paladin316

04894_003_0_vbs_2019-07-16_17_30.txt

Sep 4th, 2019
  1.  
  2. * MalFamily: "" (no family attributed by the sandbox; the AV labels further down are generic "downloader" / "obfuscated VBS" names, not a family name)
  3.  
  4. * MalScore: 1.8
  5.  
  6. * File Name: "04894_003_0.vbs"
  7. * File Size: 9154
  8. * File Type: "ASCII text, with very long lines, with CRLF line terminators"
  9. * SHA256: "db53cfb82d7f8965a3a5bfe99ba1a5b4363a9605835cebacc9bbd04778098078"
  10. * MD5: "998ce3c4ccb65f680cc90a24e7e40a72"
  11. * SHA1: "24255a2a9db792c1875419623351845edf938cdc"
  12. * SHA512: "8399062d3b85c474ed43d6aba9e344dae123f65cf95ec47b958f9b400cf0e7bb4f3cdcb31cb368ad0b72a4bf97c44583023fbaa27781712e808fe2b30d7e608e"
  13. * CRC32: "E688F201"
  14. * SSDEEP: "192:RtkD41ZLHSY14NYQSJyp+9CA/sE95G0PuCXWYa+ew2mtXuwl9OFN/ekq3Tk9uE+p:R241dyUb2+9CUp5zuunTew+wl9C/q3aU"
  15.  
  16. * Process Execution:
  17. "wscript.exe",
  18. "ipKGT.exe"
  19.  
  20.  
  21. * Executed Commands:
  22. "C:\\Users\\user\\AppData\\Local\\Temp\\ipKGT.exe"
  23.  
  24.  
  25. * Signatures Detected:
  26.  
  27. "Description": "Attempts to connect to a dead IP:Port (1 unique host). The flagged IP is the A record the sandbox resolved for domeara.com (see DNS Communications) and the same host targeted by the HTTP GET below, so the download server appears to have been unresponsive during detonation; what ipKGT.exe contained cannot be confirmed from this report alone.",
  28. "Details":
  29.  
  30. "IP": "67.23.226.159:80"
  31.  
  32.  
  33.  
  34.  
  35. "Description": "File has been identified by 4 Antiviruses on VirusTotal as malicious (at the time of this scan; VirusTotal detection counts change over time, so re-check by SHA256 before relying on the number). Symantec and Fortinet both classify it as a downloader, which matches the drop-and-execute behaviour observed in the sandbox.",
  36. "Details":
  37.  
  38. "Symantec": "CL.Downloader"
  39.  
  40.  
  41. "Rising": "Trojan.Obfus/VBS!1.B96F (CLASSIC)"
  42.  
  43.  
  44. "Fortinet": "VBS/Agent.RPQ!tr.dldr"
  45.  
  46.  
  47. "Qihoo-360": "virus.vbs.qexvmc.1100"
  48.  
  49.  
  50.  
  51.  
  52. "Description": "Performs some HTTP requests (one plain-HTTP GET to http://domeara.com/erator.php with an empty body; the User-Agent recorded in the HTTP section is the default string of the WinHttp.WinHttpRequest COM object, a useful proxy-log pivot for script-driven downloads)",
  53. "Details":
  54.  
  55. "url": "http://domeara.com/erator.php"
  56.  
  57.  
  58.  
  59.  
  60. "Description": "Drops a binary and executes it (writes ipKGT.exe to %TEMP% and launches it, matching the Executed Commands entry above; a second file under C:\\ProgramData is also written — see Modified Files — but no execution of that second file is recorded here)",
  61. "Details":
  62.  
  63. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\ipKGT.exe"
  64.  
  65.  
  66.  
  67.  
  68.  
  69. * Started Service:
  70.  
  71. * Mutexes:
  72.  
  73. * Modified Files:
  74. "C:\\Users\\user\\AppData\\Local\\Temp\\ipKGT.exe",
  75. "C:\\ProgramData\\\\xd0\\xbe\\xd0\\xbb\\xd0\\xbf\\xd1\\x80\\xd0\\xbe\\xd0\\xbb\\xd0\\xbf\\xd0\\xbe\\xd1\\x80\\xd1\\x82\\xd0\\xb4\\xd1\\x8b\\xd0\\xb2\\xd1\\x86.exe"
  76.  
  77.  
  78. * Deleted Files:
  79.  
  80. * Modified Registry Keys:
  81.  
  82. * Deleted Registry Keys:
  83.  
  84. * DNS Communications:
  85.  
  86. "type": "A",
  87. "request": "domeara.com",
  88. "answers":
  89.  
  90. "data": "67.23.226.159",
  91. "type": "A"
  92.  
  93.  
  94.  
  95.  
  96.  
  97. * Domains:
  98.  
  99. "ip": "67.23.226.159",
  100. "domain": "domeara.com"
  101.  
  102.  
  103.  
  104. * Network Communication - ICMP:
  105.  
  106. * Network Communication - HTTP:
  107.  
  108. "count": 1,
  109. "body": "",
  110. "uri": "http://domeara.com/erator.php",
  111. "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
  112. "method": "GET",
  113. "host": "domeara.com",
  114. "version": "1.1",
  115. "path": "/erator.php",
  116. "data": "GET /erator.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: domeara.com\r\n\r\n",
  117. "port": 80
  118.  
  119.  
  120.  
  121. * Network Communication - SMTP:
  122.  
  123. * Network Communication - Hosts:
  124.  
  125. * Network Communication - IRC: