Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QF8iBLjaKJ.vbs

Overview

General Information

Sample name:QF8iBLjaKJ.vbs
renamed because original name is a hash value
Original sample name:4e5b0ebdd1f78c156d999a33512c64da.vbs
Analysis ID:1566413
MD5:4e5b0ebdd1f78c156d999a33512c64da
SHA1:96eaa3fe4ba066a12923198c187ef3ca5da2d2bd
SHA256:c24a23672d279afc63629da911e2e69e26c389186abb8eb30207b61b9282269a
Tags:vbsuser-abuse_ch
Infos:

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 4080 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: WScript or CScript Dropper
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs", ProcessId: 4080, ProcessName: wscript.exe
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs", ProcessId: 4080, ProcessName: wscript.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: QF8iBLjaKJ.vbsInitial sample: Strings found which are bigger than 50
Source: classification engineClassification label: sus22.winVBS@1/0@0/0
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs"
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information21
Scripting		Valid AccountsWindows Management Instrumentation21
Scripting		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping2
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		Boot or Logon Initialization Scripts1
Obfuscated Files or Information		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
QF8iBLjaKJ.vbs0%ReversingLabs
QF8iBLjaKJ.vbs2%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1566413
Start date and time:2024-12-02 07:23:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 37s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:QF8iBLjaKJ.vbs
renamed because original name is a hash value
Original Sample Name:4e5b0ebdd1f78c156d999a33512c64da.vbs
Detection:SUS
Classification:sus22.winVBS@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .vbs
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:Unicode text, UTF-8 text, with CRLF line terminators
Entropy (8bit):5.339435187651574
TrID:
    File name:QF8iBLjaKJ.vbs
    File size:1'545 bytes
    MD5:4e5b0ebdd1f78c156d999a33512c64da
    SHA1:96eaa3fe4ba066a12923198c187ef3ca5da2d2bd
    SHA256:c24a23672d279afc63629da911e2e69e26c389186abb8eb30207b61b9282269a
    SHA512:1b6a1cb553e44c9b689a2377d5fb2561657572500e16ff35dd88f22054296f2cadf23aa7b5013a9a0b019dc97e94400d0e7770b1030443b86075c93767be94b2
    SSDEEP:24:9AHhVuR7Z7hgegLQkwA00MFh0wHxPEL/jKC21WECBRWCwp6aFX+gwtU3SkIyr/CA:ePuvqegSfnP63xBwoaFX+1G3HIyt1tn
    TLSH:503110829A0341738973AFA780D1694EDA78B41F293EE856399DCD140B7772360E82F4
    File Content Preview:On Error Resume Next....Dim htmlFilePath, txtFilePath, objFSO, objHTML, objTable, objRow, objCell, objStream....' ........ ...... HTML ..............htmlFilePath = "C:\Users\Public\aaaaaa\-c -w passlist.html"....' ........ ...... TXT ..............txtFile

    File Icon

    Icon Hash:68d69b8f86ab9a86

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    System Behavior

    General

    Target ID:0
    Start time:01:24:03
    Start date:02/12/2024
    Path:C:\Windows\System32\wscript.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QF8iBLjaKJ.vbs"
    Imagebase:0x7ff78fe90000
    File size:170'496 bytes
    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Disassembly

    No disassembly