{
	"id": "92817795-9f3a-4dab-b209-cfa8d71d09c6",
	"created_at": "2026-04-06T00:14:45.400847Z",
	"updated_at": "2026-04-10T03:21:17.639851Z",
	"deleted_at": null,
	"sha1_hash": "bf2c57875c44650b367b050f39b3ed2af24908de",
	"title": "Having fun with an Ursnif VBS dropper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2587847,
	"plain_text": "Having fun with an Ursnif VBS dropper\r\nBy Robert Giczewski\r\nPublished: 2020-11-27 · Archived: 2026-04-05 22:37:03 UTC\r\nI recently stumbled across an interesting sample that was delivered as part of an encrypted zip archive via a Google-Drive link. The password for the archive was sent by email together with the Google-Drive link. Since the sample runs only partially in some sandboxes and does not even start in others, I took a closer look at it.\r\nThe sample can be found on VirusTotal and there are still only ten detections so far (even though it has been on VT for two months now).\r\nfd490c7b728af08052cf4876c1fc8c6e290bde368b6343492d60fc9d8364a7e5 - aPsYyn8Rw2Xf.vbs\r\nLooking at the file extension, you could already guess it’s a Visual Basic Script file, which however appears unusually large. Given the size, the actual payload is most probably hidden somewhere in the VBS file, so let’s have a look inside.\r\nDeobfuscation\r\nScrolling through the file we see lots of useless comments, some array definitions, some constant definitions and a for loop.\r\nhttps://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html\r\nPage 1 of 7\r\nTo get rid of all the useless code, I wrote a quick’n’dirty Python tool to remove all the junk code and convert the remaining code to Python for easier analysis. Since the constant and array definitions are mixed up in the code, we have to restructure them. I moved all const definitions to the beginning, followed by the array definitions, the function calls and everything else at the end.\r\nf = open(\"aPsYyn8Rw2Xf.vbs\", \"r\")\r\nconst_lines = []\r\narray_lines = []\r\nexecute_lines = []\r\nloop_lines = []\r\neverything_else = []\r\nfor line in f:\r\n    # skip VBS comment lines (starting with ' or REM)\r\n    if not (line.startswith(\"'\") or line.startswith(\"REM\")):\r\n        if \"const\" in line:\r\n            # drop the const keyword and all whitespace -> plain Python assignment\r\n            const_lines.append(line.replace(\"const\", \"\").replace(\"\\n\", \"\").replace(\" \", \"\"))\r\n        elif \"Array(\" in line:\r\n            # VBS Array(...) becomes a Python list literal [...]\r\n            array_lines.append(line.replace(\"Array(\", \"[\").replace(\")\", \"]\").replace(\"\\n\", \"\").strip())\r\n        elif \"Execute\" in line:\r\n            # print the decoded string instead of executing it\r\n            execute_lines.append(line.replace(\"Execute\", \"print\").replace(\"\\n\", \"\").strip())\r\n        elif line.startswith(\"for\"):\r\n            loop_lines.append(line.replace(\"\\n\", \"\").strip())\r\n        else:\r\n            everything_else.append(line.replace(\"\\n\", \"\"))\r\nfor item in const_lines:\r\n    print(item)\r\nfor item in array_lines:\r\n    print(item)\r\nfor item in execute_lines:\r\n    print(item)\r\nfor item in loop_lines:\r\n    print(item)\r\nfor item in everything_else:\r\n    if len(item) > 0:\r\n        print(item)\r\nAfter running the Python script, we get new, cleaned-up code which is almost runnable in Python.\r\nAt the end we can spot a function kuHKE() which is called several times and takes an array as an argument. This is most probably the function used for decoding all the arrays. Another thing to mention here are the function calls at the end of the cleaned code. Those will be relevant later when we have the final deobfuscated code.\r\nSo let’s rewrite the kuHKE() function in Python and remove the function calls at the end.\r\ndef kuHKE(EUnWxs):\r\n    result = \"\"\r\n    for Mali842 in EUnWxs:\r\n        # (26 + 30) - ((17 - 1) + 35) == 5, so every byte is simply decremented by 5\r\n        result += chr(Mali842 - ((26 + 30) - ((17 - 1) + 35)))\r\n    return result\r\nAfter executing the cleaned code, we still get a little bit of obfuscated code, but since it’s not very much, we can easily do it manually.