Thursday, April 29, 2021

Threat Library - Agent Tesla

 Agent Tesla

---------------------------------------------------

date: 5/5/2021

delivery: Unknown

persistence: scheduled task, \Updates\SPjSKjh, c:\users\<userid>\appdata\roaming\spjskih.exe

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState, StartKeyLogger), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: filename similar to a previous sample (vbc.exe) and other matching patterns, e.g. re-launching the EXE after 1 min 45 sec, a possible SMTP-type C2, etc.

special notes: .NET executable; starts execution at roughly 14 to 15 MB of memory, waits about 1 min 45 sec, then relaunches itself under a new PID; the 2nd executable waits several minutes before doing anything, then checks for credentials (Chrome, QQBrowser, UltraVNC, Thunderbird, Waterfox, etc.) on disk and in the registry, and the in-memory strings of the 2nd process end up including the credential theft; this one also has "Snake Keylogger" inside it per strings, as well as API.Telegram.org connections and a possible SMTP C2 with an email address

samples: 

EXE - https://www.virustotal.com/gui/file/089d065fe8e39f8b19a726cb15ac216e352a5576f446c5fc38486f1fbb7a1d9c/detection

links: 

https://twitter.com/neonprimetime/status/1389964247942279168

screenshots: 


---------------------------------------------------


date: 4/29/2021

delivery: email [Subject: New PO#422328, ISO (PO#0422328.pdf.iso) w/ EXE inside (PO#04222328.pdf.exe)]

persistence: startup registry entry (hkcu\software\microsoft\currentversion\run, gqxRqe, c:\users\<userid>\appdata\roaming\gqxRqe\gqxRqe.exe)

capabilities (per memory strings): Keylogger (KeyDown, KeyboardState), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)

c2s: unknown

identification method: strings in memory matching previously seen ( %mailaddres%%password%%smtp%%toemail% )

special notes: .NET executable; link to a torproject.org download in the .NET code; code for WebRequest and SmtpClient; double file extension (PO#04222328.pdf.exe); starts execution at roughly 14 to 15 MB of memory, waits about 1 min 45 sec, then relaunches itself under a new PID; the 2nd executable waits several minutes before doing anything and only reaches ~17 or 18 MB, then checks for credentials (Chrome, QQBrowser, UltraVNC, Thunderbird, Waterfox, etc.) on disk and in the registry, and the in-memory strings of the 2nd process end up including the credential theft

samples: 

ISO - https://www.virustotal.com/gui/file/f07b343d5a7b752a5b396b06174428a66ab98d8bb28bf33e9ea911797c32af2d/detection

EXE - https://www.virustotal.com/gui/file/83bcf31fc0d06b39c6cce6bc074cde9033f5e378f0104da887ec3f924f73376a/detection

links: 

https://twitter.com/neonprimetime/status/1387837559531786243
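Added example (not from the original post): a small triage script that applies the identification method used in these two Agent Tesla entries, i.e. looking for the SMTP exfil template and the keylogger / credential-target strings in a memory dump. It checks both narrow and UTF-16LE forms because .NET keeps strings as UTF-16; the sample dump bytes are constructed here, not taken from the samples.

```python
import re

# Indicators taken from the entries above: the SMTP exfil template seen in memory,
# plus the keylogger, credential-target and family strings under "capabilities".
EXFIL_TEMPLATE = b"%mailaddres%%password%%smtp%%toemail%"
KEYLOG_MARKERS = (b"KeyDown", b"KeyboardState", b"StartKeyLogger")
CRED_MARKERS = (b"UCBrowser", b"Vivaldi", b"Thunderbird", b"QQBrowser", b"UltraVNC", b"Waterfox")
FAMILY_MARKERS = (b"Snake Keylogger", b"api.telegram.org")

def _hits(dump: bytes, marker: bytes) -> list:
    """Offsets of marker in dump, as ASCII or as the UTF-16LE form .NET stores strings in."""
    wide = marker.decode("ascii").encode("utf-16-le")
    return sorted(m.start() for pat in (marker, wide)
                  for m in re.finditer(re.escape(pat), dump, re.IGNORECASE))

def triage(dump: bytes) -> dict:
    """Group the markers found in a memory dump (or a strings listing read as bytes)."""
    result = {"exfil_template": _hits(dump, EXFIL_TEMPLATE)}
    for name, group in (("keylogger", KEYLOG_MARKERS),
                        ("credential_theft", CRED_MARKERS),
                        ("family", FAMILY_MARKERS)):
        found = {m.decode(): _hits(dump, m) for m in group}
        result[name] = {k: v for k, v in found.items() if v}
    return result

def is_agent_tesla_like(result: dict) -> bool:
    """Mirror the identification method above: the exfil template alone is a strong
    match; otherwise require keylogger strings plus at least two credential targets."""
    if result["exfil_template"]:
        return True
    return bool(result["keylogger"]) and len(result["credential_theft"]) >= 2

# Constructed sample "dump": wide and narrow strings with padding between them.
SAMPLE_DUMP = (b"\x00" * 16 + "KeyboardState".encode("utf-16-le") + b"\x00" * 8
               + EXFIL_TEMPLATE + b"\x00" * 4
               + "Thunderbird".encode("utf-16-le") + b"UCBrowser\x00Vivaldi\x00")

if __name__ == "__main__":
    r = triage(SAMPLE_DUMP)
    print(r)
    print("Agent Tesla-like:", is_agent_tesla_like(r))
```

To use it on a real case, feed it a region saved from x64dbg ("Dump Memory to File") or a pe-sieve dump of the second process, since the first process has not unpacked these strings yet.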

screenshots: 

---------------------------------------------------

 date: 10/13/2020

delivery: email [Subject: Request for Quotation, Link to DOC (http://107.173.219[.]56/document ), downloads EXE from same domain ( http://107.173.219[.]56/tmt.exe ), runs Equation Editor exploit (EQNEDT32.EXE)]

persistence: unknown

capabilities (per memory strings): unknown

c2s: smtp.yandex[.]ru

identification method: twitter replies

special notes: child processes of "vbc.exe" and "RegAsm.exe"

samples: 

DOC - https://app.any.run/tasks/0410129a-646d-4c19-8207-081679403171/

links: 

https://twitter.com/neonprimetime/status/1316107602942668800

screenshots: 

---------------------------------------------------

Threat Library - Hagga / Aggah

 Hagga / Aggah

 date: 11/18/2020

delivery: email [Subject: Order-PO500-18, Attachment: .PPT (PowerPoint) that creates a scheduled task]

persistence: scheduled task "lunkicharkhi" that downloads a VBS script embedded in a blogspot page (madarjaaatresearchers.blogspot[.]com/p/thirdsaint3.html) and runs it with MSHTA

capabilities (per memory strings): unknown

c2s: unknown

special notes: PowerPoint; scheduled task that connects to a blogspot URL and runs VBS with MSHTA

samples: 

PPT - https://app.any.run/tasks/c896710d-c2e3-4bba-ba7a-cf801e9544cf/

VB Script - https://app.any.run/tasks/f6b585e9-e906-4882-942c-1bfb6cca666d/

links: 

https://twitter.com/neonprimetime/status/1330905903562940427

screenshots: 

---------------------------------------------------

Threat Library - Dridex

 Dridex

 date: 11/23/2020

delivery: email [Subject: Payment Advice, Attachment: .DOC with Office 365 logo, downloads more from hxxps://redin[.]redsla[.]com/laravelRedin/vendor/webmozart/assert/qDqNRqo3hREb.php]

persistence: unknown

capabilities (per memory strings): unknown

c2s: 173.249.20.233:8043

identification method: twitter replies

special notes: uses rundll32.exe to run a DLL it saved (c:\windows\temp\qtxzf.dll)

samples: 

DOC - https://app.any.run/tasks/92d94699-7ab0-4acc-8752-3bf23e662c7b/

links: 

https://twitter.com/neonprimetime/status/1330969313294028804

screenshots: 

---------------------------------------------------

Threat Library - Zloader

Zloader

 date: 2/26/2021

delivery: email [Subject: Invoicing info294564, Attachment: .DOC with plain text body asking to enable editing, downloads from findinglala[.]com]

persistence: unknown

capabilities (per memory strings): unknown

c2s: 

hxxps://timemeaning[.]com/post.php

hxxps://timeremain[.]com/post.php

hxxps://cacesatansingmilk[.]tk/post.php

hxxps://tenlapatevaj[.]tk/post.php

hxxps://toclylene[.]tk/post.php

identification method: twitter replies

special notes: user agent was "MSFrontPage/12.0"

samples: 

DOC - https://app.any.run/tasks/4df98427-fb86-4c7f-a082-1a2eb179e214/

links: 

https://twitter.com/neonprimetime/status/1365328294674112513

https://tria.ge/210219-g8t2kxnh8e

screenshots: 

---------------------------------------------------

Threat Library - NJRAT / Bladabindi

NJRAT / Bladabindi

 date: 2/26/2021

delivery: email [Subject: Lease Agreement, Attachment: Zip (Lease Agreement.zip) w/ VBS Script inside (Lease Agreement.vbs), downloads from paste.ee/r/bsKo9 site]

persistence: unknown

capabilities (per memory strings): Keylogger ([ENTER], [TAP], get_CtrlKeyDown)

c2s: xxxcarldon.duckns[.]org

identification method: twitter replies

special notes: PowerShell with Unicode characters (airplanes and envelopes); the URL was reversed in the code

samples: 

Zip - https://app.any.run/tasks/0874b873-2dde-4540-85f5-7ede1a1bfaf6/

links: 

https://twitter.com/neonprimetime/status/1365351048525791232

screenshots: 

---------------------------------------------------

Threat Library - Qakbot / Qbot

Qakbot / Qbot

 date: 4/15/2021

delivery: email [Link to Zip w/ XLSM inside, "DocuSign logo themed", links ( บางสะพาน[.]com/hGQC4/catalogue-93.zip , xn--72c0bbr3dtble[.]com/hGQC4/catalogue-93.zip )]

persistence: unknown

capabilities (per memory strings): unknown

c2s: 

rosenbaum-milan15y[.]ru[.]com/body.html

boehm-kavon15lc[.]ru[.]com/body.html

identification method: twitter replies

special notes: URL was Unicode/punycode

samples: 

XLSM - https://www.joesandbox.com/analysis/387819/0/html

links: 

https://twitter.com/neonprimetime/status/1382743458494902274
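Added example (not from the original post): a helper that refangs an IOC the way these entries write them, decodes any xn-- (punycode) label back to its Unicode form, and flags hosts with non-ASCII or mixed-script labels so a punycode delivery URL like the one above stands out in a log review.

```python
import unicodedata
from urllib.parse import urlsplit

def refang(ioc: str) -> str:
    """Undo the defanging used in these entries: hxxp(s) and [.] / [. / .] dots."""
    ioc = ioc.replace("[.]", ".").replace("[.", ".").replace(".]", ".")
    return "http" + ioc[4:] if ioc.startswith("hxxp") else ioc

def decode_label(label: str) -> str:
    """An IDNA A-label starts with xn--; the rest is punycode for the Unicode label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def analyze_host(ioc: str) -> dict:
    url = refang(ioc)
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    raw_labels = host.split(".")
    labels = [decode_label(lab) for lab in raw_labels]
    scripts, mixed = set(), False
    for lab in labels:
        has_ascii = any(c.isalpha() and ord(c) < 128 for c in lab)
        # Script name is the first word of the Unicode character name (THAI, CYRILLIC, ...)
        other = {unicodedata.name(c, "UNKNOWN").split()[0]
                 for c in lab if c.isalpha() and ord(c) >= 128}
        scripts |= other
        mixed |= has_ascii and bool(other)   # Latin plus another script in one label
    return {
        "unicode_host": ".".join(labels),
        "punycode": any(lab.lower().startswith("xn--") for lab in raw_labels),
        "non_ascii_scripts": sorted(scripts),
        "mixed_script_label": mixed,
    }

if __name__ == "__main__":
    for ioc in ("xn--72c0bbr3dtble[.]com/hGQC4/catalogue-93.zip",
                "rosenbaum-milan15y[.]ru[.]com/body.html"):
        print(ioc, "->", analyze_host(ioc))
```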

screenshots: 

---------------------------------------------------

Malware Threat Library Index

- Agent Tesla

- Aggah (same as Hagga)

- Ave Maria (same as Warzone RAT)

- Bladabindi (same as NJRAT)

- Dridex

- Hagga (same as Aggah)

- NJRAT (same as Bladabindi)

- Qakbot (same as Qbot)

- Qbot (same as Qakbot)

- Snake Keylogger

- Warzone RAT (same as Ave Maria)

- Zloader

Threat Library - Ave Maria / Warzone RAT

Ave Maria / Warzone RAT


date: 4/27/2021

delivery: email [Subject: Requirement, Attachment: Zip (Requirement.7z) w/ EXE (Sales Order.xlss.exe)]

persistence: scheduled task "Updates\xSaltlJa" out of c:\users\<userid>\Roaming\xSZaltlJa.exe

capabilities (per memory strings): N/A

c2s: 104.209.133.4:7500

identification method: in-memory strings say "Ave_Maria"

special notes: in-memory references to security researcher "Vitali Kremez"

samples: 

7z - https://www.virustotal.com/gui/file/86b17ec2dd6ff42243356c4bf06e7b20fb044bba13d74c342c3df706e98484bd/detection

unpacked exe - https://www.virustotal.com/gui/file/e85769eee5f2539084a2da5bf79027849249130be251d1f2e8b3de0021d194ab/detection

links: https://twitter.com/neonprimetime/status/1387139547025260547

screenshots: 

---------------------------------------------------

date: 4/13/2021

delivery: email [Subject: Wholesale Price List, Attachment: XLSB (1-Copy of Quote Industro Sheet 20210413.xlsb, "Digicert logo themed", downloads maskcovld[.]ga/token/rfq/DrawingKit.exe )]

persistence: unknown

capabilities (per memory strings): unknown

c2s: crf.eur-import[.]com:6021

identification method: twitter replies

special notes: none

samples: 

File - https://app.any.run/tasks/0cf85641-e5be-4979-9e97-8afc0f30fa67/

Payload - https://tria.ge/210413-mp9t774whx

links: https://twitter.com/neonprimetime/status/1381955462967476228

screenshots: 


---------------------------------------------------

Monday, April 26, 2021

Using PE-SIEVE to unpack malware

Just practicing unpacking malware with this sample

http://dreamofareverseengineer.blogspot.com/2017/03/unpacking-malware-in-minutes.html?m=1

md5:dca9106dc8556f9a15d7e18b4fad5d44


What worked was using x64dbg

Set a breakpoint on CreateProcessInternalW

if I ran a few lines past this I saw a child process spawned (svchost.exe)

And given the context and strings around this call I saw "NtResumeThread" among others

So I set a breakpoint on NtResumeThread (which appears to be ready to launch code in the child process svchost.exe)


Then open a new 2nd instance of x64dbg

"Attach" to svchost.exe , which really isn't doing much right now

Go to the threads tab and you'll see 2 of them!

1 of them is in the "suspended" state


Click into that suspended state and set a breakpoint on the 1st line of code in there

Then click "run" in svchost.exe just to get it so you're not stuck on any breakpoints anymore


Then return to the original x64dbg and click "detach" to allow it to proceed and start the "svchost.exe" process

In the x64dbg attached to svchost you should now hit its breakpoint

Now you're inside the 2nd state of the malware but the malicious code hasn't been unpacked so there are still no good strings yet.


Set a breakpoint on the "ret 10" at the end of VirtualAlloc.

Run, then check strings.  If you see nothing, run again, and check strings.

Proceed until you notice the good strings ... (like URLs, etc.)


Then one easy way to get the executable out of memory is to just run 

pe-sieve64.exe /pid ??? 


it will dump the unpacked executable for you

Friday, April 16, 2021

Generic unpacking malware steps

1.) Open malware in IDA

2.) Find the 'ret' of WinMain and look for the closest "call" statements above it

3.) Find a VirtualAlloc, follow the EAX result as it gets passed around until you see it used in a "call" statement

4.) Find the address of that "call" statement

5.) Flip over to x32dbg, open the same malware, put a breakpoint on the address of the "call"

6.) Also set a breakpoint on VirtualAlloc (bp VirtualAlloc)

7.) Run until breakpoints, Follow in Dump repeatedly on EAX, looking at previous dumps

8.) Find MZ header that does not match original (use Hex Editor to compare)

9.) Follow in memory map, Dump to File, review in PE Studio to see if unpacked

 

FlawedAmmyy unpacking malware example

 FlawedAmmyy unpacking

https://guidedhacking.com/threads/how-to-unpack-flawedammyy-malware-unpacking-tutorial.16637/

7fb83e646cbabc50bec4b33c8130b5ae

https://app.any.run/tasks/97d8c688-a0ed-4602-af79-2409b6d8cd47/


steps

- open ida

- find bottom of "start" (using graph overview window)

- notice the call to "WinMain", take it

- find "ret" near bottom of "WinMain" (using graph overview window)

- look just above & around to find any "call" statements, choose "call" closest to the "ret"

- find return of VirtualAlloc

- follow as it's moved from EAX to a "var_**"

- then moved to a register

- then moved to another "var_**"

- until you find a "call var_**" to near the end of the chain

- switch from graph to text view, find the memory address of the "call" statement (0x0040153F)

- open x32dbg

- right-click in CPU tab, "Go To -> Expression", enter that address "0x0040153F"

- cursor should be at same "call" statement as we had in IDA

- set a breakpoint in x32dbg on that "call" statement (F2)

- push the play arrow (twice) and run to the breakpoint

- right-click on the "call" statement, choose "Follow in Dump -> Value" (no MZ value yet)

- step into the "call" (F7)

- notice code has lots of Stack Strings (API calls like VirtualAlloc, VirtualProtect, etc.)

- when you see "VirtualAlloc", good time to put a breakpoint on all future calls (command: bp VirtualAlloc)

- scroll down until you find either a "call REGISTER", "jmp REGISTER", or a "call/jmp DWORD" that was just loaded from a register

ex: mov dword ptr ss:[ebp-54],eax

call dword ptr ss:[ebp-54]

- set a breakpoint (F2) on that register call

- then run by hitting play arrow

- If "VirtualAlloc" breakpoint is hit, right-click on EAX and "Follow in Dump"

- Keep going until the "Follow in Dump" shows a value at the bottom starting with "MZ" header

- open Hex Editor

- compare original EXE first chars after "MZ" header with what is in "Follow in Dump"

- if same, then hit play arrow again to keep running

- if different, then you may have the unpacked EXE

notes: It may take a while (unpacking can be slow)

When you hit a breakpoint you're looking at the content of "previous" memory regions

- right click "Follow in Memory Map"

- right click "Dump Memory to File"

- how do you know if you did it right?

drop into PE Studio, look at strings, do you see the actual "Ammyy.Service" or "ammy\svn" strings? 
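Added example (not from the tutorial or the guidedhacking thread): this automates steps 8 and 9 of the generic unpacking steps above and the hex-editor check in the FlawedAmmyy walkthrough. It scans a dumped memory region for "MZ" headers that validate as PE images and reports the ones whose DOS header differs from the original sample, which are the candidate unpacked payloads. The dump and original bytes here are constructed minimal PE images, not the FlawedAmmyy sample.

```python
import struct

def pe_header_size(buf: bytes, off: int):
    """(e_lfanew, SizeOfHeaders) if buf[off:] carries a plausible PE header, else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or buf[pe:pe + 4] != b"PE\x00\x00" or pe + 0x58 > len(buf):
        return None
    # Optional header starts 0x18 past the PE signature; SizeOfHeaders is at +0x3C in it.
    return e_lfanew, struct.unpack_from("<I", buf, pe + 0x18 + 0x3C)[0]

def find_pe_images(buf: bytes) -> list:
    """Offsets of every "MZ" in buf that validates as a PE header."""
    out, off = [], buf.find(b"MZ")
    while off != -1:
        if pe_header_size(buf, off):
            out.append(off)
        off = buf.find(b"MZ", off + 1)
    return out

def unpacked_candidates(dump: bytes, original: bytes, n: int = 0x40) -> list:
    """PE headers in dump whose first n bytes differ from the original sample:
    the scripted form of comparing the bytes after "MZ" in a hex editor."""
    return [o for o in find_pe_images(dump) if dump[o:o + n] != original[:n]]

def make_pe(stamp: bytes) -> bytes:
    """Constructed minimal PE32 image: DOS header carrying `stamp`, PE sig, COFF, optional header."""
    dos = b"MZ" + stamp.ljust(0x3A, b"\x00")[:0x3A] + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(0x3C, b"\x00") + struct.pack("<I", 0x200)
    return dos + b"PE\x00\x00" + coff + opt.ljust(0xE0, b"\x00")

# Constructed "dump": the original image, then an in-memory image with a different
# DOS header (standing in for the unpacked payload), then a stray "MZ" that is not a PE.
ORIGINAL = make_pe(b"\x90\x00\x03\x00")
DUMP = b"\x00" * 0x100 + ORIGINAL + b"\xCC" * 0x80 + make_pe(b"\x50\x00\x02\x00") + b"MZ decoy"

if __name__ == "__main__":
    print("PE headers at:", [hex(o) for o in find_pe_images(DUMP)])
    print("differ from original:", [hex(o) for o in unpacked_candidates(DUMP, ORIGINAL)])
```

On a real case, read the file written by "Dump Memory to File" and the original sample into bytes and call unpacked_candidates(dump, original); any offset it returns is the region to carve and load into PE Studio.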

Monday, April 12, 2021

Malware Analysis - Google Docs to DocX to XLSB

Got this email:

Link was google drive

Sender: sunringpal33@gmail.com
Subject: A full documents 9674
X-Originating-IP: [209.85.160.196]
Time: 04/09/21 12:43:33
Malware: Phish.LIVE.DTI.URL
URL: hxxps://drive.google[.]com/uc?export=download&id=1Z50lnHAW8NKIOL8cvpubm0iaYNHbWqKu
downloaded MD5: fddea65d6393155f25c9fd004e47df83
downloaded Filename: d7653901.docx

which downloads a word doc

Which has another link in it

hxxps://accounting.marayo[.]com/loved.php

Which downloads an Excel doc and redirects to DocuSign

The Excel doc has macros and looks like this DigiCert fake

Which has a hidden sheet

If you change the font color, or copy / paste the entire contents into Notepad++, you'll see the macro code and a payload URL

hxxps://masterize[.]com[.]br/vendor/laravel/framework/src/Illuminate/Foundation/Console/scmcs.exe

wmic.exe


Oracle Database sqlcl basics

Need to connect to an Oracle database?


Download Oracle SQLcl


https://www.oracle.com/tools/downloads/sqlcl-downloads.html


Extract the zip


Login using this command


> sql username@//server:1521/databasename


Show what user you are

SQL> show user


Now check what version of oracle you're on

SQL>  select BANNER from v$version;


Display the instance you're on

SQL> select INSTANCE_NAME, HOST_NAME, VERSION from v$instance;


Check what database you're connected to

SQL> select name from V$database;


List all user accounts

SQL> select * from all_users;