analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://broholmer.hamburg/wordpress/wp-content/plugins/fwdiwde/1/Payment%20info%20pdf.vbs

Full analysis: https://app.any.run/tasks/ba895194-a880-406d-995d-2a749f00eb87
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 02, 2019, 18:35:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
stealer
wshrat
Indicators:
MD5:

4DA64DC1CA2728E0959058420FA2E224

SHA1:

E60277854DE6C9FEE32F0661BB1F16C26EDFA052

SHA256:

07120DC77E12421A3E9DB495A972985CCA4D53514EB2FC5F791E6A39E4477FB8

SSDEEP:

3:N8UBy565/AVYAQjcL4TBAPKOeLgVM3bZbW:2yy5VVYAsc8APLfY1y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3508)
      • WScript.exe (PID: 2168)

    • WSHRAT was detected

      • WScript.exe (PID: 3508)
      • WScript.exe (PID: 2168)

    • Connects to CnC server

      • WScript.exe (PID: 3508)
      • WScript.exe (PID: 2168)

    • Application was dropped or rewritten from another process

      • kl-plugin.exe (PID: 2352)

    • Writes to a start menu file

      • WScript.exe (PID: 3508)
      • WScript.exe (PID: 2168)

  • SUSPICIOUS

    • Executes scripts

      • chrome.exe (PID: 1648)
      • WScript.exe (PID: 2168)
      • WScript.exe (PID: 3508)

    • Creates files in the user directory

      • WScript.exe (PID: 2168)
      • WScript.exe (PID: 3508)

    • Application launched itself

      • WScript.exe (PID: 2168)
      • WScript.exe (PID: 3508)

    • Checks for external IP

      • WScript.exe (PID: 2168)
      • WScript.exe (PID: 3508)

    • Connects to unusual port

      • WScript.exe (PID: 2168)
      • WScript.exe (PID: 3508)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3508)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1648)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3508)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1404)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 1908)
      • chrome.exe (PID: 1648)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 1648)

    • Application launched itself

      • chrome.exe (PID: 1648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
35
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #WSHRAT wscript.exe wscript.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #WSHRAT wscript.exe wscript.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs taskkill.exe no specs kl-plugin.exe

Process information

PID
CMD
Path
Indicators
Parent process
1648"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://broholmer.hamburg/wordpress/wp-content/plugins/fwdiwde/1/Payment%20info%20pdf.vbs"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2720"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ed2a9d0,0x6ed2a9e0,0x6ed2a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1812"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1972 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3832"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,13414990043362372438,13216414154305691942,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=5305696706946312890 --mojo-platform-channel-handle=1032 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1908"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,13414990043362372438,13216414154305691942,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=11565777166462715421 --mojo-platform-channel-handle=1636 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3892"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,13414990043362372438,13216414154305691942,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17770124879143654104 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1448"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,13414990043362372438,13216414154305691942,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8675939578373947880 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1484"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,13414990043362372438,13216414154305691942,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8456511283133952216 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2532 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3756"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,13414990043362372438,13216414154305691942,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=988166065410054501 --mojo-platform-channel-handle=3512 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2168"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\Payment info pdf.vbs" C:\Windows\System32\WScript.exe
chrome.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
1 858
Read events
1 483
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
38
Text files
271
Unknown types
6

Dropped files

PID
Process
Filename
Type
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ff45febe-3325-4b37-a48a-5863179cb9b0.tmp
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF39b6a8.TMPtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
1648chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
81
TCP/UDP connections
133
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1908
chrome.exe
GET
302
172.217.22.46:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
508 b
whitelisted
2168
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
3508
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
2168
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
3508
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
3508
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
3508
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
2168
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
2168
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
2168
WScript.exe
POST
185.140.53.8:3457
http://miraqueen.publicvm.com:3457/is-ready
DE
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2168
WScript.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
1908
chrome.exe
216.58.205.238:443
sb-ssl.google.com
Google Inc.
US
whitelisted
1908
chrome.exe
172.217.18.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1908
chrome.exe
85.25.199.56:443
broholmer.hamburg
Host Europe GmbH
DE
unknown
1908
chrome.exe
216.58.205.227:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1908
chrome.exe
172.217.18.4:443
www.google.com
Google Inc.
US
whitelisted
1908
chrome.exe
216.58.208.45:443
accounts.google.com
Google Inc.
US
whitelisted
3508
WScript.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
1908
chrome.exe
172.217.18.14:443
clients1.google.com
Google Inc.
US
whitelisted
1908
chrome.exe
172.217.21.227:443
www.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.18.99
whitelisted
broholmer.hamburg
  • 85.25.199.56
unknown
accounts.google.com
  • 216.58.208.45
shared
www.google.com
  • 172.217.18.4
whitelisted
sb-ssl.google.com
  • 216.58.205.238
whitelisted
ssl.gstatic.com
  • 216.58.205.227
whitelisted
ip-api.com
  • 208.95.112.1
shared
miraqueen.publicvm.com
  • 185.140.53.8
malicious
www.gstatic.com
  • 172.217.21.227
whitelisted
clients1.google.com
  • 172.217.18.14
whitelisted

Threats

PID
Process
Class
Message
2168
WScript.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
2168
WScript.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3508
WScript.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
3508
WScript.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3508
WScript.exe
Generic Protocol Command Decode
SURICATA STREAM suspected RST injection
3508
WScript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
3508
WScript.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
3508
WScript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3508
WScript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
2168
WScript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
Process
Message
kl-plugin.exe
SetWindowsHookEx WH_KEYBOARD_LL
kl-plugin.exe
SetWindowsHookEx WH_MOUSE_LL
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://broholmer.hamburg/wordpress/wp-content/plugins/fwdiwde/1/Payment%20info%20pdf.vbs