Evasive VBS with very low VT

Sandbox Breaker - DFIR · Jun 28, 2023

VirusTotal

www.virustotal.com

ed660ae4e1ff7e57c133b6d3d0a72bd41d6058cd2fe827466afd9d1d372fd4b1 | Triage

Check this report malware sample ed660ae4e1ff7e57c133b6d3d0a72bd41d6058cd2fe827466afd9d1d372fd4b1, with a score of 8 out of 10.

tria.ge

Bypassed Check Point TE.

Caught by OpenTip Kaspersky

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

Caught by Intelix

Intelix Portal

intelix.sophos.com

Caught by Intezer

https://analyze.intezer.com/analyses/4e5ac578-17af-4569-bfa8-840d556746fd/genetic-analysis

Bot · Jun 28, 2023

It appears that the file in question has been flagged by multiple security services. It was caught by OpenTip Kaspersky, Intelix, and Intezer. You can find more details about each detection by clicking on the provided links.

Xeno1234 · Jun 28, 2023

Might have bypassed Checkpoint since it emulated the zip file which was packed. Also light work for kaspersky lol

Sandbox Breaker - DFIR · Jun 28, 2023

Xeno1234 said:
Might have bypassed Checkpoint since it emulated the zip file which was packed. Also light work for Kaspersky lol

Its able to emulate still. Maybe @Trident can check. I'm on ChromeOS.

Xeno1234 · Jun 28, 2023

Sandbox Breaker said:
Its able to emulate still.

Even if its in a zip where its packed?

Sandbox Breaker - DFIR · Jun 28, 2023

Yes they use common passwords also to decrypt.

Xeno1234 · Jun 28, 2023

Sandbox Breaker said:
Its able to emulate still. Maybe @Trident can check. I'm on ChromeOS.

I feel like its different since its in a zip - You know how something in a zip may not be picked up by a scanner, but out of the zip it does? It might be like that

Sandbox Breaker - DFIR · Jun 28, 2023

Xeno1234 said:
I feel like its different since its in a zip - You know how something in a zip may not be picked up by a scanner, but out of the zip it does? It might be like that

It pulls the file out of the zip and executes it.

Xeno1234 · Jun 28, 2023

Sandbox Breaker said:
It pulls the file out of the zip and executes it.

By default it doesnt

SeriousHoax · Jun 28, 2023

Caught by ESET LiveGuard:

likeastar20 · Jun 28, 2023

BD GZ Sandbox UI is the best, shame you can't export the report. I took a full screen photo using a chrome/edge extension, but there are still some things missing in the photo because you have to scroll...

screencapture-cloudgz-gravityzone-bitdefender-webservice-HTML-model-SerenityDetonationResults-...png

Xeno1234 · Jun 28, 2023

Sandbox Breaker said:
VirusTotal

VirusTotal

www.virustotal.com

View attachment 276688

ed660ae4e1ff7e57c133b6d3d0a72bd41d6058cd2fe827466afd9d1d372fd4b1 | Triage

Check this report malware sample ed660ae4e1ff7e57c133b6d3d0a72bd41d6058cd2fe827466afd9d1d372fd4b1, with a score of 8 out of 10.

tria.ge

View attachment 276685
Bypassed Check Point TE.
View attachment 276687
Caught by OpenTip Kaspersky

Kaspersky Threat Intelligence Portal

Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses

opentip.kaspersky.com

Caught by Intelix

Intelix Portal

intelix.sophos.com

Caught by Intezer

https://analyze.intezer.com/analyses/4e5ac578-17af-4569-bfa8-840d556746fd/genetic-analysis

Checkpoint ONLY missed it cause it was in a zip. if you extract it and scan its detected with Heuristics

Kongo · Jun 28, 2023

SeriousHoax said:
Caught by ESET LiveGuard:

View attachment 276691

Since when does LiveGuard have such an UI?

Trident · Jun 28, 2023

The sample was blocked by behavioral guard immediately after launch and was deleted.

cruelsister · Jun 28, 2023

Seems that the command server is down (at least for me). But one can redo this vbs downloader as a batch that will give similar joy:

Scriptor:
VirusTotal

With the Powershell command yielding:
VirusTotal

Often one can't gain much insight from VT without running the malware.

Xeno1234 · Jun 28, 2023

Trident said:
The sample was blocked by behavioral guard immediately after launch and was deleted.

View attachment 276694 View attachment 276695 View attachment 276696 View attachment 276697 View attachment 276698 View attachment 276699 View attachment 276700

I wanna see if Threat Emulation does anything, can u try to turn everything off besides threat emulation and see how that goes?

Trident said:
The sample was blocked by behavioral guard immediately after launch and was deleted.

View attachment 276694 View attachment 276695 View attachment 276696 View attachment 276697 View attachment 276698 View attachment 276699 View attachment 276700

I also scanned it and was detected with Heursitics

Shadowra · Jun 28, 2023

Detected by Harmony with Kaspersky : HEUR:Trojan-Downloader.Script.Generic

Sandbox Breaker - DFIR · Jun 28, 2023

Shadowra said:
Detected by Harmony with Kaspersky : HEUR:Trojan-Downloader.Script.Generic

View attachment 276701 View attachment 276702

Kaspersky PDM module blocked it before. Now they pushed a sig. Sweet.

Trident · Jun 28, 2023

Sandbox Breaker said:
Kaspersky PDM module blocked it before. Now they pushed a sig. Sweet.

They had 7-8 signatures before the file was uploaded, according to opentip.

Sandbox Breaker - DFIR · Jun 28, 2023

At first I only saw PDM sig. Which is their ML.

Evasive VBS with very low VT

Level 12

Attachments

AI Assistant

Level 14

Level 12

Level 14

Level 12

Level 14

Level 12

Level 14

Level 55

Level 9

Level 14

Level 38

From Hawk Eye

Level 43

Level 14

Level 40

Level 12

From Hawk Eye

Level 12

You may also like...