popup

Report - n.txt.vbs

Generic Malware Antivirus PowerShell
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.10.20 17:37 Machine s1_win7_x6401
Filename n.txt.vbs
Type ASCII text, with CRLF line terminators
AI Score Not founds Behavior Score
7.6
ZERO API file : mailcious
VT API (file)
md5 d3a0f829492384059994c6d1c53d9d5f
sha256 2b27f3f5cfb2ab5a728a0c33f33977c6290578b142cd1c311d665d2a16bd44c9
ssdeep 6:X4ftGTygG0RxUpeC4RxWPfgF8XIRxWrSzYRxq5fDoCtq9NuPMo2lw5XXUyCXSMX8:oftDgGoEeCc9Qm8o5boCtq+Ppnfiuv
imphash
impfuzzy
  Network IP location

Signature (18cnts)

Level Description
danger The processes wscript.exe
watch Communicates with host for which no DNS query was performed
watch Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch One or more non-whitelisted processes were created
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice One or more potentially interesting buffers were extracted
notice Poweshell is sending data to a remote host
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (4cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info PowerShell PowerShell script scripts
info PowershellDI Extract Download/Invoke calls from powershell script scripts

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://185.81.157.213:222/a3.jpg
whois
FR Inulogic Sarl 185.81.157.213 malware
185.81.157.213
whois
FR Inulogic Sarl 185.81.157.213 mailcious
172.111.167.99
whois
GB M247 Ltd 172.111.167.99 mailcious

Suricata ids

ET HUNTING [TW] Likely Hex Executable String
ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps

Similarity measure (PE file only) - Checking for service failure