Report - au.js

Malicious Library Malicious Packer .NET framework(MSIL) UPX PE File .NET EXE PE32
ScreenShot
Created 2024.07.31 10:26 Machine s1_win7_x6403_us
Filename au.js
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
AI Score Not founds Behavior Score
11.6
ZERO API file : clean
VT API (file) 16 detected (Malicious, score, Vjw0rm, Skiddo, Detected, Tnega, 1ZF4QB)
md5 dbe4c84c471b795ec32210638cd177cd
sha256 3617a5d88304e87dba38646c8609d695e9fe265a49266c17e05ec41a960fd92b
ssdeep 49152:zL4XsODIgBqMyCt3kFrO/p7ZSNRAzCgsW:+
imphash
impfuzzy
  Network IP location

Signature (25cnts)

Level Description
danger The process wscript.exe wrote an executable file to disk which it then attempted to execute
watch Attempts to create or modify system certificates
watch Attempts to identify installed AV products by installation directory
watch Communicates with host for which no DNS query was performed
watch Drops a binary and executes it
watch File has been identified by 16 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client softwares
watch Harvests information related to installed instant messenger clients
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Connects to a Dynamic DNS Domain
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername
info Uses Windows APIs to generate a cryptographic key

Rules (7cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
watch UPX_Zero UPX packed file binaries (download)
watch Win32_Trojan_PWS_Net_1_Zero Win32 Trojan PWS .NET Azorult binaries (download)
info Is_DotNET_EXE (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)

Network (9cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://checkip.dyndns.org/ US ORACLE-BMC-31898 193.122.130.0 clean
https://reallyfreegeoip.org/xml/175.208.134.152 US CLOUDFLARENET 172.67.177.134 clean
api.telegram.org GB Telegram Messenger Inc 149.154.167.220 mailcious
reallyfreegeoip.org US CLOUDFLARENET 104.21.67.152 clean
checkip.dyndns.org US ORACLE-BMC-31898 193.122.130.0 clean
193.122.6.168 US ORACLE-BMC-31898 193.122.6.168 clean
62.133.61.43 RU Perviy TSOD LLC 62.133.61.43 malware
172.67.177.134 US CLOUDFLARENET 172.67.177.134 clean
149.154.167.220 GB Telegram Messenger Inc 149.154.167.220 mailcious

Suricata ids



Similarity measure (PE file only) - Checking for service failure