BREH_601220432340_15062020.vbs
This report is generated from a file or URL submitted to this webservice on June 16th 2020 13:57:25 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior: contacts 5 domains and 5 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators (2)
Network Related
Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "192.185.129.64": ...
Found malicious artifacts related to "192.185.164.88": ...
Found malicious artifacts related to "192.185.180.29": ...
- source: Network Traffic
- relevance: 10/10
Multiple malicious artifacts seen in the context of different hosts
- details: the same artifacts listed above for 192.185.129.64, 192.185.164.88 and 192.185.180.29
- source: Network Traffic
- relevance: 10/10
Suspicious Indicators (3)
Installation/Persistence
Executes a visual basic script
- details: process "wscript.exe" with commandline "C:\BREH_601220432340_15062020.vbs"
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1064
Network Related
Contacts Random Domain Names
- details: "festalgroup.in" seems to be random
- source: Network Traffic
- relevance: 5/10
Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 172.67.205.130 on port 80 is sent without HTTP header
TCP traffic to 192.185.129.64 on port 80 is sent without HTTP header
TCP traffic to 192.185.164.88 on port 80 is sent without HTTP header
TCP traffic to 194.31.42.8 on port 80 is sent without HTTP header
TCP traffic to 192.185.180.29 on port 80 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
- ATT&CK ID: T1043
Informative (6)
General
Contacts domains
- details:
"zadelm.com"
"sathyamadvisory.in"
"mioscentrofisioterapico.it"
"casaitaliana.md"
"festalgroup.in"
- source: Network Traffic
- relevance: 1/10
Contacts server
- details:
"172.67.205.130:80"
"192.185.129.64:80"
"192.185.164.88:80"
"194.31.42.8:80"
"192.185.180.29:80"
- source: Network Traffic
- relevance: 1/10
Logged script engine calls
- details:
"wscript.exe" called "WScript.Shell.1.CreateObject" ...
"wscript.exe" called "Msxml2.ServerXMLHTTP.6.0.CreateObject" ...
"wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
- source: API Call
- relevance: 10/10
Installation/Persistence
Touches files in the Windows directory
- details:
"wscript.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"
"wscript.exe" touched file "%WINDIR%\System32\msxml6r.dll"
"wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
"wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
"wscript.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"wscript.exe" touched file "%WINDIR%\system32\en\KERNELBASE.dll.mui"
"wscript.exe" touched file "%WINDIR%\System32\netmsg.dll"
"wscript.exe" touched file "%WINDIR%\System32\en-US\winhttp.dll.mui"
"wscript.exe" touched file "%WINDIR%\System32\en-US\msxml6r.dll.mui"
- source: API Call
- relevance: 7/10
Network Related
Found potential URL in binary/memory
- details: heuristic matches for each contacted domain and for the HTTP request sent to it
"zadelm.com"
GET /cigkvy/88888.png HTTP/1.1 (Host: zadelm.com)
"sathyamadvisory.in"
GET /cxqfekogfhe/88888.png HTTP/1.1 (Host: sathyamadvisory.in)
"mioscentrofisioterapico.it"
GET /nobtyyxi/88888.png HTTP/1.1 (Host: mioscentrofisioterapico.it)
"casaitaliana.md"
GET /fecntrfwku/88888.png HTTP/1.1 (Host: casaitaliana.md)
"festalgroup.in"
GET /forxru/88888.png HTTP/1.1 (Host: festalgroup.in)
Every matched request carries the same headers apart from Host: Connection: Keep-Alive, Accept: */*, Accept-Language: en-us, User-Agent: MasantaLalte
- source: File/Memory
- relevance: 10/10
Unusual Characteristics
Installs hooks/patches the running process
- details:
"wscript.exe" wrote bytes "e7397477e1a678772e717877ee29787785e273776da07877906477773ad57e7726e47377d16d7877003d7677804b767700000000ad3715768b2d1576b641157600000000" to virtual address "0x74FF1000" (part of module "WSHIP6.DLL")
"wscript.exe" wrote bytes "fae67377e1a678772e717877ee29787785e273776da0787726e47377d16d7877003d7677804b767700000000ad3715768b2d1576b641157600000000" to virtual address "0x74AC1000" (part of module "WSHTCPIP.DLL")
"wscript.exe" wrote bytes "c04e767720547777e0657777b53878770000000000d09b7500000000c5ea9b750000000088ea9b7500000000e9687d7582287877ee29787700000000d2697d75000000007dbb9b750000000009be7d7500000000ba189b7500000000" to virtual address "0x77131000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
File Details
BREH_601220432340_15062020.vbs
- Filename: BREH_601220432340_15062020.vbs
- Size: 36MiB (37966407 bytes)
- Type: script vbs
- Description: data
- Architecture: WINDOWS
- SHA256: 53f4b6dfca4e956eca0199722171d2e6e3811165e10e57336a6c8c92b33bf22c
- MD5: 0b0531ebcdf295544ecf94e9159402f9
- SHA1: eaf2347c2b1608484eaf06ee24c7311d3ad00f98
- ssdeep: 3072:Y4eaQRrbogfFqlYspwaYIzQ4CDfq9IZdjeSYqzteCw+0fJB0:YtRbogspw/EmrqKHewh
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\BREH_601220432340_15062020.vbs" (PID: 3492)
Network Analysis
DNS Requests
Domain | Address | TTL | Registrar | Country
---|---|---|---|---
casaitaliana.md | 194.31.42.8 | 21599 | - | Moldova, Republic of
festalgroup.in | 192.185.180.29 | 14208 | www.name.com (Name Server: ns767.websitewelcome.com; Creation Date: Thu, 11 Apr 2019 08:21:36 GMT) | United States
mioscentrofisioterapico.it | 192.185.164.88 | 14399 | 1 Api GmbH (Name Servers: ns1374.websitewelcome.com, ns1373.websitewelcome.com; Creation Date: Wed, 15 Jul 2015 15:06:43 GMT) | United States
sathyamadvisory.in | 192.185.129.64 | 164 | - | United States
zadelm.com | 172.67.205.130 | 45 | - | United States
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
172.67.205.130 | 80/TCP | wscript.exe (PID: 3492) | United States
192.185.129.64 | 80/TCP | wscript.exe (PID: 3492) | United States
192.185.164.88 | 80/TCP | wscript.exe (PID: 3492) | United States
194.31.42.8 | 80/TCP | wscript.exe (PID: 3492) | Moldova, Republic of
192.185.180.29 | 80/TCP | wscript.exe (PID: 3492) | United States
Contacted Countries
HTTP Traffic
Endpoint | Request | URL
---|---|---
172.67.205.130:80 (zadelm.com) | GET | zadelm.com/cigkvy/88888.png
192.185.129.64:80 (sathyamadvisory.in) | GET | sathyamadvisory.in/cxqfekogfhe/88888.png
192.185.164.88:80 (mioscentrofisioterapico.it) | GET | mioscentrofisioterapico.it/nobtyyxi/88888.png
194.31.42.8:80 (casaitaliana.md) | GET | casaitaliana.md/fecntrfwku/88888.png
192.185.180.29:80 (festalgroup.in) | GET | festalgroup.in/forxru/88888.png
All five requests were HTTP/1.1 GETs with identical headers apart from Host: Connection: Keep-Alive, Accept: */*, Accept-Language: en-us, User-Agent: MasantaLalte.
Extracted Strings
Extracted Files
No significant files were extracted.