popup

Report - htmlvb.vbs

Generic Malware Antivirus PowerShell
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.21 18:17 Machine s1_win7_x6401
Filename htmlvb.vbs
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
AI Score Not founds Behavior Score
9.0
ZERO API file : clean
VT API (file) 7 detected (Detected, Eldorado, TOPIS, uPNoVYRQDnJ)
md5 a106d0b5d4423dbcb1b7551cc6f011b1
sha256 4fd88f1d3e53c5c526fff164603be0fddaa0a7297d94dbc360786b6a9f75b6eb
ssdeep 3072:VWaWTJAWDkJ8WSW4W2WcWLW2W5WWWayCy0JPnBFgvwwHxN3R8Nh4G1JoCBm5jQ8F:VWaWTJAWAJ8WSW4W2WcWLW2W5WWW3fi4
imphash
impfuzzy
  Network IP location

Signature (21cnts)

Level Description
danger The processes wscript.exe
watch Creates a suspicious Powershell process
watch Network communications indicative of a potential document or script payload download was initiated by the processes wscript.exe
watch One or more non-whitelisted processes were created
watch Wscript.exe initiated network communications indicative of a script based payload download
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice File has been identified by 7 AntiVirus engines on VirusTotal as malicious
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info PowerShell PowerShell script scripts

Network (7cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://apps.identrust.com/roots/dstrootcax3.p7c
whois
US Akamai International B.V. 23.67.53.17 clean
https://paste.ee/d/gIIFw
whois
US CLOUDFLARENET 104.21.84.67 clean
paste.ee
whois
US CLOUDFLARENET 172.67.187.200 mailcious
uploaddeimagens.com.br
whois
US CLOUDFLARENET 104.21.45.138 malware
104.21.84.67
whois
US CLOUDFLARENET 104.21.84.67 malware
23.43.165.66
whois
US CCCH-3 23.43.165.66 clean
172.67.215.45
whois
US CLOUDFLARENET 172.67.215.45 malware

Suricata ids

ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure