Windows Analysis Report Inv-04_PDF.vbs

Overview

General Information

Sample Name: Inv-04_PDF.vbs
Analysis ID: 451451
MD5: 457617bb66ce73bbc76af8d376469792
SHA1: a1e9d7b4f153da6d345d6e8dd5d6923a260cff10
SHA256: ea11c7637e649da3353f4d11ea0c03e95a53284bc57dc07f947ceb39e2d24230
Tags: NanoCore, RAT, vbs

Detection

Nanocore, AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 800 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • not.exe (PID: 3288 cmdline: 'C:\Users\user\AppData\Local\Temp\not.exe' MD5: 672E9FDC80F39F27F98A048B9F51AEA0)
      • InstallUtil.exe (PID: 1256 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • pad.exe (PID: 3864 cmdline: 'C:\Users\user\AppData\Local\Temp\pad.exe' MD5: E98879EEEFFC1846AB8765CE44E9E351)
      • pad.exe (PID: 4848 cmdline: C:\Users\user\AppData\Local\Temp\pad.exe MD5: E98879EEEFFC1846AB8765CE44E9E351)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
Inv-04_PDF.vbs | SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth
  • 0x6f8ed:$: VFZxUUFBT
  • 0x1884ec:$: RWcVFBQU
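The two matched strings above look unrelated but come from the same header. The inner base64 layer always starts at file offset 0, so it always begins "TVqQAAM..." (base64 of "MZ\x90\x00\x03"); the outer layer, however, may encode that text with 0, 1 or 2 unrelated bytes in front of it, and because base64 works on 3-byte groups each alignment produces different characters. "VFZxUUFBT" is the alignment-0 form and "RWcVFBQU" the alignment-1 form, which is why a rule for double-encoded PEs needs one string per alignment. The following is an added example (not the report's or Florian Roth's code) that derives those strings and scans a script for them, then undoes both layers to confirm an MZ header is inside. The DOS header, the 128-byte "payload", and the VBS text are constructed for the example; only the two 8-9 character prefixes quoted on the page are taken from the report.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed 64-byte DOS (MZ) header with the usual field values (e_magic "MZ",
# e_cblp 0x90, e_cp 3, e_lfanew 0x80). It stands in for the start of a real PE and
# is not taken from the sample on the page.
DOS_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
    + b"\x00" * 28
    + b"\x80\x00\x00\x00"
)

# With k unknown bytes in front of the inner text, the first 0/2/3 output
# characters of the outer layer also depend on those bytes and must be dropped.
_HEAD_TAINT = {0: 0, 1: 2, 2: 3}


def double_base64_signatures(header: bytes = DOS_HEADER) -> List[str]:
    """Return the outer-layer text for each of the three outer alignments.

    The inner layer is fixed (it starts at file offset 0); only complete 3-byte
    groups are kept so no '=' padding leaks into the signature."""
    inner = base64.b64encode(header).decode("ascii")
    inner = inner[: (len(header) // 3) * 4]
    sigs = []
    for k in range(3):
        outer = base64.b64encode(b"\x00" * k + inner.encode("ascii")).decode("ascii")
        full = ((k + len(inner)) // 3) * 4   # chars fully determined by known input
        sigs.append(outer[_HEAD_TAINT[k]:full])
    return sigs


B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def _b64decode_loose(s: str) -> bytes:
    """Decode base64 that may have lost or gained '=' padding; b'' on failure."""
    s = s.rstrip("=")
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4))
    except (binascii.Error, ValueError):
        return b""


def recover_pe(outer_blob: str) -> Optional[bytes]:
    """Undo both layers. The outer decode may yield unrelated bytes around the
    inner base64 text, so locate the inner text as a base64 run that starts with
    "TVqQ" (base64 of b"MZ\\x90") and decode just that."""
    layer1 = _b64decode_loose(outer_blob).decode("latin-1")
    for run in B64_RUN.finditer(layer1):
        if run.group(0).startswith("TVqQ"):
            pe = _b64decode_loose(run.group(0))
            if pe.startswith(b"MZ"):
                return pe
    return None


def scan_for_double_base64_pe(text: str, probe_len: int = 12) -> List[Dict]:
    """Find the signatures in `text` (e.g. a .vbs) and recover the PE behind each hit.
    Like the Yara rule, only a short fixed prefix of each signature is searched."""
    probes = {sig[:probe_len]: k for k, sig in enumerate(double_base64_signatures())}
    runs = list(B64_RUN.finditer(text))
    hits = []
    for probe, alignment in probes.items():
        for m in re.finditer(re.escape(probe), text):
            run = next((r for r in runs if r.start() <= m.start() < r.end()), None)
            hits.append({
                "offset": m.start(),
                "alignment": alignment,
                "pe": recover_pe(run.group(0)) if run else None,
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: a fake PE (header plus zeros) double-encoded twice over,
# once with no prefix (outer alignment 0) and once behind a 4-byte "exe:" tag
# (outer alignment 1). This is not the dropper from the report.
PAYLOAD = DOS_HEADER + b"\x00" * 64
_INNER = base64.b64encode(PAYLOAD)
CONSTRUCTED_VBS = (
    "' constructed stand-in for the dropper script\r\n"
    + 'a = "' + base64.b64encode(_INNER).decode("ascii") + '"\r\n'
    + 'b = "' + base64.b64encode(b"exe:" + _INNER).decode("ascii") + '"\r\n'
    + 'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
)

if __name__ == "__main__":
    for k, sig in enumerate(double_base64_signatures()):
        print(f"alignment {k}: {sig[:16]}...")
    for h in scan_for_double_base64_pe(CONSTRUCTED_VBS):
        print(f'offset 0x{h["offset"]:x} alignment {h["alignment"]} '
              f'-> {len(h["pe"]) if h["pe"] else 0} bytes, MZ={h["pe"][:2] == b"MZ" if h["pe"] else False}')
```

Two hits at different alignments in one script, as in the report, mean two separately embedded blobs; the decode step is what tells you whether each one is an actual executable rather than a coincidental string match.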

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.377527863.0000000004359000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.377527863.0000000004359000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000015.00000002.467183565.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.467183565.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000015.00000002.467183565.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
(65 entries in the full report; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author
21.2.pad.exe.71d0000.34.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
21.2.pad.exe.71d0000.34.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
21.2.pad.exe.7170000.29.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost
21.2.pad.exe.7170000.29.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost
21.2.pad.exe.71c0000.33.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
(149 entries in the full report; only the first are shown here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created. Author: Joe Security. Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\pad.exe, ProcessId: 4848, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created. Author: Joe Security. Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\pad.exe, ProcessId: 4848, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started. Author: juju4. Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\not.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\not.exe, ParentProcessId: 3288, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 1256

Stealing of Sensitive Information: