Saturday, February 1, 2014

ApacheBench behind the Encoded VBE file

Recently I received a VBE file from a friend that looks suspicious with its encoded content and request to do quick analysis on it. So, I manage to play around with it and see what's inside.

The file name that I got is s64.vbe (0B826D9869B139B2C5BB139234C08D43) which is an encoded script file content. The size of this file is around 608,904 bytes. The content of the encoded file is shown below:


To decode this file I use scriptDecode.vbs from Jean-Luc Antoine. The output of the decoded file is a VBScript as shown in the picture below:


If we scroll to the bottom of the file we can see this is some kind of Windows binary file that is converted into ASCII format within VBS. The file svchost.exe is the file name use to save into the disk and run it.


Most of antivirus product is already detect this file as malicious:

https://malwr.com/analysis/YzkzNDUxOTlmOTQxNDAxYmEwNjdmNGI4MTk5YjBmYzI/share/1a8cbf4acb5944d1856d04d4e72b8ed7

https://www.virustotal.com/en/file/6b01071c7936d4a1ba1f53b5651db5f604dfe7f5aa3e4ed38d48f6ba66eebd5e/analysis/

The svchost.exe (333ABC2F9864B70F7EF48B049CBA9286) file is a program called ApacheBench command line utility. At first place, this program use to measure performance test of HTTP web servers. Although, the binary file that I got is not correctly run as it not responsive sometimes. It is possible to use this tool as DDOS attack.

~ alternat0r