Will add better photos in the comments!

A client of mine received an spoofed email from their domain. It was a
script with visual basic source code.

Maybe someone here can explain what the script does?

Client didn't opened the file!

Wow, that compression

first

second

third

Just seeing those strings I think it'll try zo download and execute some payload and spam your computer with ads + sound

Found a lot of other files on the server. Tried to gain access to the server, but don't have the knowledge.

Maybe someone can have fun and keep me updated with what methods used.

http://169.239.129.25/content

@hypervtechnics thanks! :)

All i saw is a lot of semen 😂

But in all seriousness, i also kind of agree with @hypervtechnics. The OMEGA string looks like its carefully disected code to stop anti-virus from going off probably, that if you read in reverse, makes more sense.

@iKameo probably done to stop AV from firing off. AVs get real trippy if the word "cmd" is all together in one word, especially a script

Could you upload it to a paste.bin?

@hypervtechnics im not at the computer right now, this is the link to the script @hypervtechnics" style="color: #54556e;">http://169.239.129.25/content/...

@SaltStack I wont access this server ;)

@hypervtechnics if you help me reminding I'll upload it tomorrow!

Yeah. Just looks like noise and display stuff.

It does also look at one of the special folders (documents, music, movies etc) so it could well be trying to do something to the contents of those.

I’d recommend spinning up a VM and running it just to see what mischief it gets up to.

So it sets up a stream object (ADO), but I don’t quite get if it is for backdoor access or just to fetch something. Judging by the script writing, it may be some kind of ukranian / russian adware / malware.

Found this https://pastebin.com/V1iWeh1E

Maybe related (look for pipitr6)

Labeled as Troyan.Downloader.VBS

https://hybrid-analysis.com/sample/...

This is not obfuscation.
This is deliberately nasty looking code.
At the beginning i thought the hacker was maybe trying to bypass some sanitazation process, because after-all im unsure what environment runs this code.

But later on i saw plain arithmetic stupidities and got convinced it was deliberately written this way.

Also funny how he forgot to remove his debugging and logs comments 😂

@SaltStack it makes coffee...

@-ANGRY-CLIENT- I can't do vb 😅

@linuxxx But still 😆.
It's still an interesting topic. Isn't it?

I'll look at that later.

@hypervtechnics fuck. I totally forgot about it. First thing tomorrow to do!

Sorry, but I don't do analysis work for free.