popup

Report - crosscheckrosefloweronhairbeauty.gIF.vbs

Generic Malware Antivirus PowerShell
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.12 16:01 Machine s1_win7_x6402
Filename crosscheckrosefloweronhairbeauty.gIF.vbs
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file) 8 detected (gen40, Startup, Detected, AgentTesla)
md5 7921681c6200952fdf2db1a77381ac24
sha256 06051fcdf49ca8dc96fecde6f1477cde2994a01f899ea063072e3c77789845fc
ssdeep 1536:yZccvQGghdpPZp+ogsUJW4Wrle/PhG+/kery+bGsvky38sv5HnIgs:QghdpP+og0S7e9
imphash
impfuzzy
  Network IP location

Signature (20cnts)

Level Description
danger The processes wscript.exe
watch Network communications indicative of a potential document or script payload download was initiated by the processes wscript.exe
watch One or more non-whitelisted processes were created
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice File has been identified by 8 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info PowerShell PowerShell script scripts

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
whois
Unknown 172.66.40.229 41177 mailcious
pastecode.dev
whois
Unknown 172.66.43.27 mailcious
ia803405.us.archive.org
whois
US INTERNET-ARCHIVE 207.241.232.195 mailcious
172.66.40.229
whois
Unknown 172.66.40.229 mailcious
207.241.232.195
whois
US INTERNET-ARCHIVE 207.241.232.195 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure