Windows
Analysis Report
6723653391970.vbs
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Excessive usage of taskkill to terminate processes
Overwrites code with function prologues
Potential malicious VBS script found (has network functionality)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Keylogger Generic
Classification
- System is w10x64
- wscript.exe (PID: 7596, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6723653391970.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- BLOCKBUSTER.exe (PID: 7748, cmdline: "C:\_672365339188b\BLOCKBUSTER.exe", MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
- cmd.exe (PID: 7956, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7964, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 8116, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3512, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8016, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 7696, cmdline: ping 127.0.0.1, MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 7980, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8004, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 8148, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2104, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 8096, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 792, cmdline: ping 127.0.0.1, MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 8012, cmdline: cmd.exe /c ipconfig /flushdns, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8064, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 3612, cmdline: ipconfig /flushdns, MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- cmd.exe (PID: 8028, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8108, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 4452, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2500, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3288, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 8136, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 8168, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7580, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4076, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3980, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6424, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7296, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7484, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7876, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7676, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 2488, cmdline: ping 127.0.0.1, MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 7320, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3236, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5304, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3060, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 180, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 2692, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1744, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2412, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5724, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7740, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 5936, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6016, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 7328, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7920, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3632, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 5956, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3452, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 1896, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3568, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 7304, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 8184, cmdline: ping 127.0.0.1, MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 5820, cmdline: "C:\Windows\System32\cmd.exe" /C C:\_672365339188b\MPDK.bat, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5756, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 3632, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5808, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3384, cmdline: taskkill /f /im BLOCKBUSTER.exe, MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 3608, cmdline: ping 127.0.0.1, MD5: B3624DD758CCECF93A1226CEF252CA12)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | 
System Summary (Sigma rule matches; rule authors as listed in the report)
- Author: frack113, Florian Roth
- Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
- Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
- Author: frack113
- Author: Michael Haag
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
---|---|---|---|---|---|---|---|---
2024-10-31T12:19:16.689662+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49732 | TCP |
2024-10-31T12:19:56.843145+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49746 | TCP |
AV Detection
- Source: ReversingLabs
- Source: ReversingLabs
- Source: Integrated Neural Analysis Model
- Source: Binary or memory string (memstr_7823754c-f)
- Source: Binary string
- Source: Binary string
- Source: Binary string
- Source: Code function 1_2_6F89C2D0
Networking
- Source: Network Connect
- Source: TCP traffic
- Source: Initial file
- Source: Initial file
- Source: Network traffic detected
- Source: Network traffic detected
- Source: Network traffic detected
- Source: Network traffic detected
- Source: Network traffic detected
- Source: Network traffic detected
- Source: Process created
- Source: TCP traffic
- Source: HTTP traffic detected
- Source: HTTP traffic detected
- Source: HTTP traffic detected
- Source: HTTP traffic detected