ScreenShot
| Created | 2025.04.09 10:25 | Machine | s1_win7_x6401 |
| Filename | ori.js | ||
| Type | ASCII text, with very long lines, with CRLF line terminators | ||
| AI Score | Not founds | Behavior Score |
|
| ZERO API | file : malware | ||
| VT API (file) | 30 detected (javascript, jalapeno, Cryxos, many, gen1, ELBP, AADL, Malicious, score, Agensla, jpdkao, CLASSIC, Detected, Obfuse, RVBD, Eldorado, QQPass, QQRob, Rwhl, Maloader) | ||
| md5 | 01e995c96291c13d4ec3a08ebcdca4f6 | ||
| sha256 | 2a0c1351c878e5adef79827dabfb660e8450fd3a8d19b536071a7762875a9191 | ||
| ssdeep | 6144:eKUb2TCD3Gfn8E/3daJn68s+1bfFe45sqFydvjR0E:eKUaoe3GlfFV2qFydl0E | ||
| imphash | |||
| impfuzzy | |||
Network IP location
Signature (20cnts)
| Level | Description |
|---|---|
| danger | The process wscript.exe wrote an executable file to disk which it then attempted to execute |
| danger | File has been identified by 30 AntiVirus engines on VirusTotal as malicious |
| watch | A process attempted to delay the analysis task. |
| watch | Creates a windows hook that monitors keyboard input (keylogger) |
| watch | Drops a binary and executes it |
| watch | Harvests credentials from local email clients |
| watch | Looks for the Windows Idle Time to determine the uptime |
| watch | Makes SMTP requests |
| watch | One or more non-whitelisted processes were created |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Checks adapter addresses which can be used to detect virtual network interfaces |
| notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
| notice | Connects to smtp.gmail.com |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Steals private information from local Internet browsers |
| info | Checks amount of memory in system |
| info | Checks if process is being debugged by a debugger |
| info | One or more processes crashed |
| info | Queries for the computername |
Rules (11cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| danger | Win_Trojan_AgentTesla_M_B_Zero | Win Trojan AgentTesla | binaries (download) |
| warning | hide_executable_file | Hide executable file | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| info | Is_DotNET_EXE | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | OS_Memory_Check_Zero | OS Memory Check | binaries (download) |
| info | OS_Name_Check_Zero | OS Name Check Signature | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
