popup

Report - YesBnk_Transaction_File_9812009_End_Ids_YESBR5_Pdf.js

  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2024.07.29 16:44 Machine s1_win7_x6402
Filename YesBnk_Transaction_File_9812009_End_Ids_YESBR5_Pdf.js
Type ASCII text, with very long lines, with no line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file) 21 detected (GenericKD, ABHL, iacgm, Kryptik, TOPIS, VydELRugocG, MulDrop28, Detected, ai score=85, Leonem, Ogil, Javascript)
md5 117bc3a7fa3309e3f443ea02c267f1d4
sha256 3b8d52fd0dc9b98235b8558bcf9312ac7aafcac32f100727671cc0f1be325911
ssdeep 1536:8mAsDLCt+0h4o5YkJI4GvtKeMquLlBpcGts0KwByGzRL:8mPnCE0h4oCYI4GvtKFquLlB11BysRL
imphash
impfuzzy
  Network IP location

Signature (21cnts)

Level Description
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
warning File has been identified by 21 AntiVirus engines on VirusTotal as malicious
watch Drops a binary and executes it
watch Installs itself for autorun at Windows startup
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch One or more non-whitelisted processes were created
watch Wscript.exe initiated network communications indicative of a script based payload download
watch wscript.exe-based dropper (JScript
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Creates (office) documents on the filesystem
notice Creates a shortcut to an executable file
notice Creates executable files on the filesystem
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Queries for potentially installed applications
notice Searches running processes potentially to identify processes for sandbox evasion
notice Terminates another process
notice Uses Windows utilities for basic Windows functionality
info Queries for the computername
info Tries to locate where the browsers are installed

Rules (0cnts)

Level Name Description Collection

Network (4cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://ddfcbb9325637bcdeff.mxttbszhh1.free.hr/oauth/pdf/Monetary_Funding_Sheet_2024.pdf
whois
US CLOUDFLARENET 172.67.154.165 clean
https://ddfcbb9325637bcdeff.mxttbszhh1.free.hr/oauth/pdf/Monetary_Funding_Sheet_2024.js
whois
US CLOUDFLARENET 172.67.154.165 mailcious
ddfcbb9325637bcdeff.mxttbszhh1.free.hr
whois
US CLOUDFLARENET 104.21.5.141 mailcious
172.67.154.165
whois
US CLOUDFLARENET 172.67.154.165 mailcious

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure