found by @James_inthe_box #quantloader #malspam
run: "Emailing: <characters>", zip (is muffed, base64 file) -> SMB link -> js -> #quantloader
https://twitter.com/James_inthe_box/status/980808229260161024
https://www.hybrid-analysis.com/sample/00ca7e9e61a3ceaa4b9250866aface8af63e5ae71435d4fd6c770a8c9a167f22/5ac21b077ca3e10c8716fbc0
downloads EvilAmmy ( https://pastebin.com/teJp9PtS )

------------------------ interesting api calls ------------------------

strcat ( "", "http://200.7.111.128/e6/index.php" )
WININET.DLL StrCmpNICA ( "https", "https://bdns.at/r/biberonata.bit", 5 )
strlen ( "http://biberonata.bit/e6/index.php" )
CreateFileA ( "c:\users\xxx\appdata\roaming\16643456\dwm.exe", 0, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING | FILE_FLAG_SEQUENTIAL_SCAN, NULL )
CreateProcessA ( NULL, "netsh advfirewall firewall add rule name="Quant" program="c:\users\xxx\desktop\[removed].exe" dir=Out action=allow", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )
CreateProcessA ( NULL, "cmd /c echo Y|CACLS "c:\users\xxx\appdata\roaming\16643456\dwm.exe" /P "xxx:R"", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, 0x0012ec10, 0x0012ec00 )
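The two CreateProcessA calls above (an outbound firewall allow rule for a binary on the user's desktop, and an ACL change on a dropped file under appdata\roaming with the prompt auto-confirmed via `echo Y|`) are cheap to spot in process-creation telemetry. The following is an added example, not code from the original post: a small classifier run over constructed command lines of the kind Sysmon Event ID 1 records; the function names and the benign control lines are hypothetical.

```python
import re

# Constructed process-creation command lines (e.g. Sysmon Event ID 1 CommandLine field).
# The first two mirror the calls observed in the QuantLoader sample; the rest are benign controls.
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall add rule name="Quant" program="c:\users\xxx\desktop\[removed].exe" dir=Out action=allow',
    r'cmd /c echo Y|CACLS "c:\users\xxx\appdata\roaming\16643456\dwm.exe" /P "xxx:R"',
    r'netsh advfirewall firewall add rule name="Chrome" program="c:\program files\google\chrome\application\chrome.exe" dir=In action=allow',
    r'icacls "c:\projects\build" /grant users:F',
]

# Paths an unprivileged user can write to: a firewall exception or ACL change on a binary
# living there is far more suspicious than one on a file under Program Files.
USER_WRITABLE = re.compile(r'\\users\\[^\\]+\\(desktop|appdata\\(roaming|local)|downloads)\\', re.I)
# netsh advfirewall ... add rule ... program=<path> ... action=allow
FW_ADD = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?program="?([^"\s]+)"?.*?action=allow', re.I)
# cacls/icacls <path> followed by a permission-replacing or granting switch
ACL_CHANGE = re.compile(r'\b(cacls|icacls)\b\s+"?([^"]+?)"?\s+(/p\b|/grant\b|/deny\b)', re.I)


def classify(cmdline):
    """Return the list of suspicious behaviours found in one command line (empty if none)."""
    findings = []
    m = FW_ADD.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        findings.append("firewall-allow-user-writable")
    m = ACL_CHANGE.search(cmdline)
    if m:
        if USER_WRITABLE.search(m.group(2)):
            findings.append("acl-change-user-writable")
        # "echo Y|" piped into cacls suppresses its confirmation prompt; a human rarely types this.
        if re.search(r'echo\s+y\s*\|', cmdline, re.I):
            findings.append("acl-prompt-auto-confirmed")
    return findings


def scan(cmdlines):
    """Return (cmdline, findings) pairs for every command line that triggered at least one finding."""
    hits = []
    for c in cmdlines:
        f = classify(c)
        if f:
            hits.append((c, f))
    return hits


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_CMDLINES):
        print(", ".join(findings), "<-", cmdline)
```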
Friday, April 6, 2018
quantloader sample