
Analysis Report PaymentNotification.vbs

Overview

General Information

Sample Name: PaymentNotification.vbs
Analysis ID: 399489
MD5: f5b9f4ae6470dd78d53b60dcc6b32a5b
SHA1: c12a160ff346463dfea1a2a5b015b0efd56a9645
SHA256: 3fb7c96dcb667562f755e56f05a892aa8326d0c905055f1ea75177e1785df46b
Tags: vbs

Detection

HawkEye, njRat, AsyncRAT, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected HawkEye Rat
Detected njRat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the windows firewall
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • wscript.exe (PID: 5972 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\PaymentNotification.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Tmp.exe (PID: 240 cmdline: 'C:\Users\user\AppData\Local\Temp\Tmp.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)
      • servieda.exe (PID: 5648 cmdline: 'C:\Users\user\AppData\Roaming\servieda.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)
        • netsh.exe (PID: 4592 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Roaming\servieda.exe' 'servieda.exe' ENABLE MD5: 98CC37BBF363A38834253E22C80A8F32)
          • conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • pgr.exe (PID: 1068 cmdline: 'C:\Users\user\AppData\Local\Temp\pgr.exe' MD5: A08F2FAC257ABBBDDDBBD4439F32CFD0)
      • netsh.exe (PID: 5596 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\pgr.exe' 'pgr.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • tmp87E4.tmp.exe (PID: 5036 cmdline: 'C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe' MD5: 6107D33B54A998C142311E55B3EC53D2)
      • tmpFB21.tmp.exe (PID: 4928 cmdline: 'C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe' MD5: 5C0E9E0C72288F8B70BB68C0036ECB52)
        • vbc.exe (PID: 1428 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 5824 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • d4c6a6df7bab3dad31763de990c4ed82.exe (PID: 2244 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe' MD5: 9B30598F8F05C46F8ABB22A4C2ABCC9E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: AsyncRAT

{"Server": "185.140.53.71", "Ports": "5622", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "OZbfeCW3Ui2w9m0b2sdvXKLHncuuEV1i", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "[removed]", "ServerSignature": "[removed]", "Group": "CONTACTS"}

Threatname: Njrat

{"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d30:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4e88:$s3: Executed As
  • 0x4e6a:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4d9e:$a1: netsh firewall add allowedprogram
  • 0x4d6e:$a2: SEE_MASK_NOZONECHECKS
  • 0x5018:$b1: [TAP]
  • 0x4d30:$c3: cmd.exe /c ping
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d6e:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e46:$msg: Execute ERROR
  • 0x4ea2:$msg: Execute ERROR
  • 0x4d30:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Users\user\AppData\Roaming\servieda.exe | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xdd24:$s1: wireshark
  • 0xdcee:$s2: procexp
(18 further entries not shown)

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000003.361826559.000001B866181000.00000004.00000001.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x16fd:$a1: netsh firewall add allowedprogram
  • 0x188d:$b1: [TAP]
  • 0x647:$b2: & exit
  • 0x1683:$b2: & exit
  • 0x1651:$c1: md.exe /k ping 0 & del
00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000003.00000003.375381174.00000000006AD000.00000004.00000001.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0xe69d:$a1: netsh firewall add allowedprogram
  • 0xe82d:$b1: [TAP]
  • 0xd5e7:$b2: & exit
  • 0xe623:$b2: & exit
  • 0xe5f1:$c1: md.exe /k ping 0 & del
0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(134 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.3.wscript.exe.1b86717d130.5.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x2f30:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x3088:$s3: Executed As
  • 0x306a:$s6: Download ERROR
0.3.wscript.exe.1b86717d130.5.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.3.wscript.exe.1b86717d130.5.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x2f9e:$a1: netsh firewall add allowedprogram
  • 0x2f6e:$a2: SEE_MASK_NOZONECHECKS
  • 0x3218:$b1: [TAP]
  • 0x2f30:$c3: cmd.exe /c ping
0.3.wscript.exe.1b86717d130.5.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x2f6e:$reg: SEE_MASK_NOZONECHECKS
  • 0x3046:$msg: Execute ERROR
  • 0x30a2:$msg: Execute ERROR
  • 0x2f30:$ping: cmd.exe /c ping 0 -n 2 & del
0.3.wscript.exe.1b8660a7cb0.0.unpack | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | Florian Roth
  • 0xbf24:$s1: wireshark
  • 0xbeee:$s2: procexp
(127 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Tmp.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\pgr.exe, Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\tmp87E4.tmp.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\servieda.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\tmpFB21.tmp.exe, Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4c6a6df7bab3dad31763de990c4ed82.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 0000000C.00000000.429733559.00000000006E2000.00000002.00020000.sdmp, Malware Configuration Extractor: AsyncRAT {"Server": "185.140.53.71", "Ports": "5622", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "OZbfeCW3Ui2w9m0b2sdvXKLHncuuEV1i", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "[removed]