Edit tour
Windows
Analysis Report
ndvdikok.vbs
Overview
General Information
Detection
DarkGate, MailPassView
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Benign windows process drops PE files
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected DarkGate
Yara detected MailPassView
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Potential malicious VBS script found (has network functionality)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Keylogger Generic
Classification
- System is w10x64
- wscript.exe (PID: 6640 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\ndvdi kok.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - AutoHotkey.exe (PID: 6544 cmdline:
"C:\NwiQ\A utohotkey. exe" "c:\N wiQ\script .ahk" MD5: A59A2D3E5DDA7ACA6EC879263AA42FD3)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DarkGate | First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023. | No Attribution |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | ||
JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security | ||
JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security | ||
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
System Summary |
---|
Source: | Author: frack113, Florian Roth: |
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: |
Source: | Author: frack113: |
Source: | Author: Michael Haag: |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Code function: | 1_2_00480DC0 | |
Source: | Code function: | 1_2_0045E220 | |
Source: | Code function: | 1_2_0047C320 | |
Source: | Code function: | 1_2_0044D570 | |
Source: | Code function: | 1_2_0044D870 | |
Source: | Code function: | 1_2_00437B70 | |
Source: | Code function: | 1_2_0044DBB0 | |
Source: | Code function: | 1_2_00480D30 | |
Source: | Code function: | 1_2_0045EEA0 | |
Source: | Code function: | 1_2_048495A1 | |
Source: | Code function: | 1_2_0489C541 | |
Source: | Code function: | 1_2_0484655D | |
Source: | Code function: | 1_2_0489B145 | |
Source: | Code function: | 1_2_04876FE5 | |
Source: | Code function: | 1_2_04873871 |
Networking |
---|
Source: | Network Connect: | Jump to behavior |
Source: | Initial file: | ||
Source: | Initial file: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | Code function: | 1_2_0045DB90 |
Source: | HTTP traffic detected: |