File name: | 1873-949513-667212.vbs |
Full analysis: | https://app.any.run/tasks/8b6a18bb-eb6b-4cf3-823c-4c07062363e0 |
Verdict: | Malicious activity |
Analysis date: | March 14, 2019, 14:03:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | 2BB8D4994B8BD261A21B40F74925DA60 |
SHA1: | 8C3EDDAD37786EAE47D129DA0C028156DE7AB653 |
SHA256: | EEA8A9327288A4E4DCB6966B4EC21800E9399563D7F8134D645302DB5841712E |
SSDEEP: | 1536:l6vkqXbTNOMQiA08D3gVoizHNOMEGXyAnBvpf3MaBF749GuRx7Vot7w0mnBQ4/Ca:8W1WZXawt20jhGzgj8em |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3564 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\1873-949513-667212.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2712 | "C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp/GiHbf.dll | C:\Windows\System32\regsvr32.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4000 | C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\GiHbf.dll,f0 | C:\Windows\system32\rundll32.exe | regsvr32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3564) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3564) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3564 | WScript.exe | C:\Users\admin\AppData\Local\Temp\GiHbf.dll | executable | |
MD5:07F6603137CFD0822C886BAFDB9072AE | SHA256:A00540421AD31AE9B80024493229A29DA902C6B1F2918AD171E84D1EA1A8369F | |||
3564 | WScript.exe | C:\Users\admin\AppData\Local\Temp\temps | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4000 | rundll32.exe | 209.79.97.165:443 | — | AT&T Internet Services | US | malicious |
4000 | rundll32.exe | 36.133.59.144:443 | — | Guangdong Mobile Communication Co.Ltd. | CN | malicious |
4000 | rundll32.exe | 178.24.124.43:443 | — | Vodafone Kabel Deutschland GmbH | DE | malicious |
4000 | rundll32.exe | 14.163.25.64:443 | — | VNPT Corp | VN | malicious |
4000 | rundll32.exe | 185.92.222.238:443 | — | Choopa, LLC | NL | malicious |
4000 | rundll32.exe | 49.63.85.120:443 | — | Korea Telecom | KR | malicious |
4000 | rundll32.exe | 192.71.249.51:443 | — | lcp nv | BE | malicious |
4000 | rundll32.exe | 82.153.140.44:443 | — | Kcom Group Plc | GB | malicious |
PID | Process | Class | Message |
---|---|---|---|
4000 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
4000 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
4000 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
4000 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
4000 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
4000 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |
4000 | rundll32.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Spy.Danabot.I |