Edit tour
Windows
Analysis Report
Sursdep.vbs
Overview
General Information
| Sample Name: | Sursdep.vbs |
| Analysis ID: | 624865 |
| MD5: | 434578c759bef1db26fa7b3165ac84ad |
| SHA1: | df84b67b8df35a4ab8770b9f3c3f370e26b7763a |
| SHA256: | 5439ae4fe11fe9f6f264fc0d4617eefa997719d9b65be8745d3632b2203e3557 |
| Infos: |  |
 | |
Detection
GuLoader, Remcos
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Yara detected Remcos RAT
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected MSILDownloaderGeneric
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Enables debug privileges