New VBS Downloader variant observed

Update February 11, 2021:

This appears to be a Danabot downloader. I ran across the following sample:
https://www.virustotal.com/gui/file/d2d729f364e3232e22746fd6520caefff465e2ae605e6429205793db37088a27/detection
After grabbing the downloaded executable from the link in the VBS, I ran it through a sandbox.
https://app.any.run/tasks/1cc898a5-c0b1-413f-86b1-3dedd259c191/
Today I saw another one; here is that sandbox run:
https://app.any.run/tasks/8173f683-8629-405a-b074-c3d1a44e04db

Quick post on this: I've run across a variant of a VBS downloader that does not appear to have a lot of detection, and I can only find a few other similar samples. There appear to be junk comments to throw off analysis and AV detection, but otherwise it's fairly easy to follow. Here is a screenshot:

As you can see, this downloads another file, which appears to be placed in "programdata" and registered using regsvr32. The couple of samples I've worked with do not pull down the file. However, there are a couple of samples I've found via VirusTotal Hunting which are similar.

One string I looked at was "a.setOption 2,13056:" which leads to the following related pages:

https://www.virustotal.com/gui/file/cd58b53b47bb1055315702e8ead6d185e9e6817164a2fbd4b8789262ba7556d8/detection
https://www.virustotal.com/gui/file/89c5fb43ce166f9087d5c6c8f86d89ec155ffb2812b077e2badb53265db6eca4/detection
These suggest a tool called MSHTA-VBS-download-and-execute uses this string. They may not be related; if they are, it may be more of an inspiration than anything.

Another sample, which has some comments and relations to a downloaded DLL, is as follows:
https://www.virustotal.com/gui/file/e96690d200a9807552c99c62f2a6c2eb91d7f69cc60120f0cf2c6d78c75861b7/detection

And the downloaded DLL is https://www.virustotal.com/gui/file/7d9116a0502fff49ea1903d78ad0e08b71e8e6a6e21be80b278ce7762e1d04e1/detection

I'm definitely still looking for some answers to what this is. I'll keep digging, but if someone runs across this and knows, please let me know.

EDR Detection:
Process Path containing RegSvr32.exe and a Process CommandLine of "programdata"
There are potentially a couple of false positives.
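As an added example (not code from the post), here is the EDR logic above run over a few constructed process-creation events in Python, with a triage field that separates a DLL dropped directly under ProgramData from one in a vendor subfolder; that root-versus-subfolder split is my own assumption for narrowing the false positives, not something the post states.

```python
import re

# Constructed sample process-creation events, not taken from the post's sandbox runs.
# Each mimics the fields an EDR exposes: process image path and full command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\ProgramData\xq7.dll"},
    {"host": "ws02", "image": r"C:\Windows\SysWOW64\RegSvr32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\RegSvr32.exe" /s "C:\ProgramData\Vendor\Setup\helper.dll"'},
    {"host": "ws03", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\App\app.dll"'},
    {"host": "ws04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\ProgramData"},
]

# Process path ends in regsvr32.exe (any casing, either directory separator).
IMAGE_RE = re.compile(r"(^|[\\/])regsvr32\.exe$", re.IGNORECASE)
# Command line contains "programdata" anywhere, matching the post's rule loosely.
PROGRAMDATA_RE = re.compile(r"programdata", re.IGNORECASE)
# Split a Windows command line into quoted or whitespace-separated arguments.
ARG_RE = re.compile(r'"([^"]+)"|(\S+)')


def matches_rule(event):
    """The post's EDR logic: image is regsvr32.exe AND command line mentions programdata."""
    return bool(IMAGE_RE.search(event["image"]) and PROGRAMDATA_RE.search(event["cmdline"]))


def registered_dll(cmdline):
    """Return the DLL path handed to regsvr32: the last argument that is not a /switch."""
    args = [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]
    targets = [a for a in args[1:] if not a.startswith("/")]
    return targets[-1] if targets else None


def dll_in_programdata_root(path):
    """Assumption for triage: a DLL directly under ProgramData (no vendor subfolder)."""
    parts = path.replace("/", "\\").split("\\")
    return len(parts) >= 2 and parts[-2].lower() == "programdata"


def run_detection(events):
    """Apply the rule and attach the registered DLL plus the root-folder triage flag."""
    hits = []
    for event in events:
        if not matches_rule(event):
            continue
        dll = registered_dll(event["cmdline"])
        hits.append({"host": event["host"], "dll": dll,
                     "in_programdata_root": bool(dll and dll_in_programdata_root(dll))})
    return hits
```

Run against the sample events, ws01 and ws02 match the rule; only ws01 carries the root-folder flag, which is the one an analyst would look at first.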

YARA: vbs_downloader_jan2021.yar
