ScreenShot
| Created | 2024.07.31 10:26 | Machine | s1_win7_x6403_us |
| Filename | au.js | ||
| Type | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 16 detected (Malicious, score, Vjw0rm, Skiddo, Detected, Tnega, 1ZF4QB) | ||
| md5 | dbe4c84c471b795ec32210638cd177cd | ||
| sha256 | 3617a5d88304e87dba38646c8609d695e9fe265a49266c17e05ec41a960fd92b | ||
| ssdeep | 49152:zL4XsODIgBqMyCt3kFrO/p7ZSNRAzCgsW:+ | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (25cnts)
| Level | Description |
|---|---|
| danger | The process wscript.exe wrote an executable file to disk which it then attempted to execute |
| watch | Attempts to create or modify system certificates |
| watch | Attempts to identify installed AV products by installation directory |
| watch | Communicates with host for which no DNS query was performed |
| watch | Drops a binary and executes it |
| watch | File has been identified by 16 AntiVirus engines on VirusTotal as malicious |
| watch | Harvests credentials from local email clients |
| watch | Harvests credentials from local FTP client softwares |
| watch | Harvests information related to installed instant messenger clients |
| watch | One or more non-whitelisted processes were created |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Connects to a Dynamic DNS Domain |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
| notice | Looks up the external IP address |
| notice | Performs some HTTP requests |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
| info | Uses Windows APIs to generate a cryptographic key |
Rules (7cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
Network (9cnts) ?
Suricata ids
ET INFO TLS Handshake Failure
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET HUNTING Telegram API Domain in DNS Lookup
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET HUNTING Telegram API Domain in DNS Lookup