paladin316

1232Invoice_T03-4019577_vbs_2019-09-06_08_30.txt

Sep 6th, 2019
* ID: 1232
* MalFamily: "Gozi"
* MalScore: 0.5

* File Name: "Invoice T03-4019577.vbs"
* File Size: 1711388
* File Type: "ASCII text, with very long lines"
* SHA256: "d31246625c830ccd4eec46a7f5298528fc4174091c966e09760cf6f6033b1043"
* MD5: "fd8215070bad98d9c68ef687e5d8038a"
* SHA1: "5db74f87cae39b60170f552eef8933cd4701ed2e"
* SHA512: "5d1f2a0ca3e544e240d5a47f3bd6b023b017f01fdaeef09bd8c404fb9380c6503967ea2f7ad9233b3f5aa2f33ee0b4f89feba70236f525e324c34d16535cdecc"
* CRC32: "52B49CBC"
* SSDEEP: "49152:9k83DoInFMiyNs9sx1X7OVsQtSP6LSIX9B7VO/9SH5pg5mZBjTY:m"

* Process Execution:
"wscript.exe"

* Executed Commands:

* Signatures Detected:

"Description": "Attempts to connect to a dead IP:Port (3 unique times)",
"Details":
"IP_ioc": "2.18.65.113:80"
"IP_ioc": "199.195.250.171:443 (United States)"
"IP_ioc": "192.35.177.64:80"

"Description": "File has been identified by 2 Antiviruses on VirusTotal as malicious",
"Details":
"NANO-Antivirus": "Trojan.Script.ExpKit.fugogz"
"Qihoo-360": "virus.vbs.crypt.c"

* Started Service:

* Mutexes:

* Modified Files:
"C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
"C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\E0F5C59F9FA661F6F4C50B87FEF3A15A",
"C:\\Users\\user\\AppData\\Local\\Temp\\Cab54F8.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Tar54F9.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Cab5558.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Tar5559.tmp",
"C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\user\\AppData\\Local\\Temp\\Cab580A.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Tar580B.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\TableOfColors.exe"

* Deleted Files:
"C:\\Users\\user\\AppData\\Local\\Temp\\Cab54F8.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Tar54F9.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Cab5558.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Tar5559.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Cab580A.tmp",
"C:\\Users\\user\\AppData\\Local\\Temp\\Tar580B.tmp"

* Modified Registry Keys:
"HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList"

* Deleted Registry Keys:

* DNS Communications:
"type": "A",
"request": "zurichwhispers.com",
"answers":
"data": "199.195.250.171",
"type": "A"

* Domains:
"ip": "199.195.250.171",
"domain": "zurichwhispers.com"

* Network Communication - ICMP:

* Network Communication - HTTP:

* Network Communication - SMTP:

* Network Communication - Hosts:
"country_name": "United States",
"ip": "199.195.250.171",
"inaddrarpa": "",
"hostname": "zurichwhispers.com"

* Network Communication - IRC: