
Windows Analysis Report Inv-04_PDF.vbs


General Information

Sample Name:Inv-04_PDF.vbs
Analysis ID:451451

Detected malware families: Nanocore, AgentTesla


Benign windows process drops PE files
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match


Process Tree

  • System is w10x64
  • wscript.exe (PID: 800 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • not.exe (PID: 3288 cmdline: 'C:\Users\user\AppData\Local\Temp\not.exe' MD5: 672E9FDC80F39F27F98A048B9F51AEA0)
      • InstallUtil.exe (PID: 1256 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • pad.exe (PID: 3864 cmdline: 'C:\Users\user\AppData\Local\Temp\pad.exe' MD5: E98879EEEFFC1846AB8765CE44E9E351)
      • pad.exe (PID: 4848 cmdline: C:\Users\user\AppData\Local\Temp\pad.exe MD5: E98879EEEFFC1846AB8765CE44E9E351)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Inv-04_PDF.vbs | Rule: SUSP_Double_Base64_Encoded_Executable | Description: Detects an executable that has been encoded with base64 twice | Author: Florian Roth
  • 0x6f8ed:$: VFZxUUFBT
  • 0x1884ec:$: RWcVFBQU

Memory Dumps

Source: 00000004.00000002.377527863.0000000004359000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000004.00000002.377527863.0000000004359000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000015.00000002.467183565.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000015.00000002.467183565.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000015.00000002.467183565.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
(65 memory dump matches in total; only the first entries are listed here.)

Unpacked PEs

Source: 21.2.pad.exe.71d0000.34.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
Source: 21.2.pad.exe.71d0000.34.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
Source: 21.2.pad.exe.7170000.29.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost
Source: 21.2.pad.exe.7170000.29.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost
Source: 21.2.pad.exe.71c0000.33.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
(149 unpacked PE matches in total; only the first entries are listed here.)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\pad.exe, ProcessId: 4848, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\pad.exe, ProcessId: 4848, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\not.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\not.exe, ParentProcessId: 3288, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 1256

Stealing of Sensitive Information: