Report - wis2war.vbs

Hide_EXE Anti_VM PE File
ScreenShot
Created 2023.08.11 09:44 Machine s1_win7_x6401
Filename wis2war.vbs
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file) 30 detected (Valyria, Save, Dunihi, Skiddo, Malicious, score, iwquii, Ddhl, VPTL, ai score=81, WarzoneRAT, Wacatac, Detected, TOPIS, 8Pczf7R4UFS)
md5 72fab82acb233fa5b2d7aeb5cecf14bb
sha256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
ssdeep 6144:MhFLSUbTzDvAaRZMF2nkKA3T7oB32XsPhY0/QSE2lGNpUoB+mZIS7/942c:ctxrPgwivYeSV4pR7/M
imphash
impfuzzy
  Network IP location

Signature (19cnts)

Level Description
danger Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually)
danger File has been identified by 30 AntiVirus engines on VirusTotal as malicious
watch Drops a binary and executes it
watch Executes one or more WMI queries
watch Installs itself for autorun at Windows startup
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch One or more non-whitelisted processes were created
watch The process wscript.exe wrote an executable file to disk
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript
notice Allocates read-write-execute memory (usually to unpack itself)
notice Connects to a Dynamic DNS Domain
notice Creates executable files on the filesystem
notice Executes one or more WMI queries which can be used to identify virtual machines
notice Looks up the external IP address
notice Performs some HTTP requests
notice Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation
info One or more processes crashed
info Queries for the computername

Rules (3cnts)

Level Name Description Collection
warning hide_executable_file Hide executable file binaries (download)
notice anti_vm_detect Possibly employs anti-virtualization techniques binaries (download)
info PE_Header_Zero PE File Signature binaries (download)

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ip-api.com/json/ US TUT-AS 208.95.112.1 clean
chongmei33.publicvm.com SG M247 Ltd 103.47.144.15 mailcious
ip-api.com US TUT-AS 208.95.112.1 clean
103.47.144.15 SG M247 Ltd 103.47.144.15 clean
208.95.112.1 US TUT-AS 208.95.112.1 clean

Suricata ids



Similarity measure (PE file only) - Checking for service failure