New VBS Downloader variant observed

New VBS Downloader variant observed

January 24, 2021

Update February 11, 2021:

This appears to be a Danabot downloader. I ran across the following sample:
https://www.virustotal.com/gui/file/d2d729f364e3232e22746fd6520caefff465e2ae605e6429205793db37088a27/detection
After grabbing the downloaded executable from the link in the VBS, I ran it through a sandbox.
https://app.any.run/tasks/1cc898a5-c0b1-413f-86b1-3dedd259c191/
Today I saw another one a here is that sandbox run:
https://app.any.run/tasks/8173f683-8629-405a-b074-c3d1a44e04db

Quick post on this, I've run across a variant of a VBS downloader that does not appear to have a lot of detection and can only find a few other similar samples. There appears to be junk comments to throw off analysis and AV detection, but otherwise its fairly easy to follow. Here is a screenshot:

As you can see this downloads another file, which appears to be placed in "programdata" and registered using regsvr32. The couple samples I've worked with do not pull down the file. However there are a couple samples I've found via VirusTotal Hunting which are similar.

One string I looked at was "a.setOption 2,13056:" which leads to the following related pages:

https://www.virustotal.com/gui/file/cd58b53b47bb1055315702e8ead6d185e9e6817164a2fbd4b8789262ba7556d8/detection
https://www.virustotal.com/gui/file/89c5fb43ce166f9087d5c6c8f86d89ec155ffb2812b077e2badb53265db6eca4/detection
These suggest a tool called MSHTA-VBS-download-and-execute use this string, the may not be related, if it is, it may be more of an inspiration than anything.

Another sample, which has some comments and relations to a downloaded DLL is as follows:
https://www.virustotal.com/gui/file/e96690d200a9807552c99c62f2a6c2eb91d7f69cc60120f0cf2c6d78c75861b7/detection

And the downloaded DLL is https://www.virustotal.com/gui/file/7d9116a0502fff49ea1903d78ad0e08b71e8e6a6e21be80b278ce7762e1d04e1/detection

I'm definitely still looking for some answers to what this is, I'll keep digging, but if someone runs across this and knows, please let me know.

EDR Detection:
Process Path containing RegSvr32.exe and a Process CommandLine of "programdata"
There are potentially a couple false positives.

YARA:vbs_downloader_jan2021.yar

Comments

Post a Comment

Pages

Home

Privacy Policy

Popular Posts

New HydraSeven malware loader found in the wild

Updated Nov 22, 2023 Updated notes are at the bottom of the page. Hello World! I am investigating a new malware loader and calling this unknown loader Hydra Seven . Here are some of the details. Over the past several weeks there has been some limited chatter about an interesting suspicious PDF software (pdfconverters.exe, pdfunk.exe). The first details I've run across with this were found on this twitter post https://twitter.com/neonprimetime/status/1711510658959749324 . The initial analysis suggests the malware may be related to redline through some heuristic detections from a couple security vendors. This is possible, though I haven't been able to verify Redline yet, I'm still working on it. I started digging a bit into the pdfconverters.exe, which leads to a download and install of AppData\Local\Temp\PDFunk-Setup.exe then ultiamtely AppData\Local\Programs\PDFunk\PDFunk.exe. Traffic when running PDFunk.exe shows a User-Agent that includes "P

New Solarmarker Variant October 2023

Squiblydoo came across a new variant of solarmarker malware and posted the finidings here: https://twitter.com/SquiblydooBlog/status/1717464614403735562 Unfortunately this new version no longer works with my extractor tool found here: https://github.com/securitymagic/tools/blob/main/extractsmdll.py However, RussianPanda posted a new tool which can be used after the Inno Package is extracted. A quick analysis suggests that the new dropper uses Inno Setup, some quick tools can pull some of the data, including a few of the powershell commands seen below. innounp -x -m .\Appendix-C-Acceptance-of-Acknowledgement-of-Policies-and.exe strings .\CompiledCode.bin WIN-VUA6POUV5UP 0CC47AC83803 JOHN-PC FkLmng TNewEdit Cancel {tmp} .pdf {tmp}\budget_fy2024.pdf \..\ \budget_fy2024.pdf open {tmp}\data.dat pSDubTWyjzdAhmBNLtROxasMKfJUPQVv iex([Text.Encoding]::UTF8.GetString((({$F=[IO.File]::ReadAllBytes($args[0]);(rm $args[0]);return $F}.invoke('

What is canonicalizer.ucsuri.tcs?

Recently I have observed a few hosts which were attempting to POST data to this domain, albeit, unsuccessfully as this is not a valid domain. Everything about the data in the PCAP suggests Microsoft SmartScreen, such as the user agent and even the decoded hex in the HTTP request header: For example: 252F680074007400700073003a002f002f00700069006e0067002e002e0063006800650063006b0061007000700065007800650063002e006d006900630072006f0073006f00660074002e0063006f006d002f00770069006e0064006f00770073002f007300680065006c006c002f0061006300740069006f006e007300 Translates to https://ping..checkappexec.microsoft.com/windows/shell/actions Upon further investigation, I found that several hosts were attempting to query and unsuccessfully resolve this domain. So I did some digging and the results for this ranged wildly: A Patent for reputation based software patentimages.storage.googleapis.com/pdfs/US8695092.pdf A suggestion that this is part of a Canon printer https://translate.google.co

Powered by Blogger