Analysis of *.chm malware

2024-04-05 Plainbit

https://blog.plainbit.co.kr/chm-malware-analysis/

Thumbnail for Analysis of *.chm malware

Plainbit analyzed a paymentconfirmation.chm sample that used a normal-looking help window to hide script execution through hh.exe, cscript, VBS, batch files, and PowerShell. The CHM unpacked files under C:\Users\Public\Libraries, registered emlmanager.vbs as a scheduled task, and used batch scripts to collect systeminfo, tasklist output, and Desktop and Downloads directory listings. Collected data was compressed, Base64-encoded, and uploaded to niscarea.com through in.php, while out.php appeared to return an additional ZIP payload for follow-on execution. The report maps the activity to phishing, system binary proxy execution, script execution, discovery, staging, C2 transfer, and exfiltration techniques, with hashes for the CHM and related scripts.

Indicators of Compromise

Type Value First Seen Last Seen
URL https://niscarea.com 2023-11-28 2024-12-27
DOMAIN niscarea.com 2023-11-28 2024-12-27
HASH e585226bcbec086b268528489103a6d5 2024-04-05 2024-04-05
HASH be0a4914e662724b7e924f35dce751c5 2024-04-05 2024-04-05
HASH 24f6323110ac1e57eee2b2dc74886460 2024-04-05 2024-04-05
HASH 0a8ce62791c48d70f5d31b290cfbeb32 2024-04-05 2024-04-05
HASH 859700ae5a1a3302dc17063a6c9ee61b 2024-04-05 2024-04-05
HASH b72cb01d8650a0a98bc8e62a86127ca0 2024-04-05 2024-04-05
HASH f070a3bd5efcced27baeae32ad25de36 2024-04-05 2024-04-05
HASH d8eb9c484c9d5e1dd3c60cdd41323433 2024-04-05 2024-04-05
HASH 07f1c2d7f5877dea5bd8225533b3d19e 2024-04-05 2024-04-05
URL https://niscarea.com/out.php?cn= 2024-04-05 2024-04-05
URL https://niscarea.com/in.php?cn= 2024-04-05 2024-04-05
URL https://niscarea.com/?cn= 2024-04-05 2024-04-05
HASH 2548d0e05c47c506cf9fd668dace5497 2024-01-17 2024-04-05
HASH fd47c8418d9f8ed39f2f746042c982a… 2024-01-17 2024-04-05
HASH 8ac21a35158ba9ebf80493bdb8cf8eb… 2024-01-17 2024-04-05
URL https://niscarea.com/ 2024-01-17 2024-04-05

Related Reports

2024-09-12 • 33% Match
#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003
Shares tags: T1082, T1059.003, T1041
2025-08-13 • 30% Match
#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1218.010 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1573 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004
Shares tags: T1082, T1059.003, T1041
2021-12-02 • 30% Match
#Lazarus #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1584.004 #T1005 #T1070.004 #T1587.001 #T1041 #T1560 #T1608.001 #T1071.001 #T1046 #T1083 #T1056.001 #T1204.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1566.003 #T1124 #T1057 #T1059.005 #T1583.006 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1583.001 #T1059.001 #T1036.005 #T1132.001 #T1001.003 #T1585.001 #T1497.001 #T1105 #T1553.002 #T1620 #T1574.002 #T1562.001 #T1027.002 #T1489 #T1078 #T1008 #T1573.001 #T1571 #T1491.001 #T1218 #T1220 #T1203 #T1189 #T1049 #T1564.001 #T1098 #T1016 #T1074.001 #T1588.002 #T1562.004 #T1591 #T1218.011 #T1583.004 #T1036.004 #T1588.003 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1048.003 #T1134.002 #T1027.007 #T1021.001 #T1106 #T1090.001 #T1070 #T1047 #T1574.013 #T1561.001 #T1036.003 #T1529 #T1055.001 #T1614.001 #T1010 #T1021.002 #T1033 #T1543.003 #T1485 #T1090.002 #T1542.003 #T1560.002 #T1012 #T1110 #T1547.009 #T1110.003 #T1534 #T1588.004 #T1104 #T1591.004 #T1561.002 #T1608.002 #T1202 #T1221 #T1557.001 #T1087.002 #T1560.003 #T1070.003 #T1021.004 #T0865
Shares tags: T1082, T1059.003, T1041
« Back