File name: win11.vbs
Full analysis: https://app.any.run/tasks/9278bd7b-0ed1-47ae-871c-d2549b1a970e
Verdict: Malicious activity
Threats: stealer

Stealers are a category of malware intended to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: January 15, 2022, 00:34:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, diamondfox, stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: 124302B3760B268460B2FB319C44C1B4
SHA1: 7C3F31666EB1290F3FB35B207F294025E75AB3B4
SHA256: AE14E4629AFA528411B3339E7FBB3CC2DE1C14540DDA11774E7BAE5521E1AC65
SSDEEP: 384:He7AO1CbUWdHbUo05S8I5H/2KJC2CSPS:+r4pdHbUo05S8I5H/XC2CSPS

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by the analyst's actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
Behavior signatures (all triggered by WScript.exe, PID 1536):
  • MALICIOUS
    • Writes to a start menu file
    • DIAMONDFOX was detected
    • Changes the autorun value in the registry
    • Connects to CnC server
  • SUSPICIOUS
    • Checks supported languages
    • Reads the computer name
    • Creates files in the user directory
  • INFO
    • Checks Windows Trust Settings
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
Malware configuration: none extracted.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> wscript.exe (#DIAMONDFOX)

Process information

PID: 1536
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\win11.vbs"
Path: C:\Windows\System32\WScript.exe
Indicators: #DIAMONDFOX (see behavior graph)
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385
Loaded modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 546
Read events: 542
Write events: 4
Delete events: 0

Modification events

(PID) Process: (1536) WScript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Operation: write
  Name: win11
  Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\win11.vbs"

(PID) Process: (1536) WScript.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Operation: write
  Name: win11
  Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\win11.vbs"
Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

(PID) Process: (1536) WScript.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win11.vbs
  Type: text
  MD5: 124302B3760B268460B2FB319C44C1B4
  SHA256: AE14E4629AFA528411B3339E7FBB3CC2DE1C14540DDA11774E7BAE5521E1AC65

(PID) Process: (1536) WScript.exe
  Filename: C:\Users\admin\AppData\Roaming\win11.vbs
  Type: text
  MD5: 124302B3760B268460B2FB319C44C1B4
  SHA256: AE14E4629AFA528411B3339E7FBB3CC2DE1C14540DDA11774E7BAE5521E1AC65

Both dropped files carry the same MD5 and SHA256 as the submitted sample: the script writes unmodified copies of itself to the per-user Startup folder and to %APPDATA%, and the two Run values above point at the %APPDATA% copy.
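The registry and file events above are the whole persistence mechanism of this sample: a Run value (written to both HKCU and HKLM) that starts wscript.exe in batch mode (//B, which suppresses script error dialogs and prompts) on a copy of the script under %APPDATA%, plus a second copy in the per-user Startup folder. The following Python script is an added example, not code from the report or from ANY.RUN, that checks Run-key values and a Startup-folder listing for exactly that pattern. The input data is constructed: the two "win11" values and the first Startup path reproduce what the report records, while the OneDrive and SecurityHealth entries are invented benign controls. The function names and the set of script hosts and extensions are this example's own choices.

```python
"""Flag WSH-based autorun persistence like the win11.vbs sample: Run-key values that
launch wscript.exe/cscript.exe in batch (//B) mode on a script stored under a
user-writable path, and script files dropped into the per-user Startup folder."""
import ntpath
import re

# Constructed sample data (not collected from a real host). The two "win11" Run values
# and the first Startup-folder path reproduce what the report above records; the
# remaining entries are benign controls invented for this example.
SAMPLE_RUN_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "win11",
     r'wscript.exe //B "C:\Users\admin\AppData\Roaming\win11.vbs"'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "win11",
     r'wscript.exe //B "C:\Users\admin\AppData\Roaming\win11.vbs"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]
SAMPLE_STARTUP_FILES = [
    r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win11.vbs",
    r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

# Script hosts and extensions this example treats as interesting (assumption, extend as needed).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Locations a standard user can write to: a script launched from here at logon
# needed no privileges to be planted.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.IGNORECASE)
# Windows command-line tokenizer: a double-quoted string is one token, otherwise split on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def analyze_autorun(value: str) -> list[str]:
    """Return the reasons a Run-key value looks like script-host persistence (empty = clean)."""
    tokens = tokenize(value)
    if not tokens:
        return []
    reasons = []
    exe = ntpath.basename(tokens[0]).lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches script host {exe}")
    # WSH batch mode (//B): no error dialogs or prompts, so the user sees nothing if the script fails.
    if any(t.lower() == "//b" for t in tokens[1:]):
        reasons.append("//B batch mode suppresses script errors and prompts")
    for arg in tokens[1:]:
        if arg.lower().endswith(SCRIPT_EXTS):
            reasons.append(f"runs script {arg}")
            if USER_WRITABLE.search(arg):
                reasons.append("script is stored in a user-writable directory")
    return reasons


def scan_run_keys(entries):
    """entries: iterable of (key, value_name, value_data); returns the suspicious ones."""
    hits = []
    for key, name, data in entries:
        reasons = analyze_autorun(data)
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


def scan_startup_folder(paths):
    """Return the script files in a Startup-folder listing."""
    return [p for p in paths if p.lower().endswith(SCRIPT_EXTS)]


if __name__ == "__main__":
    for hit in scan_run_keys(SAMPLE_RUN_VALUES):
        print(f"[autorun] {hit['key']}\\{hit['name']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
    for path in scan_startup_folder(SAMPLE_STARTUP_FILES):
        print(f"[startup] {path}")
```

On a live host the same functions can be fed from `reg query` output or `winreg` for the two Run keys and from a directory listing of the Startup folder; the check deliberately scores the value on several independent signals (script host, //B, script extension, user-writable path) so that a benign Run entry that merely uses wscript.exe does not fire on its own.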
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID   Process      Method  HTTP Code  IP                 URL                                  CN  Reputation
1536  WScript.exe  POST    200        172.67.192.254:80  http://timesync.live/panel/gate.php  US  malicious
1536  WScript.exe  POST    200        172.67.192.254:80  http://timesync.live/panel/gate.php  US  malicious

Connections

PID   Process      IP                 Domain         CN  Reputation
1536  WScript.exe  172.67.192.254:80  timesync.live  US  malicious

DNS requests

Domain         IP                              Reputation
timesync.live  172.67.192.254, 104.21.92.120   malicious

Threats

PID   Process      Class                          Message
1536  WScript.exe  A Network Trojan was detected  ET TROJAN Trojan Generic - POST To gate.php with no referer
1536  WScript.exe  A Network Trojan was detected  ET TROJAN Trojan Generic - POST To gate.php with no referer

4 ETPRO signatures available in the full report
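The two alerts above come from a generic Emerging Threats rule, as its name says: it fires on any HTTP POST to a path ending in gate.php that carries no Referer header, a pattern shared by the check-in of many panel-based families, so by itself it identifies a C2 check-in shape rather than DiamondFox specifically. The Python below is an added example, not code from the report, from ANY.RUN or from the ET ruleset, that re-implements that condition over raw HTTP requests so it can be run against a proxy log or a PCAP export without Suricata. The sample requests are constructed: the first reproduces the shape of the sample's POST to http://timesync.live/panel/gate.php without a Referer (its User-Agent and body are placeholders, not the sample's real check-in), while the other two are controls that should not match. Function names are this example's own.

```python
"""Re-implement the check behind the "POST To gate.php with no referer" alert over raw
HTTP/1.x requests: method POST, request target ending in /gate.php, no Referer header."""
from dataclasses import dataclass, field

# Constructed sample requests (not taken from the report's PCAP). The first reproduces the
# shape of the sample's check-in (POST to http://timesync.live/panel/gate.php, no Referer);
# its User-Agent and body are placeholders. The other two are controls that must not match:
# a POST carrying a Referer, and a plain GET to the same path.
SAMPLE_REQUESTS = [
    (b"POST /panel/gate.php HTTP/1.1\r\n"
     b"Host: timesync.live\r\n"
     b"User-Agent: Mozilla/4.0\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 11\r\n"
     b"\r\n"
     b"id=PLACEHLD"),
    (b"POST /panel/gate.php?ref=1 HTTP/1.1\r\n"
     b"Host: www.example.com\r\n"
     b"Referer: http://www.example.com/panel/login.php\r\n"
     b"Content-Length: 0\r\n"
     b"\r\n"),
    (b"GET /panel/gate.php HTTP/1.1\r\n"
     b"Host: timesync.live\r\n"
     b"\r\n"),
]


@dataclass
class HttpRequest:
    method: str
    target: str
    host: str
    headers: dict = field(default_factory=dict)  # header names lower-cased

    @property
    def path(self) -> str:
        """Request target without the query string."""
        return self.target.split("?", 1)[0]


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of one raw HTTP/1.x request (body is ignored)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.upper(), target, headers.get("host", ""), headers)


def is_gate_php_post_without_referer(req: HttpRequest) -> bool:
    """The condition mirrored from the ET rule fired above: a POST whose path ends in
    /gate.php and that carries no Referer header at all. An empty Referer value still
    counts as a present header and therefore does not match."""
    return (req.method == "POST"
            and req.path.lower().endswith("/gate.php")
            and "referer" not in req.headers)


def alerts(raw_requests) -> list:
    """Return (host, path) for every request matching the signature, in input order."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        if is_gate_php_post_without_referer(req):
            out.append((req.host, req.path))
    return out


if __name__ == "__main__":
    for host, path in alerts(SAMPLE_REQUESTS):
        print(f"ALERT: POST to {host}{path} with no Referer")
```

The match here is on the request target only; Host, destination IP and port (80/TCP, cleartext, in this run) are carried along for triage but deliberately not part of the condition, so the check stays as generic as the original rule. Pair a hit with the DNS resolution and the process that made the request (WScript.exe here) before treating it as confirmed C2 traffic.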
No debug info