Windows Analysis Report
mYX4N3FRJj.vbs

General Information

Sample name: mYX4N3FRJj.vbs
renamed because original name is a hash value
Original sample name: 28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9.bin.sample.vbs
Analysis ID: 1686591
Has dependencies: false
MD5: f91705e56983ba3c3cd940d62bc2ed35
SHA1: de2e039c69f6f4f5af23d4eac2d3235e2ce4f20c
SHA256: 28a0596b9c62b7b7aca9cac2a07b067109f27d327581a60e8cb4fab92f8f4fa9
Tags: LOSTKEYS, VBS, user-KodaDr
Infos: sigma

Detection

Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Joe Sandbox ML detected suspicious sample
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

AV Detection

Source: mYX4N3FRJj.vbs Virustotal: Detection: 21%
Source: mYX4N3FRJj.vbs ReversingLabs: Detection: 25%
Source: Submitted Sample Neural Call Log Analysis: 95.1%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\

Networking

Source: Initial file: inStream.SaveToFile(fn)

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: mYX4N3FRJj.vbs Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal64.winVBS@1/0@0/0
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\mYX4N3FRJj.vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP information