popup

Report - info.vbe

AntiDebug AntiVM
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.06.26 10:14 Machine s1_win7_x6402
Filename info.vbe
Type data
AI Score Not founds Behavior Score
5.6
ZERO API file : clean
VT API (file) 34 detected (Malicious, score, COINMINE, edxafr, CLASSIC, DWHS, StartPage, Adodb, Detected, Malware@#3nvl5y3ejddip, Ychl, Etecer, bVl1Gm, ai score=94, PossibleThreat)
md5 e9ffdb716af3d355b25096a8ed4de8ef
sha256 30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
ssdeep 24:G9GmLkcIxkoLdlsmSh3AtPgNZQGTJNCURs69ywNypqz2H+rgdtbxMysfT:G9GmLhatLAh3A+ug84s69hTSQaxMyW
imphash
impfuzzy
  Network IP location

Signature (10cnts)

Level Description
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
danger File has been identified by 34 AntiVirus engines on VirusTotal as malicious
watch One or more non-whitelisted processes were created
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Yara rule detected in process memory
info Command line console output was observed

Rules (8cnts)

Level Name Description Collection
info anti_dbg Checks if being debugged memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.testswork.ru/tmp2.exe
whois
IR Iran Telecommunication Company PJS 82.97.240.167 40474 mailcious
testswork.ru
whois
IR Iran Telecommunication Company PJS 82.97.240.167 mailcious
www.testswork.ru
whois
IR Iran Telecommunication Company PJS 82.97.240.167 mailcious
82.97.240.167
whois
IR Iran Telecommunication Company PJS 82.97.240.167 mailcious

Suricata ids

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Similarity measure (PE file only) - Checking for service failure