WMI queries which can be used to identify virtual machines |
| notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
| info | Queries for the computername |
Rules (0cnts)
| Level | Name | Description | Collection |
|---|
Suricata ids
ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain
ET MALWARE WSHRAT CnC Checkin
ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
ET INFO DYNAMIC_DNS HTTP Request to a *.publicvm .com Domain