analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

JVC_27906.vbs

Full analysis: https://app.any.run/tasks/dd586a0f-d344-4c10-b527-a7ecad5abca1
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 06, 2019, 13:22:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
qbot
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

DDB351F2AB548AAF55602EDC6E7E99C7

SHA1:

F20E2B12CEBCDBF32F8AC69EB126B0FA856D36C4

SHA256:

97CA0BED898FFA358398FC585F8A68A31D8D5EDB0F2FCDEBFF7081244BD3FE93

SSDEEP:

49152:K18qle/MYU363OZpGr4iEBSbmNld4hVSsUz/kOQM/pbppteT5GuBmgV/k7AgB3HL:g

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ColorPick.exe (PID: 2872)
      • ColorPick.exe (PID: 2676)
      • ytfovlym.exe (PID: 2768)
      • ytfovlym.exe (PID: 2364)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3952)

    • Downloads executable files with a strange extension

      • WScript.exe (PID: 3952)

    • QBOT was detected

      • ColorPick.exe (PID: 2872)

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3584)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 4020)

  • SUSPICIOUS

    • Application launched itself

      • ColorPick.exe (PID: 2872)
      • ytfovlym.exe (PID: 2768)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3952)
      • ColorPick.exe (PID: 2872)
      • cmd.exe (PID: 3584)

    • Creates files in the user directory

      • ColorPick.exe (PID: 2872)

    • Starts itself from another location

      • ColorPick.exe (PID: 2872)

    • Starts CMD.EXE for commands execution

      • ColorPick.exe (PID: 2872)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • cmd.exe (PID: 3584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start wscript.exe #QBOT colorpick.exe colorpick.exe no specs ytfovlym.exe no specs cmd.exe ping.exe no specs ytfovlym.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
3952"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\JVC_27906.vbs"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2872C:\Users\admin\AppData\Local\Temp\ColorPick.exeC:\Users\admin\AppData\Local\Temp\ColorPick.exe
WScript.exe
User:
admin
Company:
Silicon Integrated Systems Corporation
Integrity Level:
MEDIUM
Description:
TsDfSwCd DLL
Exit code:
0
Version:
8.3.45.6231
2676C:\Users\admin\AppData\Local\Temp\ColorPick.exe /CC:\Users\admin\AppData\Local\Temp\ColorPick.exeColorPick.exe
User:
admin
Company:
Silicon Integrated Systems Corporation
Integrity Level:
MEDIUM
Description:
TsDfSwCd DLL
Exit code:
0
Version:
8.3.45.6231
2768C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeColorPick.exe
User:
admin
Company:
Silicon Integrated Systems Corporation
Integrity Level:
MEDIUM
Description:
TsDfSwCd DLL
Exit code:
0
Version:
8.3.45.6231
3584"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\admin\AppData\Local\Temp\ColorPick.exe"C:\Windows\System32\cmd.exe
ColorPick.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2432ping.exe -n 6 127.0.0.1 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2364C:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exe /CC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeytfovlym.exe
User:
admin
Company:
Silicon Integrated Systems Corporation
Integrity Level:
MEDIUM
Description:
TsDfSwCd DLL
Exit code:
0
Version:
8.3.45.6231
4020C:\Windows\explorer.exeC:\Windows\explorer.exe
ytfovlym.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
125
Read events
120
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2872ColorPick.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.exeexecutable
MD5:956A826D04DBAFF81A80D6E1B0079BDE
SHA256:B281FCD63A286C349AC77B4D963E2DA86BCBC997BA12CC11281D2FB4D13B308B
3952WScript.exeC:\Users\admin\AppData\Local\Temp\ColorPick.exeexecutable
MD5:956A826D04DBAFF81A80D6E1B0079BDE
SHA256:B281FCD63A286C349AC77B4D963E2DA86BCBC997BA12CC11281D2FB4D13B308B
2872ColorPick.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:B8B48979BF812FE19A55FDD41A9782D6
SHA256:D52AF4A0AC540E3D5B18B17124696C45AE877457B7B024B7B99D9EBBA966CF2B
4020explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Zulycjadyc\ytfovlym.datbinary
MD5:53C1C98642A3BA557D7353CCE9F27BF3
SHA256:E1C9A9B082F9C137001AD85C9D7F46F51A9939A257A8B5EA73257C3AA678BDC2
3584cmd.exeC:\Users\admin\AppData\Local\Temp\ColorPick.exeexecutable
MD5:60B7C0FEAD45F2066E5B805A91F4F0FC
SHA256:80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3952
WScript.exe
GET
200
145.14.145.217:80
http://northmount-dental-care.000webhostapp.com/wp-content/uploads/2019/12/working/444444444444444444444444444444.png
US
executable
680 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3952
WScript.exe
145.14.145.217:80
northmount-dental-care.000webhostapp.com
Hostinger International Limited
US
shared

DNS requests

Domain
IP
Reputation
northmount-dental-care.000webhostapp.com
  • 145.14.145.217
shared

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
3952
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3952
WScript.exe
A Network Trojan was detected
AV POLICY EXE or DLL in HTTP Image Content Inbound - Likely Malicious
3952
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3952
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
JVC_27906.vbs