Field | Value |
---|---|
Created | 2024.08.07 13:25 |
Machine | s1_win7_x6402 |
Filename | kiz.js |
Type | Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators |
AI Score | Not found |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 15 detected (Malicious, score, Vjw0rm, Skiddo, Detected, Tnega) |
md5 | 00bf8ae55020bb2533b3a4eb875c5e4c |
sha256 | 0424a625aabe7d4c295b37f95b513341a1958714656ac5189b42aa9d03562631 |
ssdeep | 12288:mP+3QknC3fzI38v3WbI3Wed3q8u3xLX3k0z30Li309z3xt83yKl3BH339swxZOIQ:mPvwxZOIEnB |
imphash | |
impfuzzy | |
Network IP location
Signature (26cnts)
Level | Description |
---|---|
danger | The process wscript.exe wrote an executable file to disk which it then attempted to execute |
watch | Attempts to identify installed AV products by installation directory |
watch | Creates a windows hook that monitors keyboard input (keylogger) |
watch | Drops a binary and executes it |
watch | File has been identified by 15 AntiVirus engines on VirusTotal as malicious |
watch | Harvests credentials from local email clients |
watch | Harvests credentials from local FTP client softwares |
watch | Harvests information related to installed instant messenger clients |
watch | One or more non-whitelisted processes were created |
notice | A process attempted to delay the analysis task. |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Connects to a Dynamic DNS Domain |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Steals private information from local Internet browsers |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | One or more processes crashed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | Win32_Trojan_PWS_Net_1_Zero | Win32 Trojan PWS .NET Azorult | binaries (download) |
info | Is_DotNET_EXE | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
Network (8cnts)
Suricata ids
ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
ET INFO TLS Handshake Failure
ET HUNTING Telegram API Domain in DNS Lookup
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
ET POLICY External IP Lookup - checkip.dyndns.org
ET INFO 404/Snake/Matiex Keylogger Style External IP Check
ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI