| File name: | TNT Collection Request BH7 178845.js |
| Full analysis: | https://app.any.run/tasks/256c1cd0-77ca-496b-a459-ecf887a86a1e |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | September 19, 2019, 04:41:24 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines |
| MD5: | B28DED06BD8BF831365F48823C0B06F6 |
| SHA1: | 554BFC93BE07783E48A0DAC00EBD2B445E194E2F |
| SHA256: | 382A31D812736E03A8F6310EF0C6CF0864610C4E4AF103F298E1594C357EC09A |
| SSDEEP: | 3072:zvgOngX1oQl+AakDVusQyXg5GWBrseH/8Erbb4wy6Qp:zvgOngKQOkDzg/Brs0Ty |
MALICIOUS
Changes the autorun value in the registry
- WScript.exe (PID: 3792)
- wscript.exe (PID: 2896)
- wscript.exe (PID: 5884)
Writes to a start menu file
- WScript.exe (PID: 3792)
- wscript.exe (PID: 2896)
- wscript.exe (PID: 5884)
WSHRAT was detected
- wscript.exe (PID: 2896)
- wscript.exe (PID: 5884)
Connects to CnC server
- wscript.exe (PID: 2896)
- wscript.exe (PID: 5884)
SUSPICIOUS
Reads the machine GUID from the registry
- WScript.exe (PID: 3792)
- wscript.exe (PID: 5884)
- wscript.exe (PID: 2896)
Application launched itself
- WScript.exe (PID: 3792)
- wscript.exe (PID: 5884)
Creates files in the user directory
- WScript.exe (PID: 3792)
- wscript.exe (PID: 2896)
Executes scripts
- WScript.exe (PID: 3792)
- wscript.exe (PID: 5884)
Checks for external IP
- wscript.exe (PID: 5884)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
97
Monitored processes
4
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2896 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js" | C:\Windows\System32\wscript.exe | WScript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3484 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js" | C:\Windows\System32\wscript.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3792 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\TNT Collection Request BH7 178845.js" | C:\Windows\System32\WScript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 5884 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\TNT Collection Request BH7 178845.js" | C:\Windows\System32\wscript.exe | WScript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
1 190
Read events
1 156
Write events
34
Delete events
0
Modification events
| (PID) Process: | (3792) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3792) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3792) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3792) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3792) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | TNT Collection Request BH7 178845 |
Value: wscript.exe //B "C:\Users\admin\AppData\Local\Temp\TNT Collection Request BH7 178845.js" | |||
| (PID) Process: | (2896) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | YLFuizCVuT |
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\YLFuizCVuT.js" | |||
| (PID) Process: | (5884) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (5884) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (5884) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (5884) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
0
Suspicious files
0
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3792 | WScript.exe | C:\Users\admin\AppData\Roaming\YLFuizCVuT.js | text | |
MD5:— | SHA256:— | |||
| 3792 | WScript.exe | C:\Users\admin\AppData\Local\Temp\TNT Collection Request BH7 178845.js | text | |
MD5:— | SHA256:— | |||
| 5884 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNT Collection Request BH7 178845.js | text | |
MD5:— | SHA256:— | |||
| 2896 | wscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YLFuizCVuT.js | text | |
MD5:— | SHA256:— | |||
| 5884 | wscript.exe | C:\Users\admin\AppData\Roaming\YLFuizCVuT.js | text | |
MD5:— | SHA256:— | |||
| 3792 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TNT Collection Request BH7 178845.js | text | |
MD5:— | SHA256:— | |||
| 5884 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\json[1].json | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
5
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2896 | wscript.exe | POST | — | 45.79.48.200:7757 | http://pluginsrv1.duckdns.org:7757/is-ready | US | — | — | malicious |
5884 | wscript.exe | POST | — | 154.124.195.86:2813 | http://2813.noip.me:2813/is-ready | SN | — | — | malicious |
5884 | wscript.exe | GET | 200 | 54.38.92.92:80 | http://ip-api.com/json/ | FR | text | 305 b | malicious |
2896 | wscript.exe | POST | — | 45.79.48.200:7757 | http://pluginsrv1.duckdns.org:7757/is-ready | US | — | — | malicious |
5884 | wscript.exe | POST | — | 154.124.195.86:2813 | http://2813.noip.me:2813/is-ready | SN | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2896 | wscript.exe | 45.79.48.200:7757 | pluginsrv1.duckdns.org | Linode, LLC | US | malicious |
5884 | wscript.exe | 54.38.92.92:80 | ip-api.com | OVH SAS | FR | malicious |
5884 | wscript.exe | 154.124.195.86:2813 | 2813.noip.me | Autonomous System | SN | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pluginsrv1.duckdns.org |
| malicious |
ip-api.com |
| malicious |
2813.noip.me |
| malicious |
self.events.data.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1956 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
5884 | wscript.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
5884 | wscript.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com) |
2896 | wscript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
2896 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
5884 | wscript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
5884 | wscript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |