e0e938b204117354882b577d59c213f1
Hash
- MD5: e0e938b204117354882b577d59c213f1
- SHA1: aaf5f0b6ffff28db488a9db4aa6ad141bd38b96d
- SHA256: 04fcb94c3eed8c2aeb257e94fa3f127db21e1d93ff4fa77f685c47ef7c8a6745
- First Seen: 2026-05-26
- Last Seen: 2026-05-26
Additional Information
VirusTotal
{
"data": {
"id": "04fcb94c3eed8c2aeb257e94fa3f127db21e1d93ff4fa77f685c47ef7c8a6745",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/04fcb94c3eed8c2aeb257e94fa3f127db21e1d93ff4fa77f685c47ef7c8a6745"
},
"attributes": {
"last_submission_date": 1779171607,
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260608",
"category": "malicious",
"result": "Trojan.Script.Generic.4!c"
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260610",
"category": "malicious",
"result": "Malicious (score: 99)"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.238",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260608",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.57.59769",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.57.59770",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20230417",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1224",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Gen.NPE"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/TrojanDropper.Agent.PMU trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260610",
"category": "malicious",
"result": "HEUR:Trojan.Script.Generic"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Generic.40060052"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Script.Dropper.kypbnp"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Generic.40060052"
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260610",
"category": "malicious",
"result": "Script.Trojan.Generic.Ozfl"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/DwnLdr-ADFS"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260610",
"category": "malicious",
"result": "Dropper.DR/SNH"
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5618",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260610",
"category": "malicious",
"result": "ti!04FCB94C3EED"
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260610",
"category": "malicious",
"result": "txt.trojan.generic"
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan.Generic.40060052 (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.5.4.0",
"engine_update": "20260609",
"category": "malicious",
"result": "Trojan-Dropper.VBS.Agent"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1781064090",
"engine_update": "20260610",
"category": "malicious",
"result": "Detected"
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260609",
"category": "malicious",
"result": "DR/SNH"
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38713",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26050.11",
"engine_update": "20260610",
"category": "malicious",
"result": "Trojan:Win32/Ravartar!rfn"
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS.S.Agent.58786"
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107407",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/DwnLdr-ADFS"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44856AVA:64.31389",
"engine_update": "20260610",
"category": "malicious",
"result": "HTML.Trojan.Agent.FVT0EM"
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/Downldr.TI"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260609",
"category": "malicious",
"result": "Trojan/VBS.AGENT.SC314837"
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-06-10.01",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260610",
"category": "malicious",
