04894_003_0_vbs_2019-07-16_14_30.txt

Sep 4th, 2019
1,544
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.20 KB | None | 0 0
  1.  
  2. * MalFamily: "Sonbokli"
  3.  
  4. * MalScore: 2.05
  5.  
  6. * File Name: "04894_003_0.vbs"
  7. * File Size: 9154
  8. * File Type: "ASCII text, with very long lines, with CRLF line terminators"
  9. * SHA256: "db53cfb82d7f8965a3a5bfe99ba1a5b4363a9605835cebacc9bbd04778098078"
  10. * MD5: "998ce3c4ccb65f680cc90a24e7e40a72"
  11. * SHA1: "24255a2a9db792c1875419623351845edf938cdc"
  12. * SHA512: "8399062d3b85c474ed43d6aba9e344dae123f65cf95ec47b958f9b400cf0e7bb4f3cdcb31cb368ad0b72a4bf97c44583023fbaa27781712e808fe2b30d7e608e"
  13. * CRC32: "E688F201"
  14. * SSDEEP: "192:RtkD41ZLHSY14NYQSJyp+9CA/sE95G0PuCXWYa+ew2mtXuwl9OFN/ekq3Tk9uE+p:R241dyUb2+9CUp5zuunTew+wl9C/q3aU"
  15.  
  16. * Process Execution:
  17. "wscript.exe",
  18. "ipKGT.exe"
  19.  
  20.  
  21. * Executed Commands:
  22. "C:\\Users\\user\\AppData\\Local\\Temp\\ipKGT.exe"
  23.  
  24.  
  25. * Signatures Detected:
  26.  
  27. "Description": "Attempts to connect to a dead IP:Port (1 unique time)",
  28. "Details":
  29.  
  30. "IP": "67.23.226.159:80"
  31.  
  32.  
  33.  
  34.  
  35. "Description": "File has been identified by 5 Antiviruses on VirusTotal as malicious",
  36. "Details":
  37.  
  38. "Symantec": "CL.Downloader"
  39.  
  40.  
  41. "Microsoft": "Trojan:VBS/Sonbokli.A!cl"
  42.  
  43.  
  44. "Rising": "Trojan.Obfus/VBS!1.B96F (CLASSIC)"
  45.  
  46.  
  47. "Fortinet": "VBS/Agent.RPQ!tr.dldr"
  48.  
  49.  
  50. "Qihoo-360": "virus.vbs.qexvmc.1100"
  51.  
  52.  
  53.  
  54.  
  55. "Description": "Performs some HTTP requests",
  56. "Details":
  57.  
  58. "url": "http://dnaofexcellence.org/dna_excel.php"
  59.  
  60.  
  61.  
  62.  
  63. "Description": "Drops a binary and executes it",
  64. "Details":
  65.  
  66. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\ipKGT.exe"
  67.  
  68.  
  69.  
  70.  
  71.  
  72. * Started Service:
  73.  
  74. * Mutexes:
  75.  
  76. * Modified Files:
  77. "C:\\Users\\user\\AppData\\Local\\Temp\\ipKGT.exe",
  78. "C:\\ProgramData\\\\xd0\\xbe\\xd0\\xbb\\xd0\\xbf\\xd1\\x80\\xd0\\xbe\\xd0\\xbb\\xd0\\xbf\\xd0\\xbe\\xd1\\x80\\xd1\\x82\\xd0\\xb4\\xd1\\x8b\\xd0\\xb2\\xd1\\x86.exe"  (file name is shown as escaped UTF-8 bytes; it appears to decode to the Cyrillic name C:\ProgramData\олпролпортдывц.exe — confirm against the raw sandbox output before using it as an indicator)
  79.  
  80.  
  81. * Deleted Files:
  82.  
  83. * Modified Registry Keys:
  84.  
  85. * Deleted Registry Keys:
  86.  
  87. * DNS Communications:
  88.  
  89. "type": "A",
  90. "request": "dnaofexcellence.org",
  91. "answers":
  92.  
  93. "data": "67.23.226.159",
  94. "type": "A"
  95.  
  96.  
  97.  
  98.  
  99.  
  100. * Domains:
  101.  
  102. "ip": "67.23.226.159",
  103. "domain": "dnaofexcellence.org"
  104.  
  105.  
  106.  
  107. * Network Communication - ICMP:
  108.  
  109. * Network Communication - HTTP:
  110.  
  111. "count": 1,
  112. "body": "",
  113. "uri": "http://dnaofexcellence.org/dna_excel.php",
  114. "user-agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)",
  115. "method": "GET",
  116. "host": "dnaofexcellence.org",
  117. "version": "1.1",
  118. "path": "/dna_excel.php",
  119. "data": "GET /dna_excel.php HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\nHost: dnaofexcellence.org\r\n\r\n",
  120. "port": 80
  121.  
  122.  
  123.  
  124. * Network Communication - SMTP:
  125.  
  126. * Network Communication - Hosts:
  127.  
  128. * Network Communication - IRC: