home

wscript.exe

wscript

The executable wscript.exe, “Microsoft Scripting Runtime” has been detected as malware by 8 anti-virus scanners. While running, it connects to the Internet address 125.235.4.59.adsl.viettel.vn on port 80 using the HTTP protocol.
Publisher:
Microsoft*  (Invalid match)

Product:
wscript

Description:
Microsoft Scripting Runtime

Version:
1.00

MD5:
9d9c68e0e49424d4d730d05401463c99

SHA-1:
fb89f75abfb9f6cbdfc294d48bb775a2cb0410db

SHA-256:
82683374d8ec9a447c8b68389770a2800a9e2218c768f61b76a63f090e137cec

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
12/26/2024 12:11:22 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Trojan.Heur.VP.om0@amVr1pii
1140

Avira AntiVirus
TR/Spy.Gen
7.11.120.238

Bitdefender
Gen:Trojan.Heur.VP.om0@amVr1pii
1.0.20.1775

Comodo Security
TrojWare.Win32.Agent.ASSP
17470

Emsisoft Anti-Malware
Gen:Trojan.Heur.VP.om0@amVr1pii
8.13.12.21.12

F-Secure
Gen:Trojan.Heur.VP.om0@amVr1pii
11.2013-21-12_7

G Data
Gen:Trojan.Heur.VP.om0@amVr1pii
13.12.22

MicroWorld eScan
Gen:Trojan.Heur.VP.om0@amVr1pii
14.0.0.1065

File size:
236 KB (241,664 bytes)

Product version:
1.00

Original file name:
idmpatcher.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\wscript.exe

File PE Metadata
Compilation timestamp:
12/18/2013 9:58:29 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:vI5y9UMq9wT0y9bU9ZLzkWzkqyZ4nX2HPHoi:CMqC0yOpHyZgw

Entry address:
0x27C0

Entry point:
68, 80, 31, 40, 00, E8, F0, FF, FF, FF, 00, 00, 00, 00, 00, 00, 30, 00, 00, 00, 38, 00, 00, 00, 00, 00, 00, 00, D0, 4A, DE, 8E, C1, AE, 74, 46, 98, CF, F6, E4, ED, 3A, FF, C1, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 20, 20, 20, 20, 20, 20, 77, 73, 63, 72, 69, 70, 74, 00, 00, 00, 00, 00, FF, CC, 31, 00, 08, 04, E1, F8, 3D, 47, 18, CC, 43, B1, 3F, FF, 75, 03, DF, EB, EB, CF, E4, A0, 1F, A0, 59, 07, 48, B0, BE, 97, 0F, 6E, 5E, 88, 62, 3A, 4F, AD, 33, 99, 66, CF, 11, B7, 0C, 00, AA, 00, 60, D3, 93, 00, 00, 00...
 
[+]

Entropy:
5.8678

Developed / compiled with:
Microsoft Visual Basic v5.0/v6.0

Code size:
224 KB (229,376 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mx9456.superdata.vn  (112.213.94.56:80)

TCP (HTTP):
Connects to ip-184-168-221-53.ip.secureserver.net  (184.168.221.53:80)

TCP (HTTP):
Connects to ip-184-168-221-52.ip.secureserver.net  (184.168.221.52:80)

TCP (HTTP):
Connects to 125.235.4.59.adsl.viettel.vn  (125.235.4.59:80)

Remove wscript.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.