popup

Report - sostener.vbs

Generic Malware Antivirus PowerShell
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.10 13:39 Machine s1_win7_x6403
Filename sostener.vbs
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file)
md5 af7ba7e4a9c914e8497936eb7b6ae725
sha256 29baf4677a7faf2847044cfb9739fd440d5bf7038a2d49e991fcdec7207956be
ssdeep 1536:yZccvQGghdpPZp+ogsUJW4Wrle/PhG+/kery+bGhF6J3Qjsv5HnIgs:QghdpP+og0S7SFv3
imphash
impfuzzy
  Network IP location

Signature (20cnts)

Level Description
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
watch Attempts to create or modify system certificates
watch Network communications indicative of a potential document or script payload download was initiated by the processes wscript.exe
watch One or more non-whitelisted processes were created
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info PowerShell PowerShell script scripts

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
whois
Unknown 172.66.40.229 clean
pastecode.dev
whois
Unknown 172.66.43.27 clean
ia803405.us.archive.org
whois
US INTERNET-ARCHIVE 207.241.232.195 mailcious
172.66.40.229
whois
Unknown 172.66.40.229 clean
207.241.232.195
whois
US INTERNET-ARCHIVE 207.241.232.195 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure