analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Scan proof of address.vbs

Full analysis: https://app.any.run/tasks/e3ea5307-98df-463e-b0aa-e0140bfd43a1
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: November 08, 2019, 17:29:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
trojan
stealer
wshrat
Indicators:
MIME: text/x-c++
File info: C++ source, ASCII text, with very long lines
MD5:

B361E0AD2B3F0A9649F5277FFB2424BD

SHA1:

5588F1F0B925530C5FC92BD564545302734115AA

SHA256:

905A4F9487741E04E1F90394889635EE16DA00B9281A67F0BE75332280464720

SSDEEP:

3072:XfPml25X8ehBO+jbtJOv5+bkz4r9A0f+2KzP4V8Er3bd9gSht:PPUcXrhtUv5AC7Br4JRj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 592)
      • wscript.exe (PID: 3248)
      • wscript.exe (PID: 2768)

    • Changes the autorun value in the registry

      • WScript.exe (PID: 592)
      • wscript.exe (PID: 3248)
      • wscript.exe (PID: 2768)

    • WSHRAT was detected

      • wscript.exe (PID: 2768)

    • Application was dropped or rewritten from another process

      • kl-plugin.exe (PID: 1848)
      • rd-plugin.exe (PID: 1784)

    • Connects to CnC server

      • wscript.exe (PID: 2768)

  • SUSPICIOUS

    • Executes scripts

      • WScript.exe (PID: 592)
      • wscript.exe (PID: 2768)

    • Application launched itself

      • WScript.exe (PID: 592)
      • wscript.exe (PID: 2768)

    • Creates files in the user directory

      • WScript.exe (PID: 592)
      • wscript.exe (PID: 3248)
      • wscript.exe (PID: 2768)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2768)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 784)
      • cmd.exe (PID: 184)

    • Checks for external IP

      • wscript.exe (PID: 2768)

    • Executable content was dropped or overwritten

      • wscript.exe (PID: 2768)

    • Connects to unusual port

      • wscript.exe (PID: 3248)
      • wscript.exe (PID: 2768)
      • rd-plugin.exe (PID: 1784)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start wscript.exe wscript.exe #WSHRAT wscript.exe wscript.exe no specs cmd.exe no specs taskkill.exe no specs kl-plugin.exe cmd.exe no specs taskkill.exe no specs rd-plugin.exe

Process information

PID
CMD
Path
Indicators
Parent process
592"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Scan proof of address.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3248"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\eJIwWlLvGf.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
2768"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\Scan proof of address.vbs"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
1188"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\eJIwWlLvGf.vbs"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
784"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exeC:\Windows\system32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2076taskkill /F /IM kl-plugin.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1848"C:\Users\admin\AppData\Roaming\kl-plugin.exe" 92.38.86.175 1337 "WSHRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional |plus|nan-av|false - 11/8/2019|Visual Basic-v2.3|IT:Italy" 1C:\Users\admin\AppData\Roaming\kl-plugin.exe
wscript.exe
User:
admin
Company:
WSHRat Plugin
Integrity Level:
MEDIUM
Description:
klplu
Version:
1.1.0.0
184"C:\Windows\system32\cmd.exe" /c taskkill /F /IM rd-plugin.exeC:\Windows\system32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2296taskkill /F /IM rd-plugin.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1784"C:\Users\admin\AppData\Roaming\rd-plugin.exe" 92.38.86.175 1337 "WSHRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional |plus|nan-av|false - 11/8/2019|Visual Basic-v2.3|IT:Italy" C:\Users\admin\AppData\Roaming\rd-plugin.exe
wscript.exe
User:
admin
Company:
WSHRat Plugin
Integrity Level:
MEDIUM
Description:
rdplu
Exit code:
0
Version:
1.1.0.0
Total events
772
Read events
698
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\g9dw0ql-.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\m4favgtx.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\f4lom2ab.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\_ufdbedh.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\bowmelxh.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\fjpbpvig.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\hwzpshh6.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\iiypl9qs.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\_t_aqxdb.newcfg
MD5:
SHA256:
1848kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\pxpro3lx.newcfg
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
22
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2768
wscript.exe
POST
92.38.86.175:1337
http://92.38.86.175:1337/is-ready
CZ
malicious
2768
wscript.exe
POST
92.38.86.175:1337
http://92.38.86.175:1337/is-ready
CZ
malicious
2768
wscript.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/
unknown
text
284 b
shared
2768
wscript.exe
POST
92.38.86.175:1337
http://92.38.86.175:1337/is-ready
CZ
malicious
2768
wscript.exe
POST
92.38.86.175:1337
http://92.38.86.175:1337/is-ready
CZ
malicious
2768
wscript.exe
POST
92.38.86.175:1337
http://92.38.86.175:1337/is-ready
CZ
malicious
2768
wscript.exe
POST
92.38.86.175:1337
http://92.38.86.175:1337/is-ready
CZ
malicious
1784
rd-plugin.exe
GET
92.38.86.175:1337
http://92.38.86.175:1337/open-rdp|1280x720
CZ
malicious
2768
wscript.exe
POST
200
92.38.86.175:1337
http://92.38.86.175:1337/is-ready
CZ
text
40 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2768
wscript.exe
92.38.86.175:1337
ALFA TELECOM s.r.o.
CZ
malicious
2768
wscript.exe
208.95.112.1:80
ip-api.com
IBURST
malicious
3248
wscript.exe
194.5.98.46:4132
britianica.uk.com
FR
malicious
1784
rd-plugin.exe
92.38.86.175:1337
ALFA TELECOM s.r.o.
CZ
malicious

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared
britianica.uk.com
  • 194.5.98.46
unknown

Threats

PID
Process
Class
Message
2768
wscript.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
2768
wscript.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2768
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
2768
wscript.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2768
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2768
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
2768
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
2768
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2768
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
2768
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
Process
Message
kl-plugin.exe
SetWindowsHookEx WH_KEYBOARD_LL
kl-plugin.exe
SetWindowsHookEx WH_MOUSE_LL
kl-plugin.exe
11/08/2019 17:30:01>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=842, y=370, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:30:01>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=833, y=372, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:30:01>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=831, y=371, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:30:02>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=833, y=371, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:30:02>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=833, y=367, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:30:02>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=834, y=364, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:30:02>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=835, y=363, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
11/08/2019 17:30:02>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=836, y=363, mouseData=0, flags=0, dwExtraInfo=0
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Scan proof of address.vbs