I sometimes take the time to review my honeypot to see if it captured anything worth looking at, and this time I found a VBE script that looked kind of interesting. I used Didier's VBE-to-VBS Python script to examine its content. It contains a WScript that directs the host to download a tmp2.exe file from a website where the file is no longer available.
A check against VirusTotal identifies this script as a VBS Trojan downloader. Since I couldn't get a copy of tmp2.exe, I started reviewing some of the other files uploaded to the honeypot FTP directory to find any potential relationship with this file (based on the domain, hash or source) and found two text files with the following content, captured over the past 3 weeks:
Again, the info.zip file was no longer available on this website. Checking the honeypot logs, I was able to identify that the VBE script, when it was uploaded this past week (Monday), was in fact the file I was looking for, info.exe:
[2017-03-06 04:51:48]  [ftp_21_tcp 26229] [XXX.92.155.17:2018] send: 200 Switching to BINARY mode.
Now that I know the filename, its size and MD5, I can check back to see when this info.zip file was first uploaded and whether it was uploaded more than once.
[2017-02-22 10:48:19]  [ftp_21_tcp 29415] [XXX.70.132.153:1599] recv: STOR info.zip
The MD5 results for the 3 files are a match. Earliest upload captured: 22 Feb 2017
root@honeypot:/opt/inetsim/data/ftp/upload# md5sum 570437664c76024ba0b72c9498623f8ed67efd83
The MD5 for the info.vbe script:
vagrant@brain:~$ md5sum info.vbe
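The two manual steps above (grep the FTP log for the STOR of a filename to get its first and last upload, then md5sum the stored copies to confirm they are the same payload) can be done over a whole log at once. The following is an added Python example written for this diary; it is not INetSim's own tooling and not code from the original post. It parses log lines in the INetSim ftp_21_tcp format shown above, summarizes every STOR per filename (count, first/last seen, distinct source IPs), and groups files in an upload directory by MD5 so repeated uploads of the same payload show up together. The embedded log lines are constructed samples using documentation IP ranges, not captures from the honeypot; the upload directory path in the comment is the one used in the md5sum command above.

```python
import hashlib
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the INetSim ftp_21_tcp log format shown in the diary.
# IPs are from documentation ranges; these are not captures from the honeypot.
SAMPLE_LOG = """\
[2017-02-22 10:48:19]  [ftp_21_tcp 29415] [203.0.113.153:1599] send: 200 Switching to BINARY mode.
[2017-02-22 10:48:19]  [ftp_21_tcp 29415] [203.0.113.153:1599] recv: STOR info.zip
[2017-03-01 02:13:07]  [ftp_21_tcp 30102] [198.51.100.17:2011] recv: STOR info.zip
[2017-03-06 04:51:48]  [ftp_21_tcp 26229] [198.51.100.17:2018] send: 200 Switching to BINARY mode.
[2017-03-06 04:51:49]  [ftp_21_tcp 26229] [198.51.100.17:2018] recv: STOR info.zip
[2017-03-06 04:52:10]  [ftp_21_tcp 26229] [198.51.100.17:2018] recv: STOR readme.txt
"""

# [timestamp]  [service pid] [src_ip:src_port] recv: STOR <filename>
STOR_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]\s+"
    r"\[(?P<svc>[^\]]+)\]\s+\[(?P<src>[^\]]+)\]\s+recv: STOR (?P<name>\S+)\s*$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_stor_events(log_text):
    """Return (timestamp, source_ip, filename) for every STOR in the log text."""
    events = []
    for line in log_text.splitlines():
        m = STOR_RE.match(line)
        if not m:
            continue  # server replies, USER/PASS, RETR etc. are not uploads
        ts = datetime.strptime(m["ts"], TS_FMT)
        src_ip = m["src"].rsplit(":", 1)[0]  # drop the ephemeral source port
        events.append((ts, src_ip, m["name"]))
    return events


def upload_summary(events):
    """Per filename: upload count, first/last seen, distinct source IPs."""
    by_name = defaultdict(list)
    for ts, src_ip, name in events:
        by_name[name].append((ts, src_ip))
    summary = {}
    for name, hits in by_name.items():
        hits.sort()  # chronological, so [0] is the earliest capture
        summary[name] = {
            "count": len(hits),
            "first_seen": hits[0][0].strftime(TS_FMT),
            "last_seen": hits[-1][0].strftime(TS_FMT),
            "sources": sorted({ip for _, ip in hits}),
        }
    return summary


def group_duplicates_by_md5(files):
    """files: {stored_name: bytes}. Return {md5: [names]} for hashes seen more than once."""
    groups = defaultdict(list)
    for stored_name, data in files.items():
        groups[hashlib.md5(data).hexdigest()].append(stored_name)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def read_upload_dir(path):
    """Load every regular file in an upload directory as {stored_name: bytes}."""
    files = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                files[entry.name] = fh.read()
    return files


if __name__ == "__main__":
    for name, info in sorted(upload_summary(parse_stor_events(SAMPLE_LOG)).items()):
        print(f"{name}: {info['count']} upload(s), first {info['first_seen']}, "
              f"last {info['last_seen']}, from {', '.join(info['sources'])}")
    # Point this at the real directory to find repeated payloads, e.g.:
    # print(group_duplicates_by_md5(read_upload_dir("/opt/inetsim/data/ftp/upload")))
```

The log only gives you the filename the client sent in STOR; the files on disk carry the hex names seen in the md5sum command above, so the MD5 grouping is what ties the three uploads of info.zip back to one payload. Run the summary against the full FTP log and the duplicate grouping against the upload directory together, and an uploader that reuses the same file under different names, or the same name for different files, shows up in either the source list or the hash groups.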
Mar 12th 2017
Possible hashes (same file name on site and same download site, per VT intel) for that exe:
Additionally, a commenter here points to a relevant campaign:
A quick look at the strings and the detection rates plus the behavior tab (all really crude ways to do this, but so it goes in this case), and it looks like that's what we have here: an attempted Monero/cryptocurrency mining campaign.
Mar 13th 2017