"result": "Dropper.Agent/VBS!1.137C0 (CLASSIC)"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260610",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "29d3768:29d3768:4ff9544:4ff9544",
"engine_update": "20260609",
"category": "malicious",
"result": "TrojanDropper/VBS.Runner.b!crit"
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260610",
"category": "malicious",
"result": "VBS/Agent.PMU!tr"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260610",
"category": "malicious",
"result": "Script:SNH-gen [Drp]"
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260609",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan[dropper]:Win/Generic.Gen"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260609-00",
"engine_update": "20260609",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.265",
"engine_update": "20260609",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": null,
"engine_update": "20260610",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.786",
"engine_update": "20260607",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260610",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260604",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.9.0.8",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.3.2",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260610",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260608",
"category": "type-unsupported",
"result": null
}
},
"type_tags": [
"source",
"vba",
"vbs"
],
"size": 58786,
"vhash": "cd87f260341667ed16d5513989cc815f",
"vba_info": {
"strings": [
"&H137c8",
"&H16206",
"&H2991",
"&Hf21e",
"&H1472",
"&H16db6",
"&H10fd6",
"&H11e98",
"&H16516",
"&H167f2",
"&H150e",
"&H749",
"&H3133",
"&H103c2",
"&Haa04",
"&H11425",
"&H11428",
"&Hfbd3",
"&Hc05d",
"&H186e9",
"&H6b7a",
"&H6b7c",
"&H13d3",
"&H25f",
"&H92d",
"&H2dfb",
"&H5a89",
"&H12212",
"&Hc420",
"&Hcc2e",
"&H12bee",
"&Hc9b1",
"&H9f78",
"&He616",
"&H13baa",
"&H722c",
"&H323f",
"&H60ab",
"&H5c4d",
"&H1221d",
"&Hb11e",
"&Hdda",
"&Hcc23",
"&H15c58",
"&H925",
"&Hccef",
"&H155a4",
"&Hc514",
"&H4240",
"&H9b12",
"&H7594",
"&H17edd",
"&H9e28",
"&H14ad3",
"&Hba05",
"&H906e",
"&He267",
"&H8e4e",
"&H11ebe",
"&H11ebc",
"&He460",
"&H4c26",
"&H1f6c",
"&H9c20",
"&H82cf",
"&H16e3a",
"&H3562",
"&Hf812",
"&Ha0c8",
"&H17ac6",
"&H14adb",
"&Ha57d",
"&H1f61",
"&H1f60",
"&Hedc",
"&Hb480",
"&H15f3",
"&Hf0dc",
"&H3169",
"&H13498",
"&H6403",
"&H13492",
"&H27ac",
"&H17f0",
"&H1bcc",
"&H1189f",
"&H7a3f",
"&H11d29",
"&Hc99d",
"&H7a5",
"&Hc1df",
"&Hf4bb",
"&H813d",
"&H1513b",
"&H3b4f",
"&H11b25",
"&H105e",
"&H10bed",
"&H17fb9",
"&Ha60d",
"&Ha60f",
"&H3830",
"&H3832",
"&Hc25",
"&H2c0",
"&H2da6",
"&H169e5",
"&H7a39",
"&H1464a",
"&Hfe55",
"&He136",
"&H410a",
"&H8005",
"&H151f2",
"&Hdcc0",
"&H8008",
"&H14d74",
"&H17aea",
"&H10780",
"&H1154a",
"&H11094",
"&H3905",
"&H13a54",
"&H97dc",
"&H16a34",
"&Hdfec",
"&Hd735",
"&H1176e",
"&H48b",
"&H2b20",
"&H6fb9",
"&H2e59",
"&H31e",
"&Hc65b",
"&H4a3e",
"&H4a3a",
"&H4a3b",
"&Hd6ab",
"&Haad5",
"&H12d99",
"&H36f5",
"&H6f50",
"&Haf03",
"VBScript",
"&H116d2",
"&Hae7b",
"&H151d",
"&H15133",
"&H12bd7",
"&H160d6",
"&H7bd8",
"&Ha34f",
"&Ha34a",
"&H7ef6",
"&H2aad",
"&H766a",
"&H425f",
"&Hf0e9",
"&H1278b",
"&H13001",
"&H9b0f",
"&H12842",
"&H75c8",
"&H1244a",
"&H1266",
"&H17ba3",
"&H10f32",
"&H12ff4",
"&H9052",
"&H156f0",
"&H1750b",
"&H6eb5",
"&H377a",
"&H148bc",
"&H13318",
"&H18158",
"&H8e74",
"&Ha3f",
"&Hb653",
"&H3174",
"&H126c0",
"&H17856",
"&Hdbd9",
"&Ha631",
"&H13174",
"&H1215a",
"&H1704a",
"&H9833",
"&H9831",
"&H16ce0",
"&H8059",
"&He3e6",
"&Hb3cd",
"&H1688",
"&H151eb",
"&H17fcf",
"&H16fbc",
"&Hcbaa",
"&H11dc9",
