File name: Juzgado 61 Administrativo Circuito #646862.vbe

Full analysis: https://app.any.run/tasks/35030967-22ae-4a05-aca1-fdd1c0efc59a
Verdict: Malicious activity
Threats:

Trojans are malicious programs that masquerade as benign software. Their capabilities vary by family, from full remote control of the victim's machine to stealing data and files and dropping other malware; the most common infection chain starts with a phishing email. This sample is tagged dunihi, the VBScript family also known as Houdini or H-Worm (see the IDS alerts in the Threats table below).

Analysis date: May 20, 2019, 22:58:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
dunihi
Indicators:
MIME: application/octet-stream
File info: data
MD5: 71ED0BF42E970573E9D0012CD21211E1
SHA1: 71CCBEBA75A06108634AFD3D397C7126CFA73CFE
SHA256: 965808A592A0643598544EF28B9A3ABD5677CD55B4390F5F86C9EFCB2B0A7481
SSDEEP: 1536:wyWCSEqiw0xbizetD7ajuI1mr6/lwK90IfjcTbr6/FFnMdNn1f5HQ+mdhWK0l:wyY9q7Gk2/lF0ogTbr6/FFnM7n163dYH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • wscript.exe (PID: 3952)
      • WScript.exe (PID: 3288)
    • Changes the autorun value in the registry

      • wscript.exe (PID: 3952)
      • WScript.exe (PID: 3288)
    • Connects to CnC server

      • wscript.exe (PID: 3952)
    • DUNIHI was detected

      • wscript.exe (PID: 3952)
  • SUSPICIOUS

    • Creates files in the user directory

      • wscript.exe (PID: 3952)
      • WScript.exe (PID: 3288)
    • Application launched itself

      • WScript.exe (PID: 3288)
    • Executes scripts

      • WScript.exe (PID: 3288)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
Total processes: 34
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> WScript.exe (PID 3288) -> wscript.exe (PID 3952) #DUNIHI

Process information

PID 3288
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Juzgado 61 Administrativo Circuito #646862.vbe"
  Path: C:\Windows\System32\WScript.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385

PID 3952
  CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\BSxtKCnLwv.vbs"
  Path: C:\Windows\System32\wscript.exe
  Parent process: WScript.exe (PID 3288)
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385
Total events: 345
Read events: 279
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 5
Unknown types: 0

Dropped files

PID   Process      Type    Filename
3288  WScript.exe  text    C:\Users\admin\AppData\Roaming\BSxtKCnLwv.vbs
                           MD5: 6EF86291C274C0A96E2CFAC13875512E
                           SHA256: 5B3005A3B012CDFC9169850C2EFE1620CE845333EF0DA841033BB4114BE685CB
3288  WScript.exe  binary  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Juzgado 61 Administrativo Circuito #646862.vbe
                           MD5: 71ED0BF42E970573E9D0012CD21211E1
                           SHA256: 965808A592A0643598544EF28B9A3ABD5677CD55B4390F5F86C9EFCB2B0A7481
3952  wscript.exe  text    C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BSxtKCnLwv.vbs
                           MD5: 6EF86291C274C0A96E2CFAC13875512E
                           SHA256: 5B3005A3B012CDFC9169850C2EFE1620CE845333EF0DA841033BB4114BE685CB
3288  WScript.exe  ini     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
                           MD5: 4A3DEB274BB5F0212C2419D3D8D08612
                           SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3288  WScript.exe  ini     C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
                           MD5: 4A3DEB274BB5F0212C2419D3D8D08612
                           SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

Note: the Startup copy of the .vbe has the same MD5/SHA256 as the submitted sample (the script copies itself into the Startup folder for persistence), and the Startup copy of BSxtKCnLwv.vbs matches the copy first written to AppData\Roaming. The two desktop.ini files are ordinary Temporary Internet Files cache metadata created when the script host initialised the WinINet cache; they are not payloads.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 18
DNS requests: 3
Threats: 0

HTTP requests

PID   Process      Method  HTTP code  IP                   URL                                  CN  Type  Size  Reputation
3952  wscript.exe  POST    -          23.105.131.225:3456  http://savelifes.tech:3456/is-ready  US  -     -     malicious
      (the row above occurs 7 times; no response was recorded for these requests)
3952  wscript.exe  POST    200        23.105.131.225:3456  http://savelifes.tech:3456/is-ready  US  text  12 b  malicious
      (the row above occurs 3 times)

Connections

PID   Process      IP                   Domain                      ASN                                 CN  Reputation
3952  wscript.exe  23.105.131.225:3456  savelifes.tech              Nobis Technology Group, LLC         US  malicious
-     -            23.105.131.225:3456  savelifes.tech              Nobis Technology Group, LLC         US  malicious
      (second connection to the same endpoint; not attributed to a PID in the report)
3288  WScript.exe  191.88.248.244:7172  registroclient.duckdns.org  EPM Telecomunicaciones S.A. E.S.P.  CO  malicious

DNS requests

Domain                      IP              Reputation
savelifes.tech              23.105.131.225  malicious
registroclient.duckdns.org  191.88.248.244  malicious

Threats

PID   Process      Class                          Message
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3952  wscript.exe  A Network Trojan was detected  MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
-     -            Misc activity                  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
-     -            Misc activity                  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
3952  wscript.exe  A Network Trojan was detected  MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3952  wscript.exe  A Network Trojan was detected  ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
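As an added example (not ANY.RUN's code and not part of the report), the following Python applies the network indicators above to constructed HTTP and DNS log text: a POST to the /is-ready check-in path on a non-standard port, repeated requests to one URL, the share of requests that got no answer, and lookups of dynamic-DNS names such as *.duckdns.org. The tab-separated column layout is this example's own (not Zeek's), and the client address 10.0.0.5, the timestamps and the example.com row are assumptions; the C2 host, IP, port, URI, the 7 unanswered and 3 answered POSTs, the 12-byte replies and the duckdns.org lookup come from the report.

```python
"""Network-side detection of the Houdini check-in in the report (added example,
not ANY.RUN's code). The log text is constructed: the column layout, client
address 10.0.0.5, timestamps and the example.com row are assumptions; the C2
host, IP, port, URI, request/response counts and the duckdns.org lookup are the
report's."""
import csv
import io
from collections import Counter

CHECKIN_URIS = {"/is-ready"}                 # Houdini check-in path seen in the report
COMMON_HTTP_PORTS = {80, 443, 8080}
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")


def make_http_log():
    """Constructed HTTP log: 10 POSTs to the C2 (7 unanswered, 3 answered) plus one benign GET."""
    rows = [("ts", "src", "dst", "dport", "method", "host", "uri", "status", "resp_bytes")]
    for i in range(10):                                   # assumed beacon interval: 5 s
        status, size = ("200", "12") if i >= 7 else ("-", "0")
        rows.append((str(1558393130 + 5 * i), "10.0.0.5", "23.105.131.225", "3456",
                     "POST", "savelifes.tech", "/is-ready", status, size))
    rows.append(("1558393100", "10.0.0.5", "198.51.100.10", "80",
                 "GET", "example.com", "/", "200", "1256"))   # constructed benign row
    return "\n".join("\t".join(r) for r in rows) + "\n"


def make_dns_log():
    """Constructed DNS log with the report's two lookups and one benign name."""
    rows = [("ts", "src", "query", "answer"),
            ("1558393128", "10.0.0.5", "savelifes.tech", "23.105.131.225"),
            ("1558393129", "10.0.0.5", "registroclient.duckdns.org", "191.88.248.244"),
            ("1558393099", "10.0.0.5", "example.com", "198.51.100.10")]
    return "\n".join("\t".join(r) for r in rows) + "\n"


def parse_tsv(text):
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def http_findings(rows):
    """Per-request rules, de-duplicated: check-in URI and HTTP on an uncommon port."""
    found = set()
    for r in rows:
        port = int(r["dport"])
        if r["method"] == "POST" and r["uri"] in CHECKIN_URIS:
            found.add(("houdini_checkin_uri", f"{r['host']}:{port}{r['uri']}"))
        if port not in COMMON_HTTP_PORTS:
            found.add(("http_on_uncommon_port", f"{r['host']}:{port}"))
    return sorted(found)


def beacon_findings(rows, min_count=5):
    """Flag (client, host, uri) triples requested at least min_count times."""
    counts = Counter((r["src"], r["host"], r["uri"]) for r in rows)
    return [("beaconing", key, n) for key, n in sorted(counts.items()) if n >= min_count]


def answered(rows, host):
    """(answered, total) requests to host; the report shows 3 of 10 answered."""
    mine = [r for r in rows if r["host"] == host]
    return sum(r["status"] != "-" for r in mine), len(mine)


def dns_findings(rows):
    """Queries for names under well-known dynamic-DNS providers (ET INFO DYNAMIC_DNS)."""
    return sorted({("dynamic_dns_query", r["query"])
                   for r in rows if r["query"].lower().endswith(DDNS_SUFFIXES)})


if __name__ == "__main__":
    http = parse_tsv(make_http_log())
    for f in http_findings(http) + beacon_findings(http):
        print(f)
    print("answered:", answered(http, "savelifes.tech"))
    for f in dns_findings(parse_tsv(make_dns_log())):
        print(f)
```

The beacon rule needs a count threshold rather than a single request because the first seven POSTs in the report never received a response: a sandbox that cut the run short after one or two requests would see only a POST to an odd port, and the check-in URI alone is the strongest single indicator the page offers.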
No debug info