Play interactive tourEdit tour
Windows Analysis Report 14 Items receipt.vbs
Overview
General Information
Detection
Nanocore
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Detected Nanocore Rat
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Very long command line found
Injects a PE file into a foreign processes
Creates an undocumented autostart registry key
Sigma detected: CrackMapExec PowerShell Obfuscation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sigma detected: Encoded PowerShell Command Line
Java / VBScript file with very long strings (likely obfuscated code)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
Process Tree |
---|
|