"&H182ef",
"&Hfe40",
"&H4f5a",
"&Hb68",
"&H7a0c",
"&H44a9",
"&H9f0",
"&H15de2",
"&H16fb3",
"&H84df",
"&H8946",
"&H11205",
"&Hab94",
"&H3e67",
"&H173cd",
"&H1679f",
"&H11841",
"&Hd1b5",
"&H16311",
"&H16317",
"&H16315",
"&Hb81e",
"&Hc58b",
"&H11442",
"&H16b45",
"&H5f90",
"&H14d6e",
"&Ha4dc",
"&H97eb",
"&H8bd",
"&H3cb3",
"&Hc443",
"&H2d30",
"&H150a7",
"&H4646",
"&H14cc7",
"&Hc288",
"&Hda5b",
"&H2ff7",
"&H1600b",
"&H1738d",
"&Hbde1",
"&H100c5",
"&Haa2c",
"&H3fbd",
"&H45b9",
"&H45b8",
"&H10e36",
"&H12c1f",
"&H4c00",
"&Hc5fa",
"&H117a4",
"&Hcee3",
"&H682d",
"&H94c0",
"&H1216f",
"&H8a49",
"&H8e6f",
"&Hbac2",
"&H3364",
"&Ha356",
"&H1212",
"&H1a9c",
"&H6f51",
"&H2092",
"&H10942",
"&Hd0ff",
"&H13301",
"&H107a8",
"&Hf943",
"&H153a5",
"&H37c4",
"&H15fbc",
"&H2784",
"&H11d41",
"&H4f6b",
"&Hed59",
"&H1fae",
"&Hd9e",
"&H13e53",
"&He3be",
"&H922b",
"&Hc2b4",
"&H1433a",
"&Hcf72",
"&H5526",
"&H11b01",
"&Hd9b4",
"&H2301",
"&H71db",
"&Ha0e4",
"&H84e7",
"&H5780",
"&H982d",
"&H63f6",
"&H3b27",
"&H15757",
"&Ha2a",
"&H9958",
"&Hfa5b",
"&Hf495"
]
},
"type_tag": "vba",
"times_submitted": 1,
"sha256": "04fcb94c3eed8c2aeb257e94fa3f127db21e1d93ff4fa77f685c47ef7c8a6745",
"unique_sources": 1,
"total_votes": {
"harmless": 0,
"malicious": 0
},
"trid": [
{
"file_type": "file seems to be plain text/ASCII",
"probability": 0.0
}
],
"sandbox_verdicts": {
"Dr.Web vxCube": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "Dr.Web vxCube"
}
},
"ssdeep": "384:DTJxNvhp4cFLrakqmDIFP+SJtmjBe3Z8W0OLvZB0/HlBwTz1cfsdBBYG6DpGYG:/Jz51FLrakqmkJt6IJ8WboflCLJSpXG",
"crowdsourced_ids_results": [
{
"rule_category": "bad-unknown",
"alert_severity": "medium",
"rule_msg": "FILE-OTHER Multiple products ZIP archive virus detection bypass attempt",
"rule_id": "1:26989",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:\"FILE-OTHER Multiple products ZIP archive virus detection bypass attempt\"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:\"|50 4B 01 02|\"; content:\"|00 00 00 00|\",within 4,distance 20; content:!\"|00 00 00 00|\",within 4,distance -8; content:!\"META-INF\"; content:!\"class.pk\"; metadata:policy max-detect-ips drop; service:ftp-data,http,imap,pop3; reference:bugtraq,11448; reference:cve,2004-0932; classtype:bad-unknown; sid:26989; rev:7; )",
"rule_references": [
"https://www.securityfocus.com/bid/11448",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0932"
],
"alert_context": [
{
"src_ip": "199.232.210.172",
"src_port": 80
}
]
},
{
"rule_category": "denial-of-service",
"alert_severity": "medium",
"rule_msg": "SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
"rule_id": "1:41379",
"rule_source": "Snort registered user ruleset",
"rule_url": "https://www.snort.org/downloads/#rule-downloads",
"rule_raw": "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:\"SERVER-OTHER Squid HTTP Vary response header denial of service attempt\"; flow:to_client,established; http_header; content:\"Vary|3A|\"; content:!\"|0D 0A|\",within 250; metadata:policy max-detect-ips drop; service:http; reference:cve,2016-2569; reference:url,www.squid-cache.org/Advisories/SQUID-2016_2.txt; classtype:denial-of-service; sid:41379; rev:1; )",
"rule_references": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2569",
"https://www.squid-cache.org/Advisories/SQUID-2016_2.txt"
],
"alert_context": [
{
"src_ip": "74.125.131.94",
"src_port": 80
}
]
}
],
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "f4143907bd6e32636e7bc2f3b4f1fca7dde5ff6787f10a17b360a798f52c6357",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Uncommon Svchost Command Line Parameter",
