Windows Analysis Report
Sursdep.vbs

Overview

General Information

Sample Name: Sursdep.vbs
Analysis ID: 624865
MD5: 434578c759bef1db26fa7b3165ac84ad
SHA1: df84b67b8df35a4ab8770b9f3c3f370e26b7763a
SHA256: 5439ae4fe11fe9f6f264fc0d4617eefa997719d9b65be8745d3632b2203e3557
Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Remcos RAT
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected MSILDownloaderGeneric
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Enables debug privileges