Analysis of 1d4a1bc1cf53be8e18789b4c6c351c6f0ee88e14cf4fbde0adc55e0b39010bdc (maldoc)

The samples included in this analysis were obtained from MalwareBazaar. This writeup will look at two different files. The first file is a .vbs file and the second is a .ps1 script that is downloaded by the vbs file.

Summary

This is an analysis of two malicious files that are used to download AsyncRAT. The initial stage is a .vbs script that is delivered via e-mail. When the file is run it reaches out to a sharetext URL to download the second stage which is a powershell file. The powershell script then contains a array of bytes that appear to be a portable executable and uses the C# compiler to run additional code and use installutil.exe to install additional software.

Overall Process Graph

VBS file

The .vbs file is the first payload, which is delivered via e-mail. The file name is 7PAX _Trip Itinerary Details.pdf.vbs. It has the following hashes:

SHA1: 2c45d7c3a5c61fca6ee20a129d5cb9b80cdc1f0d SHA256: 1d4a1bc1cf53be8e18789b4c6c351c6f0ee88e14cf4fbde0adc55e0b39010bdc MD5: 6e4351b0e6632264c05dd58c9e53d607

The file size is 200 KB.

Detections

As of 2021/09/04 15:50 EST, the file was flagged as malicious by 3/57 vendors. The three vendors that were able to flag the file as malicious are

  • Bkav Pro
  • ZoneAlarm by Check Point
  • Symantec

Analysis of File

The file consists of 866 lines. Most of which are commented out. The actual code runs from line 257 to line 288. There is one function RWS which takes in a parameter called keyword.

Analysis of function RWS.

There is a variable called Lang declared in the function and stores the value 87x83x67x80x84x46x115x104x101x108x108. The values stored in Lang are split based on the parameter that is passed to the function. After the split, each value is converted into an interger and then the character representation of that interger value is used to generate a string.

Using Python we were able to determine that the value in Lang stored the string “WSCRIPT.Shell” if the x in the string are removed which is what happens when line 273 is run since RWS is called with the parameter “X”.

Another hardcoded string is stored in a variable called script. This long string contains a repeating varible that is removed on line 270. The command is a powershell script that is run.

In the command the string “DownloadFile” is split up in order to minimize detection.

Powershell is called but the command is split into multiple variables to minimize detection.

The second stage is downloaded using the command:

The 0 means that the WShell window is hidden.

The command uses powershell to download a file called SystemUpdate.PS1 from hxxps://sharetext[.]me/raw/y0cktoco0.
Once the file is downloaded it is run.

Note: a juypter notebook file showing the deobfuscation process is available here

SystemUpdate.PS1

This is the second stage of that is downloaded upon successful execution of the vbs file. The file hashes for the powershell script are:

MD5: 62459ccd2fbacac2dd46653600d01a63
SHA1: 9ca7324059344f4134072e021a48e4c1cd667415
SHA256: a6eca39c1bfa2e285ea50a5de74e1bcb1e56d9f244c7ab3144cce3daf586d5ab

Detections

Analysis of Powershell

IOCs

First stage object — “7PAX _Trip Itinerary Details.pdf.vbs”

SHA-256: 1d4a1bc1cf53be8e18789b4c6c351c6f0ee88e14cf4fbde0adc55e0b39010bdc
SHA-1: 2c45d7c3a5c61fca6ee20a129d5cb9b80cdc1f0d
MD5: 6e4351b0e6632264c05dd58c9e53d607

Downloaded 2nd stage object — “SystemUpdate.ps1”

SHA-256: a6eca39c1bfa2e285ea50a5de74e1bcb1e56d9f244c7ab3144cce3daf586d5ab
SHA-1: 9ca7324059344f4134072e021a48e4c1cd667415
MD5: 62459ccd2fbacac2dd46653600d01a63

Dropped executable file — C:\Users\admin\AppData\Local\Temp\xbws1zru.dll

SHA-256: EBDAEDB61981309A62CF67740384F27DCCEB279983F2D710120395B8F8C7F569

DNS Requests

Domain:
akconsult[.]linkpc[.]net

Network Connections

IPs:
79[.]134[.]225[.]27:6699
67[.]26[.]137[.]254:80

MITRE Att&ck Framework