"rule_description": "Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.\nThis could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.\n",
"rule_author": "Liran Ravich",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\system32\\svchost.exe",
"Image": "C:\\Windows\\system32\\svchost.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "a97837cc5246d1005cb41d097acb5e089b3031009ed77e1792b93102e79c1f03",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Access To Windows Credential History File By Uncommon Applications",
"rule_description": "Detects file access requests to the Windows Credential History File by an uncommon application.\nThis can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"FileName": "%APPDATA%\\microsoft\\protect\\credhist"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "ec1d4770fddf21948d437ee8ade88904c7b95601bf83cfe214687e2611dd530c",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Access To Windows DPAPI Master Keys By Uncommon Applications",
"rule_description": "Detects file access requests to the Windows Data Protection API Master keys by an uncommon application.\nThis can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"FileName": "%APPDATA%\\microsoft\\protect\\s-1-5-21-4226853953-3309226944-3078887307-1000\\preferred"
}
}
]
},
{
"rule_level": "low",
"rule_id": "0f8e3c8e1fbbfbe7cf4a673a7445d726cd5c91d52f036a090b8e242dd368058e",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious File Access to Browser Credential Storage",
"rule_description": "Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.\nAdversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.\nThis behavior is commonly observed in credential-stealing malware.\n",
"rule_author": "frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore",
"match_context": [
{
"values": {
"FileName": "%LOCALAPPDATA%\\microsoft\\edge\\user data\\default\\login data"
}
},
{
"values": {
"FileName": "%LOCALAPPDATA%\\microsoft\\edge\\user data\\default\\cookies"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"CommandLine": "%WINDIR%\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "%WINDIR%\\system32\\windowspowershell\\v1.0\\powershell.exe",
"Image": "C:\\Windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
}
],
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 1,
"medium": 2,
"low": 2
}
},
"last_analysis_stats": {
"malicious": 29,
"suspicious": 0,
"undetected": 32,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 14
},
"sha1": "aaf5f0b6ffff28db488a9db4aa6ad141bd38b96d",
"magika": "VBA",
"reputation": 0,
"crowdsourced_ids_stats": {
"high": 0,
"medium": 2,
"low": 0,
"info": 0
},
"md5": "e0e938b204117354882b577d59c213f1",
"type_description": "VBA",
"first_submission_date": 1779171607,
"magic": "HTML document, ASCII text, with CRLF line terminators",
"names": [
"35f0fd02-2b77-4be6-aadb-cc230e600571",
"octet-stream",
"kb[1].zip"
],
"tags": [
"powershell",
"enum-windows",
"obfuscated",
"run-file",
"vba"
],
"meaningful_name": "35f0fd02-2b77-4be6-aadb-cc230e600571",
"last_modification_date": 1781075506,
"tlsh": "T1924301428D383DED909F65A72DF310441192DE1A7FBA6473C12724B41939AD83EE2EF6",
"filecondis": {
"dhash": "e4e0a50084c6a0e0",
"raw_md5": "a325d3c9e36a6cce441320c7b7164992"
},
"sigma_analysis_stats": {
"critical": 0,
"high": 1,
"medium": 2,
"low": 2
},
"popular_threat_classification": {
"popular_threat_category": [
{
"count": 15,
"value": "trojan"
},
{
"count": 7,
"value": "dropper"
}
],
"popular_threat_name": [
{
"count": 2,
"value": "adfs"
},
{
"count": 2,
"value": "dwnldr"
},
{
"count": 1,
"value": "crit"
}
],
"suggested_threat_label": "trojan.adfs/dwnldr"
},
"last_analysis_date": 1781068283
}
}
}