Static Analysis — QUOTEHTADropper | Threat: HIGH

File Identity

SHA256: 9fa0a88635b1c1d31ccf0fa03f7616ee716e8b5d26ff55064bf894212d5e10f1
Size: 403,894 bytes (HTML/HTA, Unicode UTF-8)
Name: QUOTE-05348-2026.pdf.hta (double extension)

QUOTE-05348-2026.pdf.hta: Double-Extension PDF Lure

DOUBLE EXTENSION: .pdf.hta — when Windows hides known file extensions, the name appears to end in .pdf!
QUOTE-05348-2026.pdf.hta

-- Name the user sees: QUOTE-05348-2026.pdf (when Windows hides known extensions)
-- HTA = HTML Application = the user runs it through Windows Script Host
-- "05348" = reference number (quote / price offer)
-- "2026" = active campaign year
-- Target: purchasing/procurement departments (habit of opening quotes for viewing)
-- HTA attributes: hidden, minimized, no taskbar entry, single instance
  singleinstance="yes" showintaskbar="no" windowstate="minimize"

WScript.Shell Environment Variable Payload Chunking

var Ustinov = intussuscepted.Environment("User");
var pythiads = 30000; // chunk size
for (var sharpnails = 1; sharpnails <= flavoured.length; sharpnails += 30000) {
  keypunch = "P" + counter;  // P1, P2, P3...
  Ustinov(keypunch) = flavoured.substring(...); // write to the env variable
}
cover = "$env:P1+$env:P2+$env:P3..."; // concatenate with PS

-- Technique: the large payload is split into 30,000-character chunks
-- Each chunk is written to a user environment variable ($env:P1, P2, ...)
-- PowerShell concatenates the chunks and runs the result
-- Advantage: sidesteps string-size limits and complicates AV signature detection
-- The "flavoured" variable: the base64-encoded payload (large)
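A defender-side triage check for the staging pattern described above, added here as an example and not part of the original report: it takes a snapshot of user environment variables as a dict (for instance built from HKCU\Environment or os.environ on a suspect host) and flags contiguous P1..Pn variables that together form one large base64 string. The P<n> naming follows the sample; the 4096-character threshold and the constructed_sample() snapshot are assumptions made for illustration.

```python
import base64
import binascii
import re
from typing import Dict, Optional

CHUNK_NAME = re.compile(r"^P(\d+)$")  # names the sample writes: "P" + counter -> P1, P2 ...
B64_STRING = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # base64 alphabet, padding only at the end


def find_chunked_payload(env: Dict[str, str], min_total_len: int = 4096) -> Optional[dict]:
    """Flag a base64 payload staged across sequential P<n> environment variables.
    env: snapshot of user environment variables (name -> value), e.g. HKCU\\Environment.
    Returns a finding dict, or None when the chunking pattern is absent."""
    chunks = {}
    for name, value in env.items():
        match = CHUNK_NAME.match(name)
        if match and B64_STRING.match(value):
            chunks[int(match.group(1))] = value
    if len(chunks) < 2:
        return None
    indices = sorted(chunks)
    # The dropper's loop yields contiguous indices from P1; a gap means some
    # other software named its variables P<n>.
    if indices != list(range(1, len(indices) + 1)):
        return None
    joined = "".join(chunks[i] for i in indices)
    if len(joined) < min_total_len:  # threshold is an assumption, tune per fleet
        return None
    # Chunks are substrings of one base64 string, so the concatenation must
    # decode cleanly; a failed decode lowers confidence but is still reported.
    try:
        decoded_len = len(base64.b64decode(joined, validate=True))
    except (binascii.Error, ValueError):
        decoded_len = None
    return {
        "chunk_count": len(indices),
        "largest_chunk": max(len(v) for v in chunks.values()),
        "joined_len": len(joined),
        "decoded_len": decoded_len,  # None when the joined text is not valid base64
    }


def constructed_sample() -> Dict[str, str]:
    """Constructed snapshot mimicking the 30,000-char chunking (not real malware data)."""
    blob = base64.b64encode(b"CONSTRUCTED SAMPLE " * 2000).decode()  # 50,668 chars
    env = {"PATH": r"C:\Windows;C:\Windows\System32"}
    for n, start in enumerate(range(0, len(blob), 30000), start=1):
        env["P%d" % n] = blob[start:start + 30000]
    return env
```

On a live host the same check can be pointed at a `reg query HKCU\Environment` export, since WScript.Shell's Environment("User") writes persist there rather than only in the running process.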

MqVI5ZYptsWhg4UT: AES Decryption Key

var ruminative = "MqVI5ZYptsWhg4UT";
$capsaicinoids = [Convert]::FromBase64String(ruminative)
if ($capsaicinoids.Key) { $capsaicinoids = $capsaicinoids ... }

-- "MqVI5ZYptsWhg4UT" = 16 characters = 128-bit AES key (base64-encoded)
-- In PS: $capsaicinoids = base64 decode -> AES object
-- "$whetten = [Convert]::FromBase64String($env:P1+$env:P2...)" = retrieve the payload
-- The payload is encrypted with AES CBC/ECB and is decrypted with this key
-- After decryption: PowerShell shellcode or .NET assembly loading

IOC

SHA256: 9fa0a88635b1c1d31ccf0fa03f7616ee716e8b5d26ff55064bf894212d5e10f1
Lure: QUOTE-05348-2026.pdf.hta
AES Key: MqVI5ZYptsWhg4UT
Technique: Env var chunking, WScript.Shell, PowerShell

QUOTEHTADropper — Malware Profile

HTA dropper with double extension PDF lure (QUOTE-05348-2026.pdf.hta). WScript.Shell environment variable chunk payload delivery (30,000 char blocks). AES decryption key MqVI5ZYptsWhg4UT. Hidden no-taskbar single-instance HTA. PowerShell payload injection.

Malware Type
Loader
Programming Language
JScript/HTA
C2 Protocol
HTTP/PowerShell
Target Systems
Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Distribution

IOC List (1 indicator)

IOC — QUOTEHTADropper
Type | Value | Note
sha256 | 9fa0a88635b1c1d31ccf0fa03f7616ee716e8b5d26ff55064bf894212d5e10f1 |
Tags
quoteh-tadropper, hta-dropper, quote-05348-2026-pdf-hta-double-extension-pdf-lure, wscript-shell-user-environment-variable-payload-chunk-storage, mqvi5zypts-whg4ut-aes-decryption-key-ioc, powershell-injection-via-hta-jscript, internalcache-hta-application-hidden-no-taskbar, single-instance-hta-minimized-window