
Windows Analysis Report
ORDER230322.vbs

Overview

General Information

Sample Name: ORDER230322.vbs
Analysis ID: 832141
MD5: 2a76503660d140d0aa08bd758cb9c29c
SHA1: 55c1ba23321e11c0298450fb9dfa1ccebdea2d86
SHA256: 5f0329e51f347ca573ea69cd865bb03d0526d9e9e91477a4502a9fe35c3fbddf
Tags: RAT, vbs, WSHRAT

Detection

WSHRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected WSHRAT
Detected WSHRat
System process connects to network (likely due to code injection or exploit)
Sigma detected: Register Wscript In Run Key
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
Snort IDS alert for network traffic
Wscript called in batch mode (suppress errors)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
C2 URLs / IPs found in malware configuration
Uses known network protocols on non-standard ports
Drops VBS files to the startup folder
Windows Shell Script Host drops VBS files
Java / VBScript file with very long strings (likely obfuscated code)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Stores files to the Windows start menu directory
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 5492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ORDER230322.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 2352 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5448 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 1276 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 4024 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 6032 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup
Name: Houdini, WSHRAT
Description: Houdini is a VBS-based RAT dating back to 2013. Back in the day it used to be wrapped in an .exe, but in 2018 it started being spamvertized or downloaded by other malware directly as .vbs. In 2019, WSHRAT appeared, a JavaScript-based version of Houdini, recoded by the name of Kognito.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini
{"C2 url": "chongmei33.publicvm.com", "Port": "7045", "Install folder": "%temp%"}
Source                 Rule                Description            Author        Strings
dump.pcap              JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_5492.amsi.csv   JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_2352.amsi.csv   JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_5448.amsi.csv   JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
amsi64_4024.amsi.csv   JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security

Data Obfuscation

Source: File created
Author: Joe Security
Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5492, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER230322.vbs

Persistence and Installation Behavior

Source: Registry Key set
Author: Joe Security
Data: Details: wscript.exe //B "C:\Users\user\AppData\Local\Temp\ORDER230322.vbs", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 5492, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ORDER230322
Snort IDS alerts (all 26 alerts match SID 2017516 on TCP traffic from 192.168.2.3 to 103.47.144.224:7045)

Timestamp                 Source IP    Destination IP  Source Port  Destination Port  Protocol  SID      Classtype
03/22/23-11:40:42.430467  192.168.2.3  103.47.144.224  49727        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:41:00.836849  192.168.2.3  103.47.144.224  49730        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:40:19.769701  192.168.2.3  103.47.144.224  49723        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:38:44.353443  192.168.2.3  103.47.144.224  49707        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:07.144389  192.168.2.3  103.47.144.224  49711        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:44.283625  192.168.2.3  103.47.144.224  49717        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:18.634150  192.168.2.3  103.47.144.224  49713        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:38:21.870237  192.168.2.3  103.47.144.224  49703        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:40:08.630285  192.168.2.3  103.47.144.224  49721        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:41:06.386063  192.168.2.3  103.47.144.224  49731        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:40:36.721932  192.168.2.3  103.47.144.224  49726        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:38:37.956187  192.168.2.3  103.47.144.224  49706        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:38.695593  192.168.2.3  103.47.144.224  49716        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:38:55.844827  192.168.2.3  103.47.144.224  49709        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:12.966342  192.168.2.3  103.47.144.224  49712        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:37:51.449935  192.168.2.3  103.47.144.224  49698        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:38:16.269118  192.168.2.3  103.47.144.224  49702        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:56.012177  192.168.2.3  103.47.144.224  49719        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:40:14.190562  192.168.2.3  103.47.144.224  49722        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:40:53.627793  192.168.2.3  103.47.144.224  49729        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:41:12.041835  192.168.2.3  103.47.144.224  49732        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:32.263868  192.168.2.3  103.47.144.224  49715        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:38:31.858320  192.168.2.3  103.47.144.224  49705        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:40:31.131057  192.168.2.3  103.47.144.224  49725        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:39:50.397216  192.168.2.3  103.47.144.224  49718        7045              TCP       2017516  A Network Trojan was detected
03/22/23-11:37:58.976360  192.168.2.3  103.47.144.224  49699        7045              TCP       2017516  A Network Trojan was detected