Felipe osorio 0 Posted December 26, 2023
Hi! I hope you are doing well. We have the following alert generated for the path C:\Windows\Temp\q.vbs; attached is an image. The issue now is that the antivirus product (ESET Endpoint Antivirus) appears to block this path because it detects the Trojan, and it does not allow the execution of an Excel file with macros. I have attached an image of the error that appears. Text in English from the Excel error:
Script: C:\Windows\Temp\q.vbs
Line: 5
Character: 1
Error: This script contains malicious elements, and the antivirus software has blocked it: 'Send'
Code: 800A802D
Source: Microsoft VBScript Runtime Error
itman 1,789 Posted December 26, 2023
Is q.vbs a legitimate script you created? If so, why is it running from the C:\Windows\Temp directory?
Marcos (Administrator) 5,407 Posted December 26, 2023
Are you positive that the heavily obfuscated script is legitimate?
Marcos (Administrator) 5,407 Posted December 26, 2023
I've analyzed the script, and at the final stage it downloads malware detected by ESET as Win32/Rescoms.B trojan. Please provide the Excel file with the macro in an archive encrypted with the password "infected" so we can make sure that the macro is detected prior to execution.
itman 1,789 Posted December 26, 2023 (edited)
16 minutes ago, Marcos said: "Are you positive that the heavily obfuscated script is legitimate?"
My vote is that it's malicious, since it's running PowerShell hidden in bypass mode.
Edited December 26, 2023 by itman
Felipe osorio 0 Posted December 26, 2023 (Author)
Greetings! Here is the file compressed as you asked. And regarding itman's question, the computer where this alert was found belongs to a client who has told me that it appears that the Excel being used is cracked, but we do not have further information on this matter.
Attachment: RENTA 2022.rar
Marcos (Administrator) 5,407 Posted December 26, 2023
The Excel file doesn't seem to contain a macro. Couldn't it be that it was detected and removed by ESET?
itman 1,789 Posted December 26, 2023
25 minutes ago, Felipe osorio said: "the computer where this alert was found belongs to a client who has told me that it appears that the Excel being used is cracked"
Assumed here is that it's a cracked version of MS Office. The computer needs to be thoroughly examined, since the crack has obviously made system modifications. It goes without saying that the cracked software needs to be removed.
itman 1,789 Posted December 26, 2023
11 minutes ago, Marcos said: "The Excel file doesn't seem to contain a macro"
Macros can be hidden: https://smallbusiness.chron.com/estimate-cash-flow-project-65327.html
Marcos (Administrator) 5,407 Posted December 27, 2023
8 hours ago, itman said: "Macros can be hidden: https://smallbusiness.chron.com/estimate-cash-flow-project-65327.html"
I assume the file would still contain vbaproject.bin inside, but this was missing in the above xlsx file. I'll pass it to our researchers for a check, though.
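The check Marcos describes (whether an .xlsx/.xlsm package carries a vbaProject.bin part) can be reproduced offline, because an OOXML document is a zip container whose parts are declared in [Content_Types].xml. The Python below is an added example written for this thread; it is not code from ESET or from any of the posters. It also goes one step beyond the thread's point by looking for Excel 4.0 (XLM) macro sheets under xl/macrosheets/, which are the other way a workbook can carry hidden macro code without any vbaProject.bin. The sample workbooks it builds are constructed inline for the demo and are not real Excel files; the labels "clean sample", "vba sample" and "xlm sample" are assumptions.

```python
import io
import re
import sys
import zipfile

# Part name Office uses for a VBA project inside an OOXML package (xl/, word/, ppt/ ...).
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Excel 4.0 (XLM) macro sheets are stored as separate sheet parts, not in vbaProject.bin.
XLM_PREFIX = "xl/macrosheets/"


def inspect_ooxml(data: bytes) -> dict:
    """Report macro indicators for an Office file given as bytes.

    is_ooxml   : bytes are a zip package containing [Content_Types].xml
    vba_parts  : member names that look like a VBA project (vbaProject.bin)
    vba_ct     : [Content_Types].xml declares the VBA project content type
    xlm_parts  : Excel 4.0 macro sheet parts under xl/macrosheets/
    has_macros : any of the indicators above fired
    """
    result = {"is_ooxml": False, "vba_parts": [], "vba_ct": False,
              "xlm_parts": [], "has_macros": False}
    # Legacy .xls/.doc are OLE compound files (D0 CF 11 E0), not zips; they need an
    # OLE parser (e.g. oletools' olevba), so this check deliberately reports nothing.
    if not data.startswith(b"PK\x03\x04"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result  # a zip, but not an Office package
            result["is_ooxml"] = True
            result["vba_parts"] = [n for n in names if VBA_PART_RE.search(n)]
            result["xlm_parts"] = [n for n in names if n.lower().startswith(XLM_PREFIX)]
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["vba_ct"] = VBA_CONTENT_TYPE in ct_xml
    except zipfile.BadZipFile:
        return result
    result["has_macros"] = bool(result["vba_parts"] or result["xlm_parts"]) or result["vba_ct"]
    return result


def inspect_file(path: str) -> dict:
    """Convenience wrapper: inspect a file on disk."""
    with open(path, "rb") as fh:
        return inspect_ooxml(fh.read())


def build_sample(vba: bool = False, xlm: bool = False) -> bytes:
    """Constructed minimal workbook package for the demo; not a real Excel file."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    if vba:
        overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    if xlm:
        overrides.append('<Override PartName="/xl/macrosheets/sheet1.xml" '
                         'ContentType="application/vnd.ms-excel.macrosheet+xml"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)  # OLE header stub
        if xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<xm:macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, inspect_file(p))
    else:
        for label, blob in (("clean sample", build_sample()),
                            ("vba sample", build_sample(vba=True)),
                            ("xlm sample", build_sample(xlm=True))):
            print(label, inspect_ooxml(blob))
```

Run it with one or more file paths to inspect real documents, or with no arguments to see the three constructed samples. A result of has_macros False on a workbook that was already implicated in the q.vbs chain is exactly the situation in the thread: it tells you only that the package no longer carries a VBA or XLM part, not whether one was ever there, so the next place to look is the endpoint's detection log and quarantine. Note that a .xlsx extension with a vbaProject.bin inside is itself worth flagging, since Excel does not save VBA into that format.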
Nightowl (Most Valued Member) 206 Posted December 27, 2023 (edited)
It is indeed a virus, and its location (WINDOWS\TEMP) indicates it even more, and the file name is weirder still; I doubt any of your colleagues have to work on a file named q.vbs and store it in TEMP.
Remove that file after you send it to ESET, inform the place it came from that they are sending malicious files, and if there is no response or action from their side, block them.
If your client doesn't use macros inside Word or Excel files, it's recommended to disable them by default, even from trusted locations.
Edited December 27, 2023 by Nightowl