popup

Report - butterburnverysweetgirleated.gIF.vbs

Generic Malware Antivirus PowerShell
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.20 20:06 Machine s1_win7_x6402
Filename butterburnverysweetgirleated.gIF.vbs
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file) 5 detected (gen40)
md5 612b79418bc9dee5e9bf503df55a245c
sha256 154365daa42baad94fe2c6de17859212e407767de8f9e8e12c69b9623b63a7a0
ssdeep 3072:855555555gSf55555555e55555555Y55555555655555555jYx1R55555555qy5G:855555555h55555555e55555555Y555O
imphash
impfuzzy
  Network IP location

Signature (20cnts)

Level Description
danger The processes wscript.exe
watch Network communications indicative of a potential document or script payload download was initiated by the processes wscript.exe
watch One or more non-whitelisted processes were created
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates a shortcut to an executable file
notice Creates a suspicious process
notice File has been identified by 5 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests
notice Poweshell is sending data to a remote host
notice URL downloaded by powershell script
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (3cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
watch Antivirus Contains references to security software binaries (download)
info PowerShell PowerShell script scripts

Network (5cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://pastecode.dev/raw/6l7qjjrz/paste1.txt
whois
Unknown 172.66.40.229 41177 mailcious
pastecode.dev
whois
Unknown 172.66.40.229 mailcious
ia803405.us.archive.org
whois
US INTERNET-ARCHIVE 207.241.232.195 mailcious
172.66.40.229
whois
Unknown 172.66.40.229 mailcious
207.241.232.195
whois
US INTERNET-ARCHIVE 207.241.232.195 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Observed Pastebin-like Service Domain (pastecode .dev) in TLS SNI
ET INFO Pastebin-like Service Domain in DNS Lookup (pastecode .dev)

Similarity measure (PE file only) - Checking for service failure