\r\nSo the final deobfuscated but still not annotated code can be found here. I will break it down to the most interesting parts, since it would be too much otherwise.\r\nAnalysis\r\nThe sample contains several anti-sandbox tricks and uses WMI and WSH objects to perform them. If one of those anti-sandbox tricks succeeds, the script calls a clean-up routine which looks as follows (I have annotated the function accordingly for better readability):\r\nFunction clean_up_routine()\r\n    send_http_get_request(\"none\")\r\n    delete_itself\r\n    print_fake_message\r\n    WScript.Quit\r\nEnd Function\r\nIt sends an HTTP GET request to none (for whatever reason), deletes itself and shows a fake error message in a message box:\r\nIn the following, I explain the functions in the order in which they are called.\r\n1. Anti Sandbox - Check physical space\r\nThe first function NoSkh() calls the clean-up routine when the file \"%USERPROFILE%\\Downloads\\614500741.txt\" is already there or when your TotalPhysicalMemory is smaller than 1GB.\r\n2. Anti Sandbox - Check disk space\r\nIf your TotalPhysicalMemory is bigger than 1GB, the next function vgdKyGt() is called, which terminates the script if your total disk space is smaller than 60GB.\r\n3. Anti Sandbox - Check country code\r\nWhen the first two anti-sandbox checks were not successful, the next function ULLhsI() is called. It checks your configured country code at \"HKEY_CURRENT_USER\\Control Panel\\International\\Geo\\Nation\". If your Nation key is set to 203, which is Russia, the script terminates with its clean-up routine. Otherwise it proceeds.\r\n4. Anti Sandbox - Check LastBootUpTime\r\nThe next function OUbPa() checks how long your machine has been running. Therefore, it queries the LastBootUpTime via WMI and, if it is less than 10 minutes, terminates by calling its clean-up routine.\r\n5. Anti Sandbox - Check processes\r\nSince the malware does not want to run on an analyst’s system, the function confidante615() checks for specific processes from analysis tools.\r\nrZRjk = Array(\"frida-winjector-helper-64.exe\",\"frida-winjector-helper-32.exe\",\"pythonw.exe\",\"pyw\r\nIf there is such a process, it terminates with its clean-up routine. Additionally, it terminates if there are fewer than 28 processes running on the system.\r\nFinally...\r\nThe next function qlqDsdN() terminates if the file %TEMP%\\microsoft.url exists. If not, it creates a shortcut file %TEMP%\\adobe.url which points to https://adobe.com (no idea why. If someone knows, please tell me. Maybe a red herring, but nobody is looking into the %TEMP% folder, so why!?).\r\nThe function WjwMtT() makes use of the aforementioned kuHKE() function to write a large byte array to a zip file %TEMP%\\Monica.zip. Inside Monica.zip, there are three files:\r\naccouter.dxf (the final payload)\r\ninhibitory.tif (contains part of a string which may be used by accouter.dfx)\r\nisolate.woff (the other part of a string which may be used by accouter.dfx)\r\nbluish578() copies the three items of Monica.zip into %TEMP%, deletes Monica.zip, and gMcKFIz() finally executes the file accouter.dxf which was previously copied from Monica.zip into %TEMP%.\r\nExecution is performed via rundll32:\r\nsXmEKs.Create \"rundll32\" + \" \" + Get_Temp_Folder + \"accouter.dxf\" + \",DllRegisterServer\"\r\nThe dropped file accouter.dfx can be found on VT and it seems to be Ursnif.\r\nIOCs:\r\nfd490c7b728af08052cf4876c1fc8c6e290bde368b6343492d60fc9d8364a7e5\r\n%TEMP%\\adobe.url\r\n%TEMP%\\Monica.zip\r\n%TEMP%\\accouter.dfx\r\n%TEMP%\\inhibitory.tif\r\n%TEMP%\\isolate.woff\r\ned7d22c2f922df466fda6914eb8b93cc27c81f16a60b7aa7eac9ca033014c22c\r\nSource: https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html"
	],
	"report_names": [
		"analyzing-a-vbs-dropper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf2c57875c44650b367b050f39b3ed2af24908de.pdf",
		"text": "https://archive.orkl.eu/bf2c57875c44650b367b050f39b3ed2af24908de.txt",
		"img": "https://archive.orkl.eu/bf2c57875c44650b367b050f39b3ed2af24908de.jpg"
	}
}